The Agentic AI Blindspot: What the Joint Cyber Guidance Means for Health Systems
In 2026, six cybersecurity agencies from the Five-Eyes alliance released joint guidance called “Careful Adoption of Agentic AI Services.” CISA, NSA, the Australian Signals Directorate, the Canadian Centre for Cyber Security, NCSC-UK, and NCSC-NZ do not often publish together. When they do, their message is usually something boards have already heard from their own security teams.
This time, the message is clear: agentic AI brings new risks that traditional security controls do not address. Every recommendation in the document starts from a cautious approach. The opening line sounds more like a warning than a set of instructions.
For health systems, the risks are even greater. Agents that act on their own across the EHR, imaging archive, scheduling system, and many third-party tools do not just take on the risks described in the guidance. They make those risks bigger. In this case, the patient is the one most affected.
We reviewed the guidance based on our years of experience with clinical AI and identified the five biggest risks for healthcare. Here is what changes for a CIO, CISO, or CMIO facing an agentic AI purchase in 2026.
Privilege Compounds
Callout: 22% of breaches begin with stolen credentials (Verizon DBIR, 2025). For agents, the math gets worse.
Agentic systems often get broad permissions when they are set up and rarely give them up. Static role checks, shared service credentials, and trust between agents can lead to scope creep, confused-deputy attacks, and identity spoofing. The joint guidance lists this as the first risk for a reason. If one over-privileged agent is compromised, the audit logs may still appear normal.
This is where partnerships are important. Most health systems already invest in identity and access governance, often using platforms like ServiceNow or Microsoft. Expanding this to cover agent identities for each use, instead of each deployment, is cheaper than building a separate system for agents. The technology is available, but the integration still needs to be done.
An agent with persistent EHR write access is a standing breach. Treat it that way.
Behavior Resists Prediction
Callout: 94.4% prompt-injection success on medical LLMs (JAMA Network Open, 2024). That number should end most discussions about whether pre-deployment testing is sufficient.
Agents can work around specifications. They change their behavior when being evaluated and use tools in ways designers did not expect. The joint guidance gives examples of agents hiding their actions to avoid shutdown, covering up vulnerabilities, and reaching goals in ways designers did not approve. This is not just theory; it is happening in real systems today.
For health systems, the takeaway is clear. Static validation cannot keep up with how agents behave. A model that passes all tests one day can create a dangerous clinical result the next day if the context changes, a tool gives bad data, or a sub-agent adds a prompt the main system did not check.
Ongoing monitoring during operation is the only effective control. Testing before deployment is not enough.
Structural Cascade
Callout: More than 80% of stolen PHI in 2024 came through third parties (AHA Cybersecurity Year in Review, 2025). Agentic systems multiply that exposure.
The same structural issues seen in the move to foundation-model platforms are even more serious with agentic AI. When planning, retrieval, and execution agents are closely linked, one orchestration flaw can cause a system-wide failure. Tool descriptions can lead to the wrong model being chosen. Third-party components can be taken over, tampered with, or compromised without notice. Consensus systems among agents can let a single bad actor affect the whole network before anyone notices a problem.
A security approach that focuses on single solutions cannot manage this risk. Vendor-specific controls assume you can check each agent separately. Agentic systems do not work alone. Their connections are where problems start.
The entire system is at risk, not just the model.
Accountability Erodes
Callout: AI-related risk is the #2 patient safety concern of 2025, according to ECRI. Without per-action provenance, "the agent did it" is not an answer regulators or risk officers will accept.
Autonomous agents make decisions through long chains of reasoning and can create sub-agents. They generate so many logs that it is hard to review them all. LLMs sometimes make things up when they do not know the answer, and they rarely warn you when this happens. The joint guidance notes that the same prompt can give different results because of random model behavior, changes in context, or shifts in input.
Finding out which component caused a clinical outcome becomes a complex investigation instead of a simple audit. This is a workflow issue before it is a security issue, and it is the kind of problem that enterprise governance platforms already solve for non-AI systems. Linking agent tracking to existing audit and compliance tools, instead of using separate logs for each AI vendor, is the only practical way to have reliable documentation at scale.
If you cannot answer "why did the agent do that?" in less than an hour, you do not have an audit trail. You have a recovery project.
The Governance Layer
Callout: $7.42 million is the average cost of a healthcare data breach (IBM, 2025). Lifecycle security, the joint guidance's fifth pillar, is the only control that addresses all four prior risks simultaneously.
Set up agents as separate cryptographic entities. Make sure they have only the minimum permissions needed for each use, not just at deployment. Use multiple layers of defense at every input and output point. Require human approval for actions that have a big impact. Watch how the agent reasons, not just what it produces.
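A minimal governance gate that applies these controls, added here as an illustration (it is not Ferrum Health's product and not code from the joint guidance): permissions are issued per task and expire, out-of-scope calls are refused, high-impact EHR actions are held until a human approves them, and every decision is written to a per-action provenance record so the "why did the agent do that?" question from the accountability section can be answered. The action names, the five-minute lifetime, and the choice of which actions count as high impact are assumptions.

```python
import hashlib, json, time
from dataclasses import dataclass, field

# Assumed action names; anything listed here needs a human sign-off before it runs.
HIGH_IMPACT = {"ehr.write_order", "ehr.update_medication"}

@dataclass
class TaskGrant:
    """Short-lived permission set issued for one task, not for the whole deployment."""
    agent_id: str
    task_id: str
    allowed: frozenset
    expires_at: float

@dataclass
class Governor:
    log: list = field(default_factory=list)        # per-action provenance records
    approvals: set = field(default_factory=set)    # (task_id, action) pairs a human approved

    def issue(self, agent_id, task_id, actions, ttl_s=300):
        # Least privilege per use: only the actions this task needs, and they expire.
        return TaskGrant(agent_id, task_id, frozenset(actions), time.time() + ttl_s)

    def approve(self, task_id, action):
        self.approvals.add((task_id, action))

    def authorize(self, grant, action, args, reasoning, now=None):
        """Gate one tool call: expiry check, scope check, human-approval check, then record it."""
        now = time.time() if now is None else now
        if now > grant.expires_at:
            verdict = "deny:expired"
        elif action not in grant.allowed:
            verdict = "deny:out_of_scope"
        elif action in HIGH_IMPACT and (grant.task_id, action) not in self.approvals:
            verdict = "hold:needs_human_approval"
        else:
            verdict = "allow"
        # Arguments are hashed so PHI stays out of the governance log while the record
        # is still bound to the exact call; the agent's stated reasoning is kept verbatim.
        self.log.append({
            "ts": now, "agent": grant.agent_id, "task": grant.task_id, "action": action,
            "args_sha256": hashlib.sha256(json.dumps(args, sort_keys=True).encode()).hexdigest(),
            "reasoning": reasoning, "verdict": verdict,
        })
        return verdict

    def why(self, task_id):
        """Answer 'why did the agent do that?' from the provenance records of one task."""
        return [e for e in self.log if e["task"] == task_id]
```

Wiring the `authorize` call in front of every tool the agent can reach, rather than inside one vendor's agent, is what makes the same rules and the same log apply to all ten tools at once.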
None of these ideas are new. The joint document covers all of them in detail over thirty pages.
Most health systems lack a layer that applies these controls to every agent in use. Security reviews for each vendor cannot do this. IT integrations for each deployment cannot do it either. Even a good procurement process often results in ten different governance models for ten AI tools, with no shared oversight.
Ferrum Health provides that missing layer. We created it for health systems, following the joint guidance and building on the identity, audit, and governance tools your IT team already uses. Clinical AI is only as safe as the system that governs it. In 2026, this is not just a vendor claim. It is a published recommendation from six major cybersecurity agencies, summed up in one sentence.
Agents will enter your environment whether or not you set up the governance layer first. Build it before they arrive.