In late winter, two developments arrived within weeks of each other. Amazon expanded its Health AI agent, integrated with One Medical, to over 200 million Prime members, giving the system autonomous authority to interpret lab results, manage appointments, and support prescriptions around the clock, without a clinician involved in every routine interaction. That same week, a Booz Allen Hamilton threat report found that the average time for an attacker to gain initial access and begin moving laterally across a network had dropped to under 30 minutes, with the fastest cases measured in seconds.
These two developments represent two curves that have now crossed, and the space between them is, for the moment, largely ungoverned.
Agentic AI, software that does not merely respond to queries but takes autonomous actions, makes decisions, and initiates processes on behalf of organizations, has moved from pilot programs to operational infrastructure in little over a year.
In healthcare, AI agents are embedded in clinical decision support, patient routing, lab results interpretation, and medication management. In financial services, they handle fraud detection, loan origination approvals, and real-time trading decisions. In industrial and operational technology environments, AI systems are managing energy distribution, manufacturing process controls, and facility operations. Google’s AlphaEvolve agent, which recovered 0.7 percent of Google’s worldwide computing resources and sped up a critical Gemini infrastructure component by 23 percent, illustrates the pattern at its most consequential: AI is now optimizing the very systems it runs on.
Healthcare, financial services, and energy are among the 16 critical infrastructure sectors designated under the DHS framework. When AI agents become embedded in the operational layer of those sectors, when they shift from tools that humans use to systems that act on behalf of organizations, the security model changes in ways that current frameworks are still working to absorb.
A compromised AI agent inside a hospital’s clinical workflow is not a traditional malware incident. It is a corrupted decision-maker operating inside critical infrastructure. An attacker does not necessarily need to breach the underlying network. They need to reach the agent. In some cases, they do not need to reach it at all: by embedding malicious instructions in content the agent is processing, through a technique called prompt injection, they can induce the agent to take harmful autonomous actions. That vector is no longer theoretical.
In September 2025, Anthropic publicly documented the first large-scale cyberattack in which an AI system executed the majority of the operation autonomously. A Chinese state-sponsored group used Claude Code, Anthropic’s AI coding agent, to infiltrate approximately 30 global targets spanning financial institutions, government agencies, large tech companies, and chemical manufacturers.
The attackers manipulated Claude by disguising the operation as legitimate cybersecurity testing, inducing the agent to map network topology, identify high-value systems, and conduct lateral movement, along with other activities spanning the rest of the attack chain, without sustained human involvement. Anthropic detected and disrupted the campaign, banned the accounts, and shared findings with authorities. The operation succeeded because the agent itself performed the reconnaissance and intrusion work that previously required sustained human effort.
Booz Allen Hamilton’s March 2026 threat report puts the timeline dimension in precise terms. Average attacker breakout time dropped to under 30 minutes in 2025, down from days, weeks, or months in prior years, with the fastest measured cases completed in seconds. Adversaries are using AI to automate reconnaissance, accelerate vulnerability identification, craft social engineering at scale, and execute lateral movement before most security operations centers have completed initial triage. Cloudflare’s concurrent threat intelligence report found adversaries increasingly weaponizing legitimate cloud services, identity tokens, and APIs, turning the trusted infrastructure organizations pay for into the attack vehicle itself.
Defensive operations still run on human timelines: days to detect, days to remediate, weeks to patch. When the target is a traditional IT system, that gap is severe but manageable with the right investment. When the target is an AI agent with access to patient records, treatment protocols, financial transaction logic, or industrial control parameters, the consequences of that gap extend beyond data loss to physical outcomes. HiddenLayer’s 2026 AI Threat Landscape Report found that one in eight reported AI breaches is now linked to agentic systems. The vulnerabilities specific to agents, including injected malicious inputs, tool misuse, privilege escalation, memory poisoning, and cascading failures across interconnected agent networks, do not map cleanly onto existing intrusion detection frameworks. An agent taking harmful autonomous actions can look indistinguishable from an agent doing its job until the outcome is apparent. The attack surface agentic AI creates is not just larger than the one traditional software created. It is structurally different.
The federal government has moved to engage this problem seriously. In November 2024, DHS published a Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure, the first framework of its kind, addressing all 16 critical infrastructure sectors across five stakeholder roles and three vulnerability categories: attacks using AI, attacks targeting AI systems, and AI design and implementation failures. In December 2025, CISA and international partners from six allied nations released joint guidance on the secure integration of AI in operational technology environments, with specific attention to the risks posed by AI agents deployed in systems that directly control physical processes. Both documents reflect genuine analytical work on a technically complex, rapidly evolving problem, and both provide a meaningful foundation for what comes next.
The harder challenge is structural. A GAO assessment released in December 2024 found that DHS’s risk assessment guidance for critical infrastructure sectors did not yet fully address both the probability and the potential harm of AI-related attacks, the two dimensions any operational risk model needs to generate actionable guidance. GAO recommended that DHS update its guidance to close that gap. DHS agreed with the recommendation and has committed to providing additional guidance addressing the remaining gaps. That work is underway. The broader question that policymakers, sector regulators, and critical infrastructure operators are working through is what follows voluntary frameworks in the highest-consequence sectors, and how quickly the gap between deployment pace and governance capacity can be closed. AI deployment moves at market speed. Governance, by design, moves more deliberately. In most sectors, that gap resolves through iterative policy development. In critical infrastructure, the stakes of the interim period are higher, and the urgency is correspondingly greater.
Three changes would substantially reduce the risk within existing policy authority, without waiting for comprehensive legislation, which will take time. First, DHS and CISA should move from voluntary guidance to mandatory minimum security requirements for AI agents deployed in critical infrastructure. Those requirements should include, at minimum, prompt injection protections, documented human-override mechanisms for consequential decisions, audit logging for all autonomous agent actions, and isolation architecture that limits the blast radius when an agent is compromised. The existing frameworks provide the conceptual foundation. The next step is giving that foundation operational force.
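The four controls named above (least-privilege isolation, human override for consequential decisions, complete audit logging, and a defense against instructions injected through content the agent processes) can be expressed as a single policy gate that sits between an agent and its tools. The following is an added illustration, not code from the article or from any vendor it mentions; the agent roles, tool names, and the rule that arguments derived from untrusted content must be re-approved before reaching a tool with side effects are all constructed assumptions. The hash-chained audit log addresses the point made earlier that a compromised agent's actions look like ordinary work until the outcome is visible: every decision, including denials, is recorded in a form that a reviewer can verify was not altered afterwards.

```python
"""Policy gate for an AI agent's tool calls (constructed example, not from the article)."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical per-role allowlists: an agent only gets the tools its job needs,
# which bounds the blast radius if that one agent is compromised.
ALLOWED_TOOLS = {
    "scheduling-agent": {"read_calendar", "book_appointment", "send_reminder"},
    "lab-agent": {"read_lab_result", "flag_for_clinician", "update_chart"},
}
# Hypothetical: actions consequential enough to always need a documented human sign-off.
CONSEQUENTIAL_TOOLS = {"update_chart", "book_appointment"}
# Hypothetical: every tool that changes state or sends something outside the agent.
SIDE_EFFECT_TOOLS = CONSEQUENTIAL_TOOLS | {"send_reminder", "flag_for_clinician"}


@dataclass
class ToolRequest:
    agent: str
    tool: str
    args: dict
    # Names of arguments whose values came from external content the agent read
    # (documents, emails, web pages): the channel a prompt injection would use.
    tainted_args: set = field(default_factory=set)
    approval_id: Optional[str] = None  # set only when a human has signed off


class AgentActionGate:
    def __init__(self):
        self.audit_log = []          # every decision, allowed or not
        self._prev_hash = "0" * 64   # hash chain makes later edits detectable

    def _record(self, req, decision, reason):
        entry = {
            "agent": req.agent, "tool": req.tool, "args": req.args,
            "tainted": sorted(req.tainted_args), "approval": req.approval_id,
            "decision": decision, "reason": reason, "prev": self._prev_hash,
        }
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._prev_hash = entry["hash"]
        self.audit_log.append(entry)
        return decision

    def evaluate(self, req):
        """Return 'allow', 'deny' or 'needs_approval', logging the decision either way."""
        if req.tool not in ALLOWED_TOOLS.get(req.agent, set()):
            return self._record(req, "deny", "tool not in this agent's allowlist")
        if req.tool in CONSEQUENTIAL_TOOLS and not req.approval_id:
            return self._record(req, "needs_approval",
                                "consequential action requires human sign-off")
        if req.tool in SIDE_EFFECT_TOOLS and req.tainted_args and not req.approval_id:
            # Injected instructions typically surface as untrusted values steering
            # a side-effecting tool; route such calls to a human instead of executing.
            return self._record(req, "needs_approval",
                                f"untrusted content flows into {sorted(req.tainted_args)}")
        return self._record(req, "allow", "within policy")


def verify_audit_chain(log):
    """Recompute every hash; False if any entry was altered, removed or reordered."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or digest != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    gate = AgentActionGate()
    # Constructed sample traffic: a benign read, an out-of-scope write, and a
    # reminder whose recipient was taken from an untrusted document.
    gate.evaluate(ToolRequest("scheduling-agent", "read_calendar", {"day": "2026-03-02"}))
    gate.evaluate(ToolRequest("scheduling-agent", "update_chart", {"patient": "P-001"}))
    gate.evaluate(ToolRequest("scheduling-agent", "send_reminder",
                              {"to": "someone@example.org"}, tainted_args={"to"}))
    for e in gate.audit_log:
        print(e["tool"], e["decision"], e["reason"])
    print("audit chain intact:", verify_audit_chain(gate.audit_log))
```

The gate is deliberately narrow: it does not try to recognise malicious text, which is unreliable, but tracks where argument values came from and refuses to let untrusted-origin values drive a side-effecting tool without a person in the loop. In a real deployment the approval identifier would come from a separate ticketing or sign-off system, and the audit log would be written to append-only storage the agent cannot reach.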
Second, critical infrastructure operators in the highest-consequence sectors should be required to conduct AI-specific risk assessments that address both likelihood and impact of agent compromise, consistent with GAO’s outstanding recommendation to DHS. The current sector frameworks (NIST CSF, ICS-CERT guidance, HIPAA security rules) do not address the agentic decision-making layer. They should be formally supplemented with AI-agent-specific requirements before large-scale deployment in high-consequence sectors proceeds.
Third, the Sector Risk Management Agencies responsible for each of the 16 critical infrastructure sectors should receive explicit authority and dedicated resources to assess AI agent deployments within their sectors and establish sector-appropriate security standards. Generalized principles will not be sufficient across 16 distinct infrastructure domains with different risk profiles, legacy system architectures, and threat environments. Healthcare and energy require different approaches. What they share is an urgent need for an approach.
The private sector is not waiting. Booz Allen’s launch of an agentic cyber defense product suite at the RSA Conference this week, built specifically to match the speed of AI-enabled attacks, is a market signal: the risk is real enough that sophisticated federal contractors are building products to address it, absent any regulatory requirement that their customers buy them. That pattern, where industry response outruns regulatory expectation, is precisely the condition that produces preventable failures in critical infrastructure security.
The deployment curve and the attack curve have crossed. The governance work underway is consequential and needs to move faster. The question is whether the floor gets established before an adversary demonstrates, at scale in a high-consequence sector, what happens when it is not yet there.
Views expressed in this article are the author’s alone and do not represent the positions or policies of the U.S. government or the Central Intelligence Agency.