
NCSC and the Five Eyes Just Warned About Agentic AI. Here's What UK Schools, Charities and SMBs Should Actually Do Before Switching It On.

20 May 2026 · Boris Didov

On 18 May 2026 the NCSC reissued joint guidance with CISA, the NSA and its Australian, Canadian and New Zealand counterparts on the 'Careful Adoption of Agentic AI Services.' Agentic AI - AI that does not just answer questions but plans, decides and takes actions inside your IT environment - is now arriving inside the SaaS that UK schools, charities and SMBs already pay for. We unpack what changes about the risk picture, why the procurement signal is invisible, and what to do across the next 30, 60 and 90 days before switching it on across the organisation.

Key takeaways

  • On 18 May 2026 the NCSC reissued the Five Eyes' 'Careful Adoption of Agentic AI Services' guidance, paired with a UK-specific NCSC blog. Agentic AI is now mainstream enough that the safe-use guidance applies to organisations that buy SaaS, not only to those that build models.
  • Agentic AI is different from conversational AI in one decisive way: agents take actions on your behalf, often under the user's credentials, with standing access to data and tools. Every familiar LLM risk - prompt injection, data leakage, hallucination - still applies, but the worst-case outcome is now an action rather than a draft.
  • For UK schools, charities and SMBs, agentic capabilities are arriving inside Microsoft 365, Google Workspace, the LMS, the finance system and the helpdesk - not as new procurement. Make a one-page inventory in the next 30 days of where agents are switched on, what they can read, what they can do, and the named human who reviews their actions.
  • Tighten access and credentials in the next 60 days: least privilege for every agent, scoped or short-lived API keys instead of long-lived service accounts, and phishing-resistant authentication for any admin who can switch agents on or off. The NCSC's default-to-passkeys recommendation now applies twice over to those roles.
  • Write a one-page agentic-AI acceptable-use note and run a 30-minute tabletop with senior leadership on a single 'the agent did something we did not intend' scenario in the next 90 days. The Cyber Resilience Pledge's board-level cyber-ownership action is the standing scaffolding for this work.

On 18 May 2026, the NCSC reissued joint guidance with its Five Eyes counterparts — CISA and the NSA in the United States, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, and New Zealand's NCSC — on the "Careful Adoption of Agentic AI Services." The thirty-page document, first published on 1 May, has now been formally picked up by the UK NCSC and paired with a UK-specific blog titled "Thinking carefully before adopting agentic AI." The renewed call is the loudest official signal so far that agentic AI is no longer a research-lab curiosity and that the safe-use guidance now applies to organisations that buy software, not just to organisations that build it.

For ReadyToday's audience — UK schools, multi-academy trusts, colleges, charities and SMBs — that matters now because agentic AI is no longer something you have to deliberately go and procure. It is arriving inside the productivity, finance, HR, helpdesk and learning platforms you already pay for. Microsoft Copilot is being upgraded with "agent" workflows. Google Workspace has Gemini agents inside Gmail, Drive and Calendar. Canvas, Bromcom, ParentPay, Iris and Sage are all in some stage of shipping AI assistants that can do work without being asked twice. The decision in front of small UK organisations this quarter is no longer "should we use AI?" — it is "should we let these tools take actions on our behalf, and if so, with what guardrails?"

What "agentic" actually means, and why the guardrails change

The shorthand is useful. Generative AI generates: it writes a draft, summarises a document, classifies a record, suggests a reply. An agentic system goes a step further. It plans a sequence of steps, chooses tools to use, calls into other systems, and acts — sending the reply, updating the record, raising the purchase order, refunding the customer, booking the room. The NCSC's blog puts it succinctly: agents do not just generate content or predictions, they decide and act on your behalf.

That single shift changes what cybersecurity needs to look at. With a conversational assistant, the worst-case outcome of a prompt injection or a hallucination is usually a bad draft that a human discards before it goes anywhere. With an agent, the same prompt injection can result in an email sent, a calendar invite accepted, a Drive file shared with an outside address, or a refund issued — all under the user's credentials, all logged as that user's activity, all without the user having seen any of it.

The NCSC and its partners frame the resulting risk picture as a combination of three things. First, every familiar Large Language Model failure mode (jailbreaking, prompt injection, hallucination, data leakage through prompts) still applies. Second, agentic systems take broader access — to data, to tools, to external APIs — than the assistants that came before them, and tend to keep that access standing for longer. Third, the autonomy and complexity make behaviour harder to predict and test; the same agent can take different paths to the same goal on different runs, which makes change control and audit harder than for the deterministic software they sit alongside.

Written by Boris Didov

© 2026 Didov Limited trading as ReadyToday·UK-based · Privacy-aware by default

Why this lands harder on UK schools, charities and SMBs

There are three reasons the agentic AI conversation hits the ReadyToday audience differently from the way it hits a five-thousand-person enterprise with a twenty-five-person security team.

First, the procurement signal is invisible. Small organisations rarely buy "an agentic AI platform." They buy a familiar SaaS — Microsoft 365, Google Workspace, the LMS, the finance system, the HR system, the helpdesk tool — and the agentic capability lights up in a routine update. By the time staff are asked whether they want to "let Copilot draft, send and follow up on your behalf," the contractual decision has already happened and the technical access has already been provisioned. The recent Canvas LMS breach is a reminder of how quickly a supplier-side change in default behaviour can propagate to every customer at once.

Second, the default permissions are usually broad. Most SaaS-embedded agents are wired up at install time with the same permissions as the most-privileged user who switched them on. A school office administrator who turns on a finance-system agent typically grants that agent every access right she has, including access to data she rarely actually touches herself. Small organisations almost never have the role-engineering capacity to bring those permissions back down to least privilege before the agent goes live.

Third, the oversight model has not caught up. The 2025/2026 Cyber Security Breaches Survey found that only a minority of UK organisations have a formal incident-response plan, and very few have a board-level cyber owner. The agentic guidance assumes both, plus a defined human-in-the-loop checkpoint for every consequential action. We covered the gap in board-level oversight when we wrote about the renewed Cyber Resilience Pledge earlier this month; the new agentic guidance is essentially the same Action 1 (board-level cyber ownership) restated for the new technology generation.

What to do this quarter

The good news is that the NCSC and the Five Eyes have effectively published the checklist. Almost none of it requires new spend; it asks for explicit decisions in places where most small UK organisations have so far been making decisions by default.

Inside the next 30 days, find out where agentic AI already is. Open every SaaS your organisation pays for, find the AI or agent settings, and write down whether they are on, off, or pending rollout. The list will almost certainly be longer than expected. For each agent that is on, record three things: the data it can read, the actions it can take, and the human (named, not "the team") who reviews what it has done. If no name fits, switch the agent off until one does. This is the single highest-leverage piece of work for an SMB, school or charity this quarter, because it makes the rest of the guidance actually applicable.

Inside 60 days, tighten access and credentials. Apply least privilege so that every agent has the minimum data and tool access it needs, for the shortest time it needs it. Avoid long-lived API keys and service-account credentials wherever the vendor offers short-lived or scoped alternatives — the same principle that applies to any AI proxy or gateway you might already run in front of these models. Move every administrative account that can create, modify or approve agents onto phishing-resistant authentication. The NCSC's April 2026 default-to-passkeys recommendation, which we walked through in the post on the NCSC passkeys announcement, now applies twice over to anyone who can switch an agent on or off.

Inside 90 days, write the rules down and rehearse them. Produce a one-page agentic-AI acceptable-use note. Cover what agents are allowed to do without human review (typically: low-risk reads, summarisation, drafting), what they are not allowed to do without review (anything that sends, shares, pays, schedules or commits the organisation externally), and what the escalation path is when staff are unsure. Run a thirty-minute tabletop with senior leadership on a single scenario: the AI assistant inside our finance system, LMS or inbox sent an email or shared a file we did not intend — who finds out, who decides what to tell affected people, and how do we turn it off without losing the rest of the platform? This is the agentic-AI equivalent of the supplier-incident tabletop we recommended after the Canvas breach.
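
The 30, 60 and 90-day checks above can be run as an audit over the one-page agent inventory. This is an added example, not ReadyToday's or the NCSC's tooling; the field names, the list of placeholder reviewers and the sample rows are assumptions constructed for illustration.

```python
"""Added example: audit an agent inventory against the 30/60/90-day rules."""
from dataclasses import dataclass

# Action types the acceptable-use note says need human review first.
REVIEW_REQUIRED = {"send", "share", "pay", "schedule", "commit"}
# Assumed placeholders that do not count as a named human reviewer.
NOT_A_NAME = {"", "the team", "it", "tbc", "n/a"}

@dataclass
class Agent:                      # one row of the inventory (hypothetical schema)
    saas: str
    status: str                   # "on", "off" or "pending"
    reads: list                   # data the agent can read
    actions: list                 # actions the agent can take
    reviewer: str = ""            # named human who reviews its actions
    credential: str = "scoped"    # "scoped", "short-lived" or "long-lived"
    admin_auth: str = "passkey"   # sign-in used by admins who can toggle it
    human_review: bool = False    # checkpoint before consequential actions?

def audit(agent):
    """Return findings for one inventory row; agents that are not on pass."""
    if agent.status != "on":
        return []
    findings = []
    # 30 days: no named reviewer means the agent is switched off.
    if agent.reviewer.strip().lower() in NOT_A_NAME:
        findings.append("SWITCH OFF: no named human reviewer")
    # 90 days: anything that sends, shares, pays, schedules or commits is gated.
    risky = sorted({a.lower() for a in agent.actions} & REVIEW_REQUIRED)
    if risky and not agent.human_review:
        findings.append("REVIEW GATE MISSING for: " + ", ".join(risky))
    # 60 days: scoped or short-lived keys, phishing-resistant admin sign-in.
    if agent.credential == "long-lived":
        findings.append("CREDENTIAL: use a scoped or short-lived key")
    if agent.admin_auth not in {"passkey", "fido2"}:
        findings.append("ADMIN AUTH: move to phishing-resistant authentication")
    return findings

# Constructed sample rows; not real tenants or real product settings.
INVENTORY = [
    Agent("finance-system", "on", ["invoices", "payroll"], ["draft", "pay"],
          reviewer="the team", credential="long-lived", admin_auth="password+sms"),
    Agent("mail-assistant", "on", ["inbox"], ["draft", "send"],
          reviewer="J. Example", human_review=True),
    Agent("lms-assistant", "pending", ["courses"], ["summarise"]),
]

def report(inventory=INVENTORY):
    return {a.saas: audit(a) for a in inventory}

if __name__ == "__main__":
    for saas, findings in report().items():
        print(saas, "->", findings or "ok")
```
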

A note on AI governance you already have

If your organisation has an AI acceptable-use note from 2024 or 2025, it almost certainly assumes the model is being driven manually by a human at a keyboard. The 18 May guidance is a useful prompt to reread that document with agents in mind: where it says "the user should review the output before sending," ask whether your tools still give the user that chance. We covered the wider governance pattern — categorising data, role-based guidance, low-risk pilot rollouts — in our earlier post on AI governance for real-world teams; the agentic guidance does not replace any of it, but it adds a new column to every row in the table.

If you would like help running an agentic-AI inventory across the SaaS your organisation already pays for, tightening the permissions and credentials behind those agents, or rehearsing a tabletop on the kind of failure mode the NCSC and Five Eyes are describing, the ReadyToday cybersecurity resilience team can work alongside your internal IT this quarter. To talk through what would fit your school, charity or business, book a discovery call.
