CSA Releases Addendum on Securing Agentic AI

Introduction

Agentic artificial intelligence (“AI“) is emerging as the next stage in the use of AI systems. A significant development from traditional AI systems, agentic AI systems are capable of planning, performing, critiquing, and iterating across multiple steps to achieve specified objectives with a greater degree of autonomy. While this presents opportunities for increased efficiency and enhanced decision-making, it also introduces additional risks, particularly in respect of oversight and accountability.

In light of the above, the Cyber Security Agency of Singapore (“CSA“) has released an addendum to the existing Guidelines and Companion Guide on Securing AI Systems (“Addendum“). The Addendum sets out practical measures and controls that system owners may consider when securing their adoption of agentic AI systems. It was released on 17 June 2026, following a public consultation period from 22 October 2025 to 31 December 2025. For background information on the Guidelines and Companion Guide on Securing AI Systems, please refer to our October 2024 Legal Update titled “CSA Launches Guidelines on Securing Artificial Intelligence Systems“.

While the Addendum is intended for informational purposes and is not mandatory, prescriptive or exhaustive, it provides a useful reference point for organisations assessing the cybersecurity and governance risks arising from agentic AI deployments.

This Update summarises the key aspects of the Addendum and the practical implications for organisations developing or deploying AI agents.

Framework for Understanding Agentic AI Systems

CSA notes that system owners should understand how agentic AI systems operate, as well as the considerations needed for safe and effective deployment. To support this, the Addendum introduces a comprehensive taxonomy for describing agentic AI through:

  1. Baseline components: The foundational elements that enable an agentic AI system to function. These comprise: (i) the Large Language Model (“LLM“); (ii) instructions; (iii) tools; (iv) memory; and (v) protocols, which work together to transform user inputs into executed tasks.
  1. Baseline system designs: The system design elements that determine how agents are connected, coordinated, and orchestrated to solve tasks. These include: (i) system architecture; (ii) roles and access controls; and (iii) system workflows and autonomy. 
  1. Capabilities: The general classes of actions that an agentic AI system can perform. Although these capabilities are expected to evolve over time, they can presently be grouped into three broad classes: (i) cognitive capabilities; (ii) interaction capabilities; and (iii) operational capabilities.

Security Threats to Agentic AI Systems

The Addendum identifies three broad layers of risks:

  1. Classical cybersecurity risks: Agentic AI systems still depend on underlying software infrastructure and components and are therefore subject to threats such as remote code execution and “SQL injection“.
  1. Inherited risks from LLM components: As the “brain” of an agent is an LLM, agentic AI remains susceptible to threats such as prompt injection, jailbreaking and data leakage. For more details, please refer to section 2.2.2 of the “Companion Guide on Securing AI Systems“.
  1. New risks specific to agentic AI systems: The agent’s autonomy and access to tools introduce new attack surfaces and the following risks: (i) rogue actions, which may occur when an agent performs unintended and potentially harmful tasks due to ambiguous or malicious instructions, with risks amplified as the agent’s capabilities expand; and (ii) sensitive data disclosure through agent manipulation, which occurs when attackers exploit agents to reveal private information when agentic workflows are executed, e.g. the agent is guided through a series of seemingly legitimate actions that ultimately leak protected information, or attackers manipulate the agent to include sensitive data in its responses.

Further information is provided in Annex A of the Addendum, which sets out a more detailed breakdown of threats to agentic AI systems.

Securing Agentic AI Systems

The Addendum confirms that the two key principles to securing AI systems laid out in CSA’s Guidelines and Companion Guide on Securing AI Systems remain relevant for agentic AI systems, including: (i) taking a lifecycle approach; and (ii) starting with a risk assessment. Given the dynamic nature of agentic AI systems, the Addendum contains additional recommended considerations to support the risk assessment.

  1. Conducting a risk assessment, focusing on security risks to agentic AI systems: Organisations should conduct a risk assessment based on the industry best practices, frameworks, and published guides identified in the Addendum, and should focus on the security risks related to AI systems. For agentic AI systems, organisations should also: (i) assess the autonomy level of the system; (ii) perform threat modelling, which can be complemented by taint tracing, a methodology to track how untrusted data moves through the system; and (iii) identify the risks associated with the agent’s capabilities.
  1. Prioritising areas to address: Such prioritisation can be done based on likelihood, impact, available resources, and risk appetite.
  1. Identifying and implementing the relevant actions to secure agentic AI systems: For further information, section 4.2 of the Addendum sets out various controls to address risks across all stages of the lifecycle, including planning and design, development, deployment, and operations and maintenance. For organisations procuring Software-as-a-Service agentic AI solutions, the threat modelling and risk assessment processes outlined in the Addendum will help organisations to articulate specific security concerns to vendors and seek support on appropriate mitigations and transparency on existing controls. This reflects the growing interest in an approach to sharing responsibility for AI security, which remains under development, and which may be similar to the well-defined shared responsibility model for use of cloud services.
  1. Evaluating residual risks for mitigation or acceptance: This process should be conducted periodically throughout a system’s operational lifetime and not treated as a one-off exercise.

Concluding Words

The Addendum serves as a timely reminder that AI governance and cybersecurity frameworks need to remain adaptive. Agentic AI clearly illustrates how quickly the risk profile of an AI system can change when the system moves beyond generating content to planning, invoking tools, and taking actions with varying degrees of autonomy.

For organisations developing or deploying AI solutions, it is important to periodically re-evaluate threat models and controls as AI capabilities, use cases, and deployment arrangements continue to evolve. The Addendum is a useful starting point for that exercise, and organisations would do well to monitor further developments in this space as regulatory and industry guidance continues to mature.

If you have any queries on the above, please reach out to our team set out on this page.

For regional Technology, Media & Telecommunications matters, please see Rajah & Tann Asia’s Regional Technology, Media & Telecommunications Practice for more information.


 

Disclaimer

Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.

The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.

Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.

CONTACTS

Brunei, Singapore,
+65 6232 0751
Singapore,
+65 6232 0786
China, Singapore,
+65 6232 0738

Country

SECTORS

Share

Rajah & Tann Asia is a network of legal practices based in Asia.

Member firms are independently constituted and regulated in accordance with relevant local legal requirements. Services provided by a member firm are governed by the terms of engagement between the member firm and the client.

This website is solely intended to provide general information and does not provide any advice or create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on this website.

© 2024 Rajah & Tann Asia. All Rights Reserved. All trademarks are property of their respective owners.