CISA Drew the Red Lines on Agentic AI — Most Are Already Across
On April 30 and May 1, 2026, six national cybersecurity agencies jointly published Careful Adoption of Agentic AI Services, a 28-page guidance document on securing autonomous AI agents — the first time these agencies have coordinated on a single AI attack surface. The language is unusually direct: do not grant agents broad or unrestricted access, start with low-risk and non-sensitive use cases only, fold agentic AI into the existing security model rather than treating it as an experiment.
As reported in CSO Online, the agencies emphasized that strict adherence to least privilege is critical for agentic AI — naming privilege risk as a primary concern. That sentence is a problem for most enterprises. The Kiteworks 2026 Forecast found 63% of organizations cannot enforce purpose limitations on AI agents, 60% cannot quickly terminate a misbehaving agent, and 55% cannot isolate AI systems from broader network access. Those are the exact controls the advisory now expects — and it converts them from a research-backed gap into a compliance gap.
5 Key Takeaways
1. The Five Eyes joint advisory raises the agentic AI bar.
Six national cybersecurity agencies — CISA, NSA, Australia’s ASD ACSC, the Canadian Centre for Cyber Security, the UK’s NCSC, and New Zealand’s NCSC — jointly published Careful Adoption of Agentic AI Services. Six agencies do not coordinate on guidance lightly. The practical effect: “best practice” becomes “expected practice” almost immediately. Internal auditors cite it. Regulators reference it. Plaintiffs’ lawyers attach it to discovery requests. The AI governance gap it documents is now a compliance gap.
2. Privilege creep is the headline risk.
The advisory puts least-privilege enforcement, capability inventories, and tightly scoped data access at the top of the agentic AI control set. This is a problem for most enterprises: privilege creep is exactly what agentic AI deployments tend to produce. The Kiteworks 2026 Forecast found 63% of organizations cannot enforce purpose limitations on AI agents — the exact control the advisory now expects. A research-backed gap is now an audit finding waiting to be written.
3. Continuous auditing is no longer optional.
Operators are expected to maintain traceability for every decision and action an agent takes. The Kiteworks 2026 Forecast found 33% of organizations lack evidence-quality audit trails and 61% run fragmented logs that are not actionable. A regulator asking for evidence that a specific agent did not access a specific record on a specific date will not accept “the system prompt said it shouldn’t.” The accountability category is where most programs collapse.
4. Five risk categories now define agentic AI security.
Privilege, design and configuration, behavior, structural, and accountability risks are the new framework. Each maps to a question auditors will ask: Who authorized this? What did the agent access? Can you produce the log? Can you explain the decision? If the answer to any of those is “we are not sure,” the program does not meet the standard the advisory just set. The accountability category is the hardest to retrofit and the most important to get right.
5. The data layer is where this gets real.
System prompts are instructions, not controls. Runtime guardrails operate on the host, not the data. Both can be bypassed. Only data-layer enforcement — attribute-based access controls independent of the model, tamper-evident audit trails, and cryptographic identity — produces evidence regulators will accept after the model has been updated or retired.
Five Risk Categories That Will Define Agentic AI Programs
The joint guidance organizes agentic AI risk into five categories, as covered by CyberScoop. Each maps directly to questions an auditor, regulator, or plaintiff’s expert will ask.
Privilege risks. Agents granted too much access turn a single compromise into a far-reaching breach. The advisory calls for capability inventories, scoped permissions, and verified cryptographic identity per agent.
Design and configuration risks. Poor setup creates security gaps before the system goes live. Threat modeling, secure-by-design architecture, and configuration validation must happen before deployment.
Behavioral risks. Agents pursue goals in ways their designers never predicted. Goal misalignment and deceptive behavior are explicitly named — the advisory does not pretend prompt injection is solved.
Structural risks. Networks of interconnected agents cascade failures. When one agent’s compromised output becomes another agent’s input, the blast radius compounds. The 55% of organizations that cannot isolate AI systems from broader network access have no practical way to bound this risk category.
Accountability risks. Decisions made through opaque processes, logs that are hard to parse, and chains of action that cannot be reconstructed after the fact. This is where most programs collapse. It is also the hardest category to retrofit once agents are already in production.
Why System Prompts and Runtime Guardrails Will Not Pass an Audit
The joint guidance requires agentic AI to be folded into existing zero-trust, defense-in-depth, and least-privilege frameworks. System prompts are instructions, not controls. Runtime guardrails operate on the host, not the data. Both can be bypassed by indirect prompt injection, model updates, or an adversary who controls the inputs the agent processes. Foundational research on indirect prompt injection showed years ago that invisible instructions hidden in retrieved content can hijack LLM-integrated applications. The problem has not been solved, and several major AI companies have publicly conceded it may never be fully solved.
The accountability problem compounds this. When a model is updated, retired, or replaced — which happens frequently — the audit trail tied to that model evaporates. A regulator three years from now asking for evidence about a specific agent action will not accept “the system prompt said it shouldn’t.” Controls at the model layer cannot produce audit-defensible evidence. Controls at the runtime layer cannot enforce data-handling policies. The only layer that satisfies both the advisory and a downstream auditor is the data layer — where every access decision is logged, every authorization is verified, and every action is attributable to a human-authorized session.
Where the Containment Gap Lives Today
The five containment controls the advisory implicitly requires map directly to the Kiteworks 2026 Forecast’s measured gaps:
Purpose binding. 63% cannot enforce purpose limitations on AI agents. The advisory’s least-privilege requirement assumes you can.
Kill switch capability. 60% cannot quickly terminate a misbehaving agent. The advisory’s human-in-the-loop guidance assumes a meaningful ability to stop.
Network isolation. 55% cannot isolate AI systems from broader network access. Without isolation, the structural risk category — cascading failures across interconnected agents — cannot be bounded.
Input validation. A majority cannot validate AI inputs. Indirect prompt injection survives every other control if inputs are not validated.
Continuous monitoring. Roughly two in five organizations have no continuous monitoring of AI activity. The advisory’s traceability requirement is impossible without it.
These are not point-product failures. They are governance architecture failures — the absence of a unified place where AI agent access, identity, policy, and audit can be enforced and proved.
Architecture Over Aspiration: Where Agentic AI Governance Has to Live
The architectural answer to the joint advisory is data-layer governance, independent of the model and independent of the runtime. The model can be updated, compromised, or replaced. The runtime can be bypassed. The data layer is the only layer where access decisions, identity verification, policy enforcement, and tamper-evident logging can be guaranteed across every agent interaction — regardless of which model is running, which prompt is being processed, or which agent framework is in use.
The Kiteworks Secure MCP Server and AI Data Gateway implement this pattern: every agent request is authenticated via OAuth 2.0, evaluated against ABAC policy in the Kiteworks Data Policy Engine, encrypted with FIPS 140-3 validated cryptography, and logged in a tamper-evident audit trail feeding existing SIEM and compliance infrastructure. The Kiteworks Private Data Network extends that governance across email, file sharing, MFT, SFTP, web forms, and APIs under one policy engine and one consolidated audit log.
Less than half of enterprises today have a centralized AI data gateway — the architectural foundation the advisory now effectively requires. The controls that live above that layer can be talked around. The data layer cannot.
What Organizations Need to Do Before the Next Audit
First, inventory every agent. Build a complete map of every agentic AI system currently operating — internal copilots, embedded SaaS agents, departmental pilots, third-party tools. Most organizations will discover shadow AI they did not know existed. Until the inventory is complete, no other control matters.
Second, audit the gap. Map current capabilities against the five risk categories and identify which controls will fail an audit today. Most organizations will discover they cannot enforce purpose limitations and lack a clean termination path. That output becomes the agentic AI roadmap.
Third, enforce least privilege at the data layer. Authorization decisions for AI agent access to sensitive data must happen at the data layer, with attribute-based access controls respecting data classification, jurisdiction, and the human user the agent is acting on behalf of. A centralized AI data gateway is the architectural foundation the advisory now effectively requires.
Fourth, build tamper-evident audit trails for every agent action. Every agent interaction with regulated data needs to be logged with sufficient detail to reconstruct who authorized what, when, and why — across the full lifecycle of the data, not just the lifecycle of the model.
Fifth, treat the joint advisory as the floor, not the ceiling. Organizations under EU AI Act pressure are notably ahead on every major AI control. The advisory will move the bar globally. Get ahead of the standard before it becomes the rule — organizations waiting for region-specific enforcement will be retrofitting governance under deadline pressure.
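As an added example (not code from this page or from Kiteworks), a minimal data-layer gateway in Python that ties together the five containment controls listed under "Where the Containment Gap Lives Today" and steps three and four above: human-authorized sessions bound to one purpose, an ABAC decision on data classification and jurisdiction, a kill switch, and a hash-chained audit log whose verifier detects an edited, removed or reordered entry. The policy, record catalogue and sessions are constructed sample data, and the class and field names are hypothetical.

```python
import hashlib, json

# Constructed sample data: hypothetical policy, records and human-authorized agent sessions.
POLICY = {("phi", "US"): {"clinician"},             # (classification, jurisdiction) -> roles
          ("internal", "*"): {"clinician", "analyst"}}
RECORDS = {"rec-1": {"class": "phi", "juris": "US"}, "rec-2": {"class": "internal", "juris": "EU"}}
SESSIONS = {"s1": {"agent": "agent-a", "user": "alice", "roles": {"clinician"}, "purpose": "triage"},
            "s2": {"agent": "agent-b", "user": "bob", "roles": {"analyst"}, "purpose": "reporting"}}
GENESIS = "0" * 64

def sha(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class DataGateway:
    def __init__(self):
        self.revoked = set()   # kill switch: terminated agent ids
        self.log = []          # hash-chained, tamper-evident audit entries
        self.prev = GENESIS

    def terminate(self, agent):
        self.revoked.add(agent)

    def decide(self, s, purpose, record):
        """ABAC decision at the data layer, per request, independent of the model."""
        if s["agent"] in self.revoked:
            return "deny:agent-terminated"
        if purpose != s["purpose"]:            # purpose binding
            return "deny:purpose-mismatch"
        meta = RECORDS[record]
        allowed = POLICY.get((meta["class"], meta["juris"])) or POLICY.get((meta["class"], "*"), set())
        return "allow" if s["roles"] & allowed else "deny:abac"

    def request(self, session_id, purpose, record, ts):
        """Evaluate one agent request and append a chained audit entry, allow or deny."""
        s = SESSIONS[session_id]
        entry = {"ts": ts, "agent": s["agent"], "user": s["user"], "purpose": purpose,
                 "record": record, "outcome": self.decide(s, purpose, record), "prev": self.prev}
        self.prev = entry["hash"] = sha(entry)  # hash covers every field but itself
        self.log.append(entry)
        return entry["outcome"]

def verify_chain(log):
    """Recompute the chain; an edited, removed or reordered entry breaks it."""
    prev = GENESIS
    for e in log:
        body = {k: v for k, v in e.items() if k != "hash"}
        if body["prev"] != prev or sha(body) != e["hash"]:
            return False
        prev = e["hash"]
    return True
```

Denied requests are logged as well as allowed ones, so the trail can answer "did this agent access this record on this date" regardless of which model or prompt was in use.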
Frequently Asked Questions
Apply the five risk categories: privilege, design and configuration, behavior, structural, and accountability. Require a capability inventory, least-privilege scoping, continuous monitoring, human-in-the-loop checkpoints for sensitive actions, and tamper-evident audit logs before approving deployment. Most agentic AI customer service deployments will fail one or more of these on first review — identifying those gaps before deployment is the value of the advisory framework.
Audit-defensibility for AI agent access to PHI now has a named federal standard. 63% of organizations cannot enforce purpose limitations on AI agents — a control HIPAA's minimum-necessary standard effectively requires. Data-layer ABAC enforcement and tamper-evident audit trails satisfy both HIPAA and the joint advisory simultaneously.
CMMC Level 2 AC, AU, and IA families require enforced authorization for AI agents touching CUI. Only 46% of DIB organizations consider themselves prepared per the Kiteworks 2025 CMMC Preparedness Report, and the joint advisory adds agentic AI controls on top. Data-layer governance with ABAC enforcement satisfies all three control families simultaneously and produces the evidence assessors require.
Yes. The advisory applies to any agentic AI that can plan, decide, or take actions autonomously — which includes Copilot when used with broad permissions. Less than half of enterprises have a centralized AI Data Gateway. Without one, Copilot deployments cannot demonstrate the least-privilege and traceability controls the advisory now expects from any agentic AI system.
Start with a complete inventory of every agentic AI system in the environment, then map controls against the five risk categories in the CISA advisory. The two most common audit findings are inability to enforce purpose limitations and lack of kill-switch capability. Closing both requires data-layer governance — ABAC enforcement, FIPS 140-3 encryption, and tamper-evident audit trails — not model-layer guardrails.