Five Eyes Agencies Warn Companies to Secure Agentic AI Before Deployment

Cybersecurity agencies from the United States, United Kingdom, Canada, Australia, and New Zealand issued joint guidance on May 4, 2026, warning that agentic AI systems introduce new security risks when deployed inside enterprise and critical infrastructure environments.

The guidance, issued by the Five Eyes intelligence alliance, comes as agentic AI, systems designed to take autonomous action with limited human oversight, moves from experimental use to real-world deployment.

The agencies warned that agentic AI can automate routine tasks, initiate transactions, and resolve service issues without human review. That autonomy creates new attack surfaces. A compromised agentic system could take harmful actions at machine speed before anyone notices.

The guidance recommends that organizations establish clear boundaries for what agentic systems can do, require human approval for high-stakes actions, and monitor agent behavior continuously. It also calls for strong identity and access management, noting that AI agents need their own credentials and permissions that must be tracked and audited.

The warning follows a separate alert from U.S. Treasury Secretary Scott Bessent, who said banks and technology companies are working to strengthen defenses against AI-enabled cyberattacks targeting bank accounts.

Colorado lawmakers also introduced a new bill on May 4 to regulate automated decision-making in areas including hiring, housing, education, healthcare, and finance. The bill aims to balance consumer protection with the needs of startups and enterprises.

Fitch Ratings warned separately that AI adoption in cybersecurity could expose gaps in existing defenses and risk models, particularly as companies deploy new tools faster than governance processes can keep up.