New Zealand’s National Cyber Security Centre (NCSC-NZ) and its Five Eyes partners have issued joint guidance on “agentic” artificial intelligence, outlining expectations for how autonomous AI systems should be deployed and governed across government, critical infrastructure, and industry, including insurance. The document addresses agentic AI built on large language models (LLMs) that can interpret their environment, plan intermediate steps, and carry out actions through integrated tools, often with limited human intervention.
The agencies state that these systems introduce security, governance, and accountability risks that differ from those of traditional software and earlier forms of generative AI. The authoring agencies “strongly recommend aligning agentic AI risks and mitigation strategies with your organisation’s existing security model and risk posture”. They also advise “never granting it broad or unrestricted access, especially to sensitive data or critical systems” and say organisations should “only use agentic AI for low-risk and non-sensitive tasks.”
The guidance – co-authored by the Australian Signals Directorate’s Australian Cyber Security Centre, the United States Cybersecurity and Infrastructure Security Agency and National Security Agency, the Canadian Centre for Cyber Security, NCSC‑NZ, and the United Kingdom National Cyber Security Centre – positions agentic AI within mainstream cyber security rather than as a separate technology issue. Agentic systems are described as combining an LLM with external tools, data sources, memory, and orchestration workflows. They are intended to operate without continuous human oversight and, in some implementations, can create sub‑agents to complete specific subtasks. This design supports the completion of loosely defined objectives, but also broadens the range of components that must be secured.
According to the guidance, agentic AI inherits known LLM weaknesses such as prompt injection and hallucination and extends these risks through autonomous tool use, multi‑step workflows, and interconnected modules. The document notes that continuous information flows between AI and non‑AI systems can blur traditional network and application boundaries, making it harder to isolate AI‑related risk from the wider cyber threat environment. This convergence of AI and traditional IT risk is relevant both to internal use of AI agents in underwriting, claims, or customer servicing and to the risk profiles of insured organisations adopting similar technologies in their own operations.
The guidance sets out several main categories of security concern that may affect how organisations design controls and how insurers assess exposure. On privileges, the agencies highlight the impact of over‑broad access rights for agents and weak identity management. These can lead to privilege compromise, scope creep, identity spoofing, and “confused deputy” scenarios. In one example, a procurement agent with wide access to financial systems and contract repositories is compromised via a low‑risk integrated tool. An attacker then uses the agent’s trusted identity to alter contracts and approve payments without immediate detection, while logs appear routine.
Behavioural risks cover goal misalignment, specification gaming, misinterpretation of human intent, and deceptive conduct. The paper notes that an AI agent tasked with maximising system uptime might choose to disable security updates to avoid reboots, fulfilling its objective while undermining protective controls. Structural risks stem from tightly linked agents, tools, and data pipelines. The guidance describes how relatively minor orchestration errors can lead to repeated replanning, increased tool calls, resource strain, and cascading failures. In some scenarios, outputs based on hallucinated or incorrect information from one agent can be treated as valid inputs by others. Third‑party components add further risk where tools are misconfigured, impersonated, or allowed to load untrusted code. The document also points to accountability challenges when multiple agents collaborate on tasks, such as approving payments or updating records. Opaque internal reasoning and fragmented logging can make it difficult to reconstruct how a specific outcome occurred or where responsibility sits.
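The structural risks described above (repeated replanning, tool-call storms) and the identity and privilege changes the guidance later asks operators to monitor are the kind of thing a security team can pick out of agent activity logs. The following is an added illustration, not code from the guidance or any of the authoring agencies: a sweep over a small, constructed agent activity log that flags replanning loops, bursts of tool calls from a single agent, and any grant of new privileges. The log format, field names, thresholds, agent and task identifiers are all assumptions made for the example.

```python
"""Monitoring sweep over agent activity logs (added example, not from the guidance).

Flags three patterns the guidance associates with structural and privilege risk:
  * repeated replanning by one agent on one task (an orchestration loop),
  * a burst of tool calls from one agent inside a short window (resource strain),
  * any change to an agent's privileges, which always warrants human review.
The log lines, field names and thresholds below are constructed for this example.
"""
import json
from collections import defaultdict, deque
from typing import Dict, List

# Constructed JSON-lines activity log; 'ts' is seconds since an arbitrary epoch.
SAMPLE_LOG = """
{"ts": 0,   "agent": "agent-a", "event": "tool_call",     "task": "T1", "tool": "contracts.read"}
{"ts": 5,   "agent": "agent-a", "event": "replan",        "task": "T1"}
{"ts": 10,  "agent": "agent-a", "event": "tool_call",     "task": "T1", "tool": "web.fetch"}
{"ts": 15,  "agent": "agent-a", "event": "replan",        "task": "T1"}
{"ts": 20,  "agent": "agent-a", "event": "tool_call",     "task": "T1", "tool": "web.fetch"}
{"ts": 25,  "agent": "agent-a", "event": "replan",        "task": "T1"}
{"ts": 30,  "agent": "agent-a", "event": "tool_call",     "task": "T1", "tool": "web.fetch"}
{"ts": 35,  "agent": "agent-a", "event": "tool_call",     "task": "T1", "tool": "web.fetch"}
{"ts": 40,  "agent": "agent-a", "event": "tool_call",     "task": "T1", "tool": "web.fetch"}
{"ts": 100, "agent": "agent-b", "event": "tool_call",     "task": "T2", "tool": "contracts.read"}
{"ts": 110, "agent": "agent-b", "event": "scope_granted", "scope": "payments:approve", "by": "orchestrator"}
{"ts": 120, "agent": "agent-b", "event": "tool_call",     "task": "T2", "tool": "payments.approve"}
"""

REPLAN_LIMIT = 3      # replans of one task by one agent before we call it a loop
BURST_WINDOW_S = 60   # sliding window for tool-call rate
BURST_LIMIT = 5       # tool calls inside the window that count as a burst


def parse_log(text: str) -> List[Dict]:
    """Parse JSON-lines text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_alerts(events: List[Dict]) -> List[Dict]:
    """Single pass over time-ordered events; each alert fires once per agent/task."""
    alerts: List[Dict] = []
    replans: Dict[tuple, int] = defaultdict(int)        # (agent, task) -> replan count
    call_windows: Dict[str, deque] = defaultdict(deque)  # agent -> recent call timestamps
    burst_alerted = set()

    for e in events:
        agent, kind, ts = e["agent"], e["event"], e["ts"]

        if kind == "replan":
            key = (agent, e["task"])
            replans[key] += 1
            if replans[key] == REPLAN_LIMIT:  # fire exactly once when the limit is reached
                alerts.append({"kind": "replan_loop", "agent": agent, "task": e["task"], "ts": ts})

        elif kind == "tool_call":
            window = call_windows[agent]
            window.append(ts)
            while window and ts - window[0] > BURST_WINDOW_S:  # drop calls outside the window
                window.popleft()
            if len(window) >= BURST_LIMIT and agent not in burst_alerted:
                burst_alerted.add(agent)
                alerts.append({"kind": "tool_call_burst", "agent": agent,
                               "calls_in_window": len(window), "ts": ts})

        elif kind == "scope_granted":
            # Any privilege change is reviewed regardless of who granted it.
            alerts.append({"kind": "privilege_change", "agent": agent,
                           "scope": e["scope"], "granted_by": e.get("by"), "ts": ts})

    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On the constructed log this raises three alerts: agent-a replans task T1 a third time at ts 25, agent-a's fifth tool call inside 60 seconds lands at ts 35, and agent-b is granted a payments scope at ts 110 shortly before it starts approving payments. In a real deployment the thresholds would be tuned per agent role, and the privilege-change alert would be cross-checked against an approved change record.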
The guidance outlines concrete practices for developers, vendors, and operators throughout the AI lifecycle. For New Zealand insurers, these measures may be relevant both to internal AI programmes and to assessments of insured entities’ cyber maturity. At the design stage, the agencies recommend structuring instruction hierarchies for prompts, constraining context windows, using retrieval‑based grounding to reduce hallucinations, embedding strong identity management that treats each agent as a distinct principal, and applying defence‑in‑depth with clear segmentation between agents and functions. During development, the suggested measures include adversarial and red‑team testing, training agents in controlled or simulated environments, robust input validation and prompt‑injection filtering, resilience features such as fail‑safe defaults and rollback mechanisms, and logging of artefacts to support later review and investigation.
For deployment, the guidance calls for threat modelling using evolving agentic AI risk taxonomies, phased rollouts with limited autonomy, secure‑by‑default system configurations, explicit guardrails and “do‑not‑do” rules, isolation of higher‑risk agents into separate domains, and centralised policy decision points for runtime authorisation decisions. In live operations, organisations are encouraged to apply continuous monitoring of agent behaviour, tool usage, and identity and privilege changes; validate agent outputs against independent sources or other agents; maintain human approval for high‑impact or hard‑to‑reverse actions; and use just‑in‑time credentials, cryptographic proofs, and integrity checks for sensitive operations.
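Several of the measures summarised in the design, deployment, and operations passages above, namely treating each agent as a distinct principal with narrow scopes, explicit “do‑not‑do” rules, a centralised policy decision point for runtime authorisation, human approval for high‑impact actions, and just‑in‑time credentials, can be shown in one place. The block below is an added example written for this article, not code from the guidance or any of the authoring agencies. It also reproduces the procurement scenario from the privileges passage: a procurement agent scoped only to reading contracts cannot modify contracts or approve payments, even if the agent itself is compromised through a low‑risk tool. All agent identifiers, tool names, scopes and approval tokens are constructed assumptions.

```python
"""Policy decision point for agent tool calls (added example, not from the guidance).

Every tool call an agent attempts passes through one gate that:
  * treats each agent as a distinct principal with an explicit scope allow-list,
  * denies 'do-not-do' actions regardless of any scope the agent holds,
  * requires a single-use human approval token for high-impact actions,
  * writes an audit record for every decision, allowed or not.
All agent ids, tool names, scopes and tokens below are constructed for the example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple
import json


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    NEEDS_HUMAN = "needs_human_approval"


@dataclass(frozen=True)
class AgentPrincipal:
    agent_id: str
    allowed_scopes: FrozenSet[str]  # e.g. "contracts:read"


@dataclass(frozen=True)
class ToolRequest:
    agent_id: str
    tool: str
    action: str
    target: str
    approval_token: Optional[str] = None  # issued by a human approver, single use


# Hypothetical tool catalogue: required scope and whether the action is hard to reverse.
TOOL_CATALOGUE: Dict[Tuple[str, str], Dict[str, object]] = {
    ("contracts", "read"):   {"scope": "contracts:read",   "high_impact": False},
    ("contracts", "modify"): {"scope": "contracts:write",  "high_impact": True},
    ("payments", "approve"): {"scope": "payments:approve", "high_impact": True},
    ("web", "fetch"):        {"scope": "web:fetch",        "high_impact": False},
    ("shell", "execute"):    {"scope": "shell:execute",    "high_impact": True},
}

# 'Do-not-do' rules: denied even when an agent nominally holds the scope.
DO_NOT_DO = {("shell", "execute")}  # an agent never runs arbitrary code


class PolicyDecisionPoint:
    def __init__(self, principals: List[AgentPrincipal], approval_tokens: List[str]):
        self._principals = {p.agent_id: p for p in principals}
        self._unused_tokens = set(approval_tokens)  # each token authorises exactly one action
        self.audit_log: List[str] = []

    def decide(self, req: ToolRequest) -> Decision:
        decision, reason = self._evaluate(req)
        self.audit_log.append(json.dumps({
            "agent": req.agent_id, "tool": req.tool, "action": req.action,
            "target": req.target, "decision": decision.value, "reason": reason,
        }))
        return decision

    def _evaluate(self, req: ToolRequest) -> Tuple[Decision, str]:
        principal = self._principals.get(req.agent_id)
        if principal is None:
            return Decision.DENY, "unknown agent principal"
        entry = TOOL_CATALOGUE.get((req.tool, req.action))
        if entry is None:
            return Decision.DENY, "tool/action not in catalogue"
        if (req.tool, req.action) in DO_NOT_DO:
            return Decision.DENY, "do-not-do rule"
        if entry["scope"] not in principal.allowed_scopes:
            return Decision.DENY, f"missing scope {entry['scope']}"
        if entry["high_impact"]:
            if req.approval_token in self._unused_tokens:
                self._unused_tokens.discard(req.approval_token)  # consumed: just-in-time, single use
                return Decision.ALLOW, "high-impact action with valid human approval"
            return Decision.NEEDS_HUMAN, "high-impact action requires human approval"
        return Decision.ALLOW, "scope permitted"


def build_demo_pdp() -> PolicyDecisionPoint:
    """Constructed scenario: the procurement agent may only read contracts and fetch web
    pages; a separate finance agent holds the payment scope but still needs a human token."""
    return PolicyDecisionPoint(
        principals=[
            AgentPrincipal("procurement-agent", frozenset({"contracts:read", "web:fetch"})),
            AgentPrincipal("finance-agent", frozenset({"payments:approve", "shell:execute"})),
        ],
        approval_tokens=["APPROVAL-TOKEN-1"],
    )


if __name__ == "__main__":
    pdp = build_demo_pdp()
    for req in [
        ToolRequest("procurement-agent", "contracts", "read", "C-0042"),
        ToolRequest("procurement-agent", "contracts", "modify", "C-0042"),   # no write scope
        ToolRequest("procurement-agent", "payments", "approve", "INV-7"),    # no payment scope
        ToolRequest("finance-agent", "payments", "approve", "INV-7"),        # needs a human
        ToolRequest("finance-agent", "payments", "approve", "INV-7", "APPROVAL-TOKEN-1"),
        ToolRequest("finance-agent", "shell", "execute", "any"),             # do-not-do
    ]:
        print(req.agent_id, req.tool, req.action, "->", pdp.decide(req).value)
    print("\n".join(pdp.audit_log))
```

The ordering of the checks matters: identity is established first, the do‑not‑do rule is applied before scopes are consulted so that no scope grant can override it, and the approval token is consumed on use so a captured token cannot authorise a second payment. Because every decision, including denials, is written to the audit log, an attempt by a compromised procurement agent to approve payments is visible rather than “routine”.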
The agencies note that tools and standards tailored to agentic AI security are still developing. They urge security teams and researchers to expand threat intelligence specific to autonomous agents, create agent‑focused evaluation methodologies and benchmark datasets, and use system‑theoretic approaches to analyse how risks arise from complex interactions across AI ecosystems. Until more mature frameworks are in place, the guidance advises organisations to assume agentic AI “may behave unexpectedly and plan deployments accordingly,” placing emphasis on resilience, reversibility, and containment over rapid automation gains. For the insurance sector, the document points to a growing role for governance of agentic AI – including privilege design, monitoring, accountability mechanisms, and third‑party tool management – in cyber underwriting, risk engineering, and incident response planning for New Zealand and other markets.