CISA, NSA, and Allied Agencies Publish the First Global Safety Framework for Agentic AI in Enterprise IT

By Hector Herrera | May 22, 2026

CISA, NSA, the UK's National Cyber Security Centre, and cybersecurity agencies from multiple allied nations jointly published guidance for securing AI agents deployed in enterprise IT environments. It is the first coordinated international framework specifically addressing agentic AI systems—software that can autonomously execute code, chain decisions, and take actions across networks—rather than static AI models that simply respond to individual queries. The guidance covers the risks that most enterprise security teams have not yet built defenses against.

Why it matters: AI agents are already running inside corporate networks at major banks, healthcare systems, law firms, and defense contractors. Until now, there was no agreed-upon international baseline for what controls those agents should operate under. This document is that baseline.

What "Agentic AI" Actually Means

The term "agentic AI" refers to AI systems that do not just answer questions—they take sequences of actions autonomously over time. An AI agent given access to a company's email system, CRM, and calendar can schedule meetings, draft contracts, send communications, and update customer records without human approval for each step.

That autonomy is the capability organizations are deploying for productivity. It is also the capability that creates new attack surfaces. Traditional security models assume that software takes defined, predictable actions. Agents, by design, make dynamic decisions based on inputs that can be manipulated.

According to ASIS Online, the joint guidance identifies four primary threat categories and sets best practices for each.

The Four Risk Categories

1. Autonomous code execution Agents with the ability to write and run code can be manipulated through crafted inputs into executing malicious payloads without human review. A coding agent told to "fix the bug in the authentication module" could be redirected by a prompt injection (see below) to insert a backdoor instead.

2. Privilege escalation An agent granted access to one system often has pathways—through API calls, shared credentials, or service accounts—to reach adjacent systems. Attackers can exploit an agent's trusted access to traverse network boundaries that would stop a direct intrusion attempt.

3. Chain-of-thought manipulation AI agents reason through tasks in multi-step sequences. Adversaries can craft inputs—embedded in emails, documents, or web content the agent reads—that alter those reasoning steps, redirecting the agent toward actions the user never intended. This technique, called prompt injection, is the agentic equivalent of SQL injection for traditional software.

4. Supply chain risks Agents built on third-party models, plugins, or tool integrations inherit the security posture of those upstream systems. A compromised plugin can give attackers indirect access to any enterprise network where that plugin is deployed.

What the Guidance Recommends

The document sets concrete best practices across several control domains:

• Least-privilege access: Agents should have access only to systems and data required for their specific task—no persistent elevated permissions, no standing admin rights
• Audit logging: Every action an agent takes should be logged with enough detail to reconstruct the full decision chain after an incident
• Human-in-the-loop checkpoints: For high-stakes actions—financial transactions, system configuration changes, external communications—human approval should be required before execution
• Input sanitization: Documents, emails, and web content that agents read should be screened for prompt injection attempts before being passed to the model
• Sandboxed execution: Where possible, agents should operate in isolated environments that limit lateral movement if a session is compromised
• Model provenance verification: Enterprises should validate the integrity and origin of AI models they deploy, particularly in supply chain contexts

Why International Coordination Matters

The joint publication brings together CISA and NSA (United States), NCSC (United Kingdom), and agencies from Australia, Canada, New Zealand, and Germany—effectively the Five Eyes intelligence alliance plus key European partners. That coordination matters for two reasons.

First, enterprise AI deployments are multinational. A U.S.-only guidance document would leave gaps that adversaries could exploit through jurisdictional inconsistencies. Second, the joint publication gives the framework more legitimacy with corporate security leaders who need executive buy-in to implement new controls on AI systems that business units are eager to deploy.

This is also the first time this coalition has issued guidance specifically on AI agents, distinct from AI systems generally. That specificity reflects growing regulatory recognition that agentic AI is a categorically different risk surface—not an incremental extension of prior AI security concerns.

What This Means

For enterprise security teams: This guidance gives CISO-level executives a defensible framework to present to their boards when implementing AI agent controls. "CISA and NSA said so" is a significant argument for security spending in organizations that have been reluctant to constrain AI tool adoption.

For AI vendors: Companies selling agentic AI tools to enterprise customers—Anthropic, OpenAI, Microsoft, Salesforce, and dozens of others—will face increasing pressure to demonstrate that their products facilitate compliance with this framework. Expect it to appear in procurement security questionnaires within months.

For regulators: The guidance is advisory, not mandatory. CISA has no authority to require enterprise compliance. But this framework is the natural reference document for sector-specific regulators—the SEC, OCC, and banking regulators—when they move to binding AI governance requirements.

What to Watch

Watch for the SEC, Federal Reserve, OCC, and sector-specific agencies to issue binding guidance that cites this framework in the coming 6-12 months. The EU AI Act's provisions on high-risk AI systems and agentic capabilities are also being finalized; this document may directly influence that rulemaking. The first major enterprise breach attributable to agentic AI misuse—which most security researchers consider a matter of when, not if—will accelerate mandatory adoption of these controls.

Source: ASIS Online / Security Management