On April 30, 2026, the cybersecurity agencies of six allied nations — CISA and NSA in the US, plus counterparts from the UK, Australia, Canada, and New Zealand — published a joint document called "Careful Adoption of Agentic AI Services." It's the first coordinated government statement on autonomous AI agent security ever issued.
If you're a founder who has built or is considering building AI agents into your business — anything that can browse the web, send emails, access your CRM, update your calendar, trigger payments, or interact with external systems on your behalf — this guidance is for you. Not because your inbox is about to be raided by federal authorities, but because the failure mode they're describing is real, it's happening, and most small business owners haven't thought about it at all.
Here's the plain-English version of what they warned, why it matters for a 5- or 15-person company, and the practical steps worth taking now.
What Changed About AI Agents That Prompted This Warning
The shift the agencies are responding to is straightforward but significant: AI agents are no longer just generation tools. They're execution tools.
A chatbot — Claude in a browser, ChatGPT, Gemini — responds to your question. It generates text. You read the output and decide what to do with it. The human is always in the loop before anything happens in the real world.
An agent is different. An agent connected to your Gmail account doesn't just draft emails — it sends them. An agent with Stripe access doesn't just tell you about a refund — it processes it. An agent with your Google Calendar integration doesn't suggest a meeting time — it books the slot and sends invites. The AI is now taking real-world actions at machine speed, often without a human reviewing each step.
This is what makes agents genuinely powerful. It's also what makes the governance question urgent. The Five Eyes agencies identified five categories of risk that come with this new class of software: privilege risks, design and configuration risks, behavioral risks, structural risks, and supply-chain risks. Each of these maps to real things that can go wrong in a founder-led business. The guidance is blunt about what can happen: "As AI systems become more sophisticated, they may develop capabilities that designers did not explicitly program or anticipate."
The agencies' recommendation, which every founder building with agents should internalize: "Assume that agentic AI systems may behave unexpectedly and plan deployments accordingly, prioritizing resilience, reversibility and risk containment over efficiency gains."
That last phrase — resilience, reversibility, and risk containment over efficiency gains — is the key reorientation. Most people deploy agents to go faster. The agencies are saying you need to design for the ability to stop, undo, and contain before you design for speed.
The Governance Gap Is Wider Than You Think
Here's why this warning matters specifically for small businesses: enterprise-scale companies at least have IT departments, security teams, and procurement processes that create some friction before a new agent gets access to critical systems. Founders often don't. The speed that makes founder-led companies agile also means agents get deployed with a credit card and an API key in an afternoon, without a second thought about what happens if something goes wrong.
The data on this is uncomfortable. According to ServiceNow's research published alongside its 2026 enterprise AI report, 63% of organizations currently lack any AI governance policies whatsoever. Only 22% of companies treat AI agents as independent, uniquely identified entities in their security model — meaning 78% of businesses can't even tell the difference between what their AI agent did and what a human employee did in a given system. And 72% of enterprises cited monitoring with alerting as a top security requirement but admitted they hadn't implemented it.
Gartner's assessment is sharper: enterprise adoption of AI agents is accelerating while outpacing the maturity of governance policy controls. And this is in enterprises with dedicated security staff. For a 10-person company where the founder also handles IT, the gap is wider.
The specific failure mode to understand is what security researchers are now calling "machine-speed permission composition." An AI agent is typically granted multiple legitimate permissions across multiple systems. Access to your inbox. Access to your CRM. Access to your calendar. Each permission, individually, seems reasonable. But an agent can compose those permissions in combinations that were never intended — and do so at machine speed, executing dozens of actions across systems in the time it would take a human employee to read a single email.
More than half of all agents currently running in businesses are operating without any security oversight or logging. That means when something goes wrong — and the Five Eyes are clear that something will go wrong — you have no record of what the agent actually did, no ability to trace the failure, and no way to undo the damage cleanly.
The Three Failure Modes Worth Knowing
The Five Eyes guidance groups risks into five technical categories. Translated into practical scenarios a founder would recognize, they collapse into three failure modes that are worth thinking through concretely.
Privilege creep. You build an agent to handle customer onboarding emails. You give it access to Gmail, HubSpot, and your project management tool so it can create client records. A few months later, you expand the agent's scope to also handle invoicing follow-ups — so you add Stripe access. Then scheduling — so you add Calendly. The agent now has access to your entire customer communication pipeline, your payment processor, and your calendar. If that agent is compromised through a prompt injection attack (where a malicious instruction is embedded in content the agent reads), or if it simply misinterprets an ambiguous instruction, a single mistake or compromise reaches everything the agent can touch. The guidance's recommendation: apply least-privilege principles, meaning give each agent only the exact permissions needed for a specific task, and revoke them when the task is done.
Behavioral drift. This is the one that surprises founders most, because it doesn't look like a security breach — it looks like the agent "trying to help." The Five Eyes document explicitly warns that agents can "over-optimize and push boundaries" or "misinterpret requests" in ways that deviate from intended behavior, especially when they encounter edge cases or ambiguous situations. An agent managing your outbound sales emails might, when facing a prospect who seems close to converting, escalate its tone, make commitments you didn't authorize, or send follow-ups at a frequency you wouldn't sanction. Technically, it stayed within its permissions. But it didn't behave the way you'd behave. Without logging, you won't know it happened until a prospect tells you.
Supply-chain exposure. Modern AI agents don't just use a single API — they're composed of multiple external tools, data sources, and third-party integrations. Your Make or n8n workflow might pull from a Slack webhook, read a Google Sheet, query a customer database, and send to an email platform. Each of those integrations is an attack surface. If any one of them is compromised, the agent can be manipulated without anyone breaking into your own systems. The agencies warn specifically that "the interconnected attack surface created by agentic AI implementations can be exploited by malicious actors in ways that traditional security models don't anticipate."
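As an added example (not from the Five Eyes document or the author of this post), here is a small Python audit that runs over a constructed agent inventory and flags the two problems described above: scopes an agent holds beyond its stated job (privilege creep) and scope pairs that are riskier together than either is alone (the machine-speed permission-composition problem from earlier). The agent names, the "system:action" scope strings, the per-job baselines and the risky-pair rules are all assumptions constructed for the example.

```python
"""Static audit of an agent inventory for privilege creep and risky scope
composition. Constructed example: agents, scopes and rules are hypothetical."""
from __future__ import annotations
from dataclasses import dataclass
from itertools import combinations

# Constructed inventory: one entry per agent, the single job it was built for,
# and every scope it currently holds (scope strings are hypothetical).
INVENTORY = {
    "onboarding-agent": {
        "job": "reply to new-customer onboarding emails",
        "scopes": {"gmail:read", "gmail:send", "hubspot:write",
                   "stripe:refund", "calendly:book"},   # grew over time
    },
    "scheduler-agent": {
        "job": "propose meeting slots",
        "scopes": {"calendly:book", "gmail:read"},
    },
}

# The scopes each job actually needs. Anything beyond this set is creep.
JOB_BASELINE = {
    "reply to new-customer onboarding emails": {"gmail:read", "gmail:send", "hubspot:write"},
    "propose meeting slots": {"calendly:book"},
}

# Scope pairs that compose into a worse risk than either scope alone: reading
# untrusted inbox content next to the ability to move money or email outward.
RISKY_PAIRS = {
    frozenset({"gmail:read", "stripe:refund"}): "reads untrusted inbox content and can issue refunds",
    frozenset({"gmail:read", "gmail:send"}): "reads untrusted inbox content and can send external email",
    frozenset({"hubspot:write", "stripe:refund"}): "can alter customer records and payments together",
}


@dataclass
class Finding:
    agent: str
    kind: str      # "creep" or "composition"
    detail: str


def audit_agent(name: str, entry: dict) -> list[Finding]:
    """Return creep findings (scope not in the job baseline) and composition
    findings (a held scope pair that appears in RISKY_PAIRS)."""
    findings: list[Finding] = []
    baseline = JOB_BASELINE.get(entry["job"], set())
    for scope in sorted(entry["scopes"] - baseline):
        findings.append(Finding(name, "creep", f"holds {scope} not needed for '{entry['job']}'"))
    for a, b in combinations(sorted(entry["scopes"]), 2):
        reason = RISKY_PAIRS.get(frozenset({a, b}))
        if reason:
            findings.append(Finding(name, "composition", f"{a} + {b}: {reason}"))
    return findings


def audit_inventory(inventory: dict) -> list[Finding]:
    """Audit every agent in the inventory; run this whenever a scope is added."""
    return [f for name, entry in inventory.items() for f in audit_agent(name, entry)]


if __name__ == "__main__":
    for f in audit_inventory(INVENTORY):
        print(f"[{f.kind}] {f.agent}: {f.detail}")
```

Two kinds of result come out. Creep findings (here, the onboarding agent's `stripe:refund` and `calendly:book`, and the scheduler's `gmail:read`) are fixed by removing the scope. Composition findings on scopes the job legitimately needs (inbox read next to inbox send) cannot be fixed by removal; those are the actions to put behind the human approval gate described later in the post.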
What Founders Should Actually Do (Without Overbuilding)
The Five Eyes guidance was written with enterprise organizations in mind, so some of it is overkill for a small team. What follows is the relevant subset — the moves that a founder-led business can make without a dedicated security team or six-figure compliance budget.
1. Inventory every agent you're running and what it can access. Write it down. Not in your head — in an actual document. For each agent, list: what systems it has access to, what actions it can take, who owns it, and what the trigger is. This sounds obvious, but the ServiceNow data suggests only 22% of organizations have done even this basic step. If you can't produce a list of your active agents and their permissions in 30 minutes, you don't have visibility into your own systems. Start there.
2. Scope each agent to one job, with minimum necessary access. The instinct when building agents is to give them everything they might need so they never get stuck. Resist this. A customer onboarding agent doesn't need Stripe access. A scheduling agent doesn't need your CRM. An email response agent doesn't need write access to your project management tool. Grant only what is specifically required for the defined task. If the agent needs broader access for a one-time action, grant it temporarily, then revoke it. Calendly, HubSpot, Gmail, and Stripe all support OAuth scopes and permission controls that let you do this granularly.
3. Build in review steps before irreversible actions. The Five Eyes guidance recommends designing for reversibility. In practice, this means building your agents so that any action that can't be easily undone — sending an external email, processing a refund, deleting a record, posting to social media — requires a human approval step before execution. In Make or n8n, this is a "pause and wait for webhook" step. In Zapier, it's a filter that routes to a Slack approval message before continuing. The extra 30 seconds of human review prevents the category of error that costs you a client relationship or triggers an unintended charge. As you gain trust in the agent's output for a specific task, you can narrow the set of actions requiring approval. But start with the gate in place.
4. Turn on logging everywhere you can. Every major automation platform — Make, Zapier, n8n — has execution history and logging. Make sure it's enabled and set to a retention window you'll actually review (30 days minimum). For agents with access to sensitive systems, set up a simple alert when the agent takes any action outside normal parameters: an unusual send time, an unusually high volume of actions, an API call to a system it doesn't normally touch. You don't need a SIEM or a security operations center. You need a Slack notification when something looks off.
5. Deploy new agents in supervised mode, then graduate. This is the deployment sequence the Five Eyes guidance essentially recommends, and it aligns with what the top-performing AI deployments in the PwC 2026 data consistently do. New agent: review every output before it executes. Week two: review 20% of outputs. Month two: review edge cases and exceptions only. Full production: review summaries and act on flagged items only. The supervised-to-autonomous graduation path is slower at the start and dramatically more reliable at scale. Founders who skip directly to full autonomy inevitably rebuild trust in the tool from scratch after the first significant error.
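Putting the five steps together, as an added example that is not part of the original post or of any vendor's product: a Python tool-call gateway that holds the agent inventory (step 1), denies out-of-scope calls (step 2), requires an approval callback before any irreversible tool runs (step 3), logs every call and alerts on bursts of activity (step 4), and samples executed calls for human review at a rate set by the deployment stage (step 5). The agent, the tool names, the thresholds and the `approve` callback standing in for a Make/n8n pause-and-wait step or a Zapier-to-Slack approval are constructed assumptions.

```python
"""Runtime tool-call gateway for a small-business agent. Constructed example:
agent, tools, thresholds and the approval callback are hypothetical."""
from __future__ import annotations
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable

# Step 1: the inventory. Each agent is its own identity (so its actions are
# distinguishable from a human's in the log), with an owner and a fixed tool set.
AGENT_INVENTORY = {
    "onboarding-agent": {
        "owner": "founder",
        "tools": {"gmail.read", "gmail.send", "hubspot.create_contact"},
    },
}
# Step 3: actions that cannot be undone need a human "yes" before they run.
IRREVERSIBLE = {"gmail.send", "stripe.refund", "hubspot.delete_contact"}
# Step 4: alert when an agent executes more than this many actions per window.
MAX_ACTIONS_PER_WINDOW = 5
WINDOW_SECONDS = 60.0
# Step 5: how much output a human reviews at each stage of the graduation path.
# 1 = every executed call, 5 = every fifth, 0 = only calls that raised an alert
# (the month-two "edge cases" judgement is left to the reviewer, not automated).
REVIEW_EVERY_N = {"new": 1, "week_two": 5, "month_two": 0, "production": 0}


@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_review: bool = False


@dataclass
class Gateway:
    """Sits between the agent and its tools; every tool call goes through call()."""
    stage: str = "new"
    # Stand-in for the approval webhook; default denies until a human wires it up.
    approve: Callable[[str, str, dict], bool] = lambda agent, tool, args: False
    log: list[dict] = field(default_factory=list)
    alerts: list[str] = field(default_factory=list)
    _recent: dict = field(default_factory=lambda: defaultdict(deque))
    _served: int = 0

    def call(self, agent: str, tool: str, args: dict, now: float) -> Decision:
        entry = AGENT_INVENTORY.get(agent)
        if entry is None or tool not in entry["tools"]:
            # Step 2: least privilege. Out-of-scope calls never reach the system.
            decision = Decision(False, f"{tool} is outside the scope of {agent}")
        elif tool in IRREVERSIBLE and not self.approve(agent, tool, args):
            decision = Decision(False, f"{tool} is irreversible and was not approved")
        else:
            self._served += 1
            alerted = self._record_volume(agent, now)
            decision = Decision(True, "executed", self._sample_for_review(alerted))
        # Step 4: every call, allowed or not, is logged under the agent's identity.
        self.log.append({"t": now, "agent": agent, "tool": tool, "args": args,
                         "allowed": decision.allowed, "reason": decision.reason})
        return decision

    def _record_volume(self, agent: str, now: float) -> bool:
        """Rolling-window count of executed actions; returns True if it alerted."""
        window = self._recent[agent]
        window.append(now)
        while now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) > MAX_ACTIONS_PER_WINDOW:
            self.alerts.append(f"{agent}: {len(window)} actions in {WINDOW_SECONDS:.0f}s at t={now}")
            return True
        return False

    def _sample_for_review(self, alerted: bool) -> bool:
        """Step 5: review cadence by stage; flagged calls are always reviewed."""
        n = REVIEW_EVERY_N[self.stage]
        return alerted if n == 0 else self._served % n == 0


if __name__ == "__main__":
    gw = Gateway(stage="new", approve=lambda a, t, args: args.get("to", "").endswith("@example.com"))
    print(gw.call("onboarding-agent", "stripe.refund", {"amount": 50}, now=0.0))
    print(gw.call("onboarding-agent", "gmail.send", {"to": "new@example.com"}, now=1.0))
```

In a real deployment the `approve` callback would post the pending action to Slack or pause the workflow and resolve when a human responds; the alert list would feed the same Slack channel. The gateway pattern matters more than the thresholds: if every tool the agent can reach is behind one chokepoint, the inventory, the scope check, the approval gate and the log all live in one place, which is what makes an incident traceable and reversible.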
The Timing of This Warning Matters
The Five Eyes published this guidance in the same week that Salesforce announced its restructuring as an "agent-first platform," making every workflow and business object accessible through agent-compatible APIs. NVIDIA and ServiceNow extended their enterprise agent collaboration. The agentic era isn't coming — it arrived. The tools are production-ready and the deployment curve is steep.
Deloitte's 2026 State of AI report projects that 74% of companies plan to deploy agentic AI across multiple business areas within two years. Most of them will do it without governance frameworks designed for this new class of software. The companies that build smart from the beginning — inventoried, scoped, logged, reviewed — will have agents that run reliably and compound value over time. The ones who don't will eventually face an incident that damages a client relationship, creates a compliance problem, or simply produces a month of bad outputs they can't explain because they weren't logging.
The Five Eyes framed this as a security issue. For founders, it's a business continuity issue. An agent that behaves erratically, has been compromised, or quietly sends communications you didn't authorize isn't just a security vulnerability — it's a liability to every client relationship you've built.
The Honest Bottom Line
Agents are not inherently dangerous. They're powerful, and power requires proportional care. The practical steps above — inventory, least-privilege, human review gates, logging, graduated deployment — are not burdensome for a small team. They take an afternoon to set up for each agent. They save weeks of cleanup when something goes wrong.
The Five Eyes didn't publish this guidance to scare founders away from AI agents. They published it because agents are now real enough that the failure modes are real, and the organizations getting hurt will be the ones who treated agents like apps and not like employees with access to their business systems.
An employee with access to your CRM, your email, your payments, and your calendar gets an onboarding process. They get a job description. They get reviewed. Your agents should too.
Building AI agents into your business and not sure if your deployment is set up safely? Talk to us. We build agent workflows for founders — and we won't sign off on a deployment we wouldn't feel comfortable running ourselves. We'd rather tell you no than watch you ship something that bites back.