The news
CISA, the NSA, and cybersecurity agencies from four allied nations jointly published guidance Friday on the safe deployment of agentic AI — systems that can plan, take actions, and execute multi-step tasks without human sign-off at each stage. The document identifies five categories of risk: over-permissioned access, design flaws, unpredictable behavior, cascading failures across connected agents, and accountability gaps when something goes wrong. The agencies' core message: apply your existing security frameworks — zero trust, least-privilege, defense-in-depth — don't wait for a new discipline to emerge.
Our take
This guidance was written for critical infrastructure and defense. But the risk categories it identifies map almost perfectly onto what GTM teams are building right now.
Take privilege. Marketing ops teams spinning up AI agents to update CRM records, enrich contacts, or trigger outreach sequences are routinely granting those agents far broader access than the task actually requires. "Give it read/write on the CRM" is the path of least resistance. It's also how a misconfigured agent trashes a year's worth of lead data in an afternoon.
Behavioral risk is the one that blindsides teams the most. An agent pursuing its goal — say, "enrich and route this lead" — will find paths its builder never anticipated. An agent will technically complete its task while skipping the validation logic entirely, because nothing explicitly stops it. The output looked right. The downstream data was wrong for months.
The accountability gap is where agentic GTM workflows get genuinely scary. Unlike a broken Zap that fails loudly, a misbehaving agent often fails quietly — writing bad data, routing leads incorrectly, or firing sequences on the wrong segment. The logs exist, but they're not the kind marketing ops is used to reading.
The agencies' recommendation — fold agents into existing governance structures, don't treat them as a separate category — is the right call. For GTM teams, that means before you deploy an agent, you should be able to answer: What does it have access to? What happens if it does something unexpected? Who gets the alert, and how fast?
Most teams building agent workflows right now cannot answer those questions. That's the problem.
So now what?
Before shipping any GTM agent into production, run it through this short checklist:
- Least privilege: Does this agent need write access, or will read + a human confirmation step work?
- Failure mode: If it goes sideways, what's the blast radius? CRM records? Live sequences? Billing data?
- Audit trail: Can you replay what the agent did and why — in terms your ops team can actually read?
- Kill switch: Is there a way to pause or roll back the agent without an engineer on call?
Agents that can't pass this checklist aren't ready for production. They're ready for a sandbox.
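The four checklist items can be enforced mechanically rather than only asked about before launch. The Python below is an added example, not code from the newsletter or from the CISA/NSA guidance: it wraps an agent's CRM calls in a policy gate where reads pass on their own, writes require a confirmation hook and count against a per-run budget, every decision is logged with the agent's stated reason so ops can replay it, and a `paused` flag stops the agent while `rollback()` undoes its writes. The in-memory CRM, the `reviewer` hook, the lead records and the agent's actions are all constructed stand-ins.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


class AgentPaused(Exception):
    """Raised when the kill switch is engaged."""


class ActionDenied(Exception):
    """Raised when policy or the human reviewer refuses an action."""


@dataclass
class Action:
    op: str                      # "read" or "write"
    record_id: str
    payload: Optional[dict] = None
    reason: str = ""             # the agent's own justification, kept for replay


@dataclass
class PolicyGate:
    crm: dict                                  # constructed in-memory CRM stand-in
    confirm: Callable[[Action], bool]          # human confirmation hook for writes
    max_writes: int = 5                        # blast-radius budget per run
    paused: bool = False                       # kill switch, flippable by ops
    audit: list = field(default_factory=list)  # audit trail, one entry per decision
    _writes: int = 0
    _undo: list = field(default_factory=list)  # (record_id, state before write)

    def _log(self, action: Action, decision: str, why: str) -> None:
        self.audit.append({"op": action.op, "record": action.record_id,
                           "agent_reason": action.reason,
                           "decision": decision, "why": why})

    def execute(self, action: Action):
        if self.paused:
            self._log(action, "blocked", "kill switch engaged")
            raise AgentPaused(action.record_id)
        if action.op == "read":
            # Least privilege: reads are the only thing the agent gets unprompted.
            self._log(action, "allowed", "read is within the agent's grant")
            return self.crm.get(action.record_id)
        if action.op != "write":
            self._log(action, "blocked", f"unknown operation {action.op!r}")
            raise ActionDenied(action.op)
        if self._writes >= self.max_writes:
            # Failure mode: a write burst past the budget trips the kill switch.
            self.paused = True
            self._log(action, "blocked", "write budget exhausted; agent paused")
            raise ActionDenied("budget")
        if not self.confirm(action):
            self._log(action, "blocked", "human reviewer declined")
            raise ActionDenied("declined")
        before = dict(self.crm.get(action.record_id, {}))
        self._undo.append((action.record_id, before))
        self.crm.setdefault(action.record_id, {}).update(action.payload or {})
        self._writes += 1
        self._log(action, "allowed", "human reviewer confirmed")
        return self.crm[action.record_id]

    def rollback(self) -> int:
        """Undo this run's writes, newest first; returns how many were reverted."""
        n = 0
        while self._undo:
            rid, before = self._undo.pop()
            self.crm[rid] = before
            n += 1
        self._writes = 0
        return n

    def replay(self) -> list:
        """Audit trail in plain language, one line per decision."""
        return [f"{e['decision']}: {e['op']} {e['record']} because {e['why']}"
                f" (agent said: {e['agent_reason']!r})" for e in self.audit]


def reviewer(action: Action) -> bool:
    """Stand-in for the human confirmation step (hypothetical policy): only
    owner reassignment is pre-approved, and blanking any field is refused."""
    payload = action.payload or {}
    if any(v in ("", None) for v in payload.values()):
        return False
    return set(payload) <= {"owner"}


def run_demo() -> PolicyGate:
    """Constructed run of an 'enrich and route this lead' agent through the gate."""
    crm = {"L-1": {"email": "lead@example.com", "owner": "unassigned"}}
    gate = PolicyGate(crm=crm, confirm=reviewer, max_writes=2)
    gate.execute(Action("read", "L-1", reason="inspect lead before routing"))
    gate.execute(Action("write", "L-1", {"owner": "rep-42"}, reason="route to rep"))
    for risky in (Action("write", "L-1", {"email": ""}, reason="dedupe"),
                  Action("write", "L-1", {"owner": "rep-43"}, reason="rebalance"),
                  Action("write", "L-1", {"owner": "rep-44"}, reason="rebalance again")):
        try:
            gate.execute(risky)
        except ActionDenied:
            pass                # declined or over budget; the audit log says which
    try:
        gate.execute(Action("read", "L-1", reason="re-check"))
    except AgentPaused:
        pass                    # budget trip already engaged the kill switch
    return gate


if __name__ == "__main__":
    g = run_demo()
    print("\n".join(g.replay()))
    print("reverted", g.rollback(), "write(s); owner is now", g.crm["L-1"]["owner"])
```

Running `run_demo()` shows the four checks in one pass: the read is allowed, the owner reassignment is confirmed, the write that blanks the e-mail is declined, the third write overruns the budget and pauses the agent, and the final read is refused by the kill switch. `replay()` gives ops a trail they can read without parsing raw request logs, and `rollback()` restores both overwritten records.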
---