AI Governance

Agentic AI Security: What Five Eyes Guidance Means for MSPs

Zack Jones ·
AI GovernanceAI Gov Weekly

On May 1, 2026, six national cybersecurity agencies across the Five Eyes alliance published a 30-page joint guidance document titled Careful Adoption of Agentic AI Services. CISA, the NSA, the Australian Signals Directorate’s ACSC, the Canadian Centre for Cyber Security, the UK’s NCSC, and New Zealand’s NCSC all signed it. This is the first time all five nations have issued coordinated policy on a single AI attack surface.

Six days later, Microsoft published a research disclosure demonstrating how prompt injection in popular AI agent frameworks leads directly to remote code execution. Four CVEs in CrewAI. Two in Microsoft’s own Semantic Kernel. The title of the post says it plainly: “When Prompts Become Shells.”

These are not isolated signals. A structural vulnerability in the Model Context Protocol puts up to 200,000 AI servers at risk of complete takeover. Darktrace’s 2026 State of AI Cybersecurity Report found that 92% of security leaders are concerned about AI agents in their environments, yet 46% admit they feel unprepared to defend against AI-driven attacks. Three critical information disclosure vulnerabilities in Microsoft 365 Copilot were quietly remediated server-side the same week.

The pattern is clear. Agentic AI is deploying faster than security teams can govern it, and governments are now telling organizations to slow down and get the fundamentals right.

If you advise clients on security posture, this is worth understanding in detail.

What the Five Eyes Guidance Actually Says

The CISA guidance defines agentic AI as systems that can plan, act, and use tools autonomously across networks. The document identifies five categories of risk specific to these systems:

Privilege escalation. When agents are granted broad access, a single compromise causes disproportionate damage compared to a typical software vulnerability. Agents routinely receive service accounts, API keys, and OAuth tokens that persist longer than any human session. The guidance explicitly calls out organizations granting agents more access than they can monitor or control.

Design and configuration flaws. Poor initial setup creates exploitable gaps before an agent processes its first request. Default configurations, missing input validation, and unrestricted tool access fall into this category.

Behavioral misalignment. Agents pursuing goals in ways their designers did not predict. This includes prompt injection attacks that redirect agent behavior, but also emergent behavior in multi-step workflows where the agent’s intermediate decisions compound in unexpected directions.

Structural brittleness. Interconnected networks of agents can trigger cascading failures that propagate across systems. When Agent A calls Agent B which triggers Agent C, a failure or compromise at any node can ripple through the chain.

Accountability gaps. Agentic systems make decisions through processes that are difficult to inspect and generate logs that are hard to parse. When something goes wrong, tracing the root cause through an agent’s reasoning chain is materially harder than investigating a conventional application failure.

The central recommendation is not a new framework. It is the application of existing principles (zero trust, defense-in-depth, least-privilege access) to a new category of workload. Each agent should carry a verified, cryptographically anchored identity with short-lived credentials. Organizations should begin with low-risk use cases and expand scope as governance matures.

Three Threat Vectors That Prove the Point

The Five Eyes guidance is not theoretical. Three disclosures from April and May 2026 demonstrate exactly the risks the document describes.

Prompt Injection to Remote Code Execution

Microsoft’s May 7 research disclosure documented six CVEs across two frameworks that developers rely on to build AI agents.

In CrewAI, four vulnerabilities (CVE-2026-2275, CVE-2026-2285, CVE-2026-2286, CVE-2026-2287) chain together to turn prompt injection into full host compromise. The CodeInterpreter tool falls back to a weak sandbox (SandboxPython) when it cannot reach Docker, enabling arbitrary C function calls. A separate vulnerability allows the agent to read arbitrary local files without path validation. A server-side request forgery flaw enables content acquisition from internal and cloud services. The runtime does not verify that Docker is still running during execution, so an attacker who kills the Docker process forces a fallback to the exploitable sandbox.

In Microsoft’s own Semantic Kernel, CVE-2026-25592 (.NET SDK) and CVE-2026-26030 (Python) allow prompt injection to become code execution primitives through the In-Memory Vector Store’s filter functionality.

The title of Microsoft’s post was chosen carefully. In traditional computing, a shell is the interface between a user and the operating system. In agentic AI, the prompt is becoming that interface. When an agent has code execution tools, access to file systems, and network connectivity, a crafted prompt is functionally equivalent to a command injection.

MCP Supply Chain Vulnerability

On April 16, OX Security published research identifying a structural flaw in Anthropic’s Model Context Protocol (MCP), the open-source protocol that LLMs and AI agents use to connect to external data sources, tools, and one another.

The root issue is in how MCP uses STDIO (standard input/output) as a local transport mechanism. When an AI application spawns an MCP server as a subprocess, the STDIO transport will execute any arbitrary OS command. If the command creates a valid STDIO server, it returns the handle. If not, it returns an error, but only after the command has already executed.

OX Security’s research team identified four families of exploitation: unauthenticated UI injection in AI frameworks, hardening bypasses in tools like Flowise, zero-click prompt injection in AI coding IDEs (including Windsurf and Cursor), and malicious package distribution through MCP marketplaces.

The scale is significant: 150 million downloads, over 7,000 publicly accessible servers, and up to 200,000 vulnerable instances. When OX Security asked Anthropic to patch the root issue, Anthropic declined, stating the behavior was “expected.”

This is the supply chain risk the Five Eyes guidance warns about. A design decision in a foundational protocol propagates through every framework, tool, and deployment that builds on it.

Shadow AI Agents in Production

Microsoft launched Agent 365 to general availability on May 1 with a feature set that reveals how seriously Microsoft takes the shadow agent problem: automated discovery of AI agents running across the tenant, Intune policy enforcement to block unauthorized agent execution methods, and cross-cloud agent inventory spanning AWS and Google Cloud.

The same week, three critical information disclosure vulnerabilities in Microsoft 365 Copilot (CVE-2026-26129, CVE-2026-26164, CVE-2026-33111) were disclosed and remediated server-side. All three stemmed from improper neutralization of special elements, meaning injected commands could cause Copilot to disclose information across trust boundaries. CVSS scores of 7.5 on two of the three.

Microsoft building a dedicated governance product for AI agent sprawl is a strong signal. The company that ships the agents is simultaneously shipping the tool to find and control agents that users deploy without IT’s knowledge. That tension is the operating reality for every MSP managing M365 tenants.

Mapping to NIST AI RMF

The Five Eyes guidance aligns with what the NIST AI Risk Management Framework already provides. For organizations that use NIST AI RMF (voluntary, published by NIST, not a regulation), the mapping is direct across two functions that matter most for agentic AI governance.

Measure. The Measure function focuses on analyzing and quantifying AI risks. For agentic AI, this means inventorying every agent in the environment, cataloging its permissions and tool access, measuring credential hygiene (rotation frequency, scope, lifetime), and tracking behavioral drift over time. The Five Eyes privilege and accountability risk categories map here. You cannot govern what you have not measured.

Manage. The Manage function addresses risk treatment. For agentic AI, this means credential rotation and permission reduction, input validation on agent-facing interfaces, runtime monitoring for behavioral anomalies, and incident response procedures that account for agent reasoning chains rather than simple log analysis. The Five Eyes behavioral misalignment and structural brittleness categories map here.

NIST AI 100-5 provides an agentic AI profile that addresses autonomous AI systems specifically. It extends the base RMF with controls for tool-use governance, multi-agent orchestration risk, and human oversight requirements at decision boundaries.

For MSPs and vCISOs building AI governance practices, the framework gives you a structured assessment methodology that connects to the specific risks the Five Eyes guidance identifies. The assessment surfaces what exists, what is misconfigured, and what is missing. That is the deliverable clients need before deploying agents or expanding agent scope.

What MSPs Should Be Doing Now

The Five Eyes guidance is addressed to organizations deploying agentic AI. For MSPs and vCISOs, the guidance describes the assessment work your clients need.

Inventory agent deployments across client tenants. Most organizations do not have a complete picture of which AI agents are running, what access they hold, and who deployed them. Microsoft Agent 365 provides discovery tooling for M365 environments. For everything else, manual enumeration is the starting point. Service accounts with API access to agent frameworks, MCP servers in development environments, and Copilot Studio agents published without IT governance review all need to be cataloged.

Assess agent permissions against least-privilege. The Five Eyes guidance calls this out as the highest-risk category. Every agent should be reviewed for excessive scope: Does the agent need write access or only read? Does it need access to all mailboxes or a specific set? Are credentials long-lived or short-lived? Are service accounts shared across multiple agents?

Evaluate framework and protocol exposure. If clients are building custom agents on CrewAI, LangChain, Semantic Kernel, or other frameworks, the CVEs disclosed in May 2026 need to be checked against deployed versions. If MCP servers are running in any environment, the structural vulnerability needs to be assessed and mitigated with network segmentation and access controls.

Extend DLP and monitoring to agent interactions. Copilot DLP policies, covered in CIS Microsoft 365 Foundations Benchmark v7.0.0 control 3.2.3, are the minimum. Agents that interact with sensitive data need monitoring that covers their prompts, tool calls, and outputs.

Build AI governance into existing assessment programs. The Five Eyes guidance explicitly says agentic AI does not require an entirely new security discipline. Organizations should fold agent security into the frameworks they already use. NIST AI RMF provides the structure. CIS benchmarks provide the M365-specific controls. The AI governance assessment is the connective layer that maps agent risk to existing policy and identifies gaps.

The Signal, Clearly Stated

Five governments, including the agencies responsible for signals intelligence and cybersecurity across the English-speaking world, jointly published guidance on securing agentic AI. The same week, Microsoft disclosed that prompt injection in two widely used agent frameworks leads to remote code execution. A structural flaw in the protocol that connects AI agents to external tools puts 200,000 servers at risk. Three critical vulnerabilities in Microsoft 365 Copilot were patched server-side.

The Darktrace survey of 1,540 security leaders found 92% are concerned about AI agents in their environments. Nearly half feel unprepared to defend against the attacks these systems introduce.

The organizations deploying agentic AI need assessment work done before they expand scope. The organizations that have not started deploying need to understand the governance requirements before they do. Both conversations start with the same question: what agents are running in this environment, what can they access, and who is watching them?

That is an assessment engagement. The frameworks exist. The threat evidence is public and specific. The work is straightforward for teams that already deliver security assessments against NIST and CIS benchmarks.

The Five Eyes governments just told your clients to do it.