Agentic AI tools are starting to appear in real organisations, not just research labs. These tools don't just generate content or predictions; they can plan, make decisions and take actions on your behalf.

This capability can be beneficial, including in cyber defence, but it can also introduce new risks if used without care. 'Careful adoption of agentic AI services' is new joint guidance, co-authored by the NCSC with international partners, that sets out why organisations should start small, use agents only for low-risk tasks, and apply established cyber security controls from the outset. This blog summarises the key points from that guidance and will be of use to anyone involved in the design, development, deployment and operation of agentic AI systems.

What is agentic AI?

Agentic AI represents the next step for the most advanced generative AI (also known as 'frontier AI'). Rather than outputting a prediction or new content, agentic systems can access data sources, remember context, make decisions, use tools, and take actions in pursuit of a goal. They can operate without continuous human intervention and even create sub-agents to complete specific tasks. This is what makes them useful, but also more hazardous than non-agentic AI tools.

Agentic AI increases the risk

Many risks associated with agentic AI are not new: access control, secure development, supply chain risk, monitoring, incident response and accountability are all still relevant concerns. Agentic AI systems also inherit known LLM risks like susceptibility to jailbreaking and prompt injection, with security challenges evolving as the technology matures.

However, the extra autonomy and complexity of agentic systems can increase the attack surface and make behaviour harder to predict, test and govern. Additional risks include:

  • Broader access - agents can be permitted to access external systems, data and tools in ways that non-agentic AI systems are not
  • Unpredictable behaviour - especially when goals can be interpreted in ways that a human would not expect
  • Harder to spot problems - particularly when actions occur faster than humans can meaningfully review them
  • Challenging to explain - while the workings of non-agentic frontier AI systems are notoriously difficult to interpret, the range of behaviours and tools available to agents make it even more challenging to explain a particular course of action

Approach adoption very carefully

If an agent is over-privileged or poorly designed, a single failure can quickly become a serious incident. It is crucial, therefore, to think before you deploy. Specifically you should:

  • Consider what could go wrong and how failures or misuse could affect operations
  • Reflect on whether AI is really needed, or whether a process could be simplified, removed or automated in a lower-risk way
  • Deploy agentic AI incrementally, starting with tightly bounded pilots using clearly defined tasks, and build confidence in the system before you expand the scope

Develop and adopt agentic AI with security in mind

Think about what could happen if an agent misunderstood its task, exceeded its intended scope or was manipulated, and never grant an agent unrestricted access to sensitive data or critical systems. Ensure you maintain ongoing visibility of the system's operation, and understand how to retain meaningful human oversight and control. If you cannot understand, monitor or contain an agent's actions, it is not ready for deployment.

Insist on human accountability

A system may take an action, but humans remain accountable for:

  • The decision to deploy it
  • The access it was granted
  • The safeguards around it
  • The consequences of its operation

You should be clear about who owns an agentic system, who approves its access, who monitors its behaviour, who reviews incidents, and ultimately who can stop it. These responsibilities should be defined before the agent is connected to real systems or data and, crucially, responsible individuals should be empowered and incentivised to intervene if necessary.

Apply cyber security best practice

As ever, following established best practice remains the starting point. Agentic AI risks and mitigations should be aligned and integrated with your existing security model and risk posture. ETSI EN 304 223: Securing Artificial Intelligence (pdf) outlines baseline cyber security requirements for AI systems writ large, including agentic systems.

Practical steps include:

  • Apply least privilege - give agents only the minimum access they need, for the shortest time required
  • Limit scope - constrain what an agent can access, what actions it can take and when it can take them
  • Avoid long-lived credentials - use temporary credentials where possible and revoke elevated access when tasks are complete
  • Use secure defaults - design applications with safe configurations, secure protocols and appropriate validation
  • Understand dependencies - manage supply chain risk for third-party components, models, tools and integrations
  • Monitor behaviour - look for unusual or unexpected activity across tools, workflows and connected systems
  • Threat-model the deployment - consider how the system could be misused, manipulated or caused to behave unexpectedly
  • Plan for incidents - ensure response plans cover agentic AI failures, misuse and loss of control
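The following is an added example, not code from the NCSC or from the guidance it summarises. It shows how several of the steps above (least privilege, limited scope, temporary credentials, monitoring of unusual activity) and the "who can stop it" requirement from the accountability section can be enforced in one place: a small gate that every agent tool call must pass through. The tool names, targets, time limits and thresholds are constructed, hypothetical values.

```python
# Added example (not NCSC code): a minimal policy gate between an agent and
# the tools it may call. All tool names, targets and limits are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass
class Grant:
    """A scoped, short-lived permission for one tool (least privilege)."""
    tool: str
    targets: FrozenSet[str]   # the only resources this tool may touch
    expires_at: float         # epoch seconds; the grant is temporary by design
    max_calls: int            # hard cap on actions taken under this grant
    calls: int = 0


class ToolGate:
    """Mediates every agent action: scope, expiry, call cap, human stop, audit."""

    def __init__(self, clock: Callable[[], float], denial_alert_threshold: int = 3):
        self.clock = clock                      # injectable for testing
        self.grants: Dict[str, Grant] = {}
        self.audit: List[Tuple[float, str, str, str]] = []  # (time, tool, target, outcome)
        self.halted = False
        self.denial_alert_threshold = denial_alert_threshold

    def grant(self, tool: str, targets, ttl_seconds: float, max_calls: int) -> None:
        """Issue a bounded grant; nothing is allowed unless explicitly granted."""
        self.grants[tool] = Grant(tool, frozenset(targets), self.clock() + ttl_seconds, max_calls)

    def revoke(self, tool: str) -> None:
        """Revoke elevated access as soon as the task is complete."""
        self.grants.pop(tool, None)

    def halt(self) -> None:
        """Human stop: no further actions are authorised until a person clears it."""
        self.halted = True

    def authorise(self, tool: str, target: str) -> Tuple[bool, str]:
        """Decide one action and record it, allowed or not, in the audit log."""
        outcome = self._decide(tool, target)
        self.audit.append((self.clock(), tool, target, outcome))
        return outcome == "allow", outcome

    def _decide(self, tool: str, target: str) -> str:
        if self.halted:
            return "deny:halted"
        g = self.grants.get(tool)
        if g is None:
            return "deny:no-grant"            # tool was never granted to this agent
        if self.clock() >= g.expires_at:
            self.grants.pop(tool)             # expired credentials are dropped, not reused
            return "deny:expired"
        if target not in g.targets:
            return "deny:out-of-scope"        # granted tool, but not for this resource
        if g.calls >= g.max_calls:
            return "deny:call-cap"
        g.calls += 1
        return "allow"

    def unusual_activity(self) -> bool:
        """Monitoring hook: a burst of denials is a signal a human should review."""
        denials = sum(1 for _, _, _, outcome in self.audit if outcome != "allow")
        return denials >= self.denial_alert_threshold


def run_demo() -> Tuple[List[str], bool]:
    """Walk a pilot-scoped agent through allowed, out-of-scope, ungranted,
    expired and halted actions; returns the outcomes and the monitoring alert."""
    now = [1000.0]                                   # fake clock, advanced by hand
    gate = ToolGate(clock=lambda: now[0], denial_alert_threshold=3)
    # Pilot scope: read two specific tickets, for 60 seconds, at most 5 reads.
    gate.grant("read_ticket", {"T-101", "T-102"}, ttl_seconds=60, max_calls=5)

    outcomes = []
    outcomes.append(gate.authorise("read_ticket", "T-101")[1])         # allow
    outcomes.append(gate.authorise("read_ticket", "T-999")[1])         # out of scope
    outcomes.append(gate.authorise("send_email", "ops@example.invalid")[1])  # never granted
    now[0] += 61                                                        # credential ages out
    outcomes.append(gate.authorise("read_ticket", "T-102")[1])         # expired
    alert = gate.unusual_activity()                                     # 3 denials -> alert

    gate.halt()                                                         # a person stops the agent
    gate.grant("read_ticket", {"T-101"}, ttl_seconds=60, max_calls=5)  # even a fresh grant...
    outcomes.append(gate.authorise("read_ticket", "T-101")[1])         # ...does not override halt
    return outcomes, alert


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

The design choice worth noting is that the gate is deny-by-default and the agent never sees the credentials themselves: it asks for an action, and the gate decides. That keeps the blast radius of a manipulated or confused agent bounded by whatever a human chose to grant, and the audit log gives the "ongoing visibility" the guidance asks for without relying on the agent to report honestly.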

A cautious but practical approach

Agentic AI is likely to offer significant benefits in many scenarios, particularly where tasks are repetitive, well-understood and low risk. The NCSC understand the desire to realise these benefits, and are encouraging responsible, thoughtful, and scalable adoption. Start small, apply existing cyber hygiene and governance from the start and plan for failure (including how you would respond to it).

For more detailed mitigations, please refer to the full 'Careful adoption of agentic AI services' guidance.