An Agentic Shield? Using AI Agents to Enhance the Cybersecurity of Digital Public Infrastructure

Sarosh Nagar and David Eaves outline how agents could boost the security of DPI but caution that substantial research remains to better understand and secure multi-agent systems
Blog Post
Dec. 19, 2024

This blog post is guest authored by Sarosh Nagar and David Eaves. Nagar is a Marshall Scholar and researcher at University College London. Eaves is the Co-Deputy Director and an Associate Professor of Digital Government at University College London's Institute for Innovation and Public Purpose.

DIGI recently published Infrastructure for the Digital Age: Building a Safer, More Resilient Digital Ecosystem in the United States and Beyond. Eaves is a participant in the DPI research collection.

By Sarosh Nagar and David Eaves

Growing global interest in digital transformation and artificial intelligence represents a profound opportunity to transform the relationship between citizens and their governments, as highlighted in the recent joint press release by the previous, current, and future G20 presidents ahead of this year's summit. Digital public infrastructure (DPI), which seeks to drive public and private innovation through shared digital systems that society as a whole depends on, is at the heart of this push towards digital transformation. DPI acts as a platform layer that provides inclusion and access for core activities, on top of which services from e-commerce to telehealth can be built. To date, DPI has included several digital solutions, the most common being digital payment, identification, and data exchange systems. Equally important, DPI requires a set of safeguards and rules to ensure these systems are inclusive and safe. The United Nations Digital Public Infrastructure Universal Safeguards lay out some of the most comprehensive technical and legal patterns defining what such safeguards should look like.

As DPI systems gain widespread use, they also increasingly become a target for hostile actors seeking to undermine these systems' functions. Thus, improving the cybersecurity of DPI is a vital priority for governments and firms worldwide, and one tool that holds particular promise in this regard is AI agents. AI agents are a subset of AI systems capable of taking autonomous actions without direct human involvement, such as interpreting data and responding to their environment. For example, an AI system capable of autonomously planning a vacation for its user would be considered an agent. To date, most discourse about agents focuses on systems built by firms for consumer or enterprise use. By contrast, relatively little discussion has focused on what agents might mean for digital public infrastructure, especially for improving DPI's security. And while the UN DPI Universal Safeguards are silent on the use of AI as a tool, their operational principle states that "DPI should incorporate and continually upgrade security measures, such as encryption or pseudonymization, to protect personal data. A legal framework should fill the gaps where technical design may be insufficient for data security." This piece outlines a vision for how agents could help fulfill this principle, enhancing the security of DPI to facilitate its broader public value.

AI as a Shield for DPI

DPI creates public value by facilitating valuable interactions like digital payment and identification. However, DPI's use in these important domains also makes it a lucrative target for an ever-evolving landscape of cybersecurity threats. Hostile state or non-state actors could attack DPI by executing unauthorized code or exploiting software vulnerabilities to expose individuals' personally identifiable information (PII) or to freeze vital financial transactions; the former happened in India in September 2023. In turn, the scale of DPI as national infrastructure means that such large-scale attacks could induce significant damage to national economies and government structures. On a smaller, day-to-day scale, there are also risks that authorized users could abuse DPI for their own goals. Such was the case in Estonia, for example, where X-Road, the Estonian DPI platform that helps government agencies and private organizations exchange sensitive data, has strong security protocols to ensure only authorized users can access sensitive data, yet has seen a limited number of incidents in which authorized users abused their access, such as when a medical worker improperly helped police access their spouse's records. These incidents, while limited, create breaches of trust that risk making citizens more hesitant to use DPI.

Across these domains, however, AI agents could serve as a powerful "shield" to enhance the security of DPI. Against the first class of large-scale attacks, for example, AI agents could serve as a preventative tool to identify critical vulnerabilities that hostile actors could exploit. Google DeepMind, for example, recently used an AI agent to find a "0-day vulnerability," a security flaw previously unknown to the software's developers and therefore not yet patched. In addition, building off Anthropic's work with current frontier large language models (LLMs), AI agents could also red team or test other software systems by running simulated attacks, which can help organizations better prepare for such attacks in the real world. Beyond this preventative role, AI agents could also defend in real time against hostile cyber operations using their autonomous capabilities, similar to what the Japanese firm Fujitsu has done. Such real-time defense agents could detect unauthorized code execution and isolate compromised services in response, limiting the disruption caused by attacks against DPI. Because isolating a service is itself disruptive, the thresholds and scope of such automated responses must be set carefully, so that a false positive does not take down the very infrastructure the agent is meant to protect.

Meanwhile, at the smaller yet still important day-to-day scale, AI agents could secure the sensitive data exchanged across DPI systems to build citizens' trust in and drive the adoption of these systems. For example, to counter abuses by authorized users, as happened in Estonia, AI agents could be deployed on data exchange systems to autonomously review access logs and alert individuals, firms, and governments to instances where users accessed sensitive data in domains unrelated to their work. Certain open-source software (OSS) offerings already perform this function, but incorporating AI agents into these workflows could greatly speed up detection, allowing these actors to block users' unauthorized actions sooner. AI agents could also perform similar functions in domains other than monitoring users' access to sensitive data, such as by autonomously reviewing digital identification and payment transactions to identify fraudulent actors. The result of these measures would be to bolster citizens' trust that the data they share via DPI is secure, encouraging broader adoption of these systems.
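The access review described above, as an added example that is not part of the original post and not X-Road's own code: a small audit over constructed data-exchange log lines that flags accesses outside a user's work domain. The log format, role names and the role-to-domain policy are assumptions made for illustration.

```python
"""Access-log audit of the kind a data-exchange agent would perform.

Added example with a constructed log format and a hypothetical policy;
neither is X-Road's real schema or access policy.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Hypothetical policy: which data domains each role may query (assumption).
ROLE_DOMAINS: Dict[str, Set[str]] = {
    "nurse": {"health"},
    "police_officer": {"police", "vehicle"},
    "tax_inspector": {"tax"},
}


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    role: str
    domain: str
    subject: str   # identifier of the person whose record was queried
    purpose: str   # case or ticket reference; "none" if the user gave none


def parse_line(line: str) -> AccessEvent:
    """Parse one whitespace-separated log line (constructed format)."""
    parts = line.split()
    if len(parts) != 6:
        raise ValueError(f"malformed log line: {line!r}")
    return AccessEvent(*parts)


def audit(lines: Iterable[str],
          role_domains: Dict[str, Set[str]] = ROLE_DOMAINS) -> List[Tuple[AccessEvent, str]]:
    """Return (event, reason) pairs for accesses that a human should review."""
    alerts: List[Tuple[AccessEvent, str]] = []
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        allowed = role_domains.get(ev.role)
        if allowed is None:
            # Fail closed: a role the policy does not know is never silently allowed.
            alerts.append((ev, f"unknown role {ev.role}"))
        elif ev.domain not in allowed:
            alerts.append((ev, f"domain {ev.domain} is outside the work of a {ev.role}"))
        elif ev.purpose == "none":
            # Domain matches the role, so the only visible signal is a missing case reference.
            alerts.append((ev, "access to a sensitive record without a recorded purpose"))
    return alerts


def alerts_by_user(alerts: List[Tuple[AccessEvent, str]]) -> Dict[str, int]:
    """Count alerts per user, the figure an agent would escalate on."""
    counts: Dict[str, int] = {}
    for ev, _ in alerts:
        counts[ev.user] = counts.get(ev.user, 0) + 1
    return counts


# Constructed sample log for the demonstration; not real data.
SAMPLE_LOG = """\
2024-12-01T09:00:00Z u1 nurse health S100 case-881
2024-12-01T09:05:00Z u2 police_officer health S100 case-882
2024-12-01T09:07:00Z u1 nurse health S200 none
2024-12-01T09:10:00Z u3 contractor tax S300 case-903
2024-12-01T09:12:00Z u4 tax_inspector tax S300 case-904
""".splitlines()

if __name__ == "__main__":
    for ev, reason in audit(SAMPLE_LOG):
        print(f"{ev.ts} {ev.user} ({ev.role}) -> {ev.domain}/{ev.subject}: {reason}")
```

Note what the domain rule alone would miss: in the Estonian case the medical worker's role did permit health records, so the only signal an auditor can see is a missing or implausible purpose, which is why the second check exists. A production monitor would add cross-checks such as whether the subject appears on the worker's patient list.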

Of course, there are a number of barriers to realizing this vision. Most immediately, AI agents used in cyber defense are themselves vulnerable to their own classes of hostile cyber operations. For example, backdoor or poisoning attacks against the retrieval-augmented generation (RAG) corpus that allows agents to recall useful knowledge could significantly hinder these systems' ability to identify authorized users' abusive access to sensitive data or to detect unauthorized code execution. Malicious insiders among authorized users could also mount prompt injection attacks against AI agents, planting instructions in the data the agent reads, such as a record field or a log entry, so that the agent follows them instead of its operator's intent; such indirect injection does not require the attacker to interact with the agent directly. Even without hostile interference, there are risks that AI agents may hallucinate and fail to perform a function for their user effectively or, worse yet, perform an inadvertently harmful action. The impact of this latter risk may also scale with the number of tasks that an AI agent is instructed to perform autonomously, because each task is another chance for the agent to fail without human oversight. There are also more mundane concerns, like interoperability challenges with agents, but these highlight some of the diverse risks that may emerge with AI agents' use in cybersecurity.

What Governments Should Do

As the recent $56 million fundraising round of the startup /dev/agents shows, the private sector is waking up to the immense potential of AI agents, and now governments should, too, especially for securing DPI systems. While technical challenges may hinder the most ambitious applications, given the limited data about AI agents in DPI, government teams like the United States Digital Service ought to begin building and piloting simple AI agents for tasks like securing data exchange systems or red teaming broader DPI systems. To mitigate risk, these agents should be piloted in low-risk use cases and with obvious failsafes. For example, if a cybersecurity agent repeatedly fails at a given task, a control system that halts the agent and hands off to a human operator, and that the agent itself cannot override, would be wise. Over time, however, this iterative learning process will help states gradually deploy increasingly complex agents to secure their digital public infrastructure.
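The failsafe sketched above, as an added example that is not from the original post or any named project: a wrapper that runs each agent action through a validator, counts consecutive failures, halts the agent after a threshold, and only resumes when a human operator resets it. The isolation action, the service inventory and the operator identifier are hypothetical.

```python
"""Failsafe wrapper for an autonomous defense agent: halt on repeated failure.

Added example, not from the original post. The agent action, validator and
operator identifier are hypothetical; the pattern is a consecutive-failure
circuit breaker that fails closed and needs a human to re-enable it.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, List


@dataclass
class Outcome:
    ok: bool
    result: Any = None
    reason: str = ""


@dataclass
class FailsafeRunner:
    max_consecutive_failures: int = 3
    consecutive_failures: int = 0
    halted: bool = False
    log: List[str] = field(default_factory=list)

    def run(self, task: str, action: Callable[[], Any],
            validate: Callable[[Any], bool] = lambda r: True) -> Outcome:
        """Run one agent action; refuse to act while halted; trip after N failures."""
        if self.halted:
            return Outcome(False, reason="halted; awaiting human review")
        try:
            result = action()
            ok = bool(validate(result))
            reason = "" if ok else "output rejected by validator"
        except Exception as exc:  # any crash counts as a failure (fail closed)
            result, ok, reason = None, False, f"exception: {exc}"
        self.log.append(f"{task}: {'ok' if ok else reason}")
        if ok:
            self.consecutive_failures = 0
            return Outcome(True, result)
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.max_consecutive_failures:
            self.halted = True
            self.log.append(f"HALT after {self.consecutive_failures} consecutive failures")
        return Outcome(False, result, reason)

    def resume(self, operator_id: str) -> None:
        """Only a human operator resets the breaker; the agent never calls this."""
        if not operator_id:
            raise ValueError("operator_id required")
        self.log.append(f"resumed by {operator_id}")
        self.halted = False
        self.consecutive_failures = 0


# Hypothetical inventory of services the agent is allowed to isolate.
KNOWN_SERVICES = {"payments-api", "id-verify", "data-exchange-gw"}


def valid_isolation_order(order: Any) -> bool:
    """Reject orders naming a service outside the inventory (a hallucinated target)."""
    return isinstance(order, dict) and order.get("isolate") in KNOWN_SERVICES


if __name__ == "__main__":
    runner = FailsafeRunner(max_consecutive_failures=2)
    print(runner.run("isolate", lambda: {"isolate": "payments-api"}, valid_isolation_order))
    print(runner.run("isolate", lambda: {"isolate": "billing-core"}, valid_isolation_order))
    print(runner.run("isolate", lambda: 1 / 0, valid_isolation_order))  # crash trips the breaker
    print(runner.run("isolate", lambda: {"isolate": "id-verify"}, valid_isolation_order))
    runner.resume("operator-7")
    print(runner.run("isolate", lambda: {"isolate": "id-verify"}, valid_isolation_order))
    print("\n".join(runner.log))
```

In a real deployment the reset path would live behind a separate credential and process so the agent has no handle on it, and a halt would page a human rather than wait silently; the toy above only models the control logic.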

Simultaneously, governments and companies should also recognize that deploying AI agents in cybersecurity highlights a need to improve the understanding and security of multi-agent systems themselves. States and firms should fund more research into multi-agent evaluations and agentic red teaming to ensure that cyber defense agents are robust against hostile actors and capable of performing their core functions. Much multi-agent research remains to be done in this regard, so substantial state or private support could play a vital role in catalyzing the growth of the field. Together, these steps would help ensure that AI agents can form a valuable shield to defend DPI and secure its benefits.