Lead story
Five Eyes to Enterprises: Your Agentic AI Is Running Ahead of Your Security
The intelligence agencies of Australia, the US, the UK, Canada, and New Zealand don't usually agree on much in public. When they do, it's worth paying attention. Yesterday, the Five Eyes published a joint advisory warning that the rapid deployment of agentic AI systems — AI that can take autonomous actions, chain tasks together, and operate across enterprise tools without human sign-off at each step — is outpacing the security frameworks organisations have in place to govern them.
The advisory isn't abstract. Agentic AI is already showing up in enterprise environments as automated code reviewers, IT helpdesk agents, supply chain orchestrators, and customer service systems with access to live databases. The problem the Five Eyes are pointing at is structural: these systems inherit credentials, operate across trust boundaries, and make consequential decisions in ways that traditional access control and audit frameworks weren't designed to handle.
The specific risks flagged include prompt injection (where malicious content in the environment hijacks agent behaviour), privilege escalation (agents accumulating permissions beyond their original scope), supply chain compromise (poisoned tools or APIs that agents call autonomously), and insufficient logging (agentic actions often happen faster and deeper than human-readable audit trails capture). Each of these is a known risk in isolation. The advisory's concern is that agentic architectures combine all four simultaneously.
The timing matters. Enterprise AI deployment has accelerated sharply since late 2025, with vendors including Microsoft, Salesforce, ServiceNow, and Google all shipping agentic features into products already running inside critical infrastructure. The agencies note that many deployments are happening under existing software procurement processes that weren't designed to evaluate autonomous decision-making systems.
For Australian organisations, this advisory lands squarely within the scope of existing obligations. The SOCI Act requires operators of critical infrastructure to manage risks to systems, including third-party and automated processes. The ASD's Essential Eight doesn't yet have explicit agentic AI guidance, but the advisory aligns closely with application control and least-privilege principles. The ACSC is one of the Five Eyes signatories, meaning Australian defenders should treat this as a domestic directive, not just international commentary.
The practical recommendations in the advisory are sensible if unglamorous: apply least-privilege to agent identities, treat agent-to-agent communication as an untrusted channel, log agent actions at the same fidelity as human actions, and conduct red-team exercises that specifically test agentic attack paths. The advisory also calls out the risk of over-relying on vendor safety claims — the fact that a model has built-in guardrails doesn't mean the broader agentic system is secure.
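Three of those recommendations (least-privilege agent identities, agent-to-agent messages treated as untrusted, agent actions logged with the same fields as human actions) can be enforced at a single gate in front of the tools an agent calls. The sketch below is an added example, not code from the advisory or any vendor; the agent names, scopes, keys and message layout are all constructed for illustration.

```python
import hashlib, hmac, json, time

# Constructed policy: each agent identity gets only the tool scopes it needs.
AGENT_SCOPES = {
    "helpdesk-agent": {"ticket.read", "ticket.comment"},
    "code-review-agent": {"repo.read"},
}
# Constructed demo keys; real keys would come from a secrets manager.
AGENT_KEYS = {"helpdesk-agent": b"k1-demo", "code-review-agent": b"k2-demo"}
AUDIT_LOG = []  # stands in for an append-only log sink


def sign(sender, body):
    """HMAC-SHA256 over the canonical JSON body, keyed per sending agent."""
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AGENT_KEYS[sender], raw, hashlib.sha256).hexdigest()


def audit(actor, tool, decision, reason, on_behalf_of=None):
    """Record who, what, when, outcome and why, as for a human action."""
    rec = {"ts": time.time(), "actor": actor, "actor_type": "agent",
           "on_behalf_of": on_behalf_of, "tool": tool,
           "decision": decision, "reason": reason}
    AUDIT_LOG.append(rec)
    return rec


def authorize(msg):
    """Gate one agent-originated tool request; returns the audit record."""
    sender, body, tag = msg.get("sender"), msg.get("body"), msg.get("sig")
    tool = body.get("tool") if isinstance(body, dict) else None
    if (not isinstance(sender, str) or sender not in AGENT_KEYS
            or not isinstance(body, dict)):
        return audit(str(sender), tool, "deny", "unknown sender or malformed body")
    if not isinstance(tag, str) or not hmac.compare_digest(
            tag.encode(), sign(sender, body).encode()):
        return audit(sender, tool, "deny", "bad signature")
    # Authenticated is not trusted: the body is still schema-checked and the
    # request is judged against the sender's own scopes, nobody else's.
    if set(body) != {"tool", "args", "on_behalf_of"} or not isinstance(tool, str):
        return audit(sender, tool, "deny", "schema violation")
    if tool not in AGENT_SCOPES[sender]:
        return audit(sender, tool, "deny", "outside agent scope", body["on_behalf_of"])
    return audit(sender, tool, "allow", "in scope", body["on_behalf_of"])
```

Denials are logged with the same record shape as approvals, so an agent repeatedly probing outside its scope shows up in the same audit trail a human account would.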
What to watch: how quickly enterprise security vendors translate this guidance into tooling, and whether the ASD follows up with Australia-specific controls for sectors already deep into agentic AI deployments — financial services and federal government procurement being the two most obvious candidates. The advisory is the opening shot of what will likely be a multi-year regulatory conversation about who is responsible when an AI agent does something it wasn't supposed to.
