The security guide for AI agents in critical infrastructure arrived after the agents were already there
The security guide for AI agents that can take actions inside power grids, water systems, and defense networks came out on May 1. The problem is that those agents are already there.
That gap (guidance published after the systems it governs are already live) is the central tension in Careful Adoption of Agentic AI Services, a joint guide released by CISA, the NSA, and cyber agencies from Australia, Canada, New Zealand, and the United Kingdom. The guide is notable both for what it says and for when it arrived: five governments simultaneously advising organizations to assume their agentic deployments may behave unexpectedly, to plan for resilience and reversibility, and to prioritize containment over efficiency gains. The advice reads like a postmortem written before the incident.
The agencies do not speculate. CISA's own news release states that critical infrastructure and defense sectors are already deploying agentic AI systems to support mission-critical operations. The guidance document names products already operating in enterprise environments (Microsoft 365 Copilot, GitHub Copilot Workspace, Salesforce Agentforce) as examples of agentic systems that can read, write, and transmit enterprise data with minimal human intervention between task assignment and task completion. An agent with that reach inside a utility or defense network holds access to the same data, accounts, and services that critical infrastructure operators depend on.
The guide's most direct warning concerns prompt injection, a technique that hides malicious instructions inside the data an AI agent reads (a web page, a document, an email it has been asked to process) so that the model follows them as if they came from its operator. Cloud Security Alliance characterized it as "the most persistent and difficult-to-fix threat facing agentic systems." The root cause is a design constraint of language models: instructions and the data to be processed arrive through the same channel, so no input filter can reliably separate the two, and sanitization reduces the risk without eliminating it. Beyond that top threat, the document organizes risks across five categories: privilege escalation, design and configuration flaws, behavioral misalignment, structural risks from interconnected agent networks, and accountability, the category the agencies say is currently hardest to enforce.
Accountability is the gap that makes the other four categories harder to fix. Agentic systems make decisions through processes that are difficult to inspect, generate logs that are hard to parse, and, when they fail, can alter files, change access controls, and delete their own audit trails. Cyberscoop reported that the agencies recommend each agent carry a cryptographically secured identity, use short-lived credentials, and encrypt all communications with other agents and services. For high-impact actions, a human should sign off. The guidance is explicit that deciding which actions require that approval layer is a job for system designers, not the agent itself.
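As an added illustration of the controls the agencies describe (this is example code written for this page, not from the guide or from any vendor), the Python below puts an approval gate in front of an agent's tool calls: a short-lived credential that expires, a designer-owned policy table marking each tool as unattended, human-approved, or forbidden, an HMAC-signed approval that a human issues and that binds to the exact agent, tool, and arguments, and an append-only hash-chained audit log with no delete path. The tool names, the policy table, the key, and the injected-instruction scenario in demo() are all constructed for the example. It also shows how the prompt-injection warning and the containment advice fit together: however the agent was persuaded to request an ACL change or to erase its log, the gate's decision depends on policy and a human signature, not on the agent's reasoning.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Designer-set policy (tool names are hypothetical); the agent cannot edit it.
# "auto" = low-impact, runs unattended; "human" = high-impact, needs a signed
# human approval; "deny" = never permitted, however the agent was persuaded.
POLICY = {"read_document": "auto", "change_acl": "human", "delete_audit_log": "deny"}

# Shared only by the human approval service and the gate; the agent never holds it.
APPROVER_KEY = b"approver-secret-constructed-for-this-example"

@dataclass(frozen=True)
class Credential:
    """Short-lived per-agent identity; only the expiry check is modelled here."""
    agent_id: str
    issued_at: float
    ttl_seconds: float = 300.0
    def is_valid(self, now: float) -> bool:
        return self.issued_at <= now < self.issued_at + self.ttl_seconds

def canonical(obj: dict) -> str:
    # Deterministic serialisation so hashes and MACs bind the exact arguments.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))

def human_approve(agent_id: str, tool: str, args: dict, expires_at: float) -> str:
    """Issued by the approval service once a person has reviewed the request; the
    MAC binds the approval to this agent, tool, argument set and deadline."""
    msg = f"{agent_id}|{tool}|{canonical(args)}|{expires_at:.0f}".encode()
    return hmac.new(APPROVER_KEY, msg, hashlib.sha256).hexdigest()

class AuditLog:
    """Append-only, hash-chained log: no edit or delete method exists, and any
    change to a stored record breaks the chain in verify()."""
    def __init__(self) -> None:
        self._chain: list = []
    def append(self, record: dict) -> str:
        prev = self._chain[-1]["hash"] if self._chain else "0" * 64
        digest = hashlib.sha256((prev + canonical(record)).encode()).hexdigest()
        self._chain.append({"prev": prev, "record": record, "hash": digest})
        return digest
    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self._chain:
            digest = hashlib.sha256((prev + canonical(entry["record"])).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != digest:
                return False
            prev = digest
        return True
    def records(self) -> list:
        return [entry["record"] for entry in self._chain]

class ActionGate:
    """Sits between the agent's tool-call request and the tool; every outcome is logged."""
    def __init__(self, policy: dict, log: AuditLog) -> None:
        self.policy, self.log = policy, log
    def request(self, cred, tool, args, now, approval=None) -> str:
        """Return 'allowed', 'needs_human' or 'denied'; approval = (expires_at, token) or None."""
        if not cred.is_valid(now):
            return self._record(cred, tool, args, now, "denied", "credential expired")
        mode = self.policy.get(tool, "deny")  # unknown tools are denied, not guessed
        if mode == "deny":
            return self._record(cred, tool, args, now, "denied", "forbidden by policy")
        if mode == "auto":
            return self._record(cred, tool, args, now, "allowed", "low-impact")
        if approval is None:
            return self._record(cred, tool, args, now, "needs_human", "awaiting approval")
        expires_at, token = approval
        expected = human_approve(cred.agent_id, tool, args, expires_at)
        if now >= expires_at or not hmac.compare_digest(token, expected):
            return self._record(cred, tool, args, now, "denied", "bad or expired approval")
        return self._record(cred, tool, args, now, "allowed", "human approved")
    def _record(self, cred, tool, args, now, decision, reason) -> str:
        self.log.append({"t": now, "agent": cred.agent_id, "tool": tool,
                         "args": args, "decision": decision, "reason": reason})
        return decision

def demo() -> dict:
    """Constructed scenario: an agent that has read an injected instruction tries
    to escalate and then to cover its tracks. Returns decisions and log state."""
    log, out = AuditLog(), {}
    gate = ActionGate(POLICY, log)
    cred = Credential(agent_id="ops-agent-01", issued_at=1000.0)
    acl = {"object": "scada-hmi", "grant": "admin", "to": "contractor@example.test"}
    out["read"] = gate.request(cred, "read_document", {"id": "runbook-17"}, 1010.0)
    out["acl_unapproved"] = gate.request(cred, "change_acl", acl, 1020.0)  # parked for a human
    out["erase"] = gate.request(cred, "delete_audit_log", {}, 1021.0)      # never permitted
    out["forged"] = gate.request(cred, "change_acl", acl, 1030.0, (1200.0, "00" * 32))
    token = human_approve(cred.agent_id, "change_acl", acl, 1200.0)        # reviewer signs off
    out["approved"] = gate.request(cred, "change_acl", acl, 1040.0, (1200.0, token))
    widened = dict(acl, grant="owner")                                     # same token, wider args
    out["reused"] = gate.request(cred, "change_acl", widened, 1041.0, (1200.0, token))
    out["expired"] = gate.request(cred, "read_document", {"id": "runbook-17"}, 1400.0)
    out["chain_ok"], out["entries"] = log.verify(), len(log.records())
    return out
```

Calling demo() walks the scenario: the read runs unattended, the injected ACL change is parked for a human, the attempt to erase the log is refused outright, a guessed approval token fails the MAC check, the genuine approval is honoured only for the exact arguments it was issued for, and every request after the 300-second credential lifetime is refused. In a real deployment the approver key would live in a separate service, the credential would be a signed workload identity rather than a timestamp, and the log would be shipped to a store where the agent's only permission is append.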
The implication for organizations that deployed before this baseline arrived is concrete. An operator that put an agentic workflow into production before May 1, 2026 did so with no external standard to point to, and the new guide offers no regulatory safe harbor for those earlier decisions. When something goes wrong, the accountability gap becomes a liability gap: the logs may not exist in a form auditors can reconstruct, the agent's identity may not be cryptographically verifiable, and the decision trail may be ambiguous about which actions a human authorized and which the agent took on its own. For utilities subject to NERC CIP standards, water systems governed by EPA regulations, or healthcare organizations under HIPAA, whether an agent's actions were "authorized" becomes a compliance question with real exposure, and the guidance does not retroactively answer it.
The agencies' core prescription is integrationist rather than novel. Rather than waiting for purpose-built AI security standards, the guide urges organizations to fold agentic AI into the zero trust, defense-in-depth, and least-privilege frameworks they already operate. The skeptic's view is fair: this sounds like existing security advice with a new threat model bolted on. The agencies' answer is that some risks are genuinely novel — particularly the combination of autonomous action, tool chaining, and opaque decision logs — and existing frameworks did not anticipate the specific failure modes that emerge when a language model acts on its own across multiple systems without stopping at each step.
What the guidance does not include is enforcement teeth. It recommends; it does not require. The agencies acknowledge the security field has not caught up. "Until security practices, evaluation methods and standards mature, organisations should assume that agentic AI systems may behave unexpectedly and plan deployments accordingly," the document reads.
That assumption, that the system should be expected to misbehave, is a notable posture for five governments to adopt simultaneously. It reflects how quickly agents moved from pilots to operational roles without a corresponding security review cycle. The guidance arrived not because a failure prompted it, but because deployment is already happening and the frameworks to govern it are still being written. Regulators in the U.S. and allied nations will likely reference this baseline in future audits and compliance reviews; operators who can show they aligned to it early will be better positioned than those who have to retrofit after an incident triggers scrutiny.