The most honest thing a government agency can say about a technology it's regulating is: we don't fully understand it yet either. The Five Eyes did that on May 1st.

CISA, the NSA, and their counterparts in the UK, Canada, Australia, and New Zealand published a 30-page joint document called "Careful Adoption of Agentic AI Services." It is the first coordinated policy these agencies have ever produced that targets agentic AI specifically, and the third in an evolving series of Five Eyes security guides on AI going back to 2023. The series has been getting progressively more alarmed, and this one opens with a line worth reading slowly: organizations should assume that agentic AI systems may behave unexpectedly until security practices, evaluation methods, and standards mature.

Not might behave unexpectedly. Will.

That framing matters. The agencies are not warning about some future risk on the horizon. They are describing the current state of deployments in critical infrastructure and defense sectors. Agents that can plan, call APIs, modify files, and chain actions across systems are already running inside organizations with, per the guidance, vastly more access than anyone can safely monitor or control. The document names five risk categories: privilege, design and configuration, behavioral drift, structural risk from interconnected agent networks, and accountability. That last one is the quiet killer. When an autonomous system causes harm, who is responsible? The guidance identifies accountability as a risk category without resolving it, because nobody has.