Agentic AI Security Risks Are Growing Faster Than State and Local Defenses

Federal agencies and tech providers are accelerating AI security programs, but organizations responsible for water systems, emergency services, and local government operations are struggling to keep pace. (Article includes an infographic to help security teams understand the operational challenges.)

A coalition of state chief information security officers, homeland security advisers, and technology officials sent a letter last week to the chief executives of OpenAI, Anthropic, Microsoft, and Google making a strong argument: while federal agencies and private-sector tech giants get early access to AI security pilots and cyber defense programs, the organizations actually responsible for keeping the lights on, the water running, the local courts functioning, and the emergency lines answered are largely being left out.

States and localities aren’t asking to cut in line. They’re asking not to be forgotten.

On May 1, CISA, along with the Australian Signals Directorate’s Australian Cyber Security Centre, the NSA, Canada’s Centre for Cyber Security, and the national cyber agencies of New Zealand and the United Kingdom, published a joint guide titled Careful Adoption of Agentic Artificial Intelligence Services. The guidance is the most substantive international treatment yet of the security risks specific to agentic AI: systems that don’t just respond to queries but reason, plan, and take autonomous action across interconnected systems, data sources, and infrastructure.

The guide identifies five core risk categories (privilege risks, design and configuration risks, behavioral risks, structural vulnerabilities in multi-agent architectures, and accountability gaps) and offers detailed mitigations at every stage of the AI system lifecycle. The document is built for developers, vendors, and operators who have the staff and infrastructure to act on it.

A lack of budget for critical infrastructure

That last point matters because a meaningful portion of the organizations operating the nation’s most consequential infrastructure don’t have the resources necessary to act.

Bill Moore, CEO at Xona Systems, explains how OT environments were built without security in mind. These systems are old, difficult, or impossible to patch, and in many cases were never designed to be networked. The true air gap, he notes, doesn’t really exist. What exists instead are varying degrees of segmentation. While some organizations are getting better, many remain inadequate.

In that environment, Moore continues, organizations are introducing AI models capable of finding vulnerabilities faster than human red teams can, and the most advanced frontier models may not be necessary to cause serious disruption in OT networks because current-generation models are sufficient.

Moore also detailed a sizable maturity gap, as many smaller municipalities are still grappling with getting the basics right, such as multi-factor authentication deployments. Zero trust architectures, which the CISA guide explicitly recommends for agentic AI deployment, remain aspirational for organizations where the IT function, let alone security operations, might be a single contractor working part-time. “When you tell those organizations to implement sandboxed testing environments, run red team exercises, or deploy secondary validation agents for high-risk actions, you’re describing a program that requires staff they simply don’t have,” Moore says.

The resources gap

This is where the states’ letter and the CISA guidance collide. CISA guidance is prescriptive and reasonable for organizations with the resources to execute. What it can’t do is conjure the resources to do it. And the states’ letter identifies the access gap without a clear resolution to the underlying capacity gap.

The response to that gap is starting to take shape, though unevenly and with no guarantee of funding. On the legislative front, the most significant vehicle is the PILLAR Act (H.R. 5078), which passed the House by voice vote last November and would reauthorize the State and Local Cybersecurity Grant Program through 2033, explicitly adding OT and AI-based systems to the list of eligible infrastructure for the first time. A Senate companion bill was introduced in December but has yet to move. Still, this act doesn’t provide a budget. The National Association of State Chief Information Officers executive director acknowledged that while passage matters, so does budget. He said in a statement that “continued and predictable funding for SLCGP is critical to sustaining a ‘whole-of-state’ approach to cybersecurity.”

Two narrower bills address specific critical infrastructure providers. The Rural and Municipal Utility Cybersecurity Act (H.R. 7266) would reauthorize the DOE program that delivers advanced cybersecurity tools and technical assistance directly to rural electric cooperatives and small municipal utilities, and would authorize $250 million over five years, prioritizing utilities with limited cybersecurity resources. It cleared the full House Energy & Commerce Committee in March. The Pipeline Cybersecurity Preparedness Act and the Energy Threat Analysis Center Act advanced alongside it, part of a cluster of infrastructure-specific cyber bills moving through committee simultaneously.

At the state level, some governments are acting without waiting for Washington. West Virginia adopted legislation in early April authorizing its state CISO to establish statewide cybersecurity policies and a unified standards framework, replacing agency-by-agency practices with centralized oversight. The ITIF, in a recommendations brief published late last month, has put forward a more structural set of proposals: minimum product standards and vendor liability, cooperative purchasing to reduce costs for smaller jurisdictions, a unified federal breach-reporting framework, and regional incident response teams that could offer surge capacity to entities that cannot sustain one internally. None of this is law. None of it is funded. But it represents where serious policy thinking on the capacity gap has arrived.

The CISA guidance sets the right technical baseline. Now the harder question is whether the policy and funding structures will follow, because the organizations with the least capacity to defend themselves are, in many cases, protecting infrastructure that the rest of the country depends on.

The challenge isn’t a lack of knowledge about what to do, and it’s not wholly a technology problem. It’s a resource and talent problem.
