On 1 May 2026, six cybersecurity agencies of the Five Eyes alliance published Careful Adoption of Agentic AI Services — a 30-page document and the first coordinated government guidance specifically addressing agentic AI. The co-authors include CISA, the NSA, Australia's ASD ACSC, the Canadian Centre for Cyber Security, the UK's NCSC, and New Zealand's own National Cyber Security Centre (NCSC).
The document's core message: build agentic AI like infrastructure that will be audited. Define its access. Record what it does. Contain what it can affect.
For NZ businesses deploying voice AI — and the MSPs and resellers helping them — the bar has just been formally set by five of the world's largest intelligence communities, with New Zealand's name on the document.
What the guidance actually says
The document identifies 23 risks across five categories and maps more than 100 best practices against them. The five risk categories are: privilege, design and configuration, behavioural, structural, and accountability.
"Until security practices, evaluation methods and standards mature, organisations should assume that agentic AI systems may behave unexpectedly and plan deployments accordingly, prioritising resilience, reversibility and risk containment over efficiency gains."
— Careful Adoption of Agentic AI Services, Five Eyes agencies, 1 May 2026
Channel partners — MSPs and integrators — are explicitly named as responsible actors, not neutral conduits. The guidance places classical security obligations (least-privilege access, defence-in-depth, strong identity, continuous monitoring) squarely on the partner layer.
Why this matters for NZ businesses using voice AI
A voice AI agent that books appointments, sends SMS, or writes to a calendar is an agentic AI system by the Five Eyes definition — it holds tools, acts autonomously on instructions, and connects to external systems.
For end businesses, the question shifts from "does it answer the call" to: what does it have access to, what can it affect, and can I see what it did. For MSPs and resellers, the platform architecture they deliver on is part of the security posture they own.
The guidance is not a regulation. But with New Zealand's NCSC as co-author, it is the clearest signal yet of where procurement and audit expectations are heading.
How dareena.ai maps to the five risk categories
dareena.ai's architecture was not designed in response to this guidance — the decisions below predate 1 May 2026. But they were designed against the same underlying principles.
Privilege risk
The guidance recommends least-privilege access, strong identity, and scoped permissions. dareena.ai enforces per-tenant scoping at every API endpoint. Identity is separated across three tiers — tenant portal, wholesaler admin, and platform admin — with no cross-contamination between tiers. OAuth tokens for Connections are all held on NZ infrastructure and are never exposed to the agent runtime.
Design and configuration risk
The guidance flags exposed credentials, configuration drift, and default-permissive setups. dareena.ai uses separate staging and production environments — development credentials cannot reach production. No secrets are embedded in code. API documentation is gated to the appropriate level. Deterministic CI lint pinning prevents configuration drift across deployments. These practices are all regularly audited.
Behavioural risk
The guidance focuses on goal misalignment and emergent unexpected behaviour. dareena.ai's Skills system is the primary containment mechanism — every action the agent can take is a defined skill with an explicit trigger and completion signal. The agent does not invent tool calls; available tools are bounded by the active skill's scope. Persona and skill behaviour are tenant-configurable; the agent runtime is not.
Structural risk
The guidance addresses cascading failures across multi-component stacks. dareena.ai runs a single-agent architecture — no multi-agent orchestration layer where a compromised orchestrator can redirect other agents. The boundary between the agent and the Connections layer is explicit, with audit logging on every connector call. The production infrastructure runs active/active edge nodes, so a single component failure does not cascade.
Accountability risk
The guidance requires decisions to be auditable, attributable, and reproducible. Every call is recorded — with tenant-configurable disclosure to callers, as covered in our IPP 3A piece — and the full transcript, sentiment, and intent are stored per call. The billing audit trail links every event to its source, with provenance fields on every billing record. That is the substantive alignment with the guidance: decisions made by the agent are traceable after the fact, by the tenant, without needing to ask the platform.
That discipline extends to infrastructure evaluation. dareena.ai runs a structured testing harness for voice and speech-to-text model variants: human testers dial in, the harness rotates variants between calls, a rating skill captures scores, and the output is a structured report joining variant assignments to call telemetry. Infrastructure decisions are evidenced, not intuited.
The wholesaler model as a Five Eyes-aligned distribution pattern
The Five Eyes document names the channel — MSPs, integrators, resellers — as the layer responsible for applying classical security principles to AI agent deployments. That reflects where accountability actually sits: at the partner who scoped, configured, and delivered the solution.
dareena.ai's wholesale-only model means there is always a named, accountable partner between the platform and the end business. A wholesaler signs a partner agreement, configures tenants under their account, and applies their own governance on top. The chain of accountability the guidance recommends — clear ownership at each layer, scoped permissions between layers, audit at every boundary — is the same chain the architecture already implements.
dareena.ai Platform
Wholesale Partner
End Business
Built before the guidance, aligned with it now
dareena.ai's architecture was not built in response to the Five Eyes guidance. The wholesale-only positioning, Skills bounding, per-tenant data scoping, and NZ data sovereignty decisions all predate 1 May 2026. The guidance crystallises the same principles the platform already operates on.
If you are an MSP, telco, or reseller evaluating voice AI for your customer base, get in touch at wholesale@dareena.ai.
Related reading
IPP 3A and AI — Indirect Data Collection for NZ Businesses — how the NZ Privacy Act's indirect collection principle applies to voice AI, and what tenant-configurable disclosure looks like in practice.
Diverse Skills, One Prompt — Voice AI Agent Architecture — the architectural case for modular skills over monolithic system prompts, and why it matters for behavioural predictability.
Skills — How AI Receptionists Run Workflows — how Capture Schemas and Completion Actions turn a bounded skill into a structured data event and an automated action.