[TIMESTAMP: 2026-05-01 12:31 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: INFO]

Securing Agentic AI: CISA and International Partners Issue Guidance

INFO Threat Intel #agentic-ai #CISA #AI-security
AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] Immediate impact: Organizations adopting agentic AI face risks from autonomous decision-making and increased attack surfaces without proper oversight.
  • [02] Affected systems: Agentic AI systems utilizing Large Language Models to perform multi-step tasks across enterprise environments.
  • [03] Remediation: Implement human-in-the-loop controls and integrate agentic AI risks into existing cybersecurity and risk management frameworks.

The evolution of artificial intelligence from passive text generators to active agents represents a significant shift in enterprise technology. According to the guidance Careful Adoption of Agentic AI Services, CISA and its partners, including the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), have released comprehensive guidance to address the unique security profile of these systems. Unlike traditional AI, agentic AI has the capacity to plan tasks, use external tools, and execute actions with minimal human intervention, which fundamentally alters the enterprise attack surface.

Security Challenges of Autonomous AI Agents

The move toward autonomy introduces specific security challenges of autonomous AI agents that go beyond traditional software vulnerabilities. Agentic AI systems often rely on Large Language Models (LLMs) as a core reasoning engine. These agents are granted permissions to access internal databases, execute code via APIs, and communicate with external services to fulfill complex user requests.

One of the primary concerns is the potential for Privilege Escalation. If an agent is configured with overly broad permissions, a malicious actor could use prompt injection to trick the agent into performing unauthorized actions. This could lead to Lateral Movement within a network, as the agent may have credentials to access multiple disparate systems. Furthermore, because these agents often utilize third-party plugins or external tools, they are susceptible to a Supply Chain Attack if the integrated services are compromised. Unlike a standard CVE that might be patched at the software level, the logic-based vulnerabilities in AI agents require architectural guardrails.

To safely integrate these technologies, organizations must adopt a recommended agentic AI risk management framework that aligns with established cybersecurity practices. This involves a rigorous assessment of the “agency” granted to the AI. Defenders should evaluate the potential impact of an agent making an incorrect decision or being subverted by an adversary.

Key components of this framework include:

  • Granular Permissioning: Applying Zero Trust principles to AI agents. Agents should only have the minimum access required to perform their specific task, and their credentials should be strictly managed.
  • Human-in-the-Loop (HITL): Implementing mandatory human approval for high-risk actions, such as modifying sensitive data or executing code in production environments.
  • Sandboxing: Running agentic tools and code execution environments in isolated containers to prevent an RCE from compromising the underlying host.
  • Audit Logging: Ensuring that every action taken by the agent is logged and monitored by the SOC. This data should be integrated into the SIEM to detect anomalous TTPs or unauthorized API calls.
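The four framework components above (least-privilege tool allowlists, human approval for high-risk actions, and an audit record for every decision; sandboxing is left to the runtime) can be enforced at the point where an agent's chosen tool call is dispatched. The following is an added illustration, not code from CISA or the guidance: the tool names, the risk tiers, the `approve` callback and the `demo` harness are all constructed for the example.

```python
"""Tool-call gate for an LLM agent: least-privilege allowlist, human-in-the-loop
approval for high-risk actions, and an audit entry for every decision.

Added example; tool names, risk tiers and the approval hook are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable

# Risk tier per tool (constructed). Anything tagged "high" needs a human approval
# before the gate lets it run; unknown tools are treated as "high".
TOOL_RISK = {
    "search_docs": "low",
    "read_ticket": "low",
    "update_ticket": "medium",
    "run_shell": "high",
    "export_customer_data": "high",
}


@dataclass
class AgentPolicy:
    agent_id: str
    allowed_tools: frozenset                 # least privilege: tools this agent may call
    approve: Callable[[str, dict], bool]     # HITL hook: True only if a human approved
    audit_log: list = field(default_factory=list)

    def _record(self, tool: str, args: dict, decision: str, reason: str) -> dict:
        """Append one audit entry; in production this would be shipped to the SIEM."""
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "agent": self.agent_id,
            "tool": tool,
            "args": args,
            "decision": decision,
            "reason": reason,
        }
        self.audit_log.append(entry)
        return entry

    def dispatch(self, tool: str, args: dict, tools: dict):
        """Run `tool` with `args` only if the allowlist and risk policy permit it."""
        if tool not in self.allowed_tools:
            self._record(tool, args, "denied", "tool not in agent allowlist")
            return None
        risk = TOOL_RISK.get(tool, "high")
        if risk == "high" and not self.approve(tool, args):
            self._record(tool, args, "denied", "human approval not granted")
            return None
        self._record(tool, args, "allowed", f"risk={risk}")
        return tools[tool](**args)


def _fake_tools() -> dict:
    """Stand-in tool implementations (constructed)."""
    return {
        "read_ticket": lambda ticket_id: {"id": ticket_id, "status": "open"},
        "export_customer_data": lambda table: f"export of {table}",
    }


def demo(approve_high_risk: bool):
    """Drive the gate through three calls: a low-risk call, a tool outside the
    allowlist, and a high-risk call whose outcome depends on the human decision."""
    policy = AgentPolicy(
        agent_id="helpdesk-agent-01",
        allowed_tools=frozenset({"read_ticket", "export_customer_data"}),
        approve=lambda tool, args: approve_high_risk,
    )
    tools = _fake_tools()
    results = [
        policy.dispatch("read_ticket", {"ticket_id": 42}, tools),
        policy.dispatch("run_shell", {"cmd": "uptime"}, tools),               # not allowlisted
        policy.dispatch("export_customer_data", {"table": "customers"}, tools),  # high risk
    ]
    return results, [e["decision"] for e in policy.audit_log]


if __name__ == "__main__":
    for outcome in (False, True):
        results, decisions = demo(outcome)
        print(f"approval={outcome}: decisions={decisions}, results={results}")
```

The gate denies before consulting the model's reasoning at all: the allowlist check does not depend on what the prompt said, which is the property that limits what a prompt-injected agent can do. The `approve` callback is where a ticketing or chat-ops approval flow would plug in.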

Actionable Mitigations for Defenders

Security teams must understand how to secure agentic AI services by moving beyond reactive patching. While no specific CVSS score can encapsulate the risk of a logic error in an agent, the potential for data exfiltration or system disruption remains high. Organizations should conduct a MITRE ATT&CK mapping for AI-specific threats, focusing on techniques like automated exfiltration and malicious tool use.

Monitoring for IoCs in agentic environments requires looking for unusual patterns in API traffic and unexpected data flows. As Zero-Day vulnerabilities in LLM frameworks continue to emerge, maintaining a high level of observability is essential. Implementing an EDR solution on the hosts where agents reside can provide an additional layer of visibility into the processes initiated by the AI. By treating agentic AI as a powerful but high-risk non-human identity, enterprises can leverage its benefits while maintaining a defensible security posture.
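The monitoring described in the two paragraphs above (unusual API traffic, unexpected data flows, automated exfiltration, malicious tool use) can be expressed as a small detection pass over the agent's audit log. The following is an added example, not part of the article or the guidance: the log format, field names, allowlists and thresholds are constructed for illustration, and the sample lines are made up.

```python
"""Detection pass over an agent audit log: flags tool calls outside the agent's
allowlist, traffic to unapproved destinations, high egress volume and call-rate
bursts per agent per minute.

Added example; log schema, allowlists and thresholds are assumptions.
"""
import json
from collections import defaultdict

# Constructed sample log (one JSON object per line), as an agent runtime might emit.
SAMPLE_LOG = """\
{"ts":"2026-05-01T12:00:01Z","agent":"helpdesk-agent-01","tool":"read_ticket","dest":"tickets.internal","bytes_out":120}
{"ts":"2026-05-01T12:00:03Z","agent":"helpdesk-agent-01","tool":"read_ticket","dest":"tickets.internal","bytes_out":98}
{"ts":"2026-05-01T12:00:04Z","agent":"helpdesk-agent-01","tool":"http_post","dest":"paste.example.net","bytes_out":540000}
{"ts":"2026-05-01T12:00:05Z","agent":"helpdesk-agent-01","tool":"run_shell","dest":"localhost","bytes_out":0}
{"ts":"2026-05-01T12:00:06Z","agent":"helpdesk-agent-01","tool":"http_post","dest":"crm.internal","bytes_out":2000}
"""

# Per-agent tool allowlist and the destinations the agent is expected to reach (constructed).
AGENT_ALLOWLIST = {"helpdesk-agent-01": {"read_ticket", "update_ticket", "http_post"}}
APPROVED_DESTS = {"tickets.internal", "crm.internal", "localhost"}
EGRESS_BYTES_PER_MINUTE = 100_000   # constructed threshold
CALLS_PER_MINUTE = 4                # constructed threshold


def parse_log(text: str) -> list:
    """Parse JSON-lines audit records; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list) -> list:
    """Return (rule, agent, detail) tuples for every event or aggregate that trips a rule."""
    alerts = []
    egress = defaultdict(int)   # (agent, minute) -> bytes sent
    calls = defaultdict(int)    # (agent, minute) -> number of tool calls
    for e in events:
        minute = e["ts"][:16]   # "YYYY-MM-DDTHH:MM" bucket
        allowed = AGENT_ALLOWLIST.get(e["agent"], set())
        if e["tool"] not in allowed:
            alerts.append(("unapproved_tool", e["agent"], e["tool"]))
        if e["dest"] not in APPROVED_DESTS:
            alerts.append(("unapproved_destination", e["agent"], e["dest"]))
        key = (e["agent"], minute)
        egress[key] += e["bytes_out"]
        calls[key] += 1
    # Aggregate rules: volume and rate per agent per minute.
    for (agent, minute), total in egress.items():
        if total > EGRESS_BYTES_PER_MINUTE:
            alerts.append(("egress_volume", agent, f"{total} bytes in {minute}"))
    for (agent, minute), n in calls.items():
        if n > CALLS_PER_MINUTE:
            alerts.append(("call_rate", agent, f"{n} calls in {minute}"))
    return alerts


def run_sample() -> list:
    """Run the detection rules over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, agent, detail in run_sample():
        print(f"[{rule}] {agent}: {detail}")
```

The per-event rules (unapproved tool, unapproved destination) are the direct checks the article's "unauthorized API calls" point calls for; the per-minute aggregates are what catches automated exfiltration when every individual call looks permitted. In a SIEM the same logic maps onto a scheduled search keyed on agent identity, which is why treating the agent as a distinct non-human identity matters for detection.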
