The proliferation of artificial intelligence (AI) agents – complex software actors built on large language models (LLMs) and designed to make autonomous plans, decisions and actions – has greatly expanded the capabilities of both public and private enterprises. However, these same technologies have been shown to pose critical cybersecurity risks when deployed without proper precautions and safeguards.
The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA), alongside international partners, recently jointly published a comprehensive guidance sheet for deploying agentic AI in critical infrastructure and defense sectors. The Cybersecurity Information Sheet (CSI) is titled “Careful Adoption of Agentic AI Services.”
The document raises concerns that these technologies have already been implemented without accounting for the risks of giving an autonomous tool access to keystone systems – external tools, databases, memory stores and automated workflows, among others.
AI agents cannot function without being embedded in a working environment’s core functions. However, the lack of human oversight exposes these sectors to the inherent risks and vulnerabilities of LLMs, expanded attack surfaces, increased complexity, a rapidly shifting cybersecurity landscape and the need to manage AI security as part of an established, holistic security framework.
Unlike generative AI systems, AI agents do not require constant human validation for every action. While this broadens their capabilities, it also means that agentic AI solutions can have unpredictable or catastrophic effects. There are five primary risk categories typically associated with agentic AI implementation that organizations must address:
- Privilege.
- Design and Configuration.
- Behavior.
- Structural.
- Accountability.
Privilege risks arise when AI agents are given too much access with too long a leash. The greater the agent’s influence and sway in operations, the larger the impact of a single compromise. In worst-case scenarios, this may result in AI agents deleting massive amounts of data or opening exploitable holes in the organization’s wider cybersecurity framework. Other vulnerabilities include privilege compromise, scope creep, identity spoofing and agent impersonation.
Poor design and configuration can lead to vulnerabilities as third-party components are introduced to the system. These elements may possess excessive or unintended privileges when integrated into agent operations. Malicious actors may abuse these components to steer the agent’s decision-making toward unauthorized actions. Agents may also gain access to resources, calls or commands beyond the scope of their intended privilege.
Behavior risks cover how AI agents may act unpredictably, cause harm or become exploitable. These issues tend to stem from goal misalignment, which produces unintended behavior such as taking shortcuts or exploiting loopholes that run counter to the developers’ intentions. These tools may also engage in deception to reach a favorable result, develop emergent capabilities and unpredictable behavior, or be manipulated by malicious actors to do harm.
Creating an interconnected structure between agents, tools and the outside world is a pivotal component of agentic AI technologies. However, while integration broadens their toolset and capabilities, it also increases the system’s attack surface and complexity, introducing unforeseen issues. As a result, agents may trigger cascading failures across interconnected systems.
Perhaps most notable of all, AI agents lack adequate accountability in many cases. These systems are often opaque by design, making it difficult to audit actions and demonstrate compliance. Actions taken by agents are often divorced from human decision-making processes, leading to secondary tasks, spawned sub-agents or obscured delegation chains that may severely impact operations. These same technologies are also known to make mistakes and hallucinate data and responses.
Because agentic AI is an emerging field, the cybersecurity sector is still catching up to address unprecedented risks to organizational networks, operations and data. Securing these technologies requires proactive measures that close gaps and minimize the potential for autonomous agents to act outside their expected parameters. The guidance sheet includes four subcategories outlining best practices to secure agentic AI systems:
- Designing secure agents by controlling context, implementing oversight mechanisms, managing identity and implementing defense in depth.
- Developing secure agents through comprehensive testing, appropriate evaluation, input management, red teaming, resilience, accountability and managing third-party components.
- Deploying agents securely by leveraging threat modelling, updating governance, utilizing progressive deployment, prioritizing isolation, integrating guardrails and constraints and making agents secure by default.
- Operating agents securely through monitoring, auditing, validating outputs, performance monitoring, limited privileges and authentication and always keeping a human in the loop.
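As an added illustration, not part of the guidance sheet or this article, the following Python sketch shows how a dispatcher placed between an agent and its tools can enforce several of the practices listed above: a per-agent tool allowlist (least privilege), a human approval hook for high-impact tools, an action budget that bounds runaway call chains, and an audit record of every attempted call. The agent names, tools, policy values and in-memory record store are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Any, Callable

# Constructed policy: each agent identity gets an explicit tool allowlist (least
# privilege), the subset of tools that need a human decision, and a call budget.
POLICY = {
    "report-agent": {"allowed": {"read_record", "send_email"},
                     "approve": {"send_email"}, "budget": 5},
    "cleanup-agent": {"allowed": {"read_record", "delete_record"},
                      "approve": {"delete_record"}, "budget": 3},
}

# Constructed sample tools backed by an in-memory record store.
RECORDS = {"r1": "quarterly numbers", "r2": "staff roster"}
TOOLS = {
    "read_record": lambda record_id: RECORDS.get(record_id),
    "delete_record": lambda record_id: RECORDS.pop(record_id, None) is not None,
    "send_email": lambda to, body: f"sent to {to}: {body}",
}

@dataclass
class GuardedDispatcher:
    tools: dict = field(default_factory=lambda: TOOLS)
    policy: dict = field(default_factory=lambda: POLICY)
    approver: Callable[[str, str, dict], bool] = lambda agent, tool, args: False  # deny unless a human says yes
    audit: list = field(default_factory=list)
    used: dict = field(default_factory=dict)

    def _log(self, agent, tool, args, outcome):
        self.audit.append({"agent": agent, "tool": tool, "args": dict(args), "outcome": outcome})

    def call(self, agent: str, tool: str, args: dict) -> Any:
        rule = self.policy.get(agent)
        if rule is None:  # unknown identity: deny, never default-allow
            self._log(agent, tool, args, "denied:unknown-agent")
            raise PermissionError(f"unknown agent identity {agent!r}")
        if tool not in rule["allowed"]:  # scope check against the allowlist
            self._log(agent, tool, args, "denied:out-of-scope")
            raise PermissionError(f"{agent} may not call {tool}")
        if self.used.get(agent, 0) >= rule["budget"]:  # bound runaway action chains
            self._log(agent, tool, args, "denied:budget-exhausted")
            raise PermissionError(f"{agent} exhausted its action budget")
        self.used[agent] = self.used.get(agent, 0) + 1
        if tool in rule["approve"] and not self.approver(agent, tool, args):
            self._log(agent, tool, args, "denied:human-rejected")
            return None
        result = self.tools[tool](**args)
        self._log(agent, tool, args, "ok")
        return result
```

Every outcome, including denials, lands in the audit list so that delegation and failed attempts remain traceable after the fact.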
While these solutions are pivotal for addressing the most pressing concerns, the NSA and CISA project that AI agents are only going to increase in sophistication and utility. As the technology scales, organizations will need to adapt to future risks before they pose any real threat to security. The guidance sheet includes three actions that will prepare organizations to develop robust standards for securing AI systems.
The first will be to expand threat intelligence through collaboration, strengthening partnerships with stakeholders to keep pace with evolving threats. Both AI developers and government organizations will need to consolidate threat information to better adopt a collaborative security approach. Some measures include implementing alerting, data collection and tracking methods for malicious actors and techniques. In addition, entities should work to improve situational awareness and align threat intelligence across industries to enhance threat modelling and effective mitigation design.
Organizations must also create robust, agent-specific evaluations to identify and address gaps while validating agentic AI systems. Additional plans should include generating benchmark datasets to cover new domains and represent realistic deployment contexts. These results should inform and validate security practices, identify failure points and contribute to developing better security practices.
The final recommendation is to leverage system-theoretic approaches to analyze security and identify appropriate measures. Current analyses are incapable of adequately measuring and monitoring these systems, making it difficult for leaders to make informed and effective decisions regarding their operation, utility and security. The document recommends the following best practices:
- Apply System Theoretic Process Analysis (STPA) and its security extension, STPA for Security, to analyze notional and operational systems, identify security issues, assess mission risk and inform potential mitigations.
- Use Causal Analysis using System Theory (CAST) to investigate security incidents and identify underlying causes at the system level.
- Apply STPA and CAST to address safety and security concerns concurrently across agentic AI system lifecycles.