CISA and ASD's ACSC publish joint guidance on securing agentic AI systems
Published: May 20, 2026
Authors: Anna Gamvros (Partner, Sydney), Elise Northcote (Lawyer, Sydney)

On May 1, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), together with cybersecurity authorities from Canada, New Zealand and the United Kingdom, published a guide titled “Careful Adoption of Agentic Artificial Intelligence (AI) Services” (the Guide).

The Guide is directed at organisations that design, develop, deploy and operate agentic AI systems and addresses the cybersecurity risks associated with their deployment, particularly in critical infrastructure and defence settings.

The Guide explains that agentic AI systems are AI systems which autonomously reason, plan and execute actions by combining large language models (LLMs) with external tools and data sources. The Guide notes that these systems are increasingly being deployed across government, critical infrastructure and industry environments to perform complex tasks with limited human intervention.  

The Guide recommends that organisations should align agentic AI risks and mitigation strategies with their existing security model and risk posture and should only use agentic AI for low-risk and non-sensitive tasks. 

Key risks

The Guide identifies several cybersecurity risks that agentic AI systems introduce for organisations deploying them, such as: 

  • vulnerabilities inherited from the underlying LLMs (such as susceptibility to prompt injection and data poisoning)  
  • an expanded attack surface arising from the system's reliance on external tools, memory components and integrations  
  • increased system complexity, which can lead to cascading failures and make it difficult to isolate compromised components  
  • privilege and identity risks, where agents with excessive permissions may be exploited or misused to perform unauthorised actions  
  • reduced accountability and visibility, as autonomous and opaque decision-making processes can complicate monitoring, auditing and incident response.

Recommended practices

The Guide sets out several recommended practices for organisations to mitigate these risks. A central theme is that security should be embedded from the outset; organisations should design agentic AI systems with built-in security controls and least-privilege access and implement strong identity and access management for AI agents, including assigning distinct identities and continuously authenticating agent interactions. 

The Guide also emphasises the importance of rigorous testing, evaluation and red-teaming throughout the system's lifecycle to identify security weaknesses and unintended behaviours. Rather than deploying agentic AI at full capability from the start, the Guide recommends a progressive approach, beginning with lower-risk tasks and expanding the system's autonomy only as security controls mature. Organisations should maintain continuous monitoring and logging of agent behaviour and tool usage and should retain meaningful human oversight over high-impact or irreversible actions. 

The Guide concludes by noting that until security practices, evaluation methods and standards mature, organisations should assume that agentic AI systems may behave unexpectedly and should plan deployments accordingly, prioritising resilience, reversibility and risk containment over efficiency gains.

The Guide is available here and the ASD's ACSC press release is available here.
