HomeInsightsAI Strategy
AI Strategy · 9 min read

Five governments just issued security rules for AI agents. Here is the plain-English version.

The Five Eyes intelligence alliance, the United States, United Kingdom, Canada, Australia, and New Zealand, published their first joint guidance on securing AI agents in 2026, a framework identifying more than twenty distinct risks in deploying autonomous AI. Most of it targets critical infrastructure and large organisations, but two of the risks apply directly to any small business that uses AI agents to do real work: agents quietly accumulating more access than they need, and agents being hijacked by malicious instructions hidden in content they read. The good news is that the core defence for both is a single, simple principle, and this is the plain-English guide to applying it.

When the intelligence and cybersecurity agencies of five countries jointly publish a document about a technology, it is usually a sign that the technology has become both genuinely useful and genuinely worth securing. That is exactly what happened when the Five Eyes alliance released its first joint guidance on securing AI agents, the autonomous systems that do not just answer questions but take actions on their own, using tools, accessing systems, and completing multi-step tasks without a human directing each step. The very existence of the guidance signals that AI agents have arrived as real infrastructure, powerful enough to be worth attacking and defending.

For a small business, a 30-page government security framework aimed largely at critical infrastructure might seem irrelevant, and most of its detail genuinely is beyond what you need. But buried in it are a couple of risks that apply to anyone using AI agents at all, including a small business running a single agent to handle support or process documents, and understanding them is worth a few minutes because the consequences of ignoring them can be real. This article extracts the parts that actually matter for you, explains them in plain language, and gives you the one simple principle that defends against both, so you can use AI agents confidently rather than either fearfully or carelessly.

The five-second answer

Five countries' cybersecurity agencies issued joint guidance on securing AI agents, and two risks matter for a small business. First, privilege creep: an agent gradually accumulates more access to your systems and data than its task actually needs, often unnoticed. Second, prompt injection: malicious instructions hidden inside content an agent reads, like a web page, document, or email, hijack it into doing something you never intended. The core defence for both is one principle, least privilege: give each AI agent only the minimum access it needs for its specific task, nothing more, and review that access regularly. Combined with being careful about what untrusted content your agents act on, this simple discipline lets a small business use AI agents safely without needing a security team.

What was published

In 2026 the Five Eyes alliance, an intelligence-sharing partnership between the United States, United Kingdom, Canada, Australia, and New Zealand, released a joint guidance document on the secure adoption of AI agents, co-authored by the cybersecurity agencies of all five countries including the US CISA and NSA and the UK NCSC. The document, whose framing is careful adoption rather than avoidance, identifies more than twenty distinct security risks associated with deploying autonomous AI agents and prescribes practical controls for designing, deploying, and governing them, particularly in high-impact settings.

The deliberate choice of the phrase careful adoption rather than something more alarmist is worth noting, because it captures the intended message precisely. The agencies are not warning businesses away from AI agents, which they clearly regard as valuable and worth deploying. They are saying that agents need to be deployed thoughtfully, with security designed in from the start rather than bolted on later, because the autonomy that makes agents useful also creates new ways for things to go wrong. It is a call for competence, not caution, which is exactly the right framing for a small business too.

Most of the document's detail is aimed at organisations deploying agents in critical infrastructure and high-stakes systems, and a small business does not need to absorb the full framework. But the underlying risks it identifies are not exclusive to critical infrastructure, because they arise from the fundamental nature of how AI agents work, which means the most important of them apply in a scaled-down form to any business using agents at all. The task for a small business is not to implement a 30-page framework but to understand the handful of risks that genuinely reach you and apply the simple defence, which is what the rest of this article does.

Why AI agents need security thought at all

It helps to understand why agents specifically warrant this attention, when ordinary AI chat does not raise the same concerns. The difference is action. A chatbot answers a question and stops, so the worst it can do is give a bad answer, which a human can simply disregard. An agent, by contrast, takes actions in the real world: it accesses your systems, reads and writes data, uses tools, sends messages, and completes tasks on its own, which means a mistake or a manipulation does not just produce a bad answer, it produces a bad action with real consequences that may already have happened before anyone notices.

This is the same distinction we drew in our piece on why autonomous bookkeeping needs oversight, applied to security: giving a system the power to act is genuinely valuable, and it is exactly that power that has to be managed. An agent that can book jobs, move data, or send communications on your behalf is doing real work, and the flip side of that usefulness is that it needs boundaries, because a capability to act usefully is also a capability to act harmfully if it accumulates too much access or is manipulated into misusing it.

None of this is a reason to avoid AI agents, which are one of the most valuable applications of AI for a small business. It is simply a reason to deploy them with a little thought about what they can access and what content they act on, the same way you would think about what keys to give a new employee or what authority to delegate. The security concern is not exotic or technical at its heart; it is the ordinary, sensible question of not giving any single actor, human or AI, more power over your business than its job requires, and watching what instructions it follows.

Risk one: access that quietly grows

The first risk that genuinely applies to a small business is what the guidance calls privilege accumulation, or privilege creep. The problem is that AI agents tend to gather permissions over time that were never explicitly granted for their current job. The access an agent needed for one task gets carried forward and reused for unrelated tasks, and because no human is watching each expansion, the scope of what the agent can reach quietly grows well beyond what any single task actually requires, until an agent set up for a narrow purpose has broad access nobody consciously decided to give it.

The danger of this is straightforward: the more an agent can access, the more damage a mistake or a manipulation can do. An agent with narrow access that goes wrong can only affect its narrow domain, but an agent that has quietly accumulated broad access to your systems and data can, if it errs or is hijacked, affect far more than its actual job ever touched. Privilege creep turns a small, contained risk into a large, sprawling one, not through any dramatic failure but through the gradual, unnoticed expansion of what a single agent is allowed to reach.

For a small business the practical form of this risk is easy to picture: an AI agent you set up to handle one specific thing gradually gets connected to more of your systems and data as you extend what it does, without anyone stepping back to ask whether it still needs everything it can now reach. The fix, covered in the defence section below, is equally simple, but the first step is just being aware that access tends to creep, so that you actively manage it rather than letting it silently expand, which is precisely the unnoticed drift the guidance warns about.

Risk two: hijacked by hidden instructions

The second risk that reaches a small business is more adversarial and, once understood, genuinely eye-opening: indirect prompt injection. The idea is that an AI agent often reads external content as part of its work, a web page, a document, an email, a customer message, and an attacker can hide malicious instructions inside that content, designed to be read by the agent and to redirect its behaviour. The agent, unable to fully distinguish between the content it is supposed to process and instructions embedded within that content, can be tricked into following the hidden commands, doing something you never intended.

A concrete way to picture it: suppose you have an AI agent that reads incoming emails and takes actions based on them. An attacker sends an email containing hidden text instructing the agent to, say, forward sensitive information or take some harmful action, and if the agent naively follows instructions found in the content it reads, it may obey the attacker rather than you. The guidance specifically notes that public web pages are already being seeded with hidden instructions designed to hijack AI agents that read them, which means this is not a theoretical future risk but an active technique.

This risk is particularly worth understanding because it is counterintuitive, since the attack comes not through your systems being broken into in the traditional sense but through the ordinary content your agent was designed to read, weaponised against it. It connects to the broader point that AI introduces genuinely new categories of risk that do not map neatly onto old security thinking, a theme we touched on in our piece on shadow AI governance for small teams. The defence, again, is manageable, but it starts with knowing that content an agent reads can carry instructions meant to hijack it.

The simple defence

The core defence against both risks is a single principle the guidance emphasises above all others: least privilege. Give each AI agent only the minimum access it needs to do its specific task, nothing more, and make those permissions expire or come up for review regularly rather than persisting and accumulating indefinitely. An agent that can only reach exactly what its job requires can do only limited damage if it errs or is hijacked, which directly contains both the privilege-creep risk and the fallout from any successful prompt injection. Least privilege is the one habit that does the most work.

Applying this as a small business does not require a security team, just a little deliberate thought when you set up and maintain each agent. When you deploy an AI agent, consciously decide what it genuinely needs access to for its actual task and grant only that, resisting the convenient temptation to give it broad access just in case. Then periodically revisit what your agents can reach and trim anything that has crept in beyond what the current job requires, treating access as something to actively manage rather than set once and forget. This modest discipline is the practical heart of the entire guidance for a business your size.

Two supporting habits round it out. Be thoughtful about what untrusted content your agents act on automatically, applying extra caution or human review where an agent processes content from outside sources that could carry hidden instructions, especially before it takes consequential actions based on that content. And keep a human in the loop for the actions that genuinely matter, so an agent cannot take a high-stakes step entirely on its own, which is the same oversight principle we apply throughout our writing on AI. Together, least privilege plus caution about untrusted content plus human oversight of consequential actions lets a small business use AI agents safely, and setting up exactly this kind of sensible, secure automation is what our 49 euro audit is built to help with.

The bottom line

Five countries' intelligence and cybersecurity agencies jointly issuing guidance on securing AI agents is a marker that agents have become real, valuable infrastructure worth defending, and the guidance's deliberate framing of careful adoption rather than avoidance is exactly right for a small business too. Most of the framework targets critical infrastructure, but two of its risks reach any business using AI agents: privilege creep, where an agent quietly accumulates more access than its task needs, and prompt injection, where hidden instructions in content an agent reads hijack its behaviour.

The reassuring truth is that the core defence against both is one simple principle, least privilege: give each agent only the minimum access its specific task requires and review that access regularly, supported by caution about what untrusted content agents act on and human oversight of consequential actions. This modest discipline does not require a security team, and it lets a small business capture the genuine value of AI agents, which are among the most useful applications of AI available to you, without exposing itself to the risks that the world's cybersecurity agencies thought worth a joint warning. Use agents, and give them exactly the access their job needs and no more.

Want AI agents set up to be both useful and secure from the start? The 49 euro audit shows you how

Sources

Quick answers

Common questions.

Want this in your business?

The €49 audit shows you exactly which automations would pay back fastest in your specific operation.

€49 entryFull AI audit + strategy call included

Reserve your auditNo commitment. No contracts. Just clarity.