## Weekly signal

The May 4-12, 2026 week was a clear pivot point for agentic AI safety. The conversation is no longer mainly about whether agents are risky. The useful work is now about how to govern agents as operational actors: who they are, what they can touch, how they are monitored, when they must ask for approval, and how quickly they can be stopped.

The strongest signal came from a cluster of public-sector guidance, standards work, and vendor launches that all converged on the same architecture: identity plus least privilege plus runtime observability plus bounded execution. For builders, this means agent safety is becoming an engineering requirement. For buyers, it means procurement questions should move beyond model quality and ask for agent inventories, delegation controls, telemetry, and incident response hooks.

This briefing covers developments published during May 4-11, plus announced May 12 activity where explicitly scheduled.

## What changed

1. Five Eyes agencies published agent-specific security guidance.

The United States, United Kingdom, Canada, Australia, and New Zealand released joint guidance on the careful adoption of agentic AI services. Although the guidance was released just before the week and was widely digested during it, it is the most important baseline for teams deploying agents now.

The guidance is useful because it names the distinct risk profile of agents. It calls out privilege risks, insecure design and configuration, behavioral risks such as goal misalignment and specification gaming, structural risks from interconnected components, and accountability risks caused by opaque decision chains. The agencies recommend incremental deployment, continuous reassessment against changing threat models, strong governance, explicit accountability, monitoring, and human oversight.

For builders, the key implication is that autonomy changes the control problem. A chatbot can say the wrong thing. An agent can take the wrong action, call a tool, move data, spend money, or alter a system. That makes rollback, approval boundaries, and auditability part of the product design, not an enterprise add-on.

2. Agent identity and access management became the safety layer to watch.

CoSAI released two agentic security papers after RSAC 2026, including work on Agentic Identity and Access Management and the future of agentic security. The most practical point is that each agent needs a trustworthy, machine-readable identity that can be authenticated, authorized, delegated, monitored, and revoked. CoSAI also emphasizes that valid credentials alone are not sufficient: an agent can be technically authenticated while still pursuing an unsafe or unauthorized outcome.

Cisco’s May 4 announcement that it intends to acquire Astrix Security reinforces that this is moving from research into enterprise security budgets. Cisco framed the acquisition around discovering and securing AI agents and non-human identities, including excessive privileges and real-time threats, with planned integration into Cisco Identity Intelligence, Secure Access, and Duo.

The builder takeaway is that service accounts are not enough. Agents need owner mapping, purpose binding, short-lived credentials, scoped permissions, and behavior monitoring. If multiple agents share one token, you lose attribution. If agent credentials do not expire or cannot be revoked quickly, you have created a standing privilege risk.

3. Major enterprise platforms shipped agent governance controls.

Microsoft Agent 365 became generally available and expanded controls for discovering, observing, governing, and securing agents across local, SaaS, cloud, and endpoint contexts. Microsoft also added network-layer inspection and controls for Copilot Studio agents and endpoint agents, including controls intended to detect unsanctioned AI usage, restrict connections, filter risky file movement, and block prompt-based attacks before harmful actions occur.

Google Workspace launched an AI control center in the Admin console for enterprise customers. It gives admins a centralized view of security and governance settings for generative AI and agent actions, more granular auditing for Gemini and agentic solutions accessing Workspace data, and controls tied to data protection rules, classification labels, trust rules, and compliance settings.

ServiceNow expanded AI Control Tower with discovery, runtime observability, governance, security, and measurement across AI systems, agents, and workflows. The most safety-relevant additions are runtime visibility into agent behavior, scoped permissions and least-privilege enforcement, and the ability to shut down an agent in real time when it goes off script or exceeds permissions. ServiceNow also added an AI Gateway for Model Context Protocol transactions to provide real-time controls for agentic workloads.

These launches are not all equivalent, and teams should not assume a vendor control plane solves governance by itself. But they show what enterprise customers are now asking for: agent inventory, access graphs, policy enforcement, audit trails, MCP visibility, and a kill switch.

4. Cyber-capable models intensified the dual-use safety debate.

The UK AI Security Institute published an evaluation of OpenAI’s GPT-5.5 cyber capabilities. It found GPT-5.5 was one of the strongest models it had tested on cyber tasks and the second model to solve one of its multi-step cyber-attack simulations end-to-end. On AISI’s expert-level cyber tasks, GPT-5.5 reached a 71.4% average pass rate, compared with 68.6% for Anthropic’s Mythos Preview in the cited comparison.

OpenAI then expanded Trusted Access for Cyber and announced GPT-5.5-Cyber in limited preview for vetted defenders responsible for critical infrastructure. OpenAI describes the access model as identity- and trust-based: verified defenders get reduced friction for legitimate workflows such as vulnerability triage, malware analysis, binary reverse engineering, detection engineering, and patch validation, while safeguards continue to block credential theft, stealth, persistence, malware deployment, and exploitation of third-party systems. OpenAI also said individual users of its most permissive cyber models will need phishing-resistant account security starting June 1, 2026.

This is directly relevant to agent safety because cyber work is tool-heavy, multi-step, and often agentic. The practical risk is not only that a model can answer dangerous questions. It is that a model with tools can chain reconnaissance, exploit development, validation, and reporting. Access tiers, identity checks, approved-use scoping, and misuse monitoring are becoming the safety pattern for dual-use agent capabilities.

5. OpenAI published a concrete Codex safety playbook.

OpenAI’s May 8 post on running Codex safely inside its own workflows is one of the more actionable vendor posts of the week. It describes controls for coding agents that can review repositories, run commands, and interact with development tools. The controls include sandboxing, approvals, network allow/deny policies, managed configuration, secure handling of CLI and MCP OAuth credentials, command rules, and agent-native telemetry.

The most useful detail is the telemetry model. OpenAI says Codex can export logs for user prompts, tool approval decisions, tool execution results, MCP server usage, and network proxy allow/deny events. It also describes using Codex logs with a security triage agent to understand not only what happened but the surrounding user and agent intent.

That should be the default pattern for high-trust coding agents. Traditional endpoint logs tell you a process started or a file changed. Agent-native logs help explain why the agent attempted the action and whether it matched the user’s request, the approval path, and the policy boundary.

6. U.S. frontier model testing broadened.

The U.S. Center for AI Standards and Innovation at NIST announced agreements with Google DeepMind, Microsoft, and xAI for pre-deployment evaluations and targeted research on frontier AI capabilities and security. CAISI said the agreements allow government evaluation before public release, post-deployment assessment, and work with models that may have reduced or removed safeguards for testing.

This is not agent-specific by itself, but it matters because frontier models are increasingly agent-capable. Pre-deployment testing that includes cyber, autonomy, tool use, and safeguard bypass behavior will shape what enterprises can expect from system cards, procurement reviews, and future standards.

## What to do with it

First, build an agent inventory. Track every agent, owner, purpose, model, tool set, data source, credential, MCP server, external network path, and allowed action. If you cannot list your agents, you cannot govern them.

Second, assign each agent a unique identity. Do not let agents share human credentials or generic service accounts. Use short-lived credentials, scoped permissions, and explicit delegation records. Map every agent to an accountable human or team.

Third, set blast-radius tiers. Read-only agents, internal workflow agents, external-facing agents, coding agents, finance agents, and cyber agents should not share the same approval and logging rules. Any agent with write access, deploy access, spend authority, customer communication, or external network access needs stronger controls.

Fourth, log agent-native evidence. Capture prompts, plans, tool calls, approval decisions, network events, credential use, MCP activity, outputs, and policy decisions. Feed those logs into SIEM and compliance systems. Review logs for intent drift, prompt injection, unexpected tool use, and repeated approval escalations.

Fifth, test the stop path. Every production agent needs disable, revoke, quarantine, and rollback procedures. Practice them. A kill switch that no one has tested is not a control.

Finally, update procurement. Ask vendors whether agents have unique identities, least-privilege enforcement, MCP and tool-call visibility, configurable approvals, sandboxing, network controls, audit logs, and incident export. The winning vendors this week are not just selling smarter agents. They are selling controllable agents.