On April 30, 2026, six national cyber agencies published a joint advisory on agentic AI.
NSA. CISA. ASD’s ACSC, the Australian Signals Directorate’s Australian Cyber Security Centre. Canadian Centre for Cyber Security. NCSC-NZ, the New Zealand National Cyber Security Centre. NCSC-UK, the United Kingdom’s National Cyber Security Centre.
The document is titled “Careful Adoption of Agentic AI Services.” Thirty pages. Direct, technical, and unusually specific about the controls operators need.
Most enterprise AI security guidance to date has been abstract. The risk frameworks describe categories. The compliance documents describe obligations. The vendor whitepapers describe products. This advisory describes a procurement spec.
Read it that way and the implications for AI infrastructure spend in 2026 become clear.
Who wrote it and why that matters
The Five Eyes intelligence-sharing alliance is the closest existing analog to an international cyber consensus. The agencies above coordinate intelligence on threats that span their borders. When they publish jointly, the document represents the position of the participating governments, not the working theory of one analyst.
This is the first joint publication from the Five Eyes cyber agencies specifically on agentic AI. Previous joint advisories have covered ransomware, supply chain attacks, and critical infrastructure protection. The decision to issue a joint advisory on agentic AI in April 2026 reflects what these agencies are seeing in their own networks: agent deployment outpacing the security controls that agent deployment requires.
The intended audience is critical infrastructure operators, defense contractors, and mission-critical enterprise environments. The agencies issued the advisory now because the operators in their jurisdictions are deploying agentic AI faster than they are deploying the controls to govern it.
The five named risk categories
The advisory organizes agent risk into five categories. Reading them in order:
Privilege risks. Agents inherit the access of the human principal who delegated authority to them, plus the access of any other identity they are authorized to act on behalf of. The composition of these accesses can grant an agent privileges that no human in the organization ever had. A finance agent that combines an executive’s calendar access, a contractor’s vendor portal access, and a customer service agent’s CRM access is not constrained by the boundaries that each of those individuals faces.
Design risks. Agents are implemented with shortcuts that humans would not take. The agent’s planning step can produce execution paths that bypass intended controls. The agent’s reasoning step can rationalize actions a human operator would refuse. The agent’s tool selection step can substitute a destructive tool for a constructive one if the destructive tool produces a faster path to the stated goal.
Behavior risks. Agents act on prompt content, not on intent. An adversary who can influence what enters the agent’s context window can influence what the agent does. Prompt injection through email, document content, web content, or tool output is the primary vector. The agent’s response to that injection is computational, not deliberative.
Structural risks. The architecture of an agentic system itself produces vulnerabilities. Multi-agent communication channels create lateral movement paths. Tool registries become attack surfaces. The chain of trust between an authenticated user, a delegated agent, and an executed tool call has more attack points than any prior enterprise software pattern.
Accountability risks. When the agent acts and the action produces a regulated outcome, who is accountable? The agent’s prompt author? The agent’s deployer? The human who delegated authority to the agent? The platform vendor whose model the agent used? The regulator’s answer is not yet settled, which means an enterprise that deploys agents without clear accountability binding is taking enterprise-level risk on an unsettled question.
The five categories cover the surface area an enterprise actually needs to govern. They do not map cleanly to existing security categories because agentic systems do not look like existing systems.
The recommended controls, in detail
The advisory’s prescriptive section names specific controls. Each one is a procurement requirement. Read in sequence:
Each agent constructed as a distinct principal with cryptographically anchored identity.
This is identity proofing at the agent layer. The agent must be a first-class identity, not a session of a user. The identity must be anchored cryptographically, which means private key material exists somewhere that can sign the agent’s actions. The advisory specifies cryptographic anchoring, not just identifier strings or session tokens.
The implementation pattern: each agent has a key pair. Actions taken by the agent are signed by the agent’s private key. Verification of the action proves the action originated from a specific agent identity, not just from a generic API session.
Trusted registry binding identities to authorized roles.
The registry is a directory of every agent operating in the enterprise, mapped to the human principal who delegated authority and the role scope the human authorized. The registry must be trusted, which in this context means tamper-evident and verifiable.
The implementation pattern: an authoritative directory service that catalogs every agent, the human it acts on behalf of, the authority scope, the creation timestamp, the cryptographic identity, and the deprovisioning conditions. Provisioning happens through an authenticated workflow tied to the identity proofing layer. Deprovisioning happens immediately when the authorizing human’s session ends or the role scope changes.
Authentication on every inter-agent and agent-to-service call.
Every call gets authenticated, not just the agent’s initial session. The advisory specifies inter-agent calls explicitly. When agent A calls agent B, the call carries authentication that proves the chain of authority back to a verified human principal.
The implementation pattern: signed request authentication on every call. The signature includes the calling agent’s identity, the authorization chain, and the request payload. Replay protection through nonce and timestamp. Verification at the receiving end before any action is taken.
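A sketch of the per-call check described above, added here as an illustration and not taken from the advisory or any product. The registry layout, field names and the 60-second window are assumptions, and an HMAC with a per-agent key stands in for the private-key signature so the block needs only the standard library.

```python
import hashlib, hmac, json, secrets, time

# Constructed registry entry: key, delegating human and role scope (assumed layout).
REGISTRY = {"agent-a": {"key": b"constructed-demo-key", "principal": "human:alice",
                        "scope": {"crm:read"}}}
MAX_SKEW = 60   # seconds a signed call stays acceptable (assumed policy value)
SEEN = {}       # nonce -> timestamp, kept for the acceptance window

def call_mac(key, fields):
    # Canonical JSON so signer and verifier authenticate identical bytes.
    msg = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign_call(agent, chain, action, payload, now=None):
    ts = int(time.time() if now is None else now)
    fields = {"agent": agent, "chain": chain, "action": action,
              "payload": payload, "nonce": secrets.token_hex(16), "ts": ts}
    return {**fields, "sig": call_mac(REGISTRY[agent]["key"], fields)}

def verify_call(req, now=None):
    now = int(time.time() if now is None else now)
    entry = REGISTRY.get(req.get("agent"))
    if entry is None:
        return "reject: unknown agent"
    fields = {k: v for k, v in req.items() if k != "sig"}
    expected = call_mac(entry["key"], fields).encode()
    if not hmac.compare_digest(expected, str(req.get("sig")).encode()):
        return "reject: bad signature"
    if abs(now - req["ts"]) > MAX_SKEW:
        return "reject: stale timestamp"
    if req["nonce"] in SEEN:
        return "reject: replayed nonce"
    if req["chain"] != [entry["principal"], req["agent"]]:
        return "reject: broken authorization chain"
    if req["action"] not in entry["scope"]:
        return "reject: out of scope"
    for nonce, ts in list(SEEN.items()):   # drop nonces older than the window
        if now - ts > MAX_SKEW:
            del SEEN[nonce]
    SEEN[req["nonce"]] = req["ts"]
    return "accept"
```

The signature is checked before any other field is trusted, and the nonce is recorded only once the call is accepted, so rejected traffic cannot fill the replay cache.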
Security controls at every point information enters or exits the system.
Inline policy at every boundary. The advisory does not use the phrase “runtime governance” but the controls it describes are exactly that.
The implementation pattern: a policy engine that inspects every prompt before it leaves the network and every response before it enters. Classification by data sensitivity. Redaction by policy. Logging with identity attribution. Tamper-evident audit trail.
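The boundary pattern above as a small added example (not the advisory's text and not any vendor's code): text crossing the boundary is classified and redacted, and each crossing is written to an HMAC-chained audit record attributed to the calling agent. The rule patterns, record fields and key are constructed for illustration.

```python
import hashlib, hmac, json, re

AUDIT_KEY = b"constructed-audit-key"   # assumed: held by the log verifier, not by agents
# Assumed classification rules: label -> pattern for data that must not cross the boundary.
RULES = {"ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
         "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")}
GENESIS = "0" * 64

def inspect_text(text):
    """Classify and redact; returns (redacted_text, sorted labels found)."""
    labels = []
    for label, pattern in RULES.items():
        text, hits = pattern.subn(f"[REDACTED:{label}]", text)
        if hits:
            labels.append(label)
    return text, sorted(labels)

def record_mac(rec):
    body = {k: v for k, v in rec.items() if k != "mac"}
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, msg, hashlib.sha256).hexdigest()

def append_record(log, agent, direction, text):
    """Pass text through the boundary and chain an attributed audit record."""
    redacted, labels = inspect_text(text)
    rec = {"seq": len(log), "agent": agent, "dir": direction, "labels": labels,
           "digest": hashlib.sha256(redacted.encode()).hexdigest(),
           "prev": log[-1]["mac"] if log else GENESIS}   # link to the previous record
    rec["mac"] = record_mac(rec)
    log.append(rec)
    return redacted

def verify_chain(log):
    """Return the index of the first broken record, or -1 if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        ok = hmac.compare_digest(str(rec.get("mac")).encode(), record_mac(rec).encode())
        if rec.get("seq") != i or rec.get("prev") != prev or not ok:
            return i
        prev = rec["mac"]
    return -1
```

Deleting records from the end of the log leaves a shorter but still valid chain, so the latest MAC also needs to be anchored somewhere the log writer cannot modify.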
Human control points throughout the agent workflow.
Designated steps in the agent workflow where a human must approve before the agent continues. The advisory does not specify which steps, because the answer depends on the use case. The principle is that fully autonomous agent operation is incompatible with regulated deployment.
The implementation pattern: configurable approval gates. Trigger conditions tied to risk score, action type, target sensitivity, or budget threshold. Asynchronous approval workflows with cryptographic provenance preserved through the approval gate.
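An added example of such a gate (not from the advisory, which prescribes no thresholds): the four trigger conditions decide whether a human must approve, and the approval is bound to a digest of the exact action reviewed, so an approval cannot be reused for a modified action. Thresholds, field names and the approver key are assumptions, and an HMAC stands in for the approver's signature.

```python
import hashlib, hmac, json

APPROVER_KEYS = {"human:alice": b"constructed-approver-key"}   # assumed approver registry
# Assumed trigger thresholds, one per condition named in the text.
POLICY = {"risk_score": 0.7, "budget_usd": 10_000,
          "gated_actions": {"delete", "wire_transfer"},
          "gated_targets": {"prod", "pii"}}

def gate_reasons(action):
    """Return the trigger conditions this action hits (empty list = no approval needed)."""
    reasons = []
    if action["risk_score"] >= POLICY["risk_score"]:
        reasons.append("risk_score")
    if action["type"] in POLICY["gated_actions"]:
        reasons.append("action_type")
    if action["target"] in POLICY["gated_targets"]:
        reasons.append("target_sensitivity")
    if action["cost_usd"] > POLICY["budget_usd"]:
        reasons.append("budget")
    return reasons

def action_digest(action):
    return hashlib.sha256(json.dumps(action, sort_keys=True).encode()).hexdigest()

def approval_tag(approver, digest):
    return hmac.new(APPROVER_KEYS[approver], digest.encode(), hashlib.sha256).hexdigest()

def approve(approver, action):
    """Record a human decision, bound to the digest of the action as reviewed."""
    digest = action_digest(action)
    return {"approver": approver, "digest": digest, "tag": approval_tag(approver, digest)}

def may_execute(action, approval=None):
    if not gate_reasons(action):
        return True
    if approval is None or approval.get("approver") not in APPROVER_KEYS:
        return False
    digest = action_digest(action)   # recomputed from what is about to run
    want = approval_tag(approval["approver"], digest).encode()
    return approval.get("digest") == digest and hmac.compare_digest(
        want, str(approval.get("tag")).encode())
```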
What workflow platforms do not do
Microsoft Agent 365 and ServiceNow Action Fabric both went GA in early May 2026. Both are real governance products. Both address agent sprawl, agent registry, and workflow-level controls.
Neither product addresses the controls the joint advisory specifies.
Inline policy at every point information enters or exits the system is not what workflow platforms do. The workflow platform sits above the call between agent and model. The runtime layer sits in that call. They are different architectural positions.
This is not a critique of the workflow platforms. They are doing what they were built to do. They are not built to inspect the data path between an agent and a foundation model.
The advisory describes what is built to inspect that data path. The CISO reading the advisory is not going to satisfy these requirements by purchasing a workflow agent platform. The CISO is going to need a separate runtime governance product, integrated with the workflow platform, sitting in the call.
The procurement implications
Six national cyber agencies published a thirty-page procurement spec for the runtime plane.
Enterprises in critical infrastructure, defense, financial services, and healthcare can no longer argue they did not know what the controls should be. The advisory names them. The advisory cites authority. The advisory specifies architecture.
Three concrete implications for AI infrastructure procurement in the next twelve months:
First, the regulatory baseline just moved. Examiners at OCC, FINRA, FDA, EU AI Act conformity assessment bodies, and DoD authorization channels will reference this advisory as the current standard of practice. An enterprise that cannot show controls aligned to these recommendations is operating below the baseline that intelligence agencies just established.
Second, the workflow agent platforms become a partial answer, not a complete one. The CIO purchase of Microsoft Agent 365 or ServiceNow Action Fabric solves the agent sprawl and workflow integrity question. It does not solve the runtime plane question. The CISO purchase is separate.
Third, identity proofing at NIST IAL2/AAL2 becomes architecturally mandatory. The cryptographic anchoring of agent identity assumes a verified human principal at the source. Account-level identity that can be compromised by a credential phishing attack or fabricated by a state-sponsored remote worker pipeline is not sufficient. Biometric verification at enrollment with cryptographic session credentials becomes table stakes.
The advisory does not say APERION. It does not say any vendor. It describes the controls. The controls describe a category of product.
That category is the runtime plane. APERION builds at that layer.
Read the full Five Eyes advisory: Careful Adoption of Agentic AI Services - CISA.
The technical companion to this post: SmartFlow for Regulated Industries. How SmartFlow’s controls map to SR 11-7, FINRA 3110, FFIEC, EU AI Act, and the advisory’s recommended controls.
Tamper-evident audit logs: APERION Tamper-Evident Audit Logs technical brief. HMAC-chained verification with customer-runnable verifier.