## Weekly signal

Agentic AI security shifted from model safety to operational control of agents: identity, permissions, data boundaries, runtime monitoring, and auditability. The most useful theme this week was simple: if an agent can read sensitive data, call tools, invoke APIs, or spawn other agents, it must be governed like a non-human worker with its own identity and blast radius.

## What changed

1. Five Eyes agencies set the baseline for cautious agent adoption. The United States NSA and CISA, Australia’s ASD ACSC, Canada’s Cyber Centre, New Zealand’s NCSC, and the United Kingdom’s NCSC issued joint guidance on agentic AI services. It calls out five risk spaces: privilege, design/configuration, behavior, structural complexity, and accountability. The practical message is to start with low-risk use cases, enforce least privilege, monitor continuously, and keep human oversight for sensitive actions.

2. Microsoft made Agent 365 generally available. Microsoft positioned Agent 365 as a control plane for agent sprawl across Microsoft, local, SaaS, and cloud agents. The release emphasizes shadow-agent discovery, registry-based inventory, Entra identity controls, Purview data protection, Defender threat detection, and network controls for agent traffic. Microsoft also previewed local-agent discovery for tools such as OpenClaw and future support for Claude Code and GitHub Copilot CLI.

3. Google Cloud pushed agent identity into IAM. Google announced Agent Identity as a first-class principal, built on SPIFFE, plus Agent Gateway, Identity-Aware Proxy for Agents, Context-Aware Access for Agents, VPC Service Controls for Agent Identity, and Model Armor coverage for prompt injection, tool poisoning, and sensitive-data leakage. This is a clear move from generic service accounts toward agent-specific authorization and data-exfiltration controls.

4. AWS shipped a managed MCP Server. AWS made its MCP Server generally available, giving coding agents authenticated access to AWS through IAM, SigV4, CloudTrail, CloudWatch metrics, and sandboxed server-side scripts. The most important security angle is separation between human and agent permissions: teams can let users perform mutating actions while restricting MCP-server agent access to read-only or narrower scopes.

5. CoSAI released agentic identity and swarm-security research. The OASIS-hosted Coalition for Secure AI published papers on agentic identity/access management and the future of agentic security. The papers highlight machine-readable agent identity, delegated permissions, intent-based authorization, semantic data leakage, ephemeral environments, dynamic credentials, and Agent Detection and Response.

## What to do with it

Create an agent inventory now. Assign every production or pilot agent an owner, identity, allowed tools, data classification, credential type, and kill path. Replace shared service accounts with agent-specific credentials where possible. Route agent-to-tool access through gateways or policy enforcement points. Log prompts, tool calls, data access, and actions in a way security and compliance teams can review. For builders, treat MCP servers, skills, plugins, and agent tools as supply-chain components, not harmless configuration.
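As an added illustration (not code from any of the products or papers named above), here is a minimal policy enforcement point of the kind the inventory checklist and the AWS human/agent permission split describe; every agent record, tool name and classification level is constructed for the example, and the data-classification scale is an assumption.

```python
from dataclasses import dataclass
import time

@dataclass(frozen=True)
class AgentRecord:
    """One inventory row per agent; fields mirror the checklist above (constructed)."""
    agent_id: str                  # agent-specific identity, never a shared service account
    owner: str                     # accountable human or team
    allowed_tools: frozenset[str]  # tools the agent may invoke
    max_data_class: int            # highest classification it may read: 0 public .. 3 restricted
    read_only: bool = True         # mutating tools are denied unless explicitly granted
    disabled: bool = False         # kill path: set True to block every call immediately
# Constructed tool catalogue: name -> (is_mutating, classification of the data it touches)
TOOLS = {
    "search_tickets": (False, 1),
    "read_customer_record": (False, 3),
    "close_ticket": (True, 1),
}
# Constructed inventory: one live read-only triage agent and one agent that has been killed
INVENTORY = {
    "agent-support-triage": AgentRecord(
        agent_id="agent-support-triage", owner="support-platform-team",
        allowed_tools=frozenset(TOOLS), max_data_class=1),
    "agent-retired-bot": AgentRecord(
        agent_id="agent-retired-bot", owner="support-platform-team",
        allowed_tools=frozenset(TOOLS), max_data_class=1, disabled=True),
}
AUDIT_LOG: list[dict] = []  # every decision is recorded; in production, ship these to the SIEM

def authorize_tool_call(agent_id: str, tool: str) -> tuple[bool, str]:
    """Gateway check between an agent and its tools; the first failing check is the reason."""
    rec = INVENTORY.get(agent_id)
    if rec is None:
        decision = (False, "unknown agent identity")
    elif rec.disabled:
        decision = (False, "agent disabled via kill path")
    elif tool not in TOOLS:
        decision = (False, "unknown tool")
    elif tool not in rec.allowed_tools:
        decision = (False, "tool not in agent allow-list")
    elif TOOLS[tool][0] and rec.read_only:
        decision = (False, "mutating action reserved for human operators")
    elif TOOLS[tool][1] > rec.max_data_class:
        decision = (False, "data classification exceeds agent boundary")
    else:
        decision = (True, "allowed")
    AUDIT_LOG.append({"ts": time.time(), "agent": agent_id, "tool": tool,
                      "allowed": decision[0], "reason": decision[1]})
    return decision
```

Flipping `disabled` on the inventory row is the kill path: the next call is refused and the refusal itself is logged, which is what an incident responder wants to see.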
