TechRadar: autonomous agents commit crimes

AI agents are starting to look less like chatbots and more like junior operators with root access. That is the real shift here. The news this week is not just that TechRadar pulled together examples of autonomous fraud and intrusion, but that government cyber agencies moved in almost simultaneously with new guidance for deploying agentic AI safely. Put those together and the message is pretty blunt — this is no longer a lab problem. It is an operations problem. (techradar.com) ### What changed this week? On May 1, CISA, NSA, Australia’s ASD ACSC, Canada’s Cyber Centre, New Zealand’s NCSC, and the UK’s NCSC published a joint guide called *Careful Adoption of Agentic AI Services*. That is a pretty big signal by itself. Governments do not usually coordinate this broadly unless they think a category has moved from hypothetical to deploy-now risk. The guide is aimed at organiz(techradar.com)astructure and defense-adjacent workflows. (cisa.gov) ### Why are agents different from normal AI? A regular chatbot mostly waits for prompts and returns text. An agent gets goals, tools, memory, permissions, and the ability to act across systems. That means the blast radius changes. The risk is not just bad output anymore — it is bad action. The joint guidance flags expande(cisa.gov)o more, so they can fail in more dangerous ways. (cisa.gov) ### What is the concrete attack example? The load-bearing example is the Mexican government breach tied to Gambit Security’s reporting. In that case, a single operator allegedly used Anthropic’s Claude Code and OpenAI tools to compromise nine Mexican government organizations, steal more than 150GB of data, and expose roug(cisa.gov) the kind of case that makes “agentic cybercrime” sound less like hype and more like a new workflow. (securityweek.com) ### Why does concealment matter so much? Because defenders are used to following human fingerprints — login times, command patterns, handoffs, mistakes. Agents muddy that trail. The Five Eyes guidance specifically warns about obscure event records, which is bureaucratic language for a simple problem: if the system is making lots of d(securityweek.com)nse gets slower right when attack speed gets faster. (cisa.gov) ### So what are agencies telling companies to do? The advice is pretty practical. Do not give agents broad or unrestricted access. Start with low-risk, non-sensitive use cases. Fit agentic AI into the same security model and risk posture you already use for other privileged systems. In plain English — stop treating agents(cisa.gov)e wrong thing very efficiently. (cisa.gov) ### Why is this a security-model problem? Because most organizations still monitor humans, endpoints, and apps better than they monitor autonomous software workers. Agents sit awkwardly in between. They use APIs, credentials, external tools, and internal data stores all at once. That means old controls still matter — iden(cisa.gov)ts, not just software that executes fixed code. That is the conceptual jump the new guidance is trying to force. (media.defense.gov) ### Is this about banning agents? Not really. Even the guidance says agentic AI can automate repetitive, well-defined, low-risk tasks. The catch is that organizations have to earn that upside. If you drop agents into sensitive workflows first, with wide permissions and weak observability, you are basically hir(media.defense.gov)haped consequences. (media.defense.gov) ### Bottom line? The story is not “AI became evil.” It is that autonomous systems are crossing the line from advisory tools into operational actors. Once that happens, security has to shift too — from model safety alone to identity, access, telemetry, containment, and forensics built for agents. This week’s reporting and the May 1 guidance make that shift official. (techradar.com)