Six Five Eyes cyber agencies published unusually blunt agentic AI guidance in May 2026, and the SearchLeak Copilot flaw proved them right six weeks later. Here is the Texas SMB playbook for adopting AI agents without handing over the keys.
On May 1, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) and the NSA, together with cyber agencies from the United Kingdom, Australia, Canada, and New Zealand, jointly published Careful Adoption of Agentic AI Services. Six agencies across the Five Eyes alliance do not co-sign a document because a technology is mildly interesting. They co-sign because the risk is real and moving faster than most organizations' controls. The new CISA agentic AI guidance is unusually blunt for a government document: do not hand AI agents broad access, start with low-risk use cases, and enforce least privilege like you mean it.
Six weeks later, the warning proved out in public. On June 15, 2026, Varonis Threat Labs disclosed SearchLeak (CVE-2026-42824), a one-click attack chain that turned Microsoft 365 Copilot into a data exfiltration tool -- capable of pulling emails, MFA codes, password-reset links, and SharePoint files out of a tenant with nothing more than a victim clicking a link. Microsoft has since closed the hole on its backend.
If you run a business in Houston, Austin, or anywhere in between, this pair of events is your planning memo. Here is what the guidance says, what SearchLeak proved, and a checklist you can execute without a federal budget.
First, terms. Agentic AI is not a chatbot that answers questions. It is AI that takes actions: reads your inbox, searches your file shares, fills out forms, executes multi-step workflows, calls other software. Copilot, custom AI agents, browser assistants, autonomous ticket-triage bots -- all of it. The autonomy is the point, and the autonomy is the risk.
The guidance explicitly names small and medium businesses in its intended audience, per CISA's own resource page. This is not just a critical-infrastructure memo. The agencies flag the risks in plain language: prompt injection inherited from the underlying models, an expanded attack surface from every tool and integration an agent can touch, privilege creep when agents get broad permissions, cascading failures when one agent's output feeds another, and reduced accountability when nobody can explain why an autonomous system did what it did.
Three recommendations from CISA's announcement do the heavy lifting:
That is the whole doctrine in three lines. If your business is deploying agents with no governance framework behind them, that is the gap our AI security and governance service exists to close.
SearchLeak is the proof the agencies did not have to wait long for. According to Varonis Threat Labs, which discovered and disclosed the flaw on June 15, 2026, the attack chained three weaknesses in Microsoft 365 Copilot Enterprise:
One click on a plausible-looking Microsoft link, and Copilot would obediently rummage through everything the victim could access -- email, calendar invites, MFA codes, password-reset links, SharePoint and OneDrive files -- and smuggle it out through image requests. The Hacker News reported that Microsoft scored the flaw 6.5 while the National Vulnerability Database rated it 7.5. Both numbers undersell how ugly "your MFA codes walked out the door" reads in an incident report.
Strip away the plumbing and the core failure is simple: a large language model cannot reliably tell the difference between data it is processing and instructions it should follow. A prompt injection attack on AI assistants exploits exactly that -- hide instructions where the AI will read them, and it does the attacker's bidding with the victim's permissions. Varonis noted the same one-click technique has now worked across multiple Copilot iterations, as reported by The Hacker News. This is a class of bug, not a one-off.
The straight answer: this specific hole is closed. Microsoft remediated CVE-2026-42824 server-side, and no customer action was required. If you are wondering whether to rip out Copilot -- no. That is an overreaction, and it is not what CISA recommends either.
But do not confuse patched with solved. Two things remain true. First, prompt injection as a class is unsolved, and every AI assistant wired into your data is a target. Second -- and this is the part most vendors will not say out loud -- SearchLeak could only steal what the victim's account could already reach. Copilot did not break any permissions; it obeyed them. If your SharePoint is a decade of oversharing where everyone can read everything, an AI assistant turns that quiet mess into a fast, searchable, exfiltratable one. The blast radius of the next SearchLeak is set by your permissions hygiene today.
Every serious recommendation in the guidance collapses into one discipline: least privilege for AI agents. Treat every agent like a new hire you have not fully vetted. It gets its own identity -- not a shared service account, and never an admin credential. It gets access to exactly the data its job requires and nothing else. Its actions get logged and reviewed. When it needs elevated access for a task, that access is granted temporarily and revoked automatically.
That is privileged access management doctrine applied to software actors, and it is the same discipline we implement for human accounts through our privileged access management service. The tooling differs; the principle does not. Nobody -- carbon or silicon -- gets standing access they do not need.
AI agent risk management for a Texas business does not require a federal budget. It requires doing these eight things, roughly in order:
Here is our blunt read from The Woodlands: the agencies did small businesses a favor. Most guidance documents hedge; this one draws lines. Do not give agents broad access. Start small. Least privilege, always. SearchLeak then demonstrated, on one of the most widely deployed AI assistants in the business world, exactly what ignoring those lines costs.
The businesses that get this right will not be the ones that banned AI. They will be the ones that adopted it deliberately, with the same controls they would demand of any contractor touching their books. If you want a second set of eyes on your AI exposure before an auditor, an insurer, or an attacker provides one, book a meeting with our team -- headquartered in The Woodlands, with a Round Rock office serving Austin -- or start with our free IT assessment. The red lines are drawn. Getting on the right side of them is the job now.
LayerLogix provides expert cybersecurity solutions for businesses across Houston and nationwide.
Let our team help your Houston business with enterprise-grade IT services and cybersecurity solutions.