The UK's National Cyber Security Centre (NCSC) has released new security guidance for organizations deploying agentic AI systems, highlighting the distinct cyber risks posed by autonomous artificial intelligence agents. The document condenses a longer report co-authored with the NCSC's Five Eyes partners in Australia, Canada, the United States and New Zealand, addressing growing concern about AI systems that act on their own without continuous human direction.
The NCSC warns that the autonomy and complexity of agentic systems create particular dangers, including excessively broad access to external systems and unpredictable behavior patterns. Problems become harder to detect when AI agents execute actions faster than humans can review them, while the wide range of available behaviors and tools makes it challenging to explain specific decisions or actions. The agency cautions that a single failure in an over-privileged or poorly designed agent could rapidly escalate into a serious security incident.
Before deployment, organizations must establish clear governance structures defining who owns the agentic system, who approves its access permissions, who monitors its behavior, who reviews incidents, and who holds authority to shut it down if problems arise. The NCSC recommends starting with tightly bounded pilot programs using clearly defined tasks, rather than broad deployments. Organizations should apply the principle of least privilege, granting agents only minimum necessary access for the shortest required time, and use temporary credentials that can be revoked once tasks complete.
The guidance references the ETSI EN 304 223 standard as a framework for best practice. Key recommendations include limiting agent scope by restricting both the resources an agent can reach and the actions it may take, shipping secure default configurations with appropriate validation, understanding supply chain dependencies for third-party components and models, and continuously monitoring for unusual activity across connected systems. Organizations should also conduct threat modeling to identify potential misuse scenarios and manipulation vectors.
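The two preceding paragraphs describe controls rather than code: least privilege with short-lived, revocable credentials; a restricted set of tools and resources; a named party with shutdown authority; and monitoring of the agent's activity. The following sketch, added here as an illustration and not taken from the NCSC guidance, the Five Eyes report or ETSI EN 304 223, shows how those controls fit together in a default-deny gateway that sits between an agent and its tools. Every class, method and policy value in it (Grant, ToolGateway, authorize, the 60-second TTL, the two-calls-per-minute budget, the /data/reports paths, the "summariser" agent) is invented for the example.

```python
# Added example (not NCSC/ETSI code); all names and policy values are invented.
import time
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:                   # one agent run's capability; nothing outside it is reachable
    grant_id: str
    agent: str
    tools: frozenset           # permissible actions, e.g. {"read_file"}
    resources: frozenset       # resource path prefixes the agent may touch
    expires_at: float


def _within(resource, prefix):
    """Path-boundary match: '/data/reports' covers '/data/reports/q1.txt' but
    not '/data/reports_private/x', which a bare startswith() would allow."""
    prefix = prefix.rstrip("/")
    return resource == prefix or resource.startswith(prefix + "/")


class ToolGateway:
    """Default-deny broker between an agent and its tools: a call passes only under
    a live, unrevoked grant covering tool and resource and inside a call budget."""

    def __init__(self, clock=time.time, max_calls_per_minute=30):
        self._clock = clock           # injectable for deterministic tests
        self._grants = {}             # grant_id -> Grant
        self._revoked = set()
        self._allowed_at = {}         # agent -> timestamps of allowed calls
        self.max_calls_per_minute = max_calls_per_minute
        self.halted = False           # the owner's kill switch
        self.audit = []               # one record per decision, for human review

    def issue(self, agent, tools, resources, ttl_seconds):
        """Grant the minimum scope for the shortest time the task needs."""
        grant = Grant(str(uuid.uuid4()), agent, frozenset(tools),
                      frozenset(resources), self._clock() + ttl_seconds)
        self._grants[grant.grant_id] = grant
        return grant.grant_id

    def revoke(self, grant_id):
        """Revoke early, e.g. the moment the task completes."""
        self._revoked.add(grant_id)

    def halt(self):
        """Shutdown authority: every subsequent call is denied."""
        self.halted = True

    def authorize(self, grant_id, tool, resource):
        """Return (allowed, reason); only the final branch allows."""
        now = self._clock()
        grant = self._grants.get(grant_id)
        agent = grant.agent if grant else "unknown"
        if self.halted:
            reason = "halted"
        elif grant is None or grant_id in self._revoked:
            reason = "unknown-or-revoked-grant"
        elif now >= grant.expires_at:
            reason = "expired"
        elif tool not in grant.tools:
            reason = "tool-not-granted"
        elif not any(_within(resource, p) for p in grant.resources):
            reason = "resource-out-of-scope"
        elif self._calls_last_minute(agent, now) >= self.max_calls_per_minute:
            reason = "rate-limited"   # acting faster than a human can review
        else:
            reason = "ok"
            self._allowed_at.setdefault(agent, []).append(now)
        self.audit.append({"ts": now, "agent": agent, "tool": tool,
                           "resource": resource, "decision": reason})
        return reason == "ok", reason

    def _calls_last_minute(self, agent, now):
        return sum(1 for t in self._allowed_at.get(agent, ()) if now - t < 60)

    def denials(self, agent):   # monitoring hook: a burst of denials is the anomaly signal
        return [r for r in self.audit if r["agent"] == agent and r["decision"] != "ok"]


def demo():
    """Run one bounded pilot task under a fake clock; return (decisions, denial count)."""
    clock = [1000.0]
    gw = ToolGateway(clock=lambda: clock[0], max_calls_per_minute=2)
    gid = gw.issue("summariser", {"read_file"}, {"/data/reports"}, ttl_seconds=60)
    out = [gw.authorize(gid, t, r)[1] for t, r in [
        ("read_file", "/data/reports/q1.txt"),          # ok
        ("delete_file", "/data/reports/q1.txt"),        # tool-not-granted
        ("read_file", "/data/reports_private/x.txt"),   # resource-out-of-scope
        ("read_file", "/data/reports/q2.txt"),          # ok
        ("read_file", "/data/reports/q3.txt")]]         # rate-limited
    clock[0] += 61                                      # TTL elapses
    out.append(gw.authorize(gid, "read_file", "/data/reports/q3.txt")[1])   # expired
    gid2 = gw.issue("summariser", {"read_file"}, {"/data/reports"}, ttl_seconds=60)
    gw.revoke(gid2)                                     # task finished early
    out.append(gw.authorize(gid2, "read_file", "/data/reports/q1.txt")[1])  # revoked
    gw.halt()                                           # owner pulls the plug
    out.append(gw.authorize(gid2, "read_file", "/data/reports/q1.txt")[1])  # halted
    return out, len(gw.denials("summariser"))
```

Three design points matter more than the specifics. The gateway, not the agent, holds the credentials and runs the tool, so a manipulated agent can only ask, never act directly. The scope check matches on a path boundary rather than a bare string prefix, because a prefix allowlist that accepts `/data/reports_private` under `/data/reports` is exactly the kind of over-broad access the guidance warns about. And the call budget plus the audit list give a reviewer a record to read after the fact and a throttle that keeps the agent from outrunning review; in a real deployment both would feed the monitoring the guidance asks for rather than stay in memory.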
The NCSC acknowledges that agentic AI offers significant benefits for repetitive, well-understood, low-risk tasks, and encourages responsible adoption. However, the agency stresses that organizations must maintain meaningful human oversight and control throughout deployment. If teams cannot understand, monitor, or contain an agent's actions, the system is not ready for production use. Organizations should plan for incidents including AI failures, misuse, and loss of control, applying existing cybersecurity hygiene and governance practices from the start while scaling gradually.
Source: https://www.infosecurity-magazine.com/news/ncsc-publishes-guidance-securing/