When it comes to using agentic AI, make sure you can walk before you run.
Agentic AI tools are starting to appear in real organisations, not just research labs. These tools don’t just generate content or predictions; they can plan, make decisions and take actions on your behalf.
This capability can be beneficial, including in cyber defence, but it can also introduce new risks if used without care. 'Careful adoption of agentic AI services’ is new joint guidance, co-authored by the NCSC with international partners, that sets out why organisations should start small, use agents only for low-risk tasks, and apply established cyber security controls from the outset.
This blog summarises the key points from that guidance, and will be of use to anyone involved in the design, development, deployment and operation of agentic AI systems.
What is agentic AI?
Agentic AI represents the next step for the most advanced generative AI (also known as ‘frontier AI’). Rather than outputting a prediction or new content, agentic systems can access data sources, remember context, make decisions, use tools, and take actions in pursuit of a goal. They can operate without continuous human intervention and even create sub-agents to complete specific tasks. This is what makes them useful, but also more hazardous than non-agentic AI tools.
Agentic AI increases the risk
Many risks associated with agentic AI are not new: access control, secure development, supply chain risk, monitoring, incident response and accountability are all still relevant concerns. Agentic AI systems also inherit known LLM risks like susceptibility to jailbreaking and prompt injection, with security challenges evolving as the technology matures.
However, the extra autonomy and complexity of agentic systems can increase the attack surface and make behaviour harder to predict, test and govern. Additional risks include:
- broader access – agents can be permitted to access external systems, data and tools in ways that non-agentic AI systems are not
- unpredictable behaviour – especially when goals can be interpreted in ways that a human would not expect
- harder to spot problems – particularly when actions occur faster than humans can meaningfully review them
- challenging to explain – while the workings of non-agentic frontier AI systems are notoriously difficult to interpret, the range of behaviours and tools available to agents makes it even more challenging to explain a particular course of action
Approach adoption very carefully
If an agent is over‑privileged or poorly designed, a single failure can quickly become a serious incident. It is crucial, therefore, to think before you deploy. Specifically you should:
- consider what could go wrong and how failures or misuse could affect operations
- reflect on whether AI is really needed, or whether a process could be simplified, removed or automated in a lower-risk way
- deploy agentic AI incrementally, starting with tightly bounded pilots using clearly defined tasks, and build confidence in the system before you expand the scope
Develop and adopt agentic AI with security in mind
Think about what could happen if an agent misunderstood its task, exceeded its intended scope or was manipulated, and never grant an agent unrestricted access to sensitive data or critical systems. Ensure you maintain ongoing visibility of the system’s operation, and understand how to retain meaningful human oversight and control. If you cannot understand, monitor or contain an agent’s actions, it is not ready for deployment.
Insist on human accountability
A system may take an action, but humans remain accountable for:
- the decision to deploy it
- the access it was granted
- the safeguards around it
- the consequences of its operation
You should be clear about who owns an agentic system, who approves its access, who monitors its behaviour, who reviews incidents, and ultimately who can stop it. These responsibilities should be defined before the agent is connected to real systems or data and, crucially, responsible individuals should be empowered and incentivised to intervene if necessary.
Apply cyber security best practice
As ever, following established best practice remains the starting point. Agentic AI risks and mitigations should be aligned and integrated with your existing security model and risk posture. ETSI EN 304 223: Securing Artificial Intelligence (pdf) outlines baseline cyber security requirements for AI systems writ large, including agentic systems.
Practical steps include:
- apply least privilege – give agents only the minimum access they need, for the shortest time required
- limit scope – constrain what an agent can access, what actions it can take and when it can take them
- avoid long-lived credentials – use temporary credentials where possible and revoke elevated access when tasks are complete
- use secure defaults – design applications with safe configurations, secure protocols and appropriate validation
- understand dependencies – manage supply chain risk for third-party components, models, tools and integrations
- monitor behaviour – look for unusual or unexpected activity across tools, workflows and connected systems
- threat-model the deployment – consider how the system could be misused, manipulated or caused to behave unexpectedly
- plan for incidents – ensure response plans cover agentic AI failures, misuse and loss of control
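As an added illustration of the first three steps and the monitoring step (example code written for this summary, not part of the NCSC guidance or any agent framework), the sketch below puts a policy gateway between an agent and its tools: each task gets a credential scoped to a named set of tools with a hard expiry, every call is audited, and repeated out-of-scope attempts raise a review flag. The `ToolGateway`, `TaskCredential` and the ticket-triage tools are hypothetical and constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical policy gate in front of an agent's tools (not a real framework
# API): least privilege, bounded scope, short-lived credentials, monitoring.
@dataclass
class TaskCredential:
    allowed_tools: frozenset   # scope: the only tools this task may invoke
    expires_at: float          # short-lived: hard expiry, epoch seconds
    revoked: bool = False      # revoke elevated access once the task is done

def issue_credential(allowed_tools, ttl_seconds, now):
    """Mint a credential bound to one task's tool set with a hard expiry."""
    return TaskCredential(frozenset(allowed_tools), now + ttl_seconds)

class ToolGateway:
    """Every agent action passes through here; the agent never holds raw tools."""
    def __init__(self, tools, denial_alert_threshold=2):
        self.tools, self.audit, self.denials, self.threshold = tools, [], 0, denial_alert_threshold

    def call(self, cred, tool, args, now):
        reason = None
        if cred.revoked or now >= cred.expires_at:
            reason = "credential expired or revoked"
        elif tool not in cred.allowed_tools or tool not in self.tools:
            reason = "tool outside task scope"
        self.audit.append({"t": now, "tool": tool, "args": args, "reason": reason})
        if reason:
            self.denials += 1
            raise PermissionError(f"{tool}: {reason}")
        return self.tools[tool](**args)

    def needs_review(self):
        """Monitoring hook: repeated out-of-scope attempts mean stop and inspect."""
        return self.denials >= self.threshold

def demo():
    # Constructed sample: a ticket-triage agent that is only allowed to read.
    tools = {"read_ticket": lambda ticket_id: f"ticket {ticket_id}: printer offline",
             "close_ticket": lambda ticket_id: f"ticket {ticket_id}: closed"}
    gw = ToolGateway(tools)
    cred = issue_credential({"read_ticket"}, ttl_seconds=60, now=1000.0)
    outcomes = []
    calls = (("read_ticket", 1001.0), ("close_ticket", 1002.0), ("read_ticket", 1070.0))
    for tool, when in calls:  # third call comes after the 60 s expiry
        try:
            outcomes.append(gw.call(cred, tool, {"ticket_id": 42}, now=when))
        except PermissionError as err:
            outcomes.append(f"denied: {err}")
    return outcomes, gw.needs_review()
```

The audit list is what an operator would ship to monitoring; the `needs_review` flag is the point at which a human, not the agent, decides whether to continue.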
A cautious but practical approach
Agentic AI is likely to offer significant benefits in many scenarios, particularly where tasks are repetitive, well-understood and low risk. The NCSC understand the desire to realise these benefits, and are encouraging responsible, thoughtful, and scalable adoption. Start small, apply existing cyber hygiene and governance from the start and plan for failure (including how you would respond to it).
For more detailed mitigations, please refer to the full Careful adoption of agentic AI services guidance.
Martin R
Data Science and AI Research, NCSC
Dr Kate S
Technical Director for Security of AI Research, NCSC