AI/ML

Before Your Next AI Agent Acts: The Five-Control Readiness Test from the Five Eyes Guidance

Six Five Eyes agencies published agentic AI security guidance. Five controls, a 10-question readiness scorecard, and a weekly build list for deployers.

By Meetesh Patel

16 min read

If your company has deployed any AI agent, copilot, or automated assistant that takes actions without a human approving each one, your oversight model almost certainly doesn't match the speed at which the agent operates.

On April 30, 2026, six cybersecurity agencies across the Five Eyes alliance (the U.S., U.K., Canada, Australia, and New Zealand) published "Careful adoption of agentic AI services," 29 pages of operational guidance that treats AI agents as a separate risk class from chatbots and maps the controls companies need before agents act, not after something goes wrong.

Issue 04 of The Thursday Redline gave operators the short version: five controls, five owners, five concurrent records.

This article is the reference version. It explains why those controls matter, how they map to the Five Eyes guidance and the EU AI Act's deployer obligations, where the G7 SBOM for AI leaves the gap the Five Eyes guidance fills, and how to use the build list as a deployment-readiness test before your next agent acts.

Question Zero: Should This Agent Be Allowed to Act at All?

Before the five-control build list, there is a threshold question.

Should this agent be allowed to act at all?

If the task is sensitive, hard to reverse, low-value, or better handled by narrower automation, the safer answer may be no. The Five Eyes guidance is not an invitation to deploy agents and wrap controls around them later. It is a caution to decide where agentic AI belongs before it starts acting.

The five controls that follow are what a "yes" answer to Question Zero requires. Each control creates evidence. The readiness scorecard later in this article tests whether that evidence exists.

What Triggered the Agentic AI Control Push in 2026?

What Did the Six Agencies Actually Publish on April 30?

Six agencies, five governments: the Australian Signals Directorate's Australian Cyber Security Centre, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. National Security Agency (NSA), the Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre, and the U.K. National Cyber Security Centre. The guidance refers to them collectively as the authoring agencies.

The guidance distinguishes agentic AI from generative AI on four properties: tool use, memory, planning, and underspecified objectives. An agent doesn't just answer a prompt. It takes a goal, plans steps, calls external tools, reads and writes to systems of record, and executes without a human in front of each action. The Five Eyes treats that profile as a distinct risk class because the failure modes are different. A chatbot gives a bad answer. An agent takes a bad action.

The guidance organizes those failure modes into five risk categories: privilege risks (scope creep, identity spoofing, confused-deputy attacks where one agent inherits another's permissions without authorization), design and configuration risks (stale permissions, poor segmentation), behavior risks (goal misalignment, deceptive behavior, prompt injection), structural risks (cascading hallucination, rogue agents, compromised third-party components), and accountability risks (opaque delegation chains, invisible sub-agent actions, no single point of attribution).

The scenario on page 9 is illustrative. An update agent told to "apply the patch and clean up the firewall logs" dutifully deletes the firewall logs because its permissions allow it. The failure isn't the AI. The failure is that the AI had write access to the logs in the first place, and nothing checked the action against a scope boundary before it executed.

How Did the Digital Omnibus Change the EU AI Act Deadlines?

The May 7, 2026 Digital Omnibus on AI provisional agreement, the AI strand of the broader Digital Omnibus simplification package, changed the compliance timeline for high-risk AI systems.

Standalone high-risk systems under Annex III move from August 2026 to December 2027. High-risk AI embedded in regulated products under Annex I moves to August 2028. Article 50 transparency obligations tighten to December 2026.

Formal adoption and OJEU publication are still pending.

The legal duties are unchanged. Under the EU AI Act (Regulation (EU) 2024/1689), Article 14 requires effective human oversight by design, meaning the ability to intervene must be built into the system before deployment, not added later. Article 26 puts deployer obligations on the company running the system: use per the provider's instructions, assign a competent person for oversight, ensure input data relevance, monitor for serious risks, and retain logs for at least six months under Article 26(6). Article 72 requires post-market monitoring.

The deadlines moved. The build did not get shorter.

What Did the G7 SBOM for AI Leave Out, and Who Filled the Gap?

The G7 Cybersecurity Working Group's "Software Bill of Materials (SBOM) for Artificial Intelligence: Minimum Elements" (May 2026) considered and rejected "level of decision making or autonomy of an AI system" as a required element (p. 23). The group concluded that autonomy may be addressed differently across jurisdictions through safety requirements.

Less than two weeks earlier, the Five Eyes published 29 pages on precisely that gap. Page 18 of the Five Eyes guidance closes the loop, referencing CISA's SBOM minimum elements as the procurement-diligence standard for agentic AI third-party components. The two documents form a system: the G7 SBOM is the procurement-diligence list for AI components, and the Five Eyes guidance is the operational discipline for the systems whose components that SBOM describes. Together, they cover what to check before you buy and how to run what you've bought.

What Are the Five Controls a Deployed AI Agent Must Have?

If the answer to Question Zero is yes, the company needs five operational controls before the agent deploys. Each control produces a concurrent record. The readiness scorecard below tests whether the evidence exists.

The operating thesis behind all five controls is the velocity gap: an AI agent making hundreds or thousands of decisions per hour cannot be reviewed decision-by-decision by a human. The Five Eyes guidance names this explicitly: its human-in-the-loop requirement (p. 22) exists alongside a description of agents that "operate without continuous human intervention" (p. 4). The EU AI Act says the same thing differently: Article 14 requires human oversight "by design," not by downstream review queue.

If oversight exists only after the agent has acted, it isn't oversight. It's reconstruction. Joseph Desmond Cruel of LucidGrid, in a comment thread on Issue 03's LinkedIn post, put this cleanly: "If that human-in-the-loop record isn't concurrent, it's just a story told after the fact."

That is the test each control answers.

1. Stop authority. Who can halt the agent's next action, within seconds? The build is an agent-authority register naming the human stop-authority holder per agent, with a stop control wired to halt within a stated mean time to respond (Five Eyes p. 22; EU AI Act Article 14, Article 26(2)). The evidence is a timestamped log of every stop event fired, every stop event attempted, and every action the stop authority chose not to halt. The failure mode: manual stop authority on an agent making 10,000 decisions per hour is theater if it can't fire on the agent's timescale.

2. Agent identity. Does each agent have its own cryptographic identity, and does every action carry that identity? The build is per-agent credentials, mutual TLS (a protocol where both sides of a connection verify each other's identity cryptographically), and just-in-time credentials for high-impact calls (Five Eyes p. 15; NIST SP 800-207, the NIST zero-trust architecture standard). The evidence is an action log where every entry names the agent's identity, not a shared service account. The failure mode: post-incident, the log reads "service-account-x performed 47 actions" with no attribution. The diligence answer becomes a story instead of a record.

3. Scope enforcement. What is each agent allowed to do, and is every action checked against that list before execution? The build is a per-agent allow list of tools, APIs, and data scopes, with default-deny for anything off the list (Five Eyes p. 18; EU AI Act Article 26(1)). The evidence is an enforcement log of every allow and deny decision, tied to the rule that fired. The failure mode: broad write access granted "for productivity" turns a prompt injection or vendor swap into broad damage with no per-call check to prevent it.

4. Drift detection. Can you detect goal drift, identity drift, or scope creep before the next action, not after the incident? The build is a monitoring layer with anomaly detection on identity changes, privilege changes, goal drift, and tool calls outside expected patterns (Five Eyes pp. 21-22; EU AI Act Article 26(5), Article 72; NIST AI RMF Manage). The evidence is anomaly events with time-to-detection and time-to-halt, retained at least six months under Article 26(6). The failure mode: logs capture user prompts and final outputs but miss the inter-agent step that caused the harm. At 10,000 decisions per hour, the monitoring layer is the oversight, not the review queue downstream.

5. Rollback. Can you roll the agent back to a known-good version, and is every rollback documented? The build is versioned deployments with a rollback playbook executable within a stated recovery time (30 minutes for high-impact agents) and fail-safe defaults on uncertain inputs (Five Eyes pp. 17, 20; EU AI Act Article 26(5)). The evidence is rollback events with cause, scope, recovery time, and the named human who approved them. The failure mode: when behavior degrades, the only option is full vendor-side intervention measured in days, with no internal record of what changed.

A company that has not started can usually build the first version in a week: register the agents, assign stop authority, issue identities, define scope, and test rollback. A company that already has controls but no records should budget longer because it has to instrument the evidence layer, not just document the policy.

The Five Eyes guidance is voluntary. It carries no direct enforcement mechanism. But for companies deploying high-risk AI systems under the EU AI Act, these controls map directly to binding duties under Articles 14, 26, and 72, with the Annex III standalone deadline now set at December 2027 under the May 7 political agreement. For companies raising capital, they map to the diligence questions investors and board members are already asking about AI governance posture. The guidance is voluntary. The obligations it maps to are not.

Is Your AI Agent Ready to Deploy? A 10-Question Test

The five controls above explain what has to exist. This 10-question scorecard turns those controls into a yes-or-no deployment decision for each AI agent in your organization.

For each agent, answer yes or no:

  1. Is this task appropriate for an agent, rather than narrower automation?
  2. Is the agent listed in a register with owner, vendor, access scope, and decision velocity?
  3. Is a human stop-authority holder named?
  4. Can the stop fire on the agent's timescale?
  5. Does the agent have its own identity?
  6. Is every action checked against an allow list before execution?
  7. Does monitoring capture inter-agent steps, not just prompts and outputs?
  8. Is rollback tested and documented?
  9. Are vendor terms, audit rights, and termination rights stored with the contract file?
  10. Is the evidence produced concurrently, not reconstructed later?

8-10 yes answers: deployment-ready for controlled use.

5-7 yes answers: limited pilot only. Build the missing controls before expanding scope.

0-4 yes answers: do not deploy as an agent yet. Start with the safer workflow.

Who Is Responsible for These Controls at Your Company?

For Founders

For many 50-person companies, the first version is a week of engineering and operations work. The longer you wait, the more agents accumulate without a register, an owner, or a stop authority. The diligence question from your next investor round is no longer "do you use AI" but "show me who owns each agent, what each one can access, and how fast you can shut it down." The build list is cheaper to ship now than to reconstruct under diligence pressure later.

For Business Owners and Operators

The operational gap is not "we need an AI governance program." It's that your existing zero-trust posture stops at human users and never extended to non-human actors. Each agent is a non-human principal that needs its own identity, scoped permissions, observability, and a kill switch that fires at its pace. If your IT lead can't produce the agent register by Friday, that's the first signal that the controls are missing.

For Investors and Boards

The readiness scorecard maps to diligence questions you should already be asking portfolio companies and management teams. A company that scores 8-10 with artifacts, not explanations, has concurrent oversight. A company that scores 0-4 has reconstruction, or nothing at all. That difference shows up in incident response, insurance renewal, and regulatory examination.

What Should You Do This Week?

  1. Build the agent register. One page: every AI agent, copilot, and automated assistant, listed by name, vendor, scope of access, deployer, stop authority, and decision velocity.
  2. Name stop authority. One human per agent, ratified by the CEO at the next leadership meeting. If no one owns the stop, the agent comes off the register.
  3. Split agent identities from shared service accounts. Any agent without its own cryptographic identity gets paused until one is issued.
  4. Cut broad write access. Default-deny with explicit allow lists for permitted tools, APIs, and data scopes. Broad access granted for convenience is the attack surface the Five Eyes guidance targets first (p. 18).
  5. Instrument inter-agent logs. Capture tool calls, delegation chains, and intermediate decisions, not just user prompts and final outputs.
  6. Test rollback. Document the playbook, execute it once, and record the recovery time. Thirty minutes for high-impact agents is the working target.
  7. Open the vendor agreement. Read indemnification, audit rights, and termination for cause against the Five Eyes procurement-diligence list (p. 18) and the G7 SBOM minimum elements. Save the vendor's current terms of service alongside the contract file.

Frequently Asked Questions

Does the Five Eyes agentic AI guidance apply to my company?

The Five Eyes guidance is voluntary, not a binding regulation. It applies to any organization deploying AI agents, copilots, or automated assistants that take actions without a human approving each one. If your company uses AI tools that call external APIs, write to systems of record, or execute multi-step workflows without per-action human approval, the guidance treats those tools as agentic AI and the five-control framework applies. Company size does not determine applicability; deployment pattern does.

What is the difference between the Five Eyes agentic AI guidance and the EU AI Act?

The Five Eyes guidance (April 30, 2026) is voluntary operational guidance from six cybersecurity agencies across five governments. The EU AI Act (Regulation (EU) 2024/1689) is binding law with enforceable deadlines. The Five Eyes guidance describes five operational controls for agentic AI. The EU AI Act's Articles 14, 26, and 72 impose deployer obligations that map to those same controls: human oversight by design, competent oversight personnel, input data relevance, risk monitoring, and log retention for at least six months. The controls are the same work; the enforcement mechanism differs.

How long does it take to build the five-control framework?

For a company starting from scratch, the first version of the five-control framework can typically be built in about a week: register the agents, assign stop authority, issue identities, define scope, and test rollback. Companies that already have some controls in place but lack concurrent records should budget longer because they need to instrument the evidence layer, not just document the policy.

When is the EU AI Act high-risk deadline after the May 2026 Omnibus?

The May 7, 2026 Digital Omnibus on AI provisional agreement moved the high-risk AI compliance deadline for standalone systems under Annex III from August 2026 to December 2027. High-risk AI embedded in regulated products under Annex I moves to August 2028. Article 50 transparency obligations tighten to December 2026. Formal adoption and OJEU publication are still pending, so the revised dates are contingent on final adoption.

What should I do first if my company has AI agents running today?

Build the agent register. List every AI agent, copilot, and automated assistant by name, vendor, scope of access, deployer, stop authority, and decision velocity. If no one in your organization can name who has stop authority over each agent, that's the first gap to close. The Five Eyes guidance and the EU AI Act both require that a named human can halt an agent's actions at the speed the agent operates, not after the fact.

Closing Perspective

Agentic AI security is not a new discipline. It's an existing one that most companies haven't finished building. The Five Eyes guidance says this in the introduction (p. 7) and again in the conclusion (p. 25): the work folds into zero trust, identity and access management, continuous monitoring, and incident response. The gap for most companies is that their security posture was designed for human users and never extended to agents that decide at machine speed.

What I keep coming back to is how small the actual build is and how few companies have done it. A 50-person company can often ship the first version in a week. The hard part isn't the engineering. The hard part is the first conversation where someone asks, "Who can stop this agent?" and no one in the room knows the answer.

If formal adoption confirms the revised timeline, the Annex III high-risk deadline moves to December 2027. The build list stays the same whether you ship it on your own timeline or on a regulator's.

This article is for informational purposes only and does not constitute legal advice. Every company's situation is different, and you should consult with qualified legal counsel before making compliance decisions based on the developments discussed here.

Sources

  • Five Eyes joint guidance: Australian Signals Directorate's Australian Cyber Security Centre, U.S. Cybersecurity and Infrastructure Security Agency, U.S. National Security Agency, Canadian Centre for Cyber Security, New Zealand National Cyber Security Centre, and U.K. National Cyber Security Centre, "Careful adoption of agentic AI services," April 30, 2026.
  • G7 SBOM for AI: G7 Cybersecurity Working Group, "Software Bill of Materials (SBOM) for Artificial Intelligence: Minimum Elements," May 2026.
  • EU AI Act: Regulation (EU) 2024/1689, Articles 14, 26, and 72, and Annex III; Article 113 phased application.
  • Digital Omnibus on AI: Council of the European Union, "Artificial Intelligence: Council and Parliament agree to simplify and streamline rules" (Digital Omnibus on AI provisional agreement, the AI strand of the broader Digital Omnibus simplification package), May 2026.
  • NIST AI RMF: National Institute of Standards and Technology, "AI Risk Management Framework (AI RMF 1.0)," January 2023.
  • NIST Zero Trust: National Institute of Standards and Technology, Special Publication 800-207, "Zero Trust Architecture," August 2020.
  • CISA SBOM: Cybersecurity and Infrastructure Security Agency, "2025 Minimum Elements for a Software Bill of Materials (SBOM)," August 2025.
More from SparkPoint

AI/ML

Colorado Just Killed Its Own AI Law. Should You Stop Complying With State AI Rules?

Colorado's AI Act lasted one month. On February 1, the state's sweeping algorithmic discrimination law took effect, requiring risk assessments and impact statements for high-risk AI systems.

4 min read

AI/ML

Your CFO Just Called to Approve a Wire Transfer. It Wasn't Your CFO.

Deepfake fraud losses hit $1.1B in 2025. One company lost $25.6M from a single AI-generated video call. Here's the 6-point verification protocol every company needs.

4 min read

AI/ML

Your AI Claims Could Be Securities Fraud. The SEC Just Made That Very Clear.

In 18 months, the SEC escalated from $400K fines to parallel criminal prosecutions for AI misrepresentation. Here's where the line is.

11 min read

View all SparkPoint articles
Related Practice and Industry

Where this work sits in the firm.

Practice

AI Governance

AI compliance, vendor terms, and board reporting.

Practice

IP Strategy

Protect and grow IP assets.

Industry

AI and Machine Learning

Structuring AI product and deployment.
Contact

If this touches the work in front of you, start a conversation.

Send a short note about what changed, what you are building, and where legal judgment needs to sit closer to the work.

Contact Consilium Law

Disclaimer. This article is provided for informational purposes only and does not constitute legal advice. Readers should consult independent counsel before acting on any analysis. The views expressed are solely those of the author and do not necessarily reflect the views of Consilium Law LLC.