The Five Eyes intelligence alliance — composed of Australia, Canada, New Zealand, the United Kingdom, and the United States — recently published "Careful adoption of agentic AI services", guidance on the cybersecurity risks and best practices associated with bringing agentic AI into enterprise IT environments. Its warning is clear: do not give autonomous AI agents broad or unrestricted access to sensitive data or critical systems.
Agentic AI is fundamentally different from the copilots many organizations have been experimenting with. Where a copilot suggests, an agent acts by interpreting goals, making plans, calling tools, accessing data, interacting with APIs, and executing multi-step workflows with limited human intervention. The Five Eyes guidance describes agentic systems as combining LLMs with external tools, data sources, memory, and orchestration workflows. That creates enormous productivity potential, but it also changes the security model.
The core issue is not whether organizations should adopt agentic AI. They will. The value potential is simply too large to ignore. Capgemini Research Institute estimates that AI agents could generate up to $450 billion in economic value by 2028 through revenue growth and cost savings across surveyed markets. More importantly, that value is tied directly to how work gets done: Capgemini notes that organizations can capture value from agentic AI by “agentifying” high-impact workflows, modernizing data architectures, enforcing data quality, and evolving operating models. As agentic AI moves from task assistance to autonomous workflow execution, the security question becomes more urgent: will organizations treat AI agents like trusted productivity tools — or like privileged digital workers that need identity, access control, segmentation, monitoring, and runtime enforcement?
The Five Eyes guidance highlights several risks that should be on every CISO’s radar: over-privileged agents, weak identity management, prompt injection, goal misalignment, confused deputy scenarios, cascading failures across agent workflows, opaque decision-making, and incomplete logging. In other words, the danger is not only that an AI agent might make a mistake. The danger is that it may make a mistake while holding access to systems, data, tools, and privileges that were never designed for autonomous software actors.
This is especially important in industries where the impact of a bad action is high: government, insurance, energy, manufacturing, utilities, transportation, healthcare, and other critical infrastructure sectors. If an agent can read sensitive data, trigger workflows, modify records, approve transactions, run commands, or interact with operational systems, then that agent must be governed like any other privileged identity.
At Xage Security, we see five practical takeaways from the Five Eyes guidance:
- Every AI agent needs its own identity. Agents should not hide behind shared service accounts or generic application credentials. The Five Eyes guidance recommends treating each agent as a distinct principal with strong identity management. Xage supports this model by assigning every AI agent a unique, cryptographically verifiable identity so every interaction can be authenticated from a secure root of trust.
- Agents should never receive broad access. Least privilege has to become action-level privilege. It is not enough to say an agent can access an application or database. Security teams need to define exactly which API endpoints, MCP tools, resources, commands, and operations that agent is allowed to use. Xage enforces granular access controls so agents are restricted to specific actions on specific resources instead of receiving open network access.
- Standing privileges and long-lived secrets are a major risk. If an agent is compromised through prompt injection, tool misuse, or a third-party integration, static credentials become an attacker’s gift. The Five Eyes guidance recommends just-in-time credentials, cryptographic proofs, and integrity checks for sensitive operations. Xage XPAM dynamically generates short-lived credentials for agent sessions so agents do not directly hold persistent access to protected resources.
- Segmentation is essential. Agentic AI will create new pathways between users, agents, tools, data, APIs, MCP servers, SaaS platforms, and infrastructure. Without segmentation, one compromised or misaligned agent can become a bridge into sensitive systems. Xage uses identity-based microsegmentation to isolate agents and limit blast radius, preventing lateral movement across infrastructure, resources, or other agents.
- Security must happen at runtime. Prompt filters and policy documents are useful, but they are not enough. Organizations need to monitor what agents actually do, not just what users ask them to do. Xage provides real-time visibility into agent requests, detects anomalous behavior, blocks unauthorized API calls, and creates immutable, cryptographically signed audit logs for accountability and investigation.
For a detailed mapping of Xage capabilities against the security recommendations in the "Careful adoption of agentic AI services" guidance, see the table below.
The biggest lesson from the Five Eyes warning is simple: agentic AI security cannot be bolted on after deployment.
Organizations need to design for identity, least privilege, human approval, segmentation, continuous monitoring, and containment from the start. The right question is not, “Can this AI agent complete the task?” The right question is, “What is this agent allowed to do, under what conditions, with whose approval, and how will we prove what happened afterward?”
Agentic AI will become a powerful force multiplier. But without Zero Trust controls, it can also become a privileged attack path.
The enterprises that move fastest with AI will not be the ones that give agents unrestricted access. They will be the ones that give agents the right access, for the right task, at the right time — and nothing more.
From Guidance to Real-World Visibility and Control
At Xage, we are not only sharing lessons learned from the front lines of Zero Trust, critical infrastructure, and AI security. We are building those lessons directly into our products.
Xage recently announced major agentic AI security enhancements to its Zero Trust for AI platform, providing visibility and control over AI agents across SaaS, cloud, in-house data center, and edge environments. The enhancements include Xage Agent Sentry and Xage Resource Gateway, two core capabilities designed to help organizations see what agents are doing, block unauthorized behavior, and maintain detailed logs for governance and audit.
This is exactly the kind of practical security foundation the Five Eyes guidance points toward. Agentic AI cannot be secured by policy documents, prompt filters, or trust alone. It requires deterministic enforcement around the full interaction chain: users, agents, LLMs, MCP servers and tools, APIs, SaaS applications, cloud services, internal systems, and operational environments.
Xage’s approach is built for that reality. Agent Sentry encapsulates the AI agent wherever it runs and monitors what goes into and out of the agent, while Resource Gateway sits in front of critical resources to govern how AI systems interact with them. Together, these capabilities are designed to control the actions agents can actually take at the network-interaction, local event, and OS-call levels, rather than focusing only on prompts or model outputs.
That distinction is critical. As AI agents move from pilots into production, enterprises need more than visibility into prompts. They need provable control over behavior. They need to know which agent acted, which identity it used, which resource it touched, which action it attempted, whether that action was allowed, and what happened next.
The future of AI will not be defined by how much autonomy we give agents. It will be defined by how safely we can control that autonomy.
That is the opportunity in front of us: not to slow AI down, but to make it secure enough to scale.
To learn more, request a demo with a Xage expert.
Careful adoption of agentic AI services – Xage Capability Mapping
The following table maps key security recommendations from the Five Eyes guidance, "Careful adoption of agentic AI services", to the corresponding capabilities of the Xage Security Fabric:
| Recommendation Category & Specific Guidance | Recommendation Description | Xage Fabric Agentic AI Security Capability |
|---|---|---|
| Identity Management: Cryptographic Anchoring | Construct each agent as a distinct principal, a cryptographically anchored identity with its own unique keys or certificates. | Xage Fabric assigns every AI agent a unique, cryptographically verifiable identity. This ensures that every interaction is authenticated based on a secure root of trust rather than easily stolen credentials. |
| Identity Management: Mutual TLS | Authenticate all inter-agent and agent-to-service API calls using mutual transport layer security (mTLS) to ensure non-repudiation. | Xage supports mTLS for all interactions between agents and backend services/tools through the Xage Resource Gateway (no direct access), providing encryption and ensuring that each party in the exchange is validated and approved. |
| Privilege Management: Least Privilege | Apply the principle of least privilege, assigning only the minimum access required for each role and limiting entitlements to exact resources. | Xage provides granular access control. Instead of giving an agent broad network access, Xage restricts it to specific actions (read only, read/write) on specific API endpoints, MCP tools, resources, and commands. |
| Privilege Management: Ephemeral Credentials | Replace static, long-lived secrets with ephemeral credentials that expire when the job is complete. | Xage XPAM (Privileged Access Management) dynamically generates short-lived credentials for agent sessions, removing standing privileges and shrinking the window in which a stolen credential is useful. With Xage, agents never have direct access to resources or to their credentials. |
| Structural Risks: Isolation & Segmentation | Implement isolation and segmentation to limit the blast radius of agent failure scenarios; separate high-risk agents into distinct domains. | Xage uses identity-based microsegmentation to isolate agents and control their actions. This prevents a compromised agent from moving laterally to sensitive infrastructure or other agents. |
| Operational Security: Continuous Monitoring | Monitor all agent operations, including internal processes, tool calls, and decisions made; use anomaly detection to identify unusual patterns. | Xage provides real-time visibility into every agent request. By baselining "normal" behavior, Xage can automatically detect and block anomalous API calls that indicate prompt injection or rogue behavior. |
| Operational Security: Tamper-proof Logs | Maintain comprehensive logs and unified audit logs for all inter-agent interactions to maintain observability. | Xage generates immutable, cryptographically signed audit logs of all agent activities. These logs are stored centrally and are resistant to tampering, even if an agent is compromised. |
| Governance: Human-in-the-loop | Prevent agents from autonomously executing high-impact actions without prior human approval (e.g., system resets, deletion of records). | Xage can enforce just-in-time approval workflows: high-stakes commands, identified from their context, require authorization from a human before Xage allows the command to reach the target system. |
| Input Management: Injection Filters | Integrate prompt injection filters and semantic analysis to detect malicious instructions. | Xage provides guardrails against prompt injection, including malicious prompts, sensitive-information leakage, and PII exposure. In addition, Xage validates that the resulting actions of a prompt align with the agent's identity-based policy, so a jailbreak that slips past the prompt filter still cannot produce an action the policy does not permit. |
| Future Proofing: System-Theoretic Analysis | Use system-theoretic approaches (STPA) to identify security issues emerging from component interactions. | Xage's multi-layer Zero Trust architecture is designed for complex ecosystems, providing the necessary controls (identity, access, logging) to mitigate risks identified during STPA analysis. Xage captures all AI and resource interactions, identifies potential issues, and suggests necessary changes. |
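The five takeaways earlier in the post and the capability-mapping table above describe one enforcement pattern from two angles: a distinct identity per agent, an allow list at the level of tool plus action plus resource, a human countersignature for high-impact actions, a short-lived credential minted per authorized call, and a tamper-evident audit trail. The Python below is an added illustration of that pattern as an in-process policy enforcement point. It is not Xage code and does not describe the Xage Fabric's internals; the agent names, policy rules, HMAC keys (standing in for the per-agent certificates and mTLS the guidance calls for), and sample tool calls are all constructed for the example.

```python
import fnmatch
import hashlib
import hmac
import json
import secrets
import time

# Constructed identities: one secret per agent. Stands in for the per-agent
# certificate / mTLS identity the guidance calls for; never a shared account.
AGENT_KEYS = {
    "billing-agent": b"constructed-key-billing-agent",
    "ops-agent": b"constructed-key-ops-agent",
}
# Constructed key the enforcement point uses to sign its own audit records.
AUDIT_KEY = b"constructed-audit-signing-key"

# Action-level allow list: tool + action + resource glob per agent, rather than
# "access to the database". approval=True marks high-impact actions that must
# be countersigned by a named human before they reach the target.
POLICY = {
    "billing-agent": [
        {"tool": "crm", "action": "read", "resource": "invoices/*"},
        {"tool": "crm", "action": "update", "resource": "invoices/*", "approval": True},
    ],
    "ops-agent": [
        {"tool": "ssh", "action": "exec", "resource": "host/web-*"},
        {"tool": "ssh", "action": "exec", "resource": "host/plc-*", "approval": True},
    ],
}
CREDENTIAL_TTL = 60   # seconds a minted credential stays valid
REPLAY_WINDOW = 30    # seconds a signed request may be in flight
AUDIT_LOG = []        # hash-chained, HMAC-signed records


def _canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(key, obj):
    return hmac.new(key, _canonical(obj), hashlib.sha256).hexdigest()


def sign_request(agent, call, ts):
    """Agent side: bind a tool call to the agent's own identity."""
    body = {"agent": agent, "call": call, "ts": ts}
    return {**body, "sig": _mac(AGENT_KEYS[agent], body)}


def _record(event):
    """Append an audit record chained to the previous one and signed."""
    entry = {**event, "prev": AUDIT_LOG[-1]["mac"] if AUDIT_LOG else "0" * 64}
    entry["mac"] = _mac(AUDIT_KEY, entry)
    AUDIT_LOG.append(entry)


def verify_log(log=None):
    """True only if every record is intact and the chain is unbroken."""
    prev = "0" * 64
    for entry in (AUDIT_LOG if log is None else log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("prev") != prev or not hmac.compare_digest(entry["mac"], _mac(AUDIT_KEY, body)):
            return False
        prev = entry["mac"]
    return True


def authorize(req, approved_by=None, now=None):
    """Enforcement point: identity, action-level policy, approval, JIT credential."""
    now = time.time() if now is None else now
    agent, call = req.get("agent"), req.get("call", {})
    out = {"agent": agent, "call": call, "ts": now, "approved_by": approved_by,
           "allowed": False, "credential": None}

    def deny(reason):
        out["reason"] = reason
        _record(out)
        return out

    key = AGENT_KEYS.get(agent)
    body = {k: req.get(k) for k in ("agent", "call", "ts")}
    if key is None or not hmac.compare_digest(req.get("sig", ""), _mac(key, body)):
        return deny("unauthenticated agent identity")
    if abs(now - req["ts"]) > REPLAY_WINDOW:
        return deny("stale request outside replay window")
    rule = next((r for r in POLICY.get(agent, [])
                 if r["tool"] == call.get("tool") and r["action"] == call.get("action")
                 and fnmatch.fnmatchcase(call.get("resource", ""), r["resource"])), None)
    if rule is None:
        # Whatever the prompt said, an action with no rule is not performed.
        return deny("no policy rule permits this action")
    if rule.get("approval") and not approved_by:
        return deny("high-impact action: human approval required")

    # Mint a credential scoped to exactly this action and valid only briefly;
    # the agent never receives the backend's long-lived secret.
    out["credential"] = {"scope": f"{call['tool']}:{call['action']}:{call.get('resource', '')}",
                         "expires": now + CREDENTIAL_TTL, "token": secrets.token_urlsafe(16)}
    out["allowed"], out["reason"] = True, "allowed"
    # The audit record keeps the credential's scope and expiry, never the token.
    _record({**out, "credential": {k: v for k, v in out["credential"].items() if k != "token"}})
    return out


if __name__ == "__main__":
    t = time.time()
    read = sign_request("billing-agent", {"tool": "crm", "action": "read", "resource": "invoices/2024-001"}, t)
    print("read invoice:", authorize(read, now=t)["reason"])
    # An injected instruction tries to make the billing agent run a PLC command.
    rogue = sign_request("billing-agent", {"tool": "ssh", "action": "exec", "resource": "host/plc-7"}, t)
    print("injected ssh:", authorize(rogue, now=t)["reason"])
    plc = sign_request("ops-agent", {"tool": "ssh", "action": "exec", "resource": "host/plc-7"}, t)
    print("plc exec, no approver:", authorize(plc, now=t)["reason"])
    print("plc exec, approved:", authorize(plc, approved_by="alice", now=t)["reason"])
    print("audit log intact:", verify_log())
```

The rogue request is refused without anything inspecting the prompt: the billing agent's identity simply has no rule for `ssh exec`, which is the action-level check the table's Input Management row relies on rather than a filter. The same signed request replayed under another agent's name fails the identity check, a request older than the replay window is dropped, and editing any field of a past audit record breaks the chain so that `verify_log()` reports it.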