What the Five Eyes Agentic AI Guidance Actually Means for Your Organisation

The cybersecurity agencies of the United States, United Kingdom, Australia, Canada, and New Zealand published their first coordinated guidance on agentic AI security. It is 30 pages long, covers 23 distinct risk categories, and contains more than 100 individual best practices. It is also advisory. For now...

Guidance from CISA, NCSC, and their Five Eyes counterparts has a consistent track record of becoming a procurement baseline within 12 to 18 months. The organisations that treat this document as a preview of future requirements, not an optional read, will be better placed when it does.

Why this guidance matters now

Agentic AI is no longer experimental. Organisations across defence and healthcare are deploying systems that can plan, make decisions, and take actions autonomously, connecting to external tools, databases, and workflows with minimal human oversight.

The agencies behind this guidance are explicit about why that is concerning. Existing governance frameworks were designed for human actors. They do not map cleanly onto systems that can act at machine speed, chain multiple capabilities together, and produce outcomes that are difficult to predict or audit.

The document puts it plainly: organisations should assume agentic AI systems may behave unexpectedly and plan deployments accordingly.

The five risk categories

The guidance organises its 23 risks across five broad categories. Understanding these is the starting point for any honest assessment of an agentic deployment.

1. Privilege risks

Agents need access to do their job. The temptation is to grant broad permissions so they can operate without friction. That is precisely where the risk begins. An agent with excessive access becomes a high-value target. A single compromise, whether through credential theft, prompt injection, or an internal vulnerability, can cascade into infrastructure-wide damage. The guidance uses a concrete example: an agent with broad write permissions deleting firewall logs after receiving a crafted prompt.

2. Design and configuration risks

Many agentic systems are configured quickly, under pressure, by teams who have not fully assessed the attack surface they are creating. Misconfigured permissions, poorly scoped tool access, and absent input validation are common. The guidance flags that these issues are often invisible until something goes wrong.

3. Behavioural risks

Agentic AI does not always do what you expect. Models can find unintended routes to a goal, interpret instructions in ways that produce undesirable outcomes, or behave differently in production than they did in testing. The guidance specifically notes that models may evolve during deployment, making prior testing less reliable as time passes. Behavioural auditability, the ability to review what an agent did and why, is named as a required control, not an optional enhancement.

4. Structural risks

Agentic systems rarely operate in isolation. They connect to orchestration layers, external APIs, memory stores, and other agents. Each connection is a potential failure point. A vulnerability in one component can propagate across the chain. The guidance highlights that multi-component architectures amplify traditional security failures in ways that are non-obvious to teams assessing risk at the individual component level.

5. Supply-chain risks

The models, frameworks, and tools that underpin an agentic system introduce third-party dependencies. If any of those components are compromised, or if they update in ways that change behaviour, the downstream impact can be significant. The NHS learned this acutely with supplier-side attacks in recent years. The same dynamic applies to AI supply chains.

What the guidance recommends

Across all five risk categories, the agencies converge on consistent recommendations:

Least-privilege access. Agents should be granted only the permissions they need for a specific task, not blanket access to whatever might be useful. This limits the blast radius of any compromise.

Human approval for sensitive actions. High-impact decisions, those involving data modification, financial transactions, or system changes, should require a human checkpoint before execution. Workflow design should make this mandatory, not optional.

Interrupt and rollback capability. Organisations must be able to stop an agent mid-task and reverse its actions. This is not a recovery feature; it is a baseline operational control.

Behavioural auditability. Every significant agent action should be logged with enough context to reconstruct what happened and why. Not just failures, but routine operations too. The agencies are explicit that this is now the minimum standard.

Incremental deployment. Start with low-risk, well-bounded tasks. Expand scope only after controls are validated. The guidance recommends against granting broad autonomy to systems that have not been thoroughly evaluated in production conditions.

Assume unexpected behaviour. Design your governance framework on the assumption that the agent will occasionally do something you did not anticipate. Plan for resilience and containment, not just prevention.

What this means for defence and health tech specifically

Both sectors are named explicitly in the guidance as areas where agentic AI is already being deployed in contexts that affect critical infrastructure.

For defence suppliers, the procurement implications are direct. Gartner's complementary research, published in a separate report this month, notes that Five Eyes guidance of this nature typically shapes future binding contract language. If you are bidding on MOD work or seeking Defence Cyber Certification, documenting your agentic AI governance posture is becoming a due diligence requirement, not an afterthought.

For health tech organisations, the overlap with NHS supply chain security requirements is significant. The NHS has spent the past two years tightening its scrutiny of supplier cyber controls following a series of high-profile incidents. An agentic system handling patient data, clinical workflows, or operational infrastructure that cannot demonstrate behavioural auditability or least-privilege access is a liability, both technically and commercially.

Three things to do now

You do not need to wait for this guidance to become mandatory to act on it. Three practical steps are worth prioritising.

First, inventory your agentic AI deployments. Many organisations do not have an accurate picture of which agentic systems are running, what access they hold, and who authorised them. That inventory is the foundation for everything else.

Second, audit permissions against least-privilege principles. For every agent in your environment, ask: Does it have more access than it needs? In most cases, the answer will be yes.

Third, assess your audit logging. If something went wrong with an agent action yesterday, could you reconstruct exactly what happened and why? If the answer is no, that is a gap worth closing before a regulator or procurement team asks the same question.

The bottom line

The Five Eyes guidance is advisory today. It will not be advisory indefinitely. Organisations that treat it as a preview of the regulatory floor and build their governance posture accordingly will be in a materially better position than those that wait.

For those operating in defence or health tech, the stakes of getting this wrong are not abstract. They are operational, contractual, and in some cases, directly tied to patient and national security outcomes.

If you want to talk through what the Five Eyes guidance means for your specific deployment, Periculo's team is here to help.