White Paper | 2026-03-27 | Status: draft
NIST AI Risk Management Framework: Agentic Profile
Executive Summary
The proliferation of autonomous AI agents in enterprise environments is creating a governance gap that existing AI risk frameworks do not adequately address. When an AI system acts on its own initiative — executing code, calling external APIs, spawning sub-agents, and chaining together multi-step plans over extended time horizons — the risk profile of that system differs from a generative model that responds to human prompts in a one-turn interaction. The failures are not merely more frequent; they are structurally different in kind. An agentic system can initiate irreversible real-world actions, amplify errors across delegation chains before any human can intervene, and exhibit behavioral drift that accumulates undetected until it crosses a critical threshold.
The NIST AI Risk Management Framework (AI RMF 1.0, published January 2023) has become the de facto governance vocabulary for AI risk management in the United States, with broad adoption across federal agencies, financial institutions, and technology organizations [1]. Its four-function structure — GOVERN, MAP, MEASURE, and MANAGE — provides a sound conceptual architecture for AI risk management. However, the framework was conceived at a time when production AI systems were primarily discriminative classifiers or large language models serving as conversational assistants. The 2024 companion document NIST AI 600-1, the Generative AI Profile, extended RMF to address content generation risks including confabulation, intellectual property, and harmful content [2]. Neither document contemplated agents that acquire tool-use capabilities and execute autonomously in live production environments.
This whitepaper proposes the NIST AI RMF Agentic Profile: a structured set of extensions to RMF 1.0 organized by function that together constitute a governance framework appropriate for autonomous AI deployments. The proposed extensions do not replace the existing framework; they supplement it by adding concepts, categories, and subcategories specific to agent autonomy, tool-use risk, runtime behavioral governance, and delegation chain accountability. The profile is aligned with the CSA AI Controls Matrix (AICM) — a 243-control, 18-domain framework published in July 2025 — and with the AAGATE reference architecture published by the Cloud Security Alliance in December 2025, which translates RMF principles into a Kubernetes-native runtime governance overlay for agentic systems [3][4].
The central recommendations of this paper are that organizations deploying agentic AI should extend their existing RMF programs with four categories of new capability: formal autonomy tier classification with corresponding oversight obligations (GOVERN extension); systematic tool-use risk modeling and action-consequence mapping (MAP extension); runtime behavioral metrics, autonomy calibration assessment, and delegation chain monitoring (MEASURE extension); and structured incident response for agent compromise, behavioral drift correction, and principled agent decommissioning (MANAGE extension). Organizations that implement these extensions alongside existing RMF obligations will be substantially better positioned to govern the new class of risk that autonomous AI agents introduce.
1. Introduction: NIST AI RMF and the Agentic Gap
The NIST AI Risk Management Framework represents a landmark achievement in AI governance standardization. Published on January 26, 2023, as NIST AI 100-1, it provides voluntary guidance intended to be use-case agnostic and sector-neutral, adaptable to organizations of all sizes and across all industries [1]. The framework’s four functions organize AI risk management as a continuous activity rather than a one-time compliance exercise: GOVERN establishes organizational policies and accountability structures; MAP contextualizes risk for specific AI systems and use cases; MEASURE assesses and monitors those risks through quantitative and qualitative methods; and MANAGE implements risk responses and tracks their effectiveness over time. The framework further identifies seven trustworthiness characteristics — validity and reliability, safety, security and resilience, accountability and transparency, explainability and interpretability, privacy-enhancement, and fair bias management — against which AI systems should be evaluated [1].
The framework’s design philosophy is explicitly anticipatory. NIST described it as intended to evolve as the AI landscape changes, and it was structured around outcomes rather than prescriptions in order to remain applicable across a rapidly shifting technological context. This design foresight has proven justified, because the AI landscape has changed more rapidly than most governance frameworks anticipated. By 2025, agentic AI systems had moved from research demonstrations to production enterprise deployments at scale. The Model Context Protocol, introduced by Anthropic in late 2024, established a standard interface through which AI agents could interact with external tools, and hundreds of enterprise MCP server integrations followed within months [5]. Multi-agent orchestration frameworks — LangGraph, AutoGen, CrewAI, and others — enabled organizations to build systems in which multiple AI agents coordinate, delegate to each other, and execute complex workflows with minimal human supervision. By early 2026, organizations were deploying agents that could write and execute code, manage cloud infrastructure, process financial transactions, and conduct security operations autonomously.
The governance gap this creates is not merely a matter of scale. Agentic AI systems exhibit qualitative risk properties that lie outside the conceptual frame of both RMF 1.0 and AI 600-1. A conversational AI system fails by producing a harmful or inaccurate output; the failure is discrete, visible to the user, and contained to the interaction in which it occurs. An agentic system can fail by initiating a cascade of irreversible actions in external systems — deleting data, sending communications, modifying configurations, triggering financial transactions — before any human observes that the agent is behaving incorrectly. The temporal gap between initiation and observation is a fundamental new risk dimension. So is the structural property of delegation: when an orchestrating agent spawns sub-agents to handle sub-tasks, accountability for the overall action sequence becomes distributed in ways that existing RMF categories do not capture. Prompt injection through tool outputs, cross-session memory persistence, and tool-chain poisoning are attack vectors with no equivalent in the threat model underlying AI 600-1.
NIST has acknowledged these gaps through its February 2026 announcement of the AI Agent Standards Initiative, launched through the Center for AI Standards and Innovation (CAISI) [6]. The initiative aims to develop voluntary guidelines for AI agents addressing identity and authorization, security and risk management, and monitoring and logging. NIST has indicated that an AI Agent Interoperability Profile is planned for release in the fourth quarter of 2026. This paper is intended to serve as a practitioner-oriented complement to that emerging NIST work, proposing concrete agentic extensions to the existing RMF structure that organizations can begin implementing today.
2. Assessment of NIST AI RMF 1.0 for Agentic Fitness
NIST AI RMF 1.0 was designed with the AI development and deployment lifecycle in mind, and its structure reflects the concerns of organizations deploying AI systems with defined operational boundaries, predictable behavior envelopes, and human oversight at most interaction points. Evaluated against the requirements of agentic AI governance, the framework exhibits four structural gaps that collectively constitute what this paper terms the agentic fitness gap.
2.1 Absence of Autonomy Tier Concepts
The RMF’s GOVERN function requires organizations to establish risk tolerance policies and assign accountability for AI risk management, but it does not differentiate between AI systems based on their degree of operational autonomy. A system that generates text recommendations for human review and a system that autonomously executes multi-day workflows with external effects are both “AI systems” within the framework’s vocabulary, and they receive the same generic governance treatment. This omission is consequential because the appropriate oversight obligations, policy constraints, and accountability structures for these two types of systems differ substantially. An AI system operating at high autonomy — taking consequential actions without human approval — requires governance structures that have no analogue in the governance of a system that merely recommends.
The absence of an autonomy tier concept means that the framework provides no guidance for answering questions that are operationally urgent: at what autonomy level should human-in-the-loop oversight become mandatory? How should approval authority escalate as an agent’s planned action sequence becomes longer or more consequential? When should an agent be required to pause and request human confirmation before proceeding? These questions require a taxonomy of autonomy levels and corresponding governance requirements that the current RMF does not supply.
2.2 No Tool-Use Risk Model
The MAP function is responsible for contextualizing risk for specific AI systems, but it was designed to map the intrinsic properties of a model — its training data, intended use cases, potential harms of incorrect output — rather than the extrinsic risk introduced by the tools that an agent controls. An agentic AI system’s risk profile is not determined solely by the model’s behavior; it is determined by the interaction between the model’s behavior and the capabilities of the tools available to it. An agent with access only to read-only data retrieval tools presents a fundamentally different risk profile from an agent with access to code execution, database modification, and external communication capabilities. The current MAP function provides no conceptual framework for cataloguing tool capabilities, assessing the harm potential of each tool, or evaluating the emergent risk of tool combinations in an agent’s toolkit.
This gap has practical consequences for risk management. Organizations using the RMF to govern agentic deployments cannot use the framework’s MAP function to reason about what happens when an agent with code execution capability encounters a prompt injection attack through a tool output. The RMF’s risk contextualization machinery stops at the model boundary; it does not extend into the tool interface where a substantial fraction of agentic risk actually materializes.
2.3 Insufficient Runtime Monitoring Framework
The MEASURE function provides guidance on assessing and monitoring AI risks, but it was conceived primarily as a pre-deployment and periodic-review activity. It addresses model evaluation, bias assessment, and performance monitoring in terms suited to static systems whose behavior can be characterized at a point in time. Agentic AI systems, however, exhibit dynamic behavioral properties that require continuous runtime monitoring. An agent’s behavior may be acceptable during testing and initial deployment but drift over time as it accumulates memory, encounters novel environments, or is influenced by adversarial inputs in its operational context. Behavioral drift of this kind is not detectable through periodic audits; it requires continuous telemetry against behavioral baselines established at deployment time.
The MEASURE function also lacks metrics specific to the properties that matter most for agentic risk: the scope and velocity of actions taken by an agent in a given time window; the depth and branching factor of delegation chains; deviations from expected tool-use patterns; and the rate at which the agent requests permissions or access to resources outside its original scope. These metrics are the early warning indicators for a class of failures — runaway agents, compromised agents, and gradually drifting agents — that the current MEASURE framework has no vocabulary to capture.
2.4 No Delegation and Oversight Boundary Framework
The RMF addresses accountability in general terms: organizations should assign clear roles and responsibilities for AI risk management, and those responsible for AI systems should be identifiable and accountable. But the framework does not address the structural challenge of accountability in multi-agent architectures, where a single human-initiated request may be executed through a chain of agent delegations in which no single agent is responsible for the full action sequence. When an orchestrating agent delegates a sub-task to a sub-agent that then invokes an external tool with adverse effects, attributing responsibility under the current RMF framework requires interpretive effort that the framework does not actually facilitate. The framework provides no concept of delegation boundary, no guidance on how authority should be scoped as it passes through delegation chains, and no mechanism for ensuring that oversight obligations follow delegated actions into sub-agent layers.
3. Assessment of NIST AI 600-1 for Agentic Fitness
NIST AI 600-1, the Generative AI Profile published in July 2024, adapts the RMF to the specific risks of generative AI systems [2]. The profile identifies twelve risk areas: CBRN Information or Capabilities, Confabulation, Dangerous and Violent or Hateful Content, Data Privacy, Environmental Impacts, Harmful Bias and Homogenization, Human-AI Configuration, Information Integrity, Information Security, Intellectual Property, Obscene or Degrading Content, and Value Chain and Component Integration. For each risk area, the profile provides more than 200 suggested actions organized by RMF function, making it substantially more operational than the base framework.
Evaluated for agentic fitness, AI 600-1 exhibits four structural limitations that are distinct from those of the base framework.
3.1 Scoped to Content Generation
The twelve risk areas identified in AI 600-1 are organized around a central concern: what harmful or undesirable content might a generative AI system produce? This framing is appropriate for systems whose primary function is generating text, images, or other media in response to human requests, but it is inadequate for agentic systems whose primary risks arise not from what they say but from what they do. The Information Security risk area comes closest to addressing agentic concerns, noting that prompt injection can use generative AI to exploit vulnerabilities in interconnected systems. However, this entry treats information security as a property of the model’s outputs rather than as a property of the agent’s actions in an operational environment. The distinction matters enormously: an agent that is successfully prompt-injected does not merely produce a harmful output; it executes a harmful action, potentially with irreversible real-world consequences.
3.2 No Action-Consequence Modeling
AI 600-1 does not include any risk area corresponding to the harm potential of autonomous actions. There is no category for the risk that an agent takes an irreversible action based on incorrect reasoning, nor for the risk that an agent’s action in one system triggers cascading effects in interconnected systems. The closest analogue in the profile — Human-AI Configuration — addresses the risk that humans misconfigure or over-rely on AI systems, but it frames this as a concern about human behavior rather than as a property of the agent’s action capability. A profile adequate for agentic systems would need to include an action-consequence risk area that addresses the scope, reversibility, and interconnectedness of the actions an agent can execute.
3.3 No Multi-Step Planning Risk Assessment
Generative AI systems produce outputs through a single inference step. Agentic systems produce outcomes through multi-step planning cycles in which each step conditions the next and early errors compound over the sequence. AI 600-1 provides no guidance for assessing the risks introduced by this sequential, compounding structure. A plan that appears reasonable at its first step may become problematic when executed through ten subsequent steps; a model that is marginally misaligned with its operator’s intent may produce a minor deviation in a single turn but substantial harm across a long action sequence. Assessing these multi-step planning risks requires different evaluation methodologies and different metrics than those adequate for single-turn generative systems.
3.4 No Control Plane Security Framework
The Value Chain and Component Integration risk area in AI 600-1 addresses the security risks introduced by third-party components in the AI development pipeline — datasets, pre-trained models, and similar inputs. This is a meaningful concern, but it does not extend to the security of the operational control plane through which an agent executes. In agentic architectures, the control plane — the infrastructure through which agents receive instructions, communicate with each other, invoke tools, and receive results — is itself a significant attack surface. Prompt injection through tool outputs, agent impersonation in multi-agent communication channels, and malicious tool registration in agent tool registries are all control plane attacks that have no representation in AI 600-1. Organizations deploying agentic systems at scale face a category of infrastructure security risk that the profile’s value chain framing does not capture.
4. Proposed Agentic Extensions by RMF Function
The agentic extensions proposed in this section are intended to supplement, not replace, the existing RMF 1.0 structure. Each extension is identified as belonging to one of the four RMF functions and is cross-referenced to existing RMF categories and subcategories where applicable. The extensions introduce new categories and subcategories that do not currently exist in the framework; suggested identifiers for formal integration use the prefix “AG” (Agentic) within the existing category naming convention.
4.1 GOVERN Extensions
The GOVERN function is cross-cutting, intended to establish the policies, processes, and accountability structures that inform and are infused throughout the other three functions. Extending GOVERN for agentic AI requires two principal additions: a formal autonomy classification system with associated governance requirements, and a structured accountability framework for delegation chains.
4.1.1 Autonomy Tier Policy (AG-GV.1: Autonomy Tier Classification)
Organizations deploying agentic AI should be required under their RMF programs to formally classify each deployed agent according to an autonomy tier that reflects both the agent’s operational independence and the consequences of its potential failures. This paper proposes a four-tier classification aligned with the operational characteristics that drive governance requirements. Tier 1 agents operate in fully supervised mode, generating outputs that require human approval before any action is taken. Tier 2 agents operate with constrained autonomy, executing pre-approved action types within a predefined scope but requiring human escalation for actions outside that scope. Tier 3 agents operate with broad autonomy within a defined operational boundary, taking actions autonomously but subject to continuous monitoring and bounded by hard constraints on resource access, action scope, and time horizon. Tier 4 agents operate at full autonomy within a constrained environment, capable of spawning sub-agents, acquiring new tool capabilities, and executing long-horizon plans with minimal human interaction.
The governance obligations associated with each tier should escalate with the tier level. Tier 1 deployments require governance structures equivalent to those adequate for non-agentic generative AI. Tier 2 deployments require formal action scope documentation, approval authority delegation policies, and defined escalation triggers. Tier 3 deployments require continuous behavioral monitoring, defined response playbooks for behavioral anomalies, and documented fail-safe conditions. Tier 4 deployments require all of the above, plus formal oversight board review at defined intervals, documented decommissioning procedures, and independent security testing of the agent’s decision-making under adversarial conditions. This tier framework directly addresses the autonomy gap identified in Section 2.1 and provides the organizational vocabulary needed to make governance obligations proportionate to agentic risk.
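As an added illustration of how the tier policy above can be made executable (this is example code written for this paper's discussion, not part of any NIST or CSA publication), the following Python module encodes the four tiers as a decision function that returns whether a proposed action may run unattended, must pause for human confirmation, or is refused by a hard constraint. The tier labels, the action-type vocabulary, the scope strings and the plan-length limit are assumptions chosen for illustration.

```python
"""Autonomy tier policy gate (AG-GV.1).

Added example, not part of the white paper: encodes the four autonomy
tiers as a decision function. The tier labels, action types, scope
strings and the max_plan_steps limit are assumptions for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Tier(int, Enum):
    SUPERVISED = 1    # Tier 1: every output needs human approval before action
    CONSTRAINED = 2   # Tier 2: pre-approved action types inside a fixed scope
    BROAD = 3         # Tier 3: autonomous inside a boundary, hard constraints
    FULL = 4          # Tier 4: may spawn sub-agents, long-horizon plans


class Decision(str, Enum):
    ALLOW = "allow"
    ESCALATE = "escalate"   # pause and request human confirmation
    DENY = "deny"           # hard constraint violated; no human override here


@dataclass
class AgentPolicy:
    tier: Tier
    scope: set = field(default_factory=set)                  # resources in bounds
    approved_action_types: set = field(default_factory=set)  # used at Tier 2
    max_plan_steps: int = 10                                 # hard limit, Tier 3+
    may_spawn_subagents: bool = False                        # honoured only at Tier 4


@dataclass
class ProposedAction:
    action_type: str      # "read", "write", "execute", "spawn" (assumed vocabulary)
    resource: str
    plan_length: int = 1  # steps in the plan this action belongs to


def gate(policy: AgentPolicy, action: ProposedAction) -> Decision:
    """Map (tier, action) to the oversight decision the tier requires."""
    # Tier 1: nothing executes without a human in the loop.
    if policy.tier == Tier.SUPERVISED:
        return Decision.ESCALATE

    # Spawning sub-agents is a Tier 4 capability; lower tiers are refused.
    if action.action_type == "spawn":
        if policy.tier == Tier.FULL and policy.may_spawn_subagents:
            return Decision.ALLOW
        return Decision.DENY

    in_scope = action.resource in policy.scope

    if policy.tier == Tier.CONSTRAINED:
        # Pre-approved action types inside scope run unattended;
        # anything else escalates to a human rather than being refused.
        if in_scope and action.action_type in policy.approved_action_types:
            return Decision.ALLOW
        return Decision.ESCALATE

    # Tier 3 and 4: bounded by hard constraints on scope and time horizon.
    if action.plan_length > policy.max_plan_steps:
        return Decision.DENY
    return Decision.ALLOW if in_scope else Decision.DENY


def obligations(tier: Tier) -> list:
    """Governance obligations that accumulate with tier, as listed in the paper."""
    ladder = [
        ["generative-AI baseline governance"],
        ["action scope documentation", "approval delegation policy", "escalation triggers"],
        ["continuous behavioural monitoring", "anomaly response playbooks", "fail-safe conditions"],
        ["oversight board review", "decommissioning procedure", "adversarial security testing"],
    ]
    out = []
    for level in ladder[: int(tier)]:
        out.extend(level)
    return out
```

The design choice worth noting is that Tier 2 escalates on anything outside its approved scope, whereas Tiers 3 and 4 deny: the paper frames Tier 2 boundaries as escalation triggers and Tier 3/4 boundaries as hard constraints, and the gate keeps that distinction visible rather than collapsing both into a single "ask a human" path.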
4.1.2 Oversight Boundary Framework (AG-GV.2: Delegation Accountability)
The GOVERN function should require organizations to formally document the oversight boundaries for every agent deployment, including the boundaries that apply to delegated agent actions. An oversight boundary specification for an agentic system should address four elements: the scope of actions the agent is authorized to take without human approval; the conditions under which the agent must pause and escalate to human oversight; the scope of delegation authority the agent holds (i.e., the conditions under which it may spawn or task sub-agents and what authorities those sub-agents may receive); and the accountability lineage that connects every agent action to a responsible human officer within the organization.
Accountability lineage is particularly important in multi-agent architectures because the depth and branching of delegation chains can otherwise create diffusion of accountability. Organizations should be required to maintain an agent accountability register that documents, for each deployed agent: the business owner accountable for the agent’s behavior; the technical owner responsible for its security posture; the lineage of delegation authority (i.e., which human principals authorized the agent’s deployment and with what authorities); and the conditions under which the accountability chain is reviewed and updated. This register serves both internal governance purposes and the external accountability obligations that regulators and auditors will increasingly require of organizations operating autonomous AI.
4.1.3 Agent Lifecycle Governance (AG-GV.3: Agent Inventory and Lifecycle)
The RMF already includes GV.1.6, which requires organizations to maintain an inventory of AI systems resourced according to risk priorities. For agentic systems, this requirement should be extended to mandate lifecycle governance that tracks not only what agents exist but what authorities they hold, what tools they can access, what delegation relationships they participate in, and when their authority should be reviewed or revoked. Agent inventories for agentic deployments should be dynamic, capable of capturing the fact that agents may spawn ephemeral sub-agents whose existence and actions must still be attributable to an accountable principal. Organizations operating at Tier 3 or Tier 4 autonomy should be required to maintain real-time agent registries integrated with their identity and access management infrastructure.
4.2 MAP Extensions
The MAP function establishes contextual understanding of AI risk by mapping each AI system’s intended use, potential impacts, and risk factors. Extending MAP for agentic AI requires adding tool-use risk modeling and action-consequence mapping as formal risk contextualization activities.
4.2.1 Tool-Use Risk Inventory (AG-MP.1: Agent Tool Risk Classification)
Organizations should be required to produce and maintain a tool risk inventory for each agentic deployment that documents every tool available to the agent, classified according to its risk profile. Tool risk classification should address four dimensions: consequence scope (the breadth of real-world effects that the tool can produce, ranging from read-only to destructive); reversibility (whether the effects of a tool invocation can be undone, and at what cost); authentication requirements (what credentials the tool uses and what access those credentials grant); and compositional risk (whether the combination of this tool with other tools in the agent’s toolkit creates emergent risk that exceeds the risk of any individual tool).
The consequence scope dimension is particularly important for establishing proportionate controls. Read-only tools — those that retrieve but do not modify information — present a fundamentally different risk profile from write tools, and write tools present a different risk profile from execute tools. Execute tools — code execution, command execution, and API calls with side effects — carry the highest inherent risk and should require the most stringent authorization controls. An agent’s tool risk inventory should be reviewed as part of every security assessment and updated whenever new tools are added to the agent’s toolkit.
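The following Python module is an added example (written for this discussion, not drawn from the paper or from any published control catalogue) of a tool risk inventory along the four dimensions just described. It scores each tool's inherent risk from consequence scope, reversibility and external reach, and then checks tool pairs for compositional risk that neither tool carries alone. The tool names, credential labels, scoring weights and the three pair rules are assumptions for illustration.

```python
"""Tool risk inventory with compositional risk (AG-MP.1).

Added example, not part of the white paper: scores each tool on the
dimensions the paper lists and checks tool pairs for emergent risk.
Tool names, credential labels, weights and pair rules are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from itertools import combinations


class Scope(IntEnum):
    READ = 1      # retrieves information only
    WRITE = 2     # modifies state in a system
    EXECUTE = 3   # runs code or commands, or calls APIs with side effects


@dataclass(frozen=True)
class Tool:
    name: str
    scope: Scope
    reversible: bool   # can the effect of one invocation be undone?
    credential: str    # what the tool authenticates with
    external: bool     # reaches systems outside the organisation boundary


def inherent_risk(t: Tool) -> int:
    """Ordinal 1..5: scope, plus one for irreversibility, plus one for external reach."""
    score = int(t.scope)
    if not t.reversible:
        score += 1
    if t.external:
        score += 1
    return min(score, 5)


def compositional_findings(tools) -> list:
    """Pairwise rules for emergent risk (assumed rules, not from the paper)."""
    findings = []
    for a, b in combinations(tools, 2):
        pair = (a, b)
        internal_reads = [t for t in pair if t.scope == Scope.READ and not t.external]
        external_any = [t for t in pair if t.external]
        external_reads = [t for t in pair if t.scope == Scope.READ and t.external]
        executes = [t for t in pair if t.scope == Scope.EXECUTE]
        # Internal data read by one tool can leave through any tool that reaches outside.
        if internal_reads and external_any:
            findings.append(("exfiltration-path", a.name, b.name))
        # Untrusted content fetched by one tool can steer an execute tool
        # (prompt injection delivered through a tool output).
        if external_reads and executes:
            findings.append(("injection-to-execute", a.name, b.name))
        # Two irreversible state-changing tools widen the blast radius of one bad plan.
        if all(not t.reversible and t.scope >= Scope.WRITE for t in pair):
            findings.append(("irreversible-chain", a.name, b.name))
    return findings


def inventory_report(tools) -> dict:
    """Per-tool inherent risk, pair findings and the control level the toolkit needs."""
    per_tool = {t.name: inherent_risk(t) for t in tools}
    findings = compositional_findings(tools)
    max_risk = max(per_tool.values(), default=0)
    # Assumed control ladder keyed on the highest inherent risk present.
    control = {0: "none", 1: "log", 2: "log", 3: "approve-writes",
               4: "approve-all", 5: "approve-all"}[max_risk]
    return {"per_tool": per_tool, "findings": findings, "control_level": control}


# Constructed toolkit for a hypothetical support-automation agent.
TOOLKIT = [
    Tool("db_read", Scope.READ, True, "svc-readonly", False),
    Tool("web_fetch", Scope.READ, True, "none", True),
    Tool("send_email", Scope.WRITE, False, "smtp-relay", True),
    Tool("run_shell", Scope.EXECUTE, False, "host-root", False),
    Tool("create_ticket", Scope.WRITE, True, "tracker-api", False),
]
```

Running `inventory_report(TOOLKIT)` surfaces the point the paper makes about compositional risk: `db_read` and `web_fetch` each score low on their own, but together they form an exfiltration path, and `web_fetch` next to `run_shell` is exactly the injection-through-tool-output scenario that the MAP gap in Section 2.2 describes.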
4.2.2 Action-Consequence Mapping (AG-MP.2: Agent Action-Consequence Analysis)
Beyond individual tool risk, organizations should be required to perform action-consequence mapping for agent deployments operating at Tier 2 autonomy and above. Action-consequence mapping is a structured analysis that identifies the sequences of tool invocations the agent might execute in pursuing its objectives, maps each sequence to its potential real-world consequences, and identifies the failure modes — model errors, adversarial inputs, environmental changes — that could trigger unintended consequence paths. The output of this analysis is a consequence graph: a directed graph in which nodes represent agent states and edges represent tool invocations with their associated consequence probabilities and severity ratings.
Consequence graphs provide the contextual foundation for risk management decisions about action authorization, monitoring trigger design, and fail-safe configuration. An agent operating within a well-characterized consequence graph is substantially easier to govern than one whose action-consequence relationships have not been formally analyzed. Organizations should integrate action-consequence mapping into their AI risk assessment processes and review these maps when agent capabilities are extended, when operational context changes significantly, or when an incident suggests that the map did not accurately capture actual agent behavior.
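As an added worked example of the consequence graph described above (example code for this discussion, not the paper's own artefact), the Python below represents agent states as nodes and tool invocations as edges annotated with an unintended-consequence probability, a severity rating and a reversibility flag. It enumerates every path from the start state, scores each path under an independent-step model, and ranks paths so that those containing an irreversible step come first, marking where a human checkpoint would belong. The states, tools, probabilities and severities are constructed values.

```python
"""Consequence graph analysis (AG-MP.2).

Added example, not part of the white paper: nodes are agent states,
edges are tool invocations with p_fail, severity and reversibility.
All states, tools, probabilities and severities are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Edge:
    tool: str
    target: str
    p_fail: float     # probability the invocation yields an unintended consequence
    severity: int     # 1 (negligible) .. 5 (irreversible, high impact)
    reversible: bool


def enumerate_paths(graph: Dict[str, List[Edge]], start: str) -> List[List[Edge]]:
    """All simple paths from start to a state with no outgoing edges."""
    paths: List[List[Edge]] = []

    def walk(node: str, path: List[Edge], visited: set) -> None:
        if not graph.get(node):
            paths.append(list(path))
            return
        for edge in graph[node]:
            if edge.target in visited:   # skip cycles; only simple paths are scored
                continue
            path.append(edge)
            walk(edge.target, path, visited | {edge.target})
            path.pop()

    walk(start, [], {start})
    return paths


def score_path(path: List[Edge]) -> dict:
    """Independent-step model: P(any step fails) and expected severity."""
    p_none = 1.0
    expected = 0.0
    for e in path:
        p_none *= 1.0 - e.p_fail
        expected += e.p_fail * e.severity
    first_irreversible = next((e.tool for e in path if not e.reversible), None)
    return {
        "tools": [e.tool for e in path],
        "p_any_failure": 1.0 - p_none,
        "expected_severity": expected,
        # A human checkpoint belongs before the first irreversible invocation.
        "checkpoint_before": first_irreversible,
    }


def analyze(graph: Dict[str, List[Edge]], start: str) -> List[dict]:
    """Scored paths, irreversible ones first, then by expected severity."""
    scored = [score_path(p) for p in enumerate_paths(graph, start)]
    scored.sort(key=lambda s: (s["checkpoint_before"] is None, -s["expected_severity"]))
    return scored


# Constructed graph for a hypothetical infrastructure-maintenance agent.
GRAPH: Dict[str, List[Edge]] = {
    "start": [Edge("read_config", "configured", 0.01, 1, True)],
    "configured": [
        Edge("apply_change", "changed", 0.05, 3, True),     # rollback exists
        Edge("delete_volume", "deleted", 0.02, 5, False),   # no rollback
    ],
    "changed": [Edge("notify", "done_ok", 0.01, 1, True)],
    "deleted": [Edge("notify", "done_deleted", 0.01, 1, True)],
}
```

The ranking deliberately does not sort by expected severity alone: in the constructed graph the `apply_change` path has the higher expected severity, but the `delete_volume` path is the one that needs an approval gate, because no later step can undo it. That is the reversibility dimension of Section 4.2.1 carried into path-level analysis.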
4.2.3 Multi-Agent Interaction Risk (AG-MP.3: Multi-Agent Topology Risk)
In deployments involving multiple coordinating agents, organizations should perform a topology risk analysis that maps the interaction patterns between agents, identifies the trust boundaries between them, and assesses the risk of compromise propagation through the agent network. Multi-agent topology risk includes: the risk that a compromised sub-agent can influence the behavior of an orchestrating agent through manipulated results; the risk that an adversary who controls one agent in a network can leverage inter-agent communication channels to influence others; and the risk that emergent behaviors arise from agent interactions that were not anticipated during individual agent testing. Topology risk analysis should be required for any deployment in which an agent can receive inputs from other AI agents rather than exclusively from human principals.
4.3 MEASURE Extensions
The MEASURE function addresses how organizations assess and monitor AI risk through quantitative, qualitative, and mixed methods. Extending MEASURE for agentic AI requires adding runtime behavioral metrics, autonomy calibration assessment, and delegation chain monitoring as core measurement activities.
4.3.1 Runtime Behavioral Metrics (AG-MS.1: Agentic Behavioral Telemetry)
Organizations operating agents at Tier 2 autonomy and above should be required to collect and analyze a defined set of runtime behavioral metrics that serve as early indicators of compromise, behavioral drift, and unintended operation. A minimum required telemetry set for Tier 2 and higher deployments should include: action velocity (the rate at which the agent invokes tools in a given time window, with deviations from baseline flagged as potential anomalies); permission escalation rate (the frequency with which the agent requests access to resources or capabilities outside its initial authorization scope); cross-boundary invocations (tool calls that cross defined organizational or security boundaries, such as requests to external systems not in the agent’s original tool inventory); delegation depth (the maximum depth of sub-agent delegation chains initiated by the agent); and exception rates (the frequency with which the agent encounters errors, unexpected tool responses, or plan failures that require replanning).
These metrics provide the observational foundation for the MANAGE function’s behavioral drift correction and incident response capabilities. Without continuous behavioral telemetry, organizations cannot distinguish a well-functioning agent from one that is drifting, compromised, or operating outside its intended parameters. The metrics should be evaluated against baselines established during controlled deployment testing, and organizations should maintain dynamic baselines that account for legitimate behavioral variation across operational contexts while remaining sensitive to anomalous patterns.
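The Python module below is an added example (not code from the paper or from any of the frameworks it cites) that computes the five metrics of the minimum telemetry set from a window of constructed tool-invocation events, compares each against a baseline, and updates the baseline only from metrics that were not flagged, so that an agent drifting slowly cannot move its own baseline with it. The event log, baseline values, tolerance factor and the hypothetical resource inventory are all constructed for illustration.

```python
"""Runtime behavioural telemetry (AG-MS.1).

Added example, not part of the white paper: computes action velocity,
permission escalation rate, cross-boundary invocations, delegation depth
and exception rate from constructed events and compares them with a
baseline. Baseline values, tolerance and inventory are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    ts: float            # seconds since window start
    tool: str
    target: str          # resource or host the call touched
    status: str          # "ok" or "error"
    depth: int           # delegation depth of the (sub-)agent that made the call
    scope_request: bool  # True if the call asked for access outside initial scope


# Rate-like metrics are compared against baseline * tolerance; the others are hard limits.
SCALED = {"action_velocity", "permission_escalation_rate", "exception_rate"}


def compute_metrics(events: List[Event], window_s: float, inventory: set) -> Dict[str, float]:
    n = len(events)
    return {
        "action_velocity": n / (window_s / 60.0),  # tool calls per minute
        "permission_escalation_rate": (sum(e.scope_request for e in events) / n) if n else 0.0,
        "cross_boundary_invocations": sum(e.target not in inventory for e in events),
        "delegation_depth": max((e.depth for e in events), default=0),
        "exception_rate": (sum(e.status == "error" for e in events) / n) if n else 0.0,
    }


def detect_anomalies(m: Dict[str, float], baseline: Dict[str, float],
                     tolerance: float = 2.0) -> List[str]:
    """Names of metrics outside their baseline envelope."""
    flagged = []
    for name, value in m.items():
        limit = baseline[name] * tolerance if name in SCALED else baseline[name]
        if value > limit:
            flagged.append(name)
    return flagged


def update_baseline(baseline: Dict[str, float], m: Dict[str, float],
                    flagged: List[str], alpha: float = 0.2) -> Dict[str, float]:
    """Exponential moving average for rate metrics, skipping any flagged this window."""
    new = dict(baseline)
    for name, value in m.items():
        if name in SCALED and name not in flagged:
            new[name] = (1 - alpha) * baseline[name] + alpha * value
    return new


# Constructed: resources the agent was deployed with, a baseline, and a one-minute window.
INVENTORY = {"db:orders", "tracker", "kb:internal"}
BASELINE = {"action_velocity": 4.0, "permission_escalation_rate": 0.02,
            "cross_boundary_invocations": 0, "delegation_depth": 2, "exception_rate": 0.05}
WINDOW = [
    Event(1, "db_read", "db:orders", "ok", 1, False),
    Event(4, "db_read", "db:orders", "ok", 1, False),
    Event(8, "kb_search", "kb:internal", "ok", 1, False),
    Event(11, "ticket_update", "tracker", "ok", 1, False),
    Event(15, "db_read", "db:orders", "error", 1, False),
    Event(19, "kb_search", "kb:internal", "ok", 2, False),
    Event(23, "db_read", "db:orders", "ok", 2, True),                # asked for a wider grant
    Event(27, "http_get", "api.partner.example", "ok", 2, False),    # target not in inventory
    Event(31, "ticket_update", "tracker", "ok", 3, False),
    Event(36, "db_read", "db:orders", "ok", 3, True),
    Event(42, "kb_search", "kb:internal", "ok", 1, False),
    Event(55, "ticket_update", "tracker", "ok", 1, False),
]
```

On the constructed window, four of the five metrics trip (velocity, escalation rate, a cross-boundary call and delegation depth) while the exception rate stays inside its envelope; the baseline update then absorbs only the exception rate. Treating cross-boundary invocations and delegation depth as hard limits rather than scaled rates reflects the paper's point that these are early warning indicators whose first occurrence already matters.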
4.3.2 Autonomy Calibration Assessment (AG-MS.2: Autonomy-Outcome Correlation Analysis)
Organizations should periodically assess whether an agent’s current autonomy tier is calibrated to its demonstrated performance and the organization’s risk tolerance. Autonomy calibration assessment compares the agent’s track record of autonomous decisions — their accuracy, their alignment with intended objectives, and the frequency and severity of deviations — against the risk tolerance thresholds associated with its current tier classification. An agent that consistently demonstrates accurate judgment within its operational domain may be eligible for promotion to a higher autonomy tier with reduced oversight requirements. An agent that exhibits higher-than-expected error rates, unexpected behaviors, or evidence of adversarial influence should be demoted to a lower tier with increased oversight, regardless of its original classification.
This calibration activity provides a feedback loop between the MEASURE function and the GOVERN function’s autonomy tier policies, ensuring that governance obligations remain proportionate to demonstrated agent behavior rather than fixed at deployment-time classifications. Organizations should conduct autonomy calibration assessments at minimum annually for Tier 2 deployments, quarterly for Tier 3 deployments, and monthly for Tier 4 deployments, with additional assessments triggered by significant incidents or operational context changes.
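To make the calibration loop concrete, the following Python is an added example (written for this discussion, not part of the paper) that summarises an agent's decision record, compares it with per-tier tolerance thresholds, and recommends holding, promoting or demoting the tier together with the next review interval. The review cadences (annual for Tier 2, quarterly for Tier 3, monthly for Tier 4) are the paper's; the tolerance thresholds, the minimum sample size for promotion and the treatment of Tier 1 as outside the calibration cycle are assumptions.

```python
"""Autonomy calibration assessment (AG-MS.2).

Added example, not part of the white paper. Review cadences are from
the paper; thresholds, MIN_SAMPLE and Tier 1 handling are assumptions.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class DecisionRecord:
    correct: bool              # matched the intended objective on review
    deviation_severity: int    # 0 (none) .. 5 (severe)
    adversarial: bool          # evidence the decision was externally steered


# Assumed per-tier tolerance: (max error rate, max count of deviations with severity >= 3).
TOLERANCE = {2: (0.10, 2), 3: (0.05, 1), 4: (0.02, 0)}
REVIEW_DAYS = {2: 365, 3: 90, 4: 30}   # from the paper; Tier 1 is fully supervised
MIN_SAMPLE = 200                        # assumed: too few decisions means no promotion


def summarize(records: List[DecisionRecord]) -> dict:
    n = len(records)
    errors = sum(not r.correct for r in records)
    severe = sum(r.deviation_severity >= 3 for r in records)
    return {
        "n": n,
        "error_rate": errors / n if n else 0.0,
        "severe_deviations": severe,
        "adversarial": any(r.adversarial for r in records),
    }


def meets(stats: dict, tier: int) -> bool:
    max_err, max_severe = TOLERANCE[tier]
    return stats["error_rate"] <= max_err and stats["severe_deviations"] <= max_severe


def calibrate(current_tier: int, records: List[DecisionRecord]) -> dict:
    """Recommend 'hold', 'promote' or 'demote' and the next review interval in days."""
    if current_tier not in TOLERANCE:
        raise ValueError("calibration applies to Tier 2-4 agents")  # assumption
    stats = summarize(records)
    # Any evidence of adversarial influence demotes regardless of the numbers.
    if stats["adversarial"] or not meets(stats, current_tier):
        new_tier, action = current_tier - 1, "demote"
    elif current_tier < 4 and stats["n"] >= MIN_SAMPLE and meets(stats, current_tier + 1):
        new_tier, action = current_tier + 1, "promote"
    else:
        new_tier, action = current_tier, "hold"
    return {"action": action, "tier": new_tier,
            "next_review_days": REVIEW_DAYS.get(new_tier), "stats": stats}


def constructed_record(n: int, errors: int, severe: int = 0,
                       adversarial: int = 0) -> List[DecisionRecord]:
    """Synthetic track record: the first `errors` entries are wrong, the first
    `severe` carry a severity-4 deviation, the first `adversarial` are steered."""
    return [
        DecisionRecord(correct=i >= errors,
                       deviation_severity=4 if i < severe else 0,
                       adversarial=i < adversarial)
        for i in range(n)
    ]
```

Two asymmetries are intentional and follow the paper's text: demotion needs only a single failed criterion (or any adversarial evidence) and applies immediately, whereas promotion requires both a sufficient sample and the next tier's stricter thresholds. Promotion also never skips a tier, so an agent earns reduced oversight one step at a time.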
4.3.3 Delegation Chain Monitoring (AG-MS.3: Delegation Chain Integrity)
In multi-agent deployments, organizations should monitor the integrity of delegation chains to detect unauthorized authority expansion, unexpected delegation patterns, and attempts by sub-agents to acquire authorities they were not granted. Delegation chain monitoring should track: the depth and breadth of actual delegation chains compared to planned delegation topologies; any instance in which a sub-agent invokes capabilities or accesses resources beyond its authorized scope; cross-agent communication patterns that deviate from expected interaction topologies; and the consistency of authority claims by sub-agents against the registry of authorities granted at delegation time. This monitoring provides visibility into the aspects of multi-agent risk that are most difficult to observe through traditional application security tooling and most consequential when they materialize as security incidents.
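The Python module below is an added example (for this discussion; not code from the paper or from AAGATE) of the delegation chain checks just listed. It validates an observed delegation tree against the authorities registered at delegation time and a planned topology, reporting authority expansion at delegation time, invocations outside an agent's grants, messages that do not follow a parent-child edge, chains deeper than planned, and fan-out wider than planned. The agent names, authority strings and observations are constructed.

```python
"""Delegation chain integrity checks (AG-MS.3).

Added example, not part of the white paper. Agent names, authority
strings, the observation log and the planned limits are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Grant:
    agent: str
    parent: Optional[str]   # None for the root agent tasked by a human principal
    authorities: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Observation:
    kind: str     # "invoke" (uses an authority) or "message" (talks to another agent)
    agent: str
    detail: str   # the authority used, or the peer agent messaged


def depth_of(registry: Dict[str, Grant], agent: str) -> int:
    d = 0
    while registry[agent].parent is not None:
        agent = registry[agent].parent
        d += 1
    return d


def check_chain(registry: Dict[str, Grant], observations: List[Observation],
                max_depth: int, max_children: int) -> List[tuple]:
    """Return (violation, agent, detail) tuples; an empty list means the chain is intact."""
    violations: List[tuple] = []
    children: Dict[str, List[str]] = {}
    for g in registry.values():
        if g.parent is None:
            continue
        children.setdefault(g.parent, []).append(g.agent)
        # A sub-agent may hold only authorities its delegator already holds.
        for a in sorted(g.authorities - registry[g.parent].authorities):
            violations.append(("authority-expansion", g.agent, a))
        d = depth_of(registry, g.agent)
        if d > max_depth:
            violations.append(("depth-exceeded", g.agent, str(d)))
    for parent, kids in children.items():
        if len(kids) > max_children:
            violations.append(("breadth-exceeded", parent, str(len(kids))))
    for o in observations:
        g = registry.get(o.agent)
        if g is None:
            violations.append(("unregistered-agent", o.agent, o.detail))
            continue
        if o.kind == "invoke" and o.detail not in g.authorities:
            violations.append(("unauthorized-invocation", o.agent, o.detail))
        elif o.kind == "message":
            peer = registry.get(o.detail)
            # Expected topology: an agent talks only to its delegator or its own sub-agents.
            along_edge = peer is not None and (g.parent == peer.agent or peer.parent == g.agent)
            if not along_edge:
                violations.append(("unexpected-channel", o.agent, o.detail))
    return violations


# Constructed delegation tree for a hypothetical remediation workflow.
REGISTRY = {
    "orchestrator": Grant("orchestrator", None, {"read:db", "write:ticket", "execute:sandbox"}),
    "researcher": Grant("researcher", "orchestrator", {"read:db"}),
    "fixer": Grant("fixer", "orchestrator", {"write:ticket", "execute:sandbox"}),
    "fixer-helper": Grant("fixer-helper", "fixer", {"execute:sandbox", "write:prod"}),
    "fixer-helper-2": Grant("fixer-helper-2", "fixer-helper", {"execute:sandbox"}),
}
OBSERVED = [
    Observation("invoke", "researcher", "read:db"),         # within grant
    Observation("invoke", "researcher", "write:ticket"),    # beyond its grant
    Observation("message", "fixer", "orchestrator"),        # along a parent-child edge
    Observation("message", "researcher", "fixer-helper"),   # no edge between them
    Observation("invoke", "ghost-agent", "read:db"),        # never registered
]
```

The subset rule on grants is the single most useful check here: because every sub-agent's authorities must be a subset of its delegator's, authority can only narrow as it passes down the chain, which is the scoping property Section 2.4 notes the base framework never states. The unregistered-agent case ties back to the dynamic agent registry of AG-GV.3: an action from an identity the registry has never seen is itself a finding.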
4.4 MANAGE Extensions
The MANAGE function implements risk responses, tracks their effectiveness, and maintains plans for responding to residual risks. Extending MANAGE for agentic AI requires adding structured incident response for agent compromise, a systematic approach to behavioral drift correction, and principled agent decommissioning procedures.
4.4.1 Agent Compromise Incident Response (AG-MG.1: Agentic Incident Classification and Response)
Organizations should develop and maintain incident response playbooks specifically designed for the incident types unique to agentic AI, including agent compromise (an agent under adversarial control), behavioral hijack (an agent following injected instructions rather than its legitimate directives), runaway agent (an agent that has exceeded its authorization scope through error or manipulation), and delegation chain compromise (an adversary who has introduced a malicious agent into a multi-agent network). For each incident type, the playbook should define: detection criteria based on behavioral telemetry thresholds; immediate containment actions including the conditions under which the agent should be suspended or terminated; forensic investigation procedures that account for the ephemeral and distributed nature of agent actions; and remediation steps that address both the immediate incident and the governance or architectural weaknesses that enabled it.
The containment action design is particularly important for agentic incident response because the window between incident detection and harmful action completion is often very short. Organizations operating high-autonomy agents should implement pre-authorized automatic containment responses — including automated agent suspension or kill-switch activation — for the highest-severity incident patterns rather than relying on human-in-the-loop containment decisions that may arrive too late to prevent harm.
4.4.2 Behavioral Drift Correction (AG-MG.2: Drift Detection and Remediation)
Behavioral drift — the gradual change in an agent’s behavior patterns away from its established baseline — is a risk category with no direct analogue in the MANAGE function as currently defined. Organizations should implement a drift correction process that distinguishes between acceptable behavioral variation (legitimate adaptation to changing operational context) and problematic drift (deviation from intended operating parameters that has not been authorized through the governance process). When drift is detected through the behavioral telemetry defined in MEASURE extension AG-MS.1, the organization should follow a defined remediation path that includes: drift characterization (identifying the dimensions and magnitude of the behavioral change); root cause analysis (determining whether the drift originates from model behavior, environmental changes, data distribution shifts, or adversarial influence); and remediation selection (choosing between re-anchoring through fine-tuning or system prompt adjustment, scope reduction to reduce the behavioral surface area, autonomy tier demotion, or agent redeployment from a known-good state).
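As an added example that is not from the paper, the following sketches the drift characterization and remediation selection steps of the process above over constructed telemetry. It assumes that behavior is summarized per observation window as a tool-usage distribution, an action rate, a delegation depth profile and a count of out-of-scope invocations; the tolerance values, the metric names and the rules that map problematic dimensions to the paper's remediation options are illustrative assumptions to be replaced by an organization's own risk tolerance. Root cause analysis is represented only by the set of changes that governance has authorized, which is what separates acceptable variation from problematic drift here.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from statistics import mean


@dataclass
class BehaviorWindow:
    """Telemetry aggregated over one observation window (constructed shape)."""
    tool_calls: Counter          # tool name -> invocation count
    hours: float                 # window length
    scope_violations: int        # invocations outside granted scope
    chain_depths: list[int]      # observed delegation depth per task


# Per-dimension tolerance for ordinary variation (assumed values, not from the paper).
TOLERANCES = {
    "tool_mix_tv": 0.20,          # total-variation distance between tool-usage distributions
    "action_rate_ratio": 2.0,     # invocations per hour, current vs baseline, either direction
    "mean_depth_delta": 1.0,      # change in mean delegation depth
    "scope_violation_rate": 0.0,  # any out-of-scope invocation is out of tolerance
}


def tool_mix(calls: Counter) -> dict[str, float]:
    total = sum(calls.values())
    return {t: c / total for t, c in calls.items()} if total else {}


def total_variation(p: dict[str, float], q: dict[str, float]) -> float:
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))


def characterize(baseline: BehaviorWindow, current: BehaviorWindow) -> dict[str, float]:
    """Drift characterization: magnitude of change on each behavioral dimension."""
    base_rate = sum(baseline.tool_calls.values()) / baseline.hours
    cur_calls = sum(current.tool_calls.values())
    ratio = (cur_calls / current.hours) / base_rate if base_rate else float("inf")
    return {
        "tool_mix_tv": total_variation(tool_mix(baseline.tool_calls), tool_mix(current.tool_calls)),
        "action_rate_ratio": max(ratio, 1 / ratio) if ratio else float("inf"),
        "mean_depth_delta": mean(current.chain_depths) - mean(baseline.chain_depths),
        "scope_violation_rate": current.scope_violations / cur_calls if cur_calls else 0.0,
    }


@dataclass
class DriftReport:
    metrics: dict[str, float]
    acceptable: list[str]    # out of tolerance, but authorized through governance
    problematic: list[str]   # out of tolerance and not authorized
    remediation: list[str]


def assess_drift(baseline: BehaviorWindow, current: BehaviorWindow,
                 authorized_changes: set[str]) -> DriftReport:
    metrics = characterize(baseline, current)
    drifted = [k for k, v in metrics.items() if abs(v) > TOLERANCES[k]]
    acceptable = [k for k in drifted if k in authorized_changes]
    problematic = [k for k in drifted if k not in authorized_changes]
    # Remediation selection rules are illustrative assumptions mapping onto the
    # paper's options: scope reduction, tier demotion and re-anchoring.
    remediation: list[str] = []
    if "scope_violation_rate" in problematic:
        remediation += ["scope_reduction", "autonomy_tier_demotion"]
    if set(problematic) - {"scope_violation_rate"}:
        remediation.append("re_anchor_system_prompt")
    return DriftReport(metrics, acceptable, problematic, remediation)


# Constructed baseline and current windows (one week each).
BASELINE = BehaviorWindow(Counter(search=60, read=30, write=10), 168.0, 0, [1, 1, 1, 1])
CURRENT = BehaviorWindow(Counter(search=20, read=20, write=40, shell=20), 168.0, 3, [2, 3, 3, 2])


def run_sample() -> DriftReport:
    # The shell tool was added via an approved change, so tool-mix drift is acceptable;
    # deeper delegation chains and out-of-scope calls were not authorized.
    return assess_drift(BASELINE, CURRENT, authorized_changes={"tool_mix_tv"})


if __name__ == "__main__":
    report = run_sample()
    print(report.metrics)
    print("acceptable:", report.acceptable, "problematic:", report.problematic)
    print("remediation:", report.remediation)
```

On the constructed windows the tool mix has shifted by a total-variation distance of 0.5 (acceptable, because the change was authorized), the mean delegation depth has grown by 1.5 and 3% of invocations fell outside the granted scope; the latter two are problematic, so the selected remediation combines scope reduction and tier demotion with re-anchoring.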
4.4.3 Agent Decommissioning (AG-MG.3: Principled Agent Retirement)
The MANAGE function should include formal guidance on agent decommissioning: the process by which an agent is retired from operation in a manner that addresses the distinctive risks of decommissioning autonomous systems. Agent decommissioning must address several concerns that do not arise in traditional software retirement: the disposition of any persistent memory or learned state that the agent has accumulated during operation; the revocation of all credentials, API keys, and tool access authorities held by the agent; the notification of any external systems or services that maintained trust relationships with the agent’s identity; the preservation of audit logs capturing the agent’s complete action history for the retention periods required by the organization’s compliance obligations; and the assessment of any downstream agents or systems that depended on the decommissioned agent, which may require updates to their trust configurations and operational parameters.
5. Alignment with AAGATE
The AAGATE (Agentic AI Governance Assurance and Trust Engine) reference architecture, published by the Cloud Security Alliance on December 22, 2025, provides a concrete technical instantiation of many of the governance principles proposed in this paper [3]. AAGATE translates the high-level requirements of NIST AI RMF into a Kubernetes-native runtime architecture that enforces governance policies continuously and at machine speed. The alignment between the proposed agentic profile extensions and the AAGATE architecture is direct and systematic, and organizations implementing AAGATE will find that they have simultaneously addressed a substantial portion of the extension requirements proposed here.
The Governing-Orchestrator Agent (GOA) is AAGATE’s decision-making center, analogous to the central nervous system of the governance architecture. The GOA receives continuous security telemetry from all other AAGATE components, classifies incidents using Carnegie Mellon SEI Stakeholder-Specific Vulnerability Categorization (SSVC) logic, and activates “millisecond kill-switch” responses when security threats are detected. This component directly implements the containment capabilities required by AG-MG.1 (Agent Compromise Incident Response), providing the automated containment responses that human-in-the-loop processes cannot deliver at the speed required by high-autonomy deployments. The GOA also enforces the autonomy tier policies defined under AG-GV.1, translating tier-associated governance requirements into enforceable runtime policies.
The Janus Shadow-Monitor Agent (SMA) functions as an embedded red-team evaluator: before an agent action is executed, the SMA assesses it against a continuous model of expected behavior and authorized action patterns. The SMA’s pre-execution evaluation capability directly implements the behavioral drift detection requirements of AG-MG.2 and the delegation chain integrity monitoring of AG-MS.3, providing a layer of adversarial simulation that identifies potential policy violations before they materialize as incidents. The SMA’s name is an apt metaphor: like the two-faced Roman god, it simultaneously observes what the agent is about to do and what the consequences of that action are likely to be.
The Tool-Gateway Chokepoint implements the single control point through which all external interactions — API calls, database operations, file access — are funneled and audited. This architectural element directly implements the tool-use risk model requirements of AG-MP.1 (Agent Tool Risk Classification), ensuring that every tool invocation is visible, auditable, and subject to policy enforcement. The Tool-Gateway Chokepoint makes it operationally feasible to enforce the authorization controls that tool risk classification requires: rather than attempting to enforce these controls in the agent itself (which may be compromised or manipulated), AAGATE enforces them at the infrastructure level where they cannot be bypassed through adversarial influence on the model.
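To make the chokepoint idea concrete, here is an added example of a minimal tool gateway; it is illustrative code written for this page, not AAGATE's implementation. It assumes three tool risk classes (read, reversible write, irreversible), a per-tool minimum autonomy tier, a gateway-held registry of agent tiers and scopes, and single-use human pre-authorizations for irreversible actions; the tool names, agent names and policy rules are constructed. The point it demonstrates is that the gateway decides from its own registry and never from anything the agent asserts in its request, and that every attempt, allowed or denied, lands in the audit log.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable, Optional


class RiskClass(Enum):
    READ = "read"                  # no side effects
    WRITE = "write"                # reversible side effects
    IRREVERSIBLE = "irreversible"  # cannot be undone once executed


@dataclass(frozen=True)
class ToolSpec:
    name: str
    risk: RiskClass
    min_tier: int                  # lowest autonomy tier permitted to call the tool
    handler: Callable[..., object]


@dataclass(frozen=True)
class AgentRecord:
    """What the gateway knows about an agent; never taken from the agent's request."""
    tier: int
    scopes: frozenset[str]


@dataclass(frozen=True)
class Decision:
    agent: str
    tool: str
    allowed: bool
    reason: str


class ToolGateway:
    def __init__(self, tools: Iterable[ToolSpec], agents: dict[str, AgentRecord],
                 approvals: Iterable[tuple[str, str, str]] = ()):
        self.tools = {t.name: t for t in tools}
        self.agents = dict(agents)
        # Single-use human pre-authorizations for irreversible actions: (agent, tool, approval id).
        self.approvals: set[tuple[str, str, str]] = set(approvals)
        self.audit: list[Decision] = []

    def _authorize(self, agent_id: str, tool_name: str, approval_id: Optional[str]) -> Decision:
        tool = self.tools.get(tool_name)
        agent = self.agents.get(agent_id)
        if tool is None:
            return Decision(agent_id, tool_name, False, "tool not registered at gateway")
        if agent is None:
            return Decision(agent_id, tool_name, False, "unknown agent identity")
        if tool_name not in agent.scopes:
            return Decision(agent_id, tool_name, False, "scope not granted")
        if agent.tier < tool.min_tier:
            return Decision(agent_id, tool_name, False, f"tier {agent.tier} below required {tool.min_tier}")
        if tool.risk is RiskClass.IRREVERSIBLE:
            key = (agent_id, tool_name, approval_id or "")
            if key not in self.approvals:
                return Decision(agent_id, tool_name, False, "irreversible action requires pre-authorization")
            self.approvals.discard(key)  # consume the approval so it cannot be replayed
        return Decision(agent_id, tool_name, True, "policy satisfied")

    def invoke(self, agent_id: str, tool_name: str, args: Optional[dict] = None,
               approval_id: Optional[str] = None) -> object:
        decision = self._authorize(agent_id, tool_name, approval_id)
        self.audit.append(decision)  # every attempt is recorded, allowed or not
        if not decision.allowed:
            raise PermissionError(f"{agent_id} -> {tool_name}: {decision.reason}")
        return self.tools[tool_name].handler(**(args or {}))


def build_sample_gateway() -> ToolGateway:
    """Constructed tools, agents and one pre-authorization (not a real deployment)."""
    tools = [
        ToolSpec("docs.search", RiskClass.READ, 1, lambda query: f"3 results for {query!r}"),
        ToolSpec("ticket.update", RiskClass.WRITE, 2, lambda ticket, status: {"ticket": ticket, "status": status}),
        ToolSpec("payments.transfer", RiskClass.IRREVERSIBLE, 3, lambda amount, to: {"queued": amount, "to": to}),
    ]
    agents = {
        "helpdesk-bot": AgentRecord(tier=2, scopes=frozenset({"docs.search", "ticket.update"})),
        "finance-bot": AgentRecord(tier=3, scopes=frozenset({"docs.search", "payments.transfer"})),
    }
    return ToolGateway(tools, agents, approvals=[("finance-bot", "payments.transfer", "apr-0001")])


def run_sample() -> list[Decision]:
    gw = build_sample_gateway()
    attempts = [
        ("helpdesk-bot", "docs.search", {"query": "vpn reset"}, None),
        ("helpdesk-bot", "payments.transfer", {"amount": 500, "to": "acct-9"}, None),       # not in scope
        ("finance-bot", "payments.transfer", {"amount": 500, "to": "acct-9"}, None),        # no approval
        ("finance-bot", "payments.transfer", {"amount": 500, "to": "acct-9"}, "apr-0001"),  # approved
        ("finance-bot", "payments.transfer", {"amount": 500, "to": "acct-9"}, "apr-0001"),  # replayed
    ]
    for agent, tool, args, approval in attempts:
        try:
            gw.invoke(agent, tool, args, approval)
        except PermissionError as exc:
            print("denied:", exc)
    return gw.audit
```

In the sample run the read call is allowed, the helpdesk agent's attempt at a payment is refused on scope, the finance agent's first payment is refused for lack of a pre-authorization, the approved one succeeds, and the replay of the same approval id is refused because the approval was consumed. A compromised agent that claims a higher tier or broader scope in its request changes nothing, because the gateway consults only its own records.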
The Agent Name Service (ANS) maintains a verifiable registry of all agents using Decentralized Identifiers (DIDs) and SPIFFE (Secure Production Identity Framework for Everyone) credentials. ANS directly addresses the agent inventory requirement of AG-GV.3 and the delegation chain integrity requirements of AG-MS.3, providing the identity foundation needed to attribute actions to specific agents in multi-agent deployments. By maintaining verifiable identity for every agent rather than relying on implicit trust based on network position, ANS implements a zero-trust identity model that is robust against agent impersonation and delegation chain injection attacks.
The alignment between the AAGATE architecture and the proposed agentic profile extensions is summarized in the mapping table in Section 6. Organizations that implement AAGATE as their runtime governance infrastructure will satisfy the technical requirements of the proposed extensions; organizations that prefer alternative implementation approaches should ensure that their chosen architecture addresses each of the four structural capabilities that AAGATE embodies: millisecond containment, pre-execution behavioral assessment, chokepoint-enforced tool authorization, and verifiable agent identity.
6. Mapping Table
The table below cross-references RMF functions and subcategories, proposed agentic extensions, relevant AICM v1.0 control domains, and primary CSAI deliverables or reference architectures. This table is intended as a practical implementation planning reference for organizations extending their existing RMF programs.
| RMF Function | Existing Subcategory | Proposed Agentic Extension | AICM v1.0 Domain | CSAI/AAGATE Component |
|---|---|---|---|---|
| GOVERN | GV.1.3 (Risk tolerance levels) | AG-GV.1: Autonomy Tier Classification | Governance, Risk, and Compliance | AAGATE GOA Tier Policy Engine |
| GOVERN | GV.1.5 (Ongoing monitoring roles) | AG-GV.1: Oversight obligation schedules by tier | Governance, Risk, and Compliance | AAGATE GOA |
| GOVERN | GV.2.1 (Accountability structures) | AG-GV.2: Delegation Accountability Register | Accountability and Transparency | AAGATE ANS |
| GOVERN | GV.2.3 (Leadership risk tolerance) | AG-GV.2: Oversight Boundary Framework | Governance, Risk, and Compliance | AAGATE GOA Kill-Switch |
| GOVERN | GV.1.6 (AI system inventory) | AG-GV.3: Agent Lifecycle Registry | Supply Chain Transparency | AAGATE Agent Name Service |
| MAP | MP.2.1 (AI system impact assessment) | AG-MP.1: Tool Risk Classification | Application and Interface Security | AAGATE Tool-Gateway Chokepoint |
| MAP | MP.2.3 (AI risk categorization) | AG-MP.2: Action-Consequence Analysis | Model Security | AAGATE Janus SMA |
| MAP | MP.3.1 (AI system context) | AG-MP.3: Multi-Agent Topology Risk | Application and Interface Security | AAGATE eBPF Mesh |
| MEASURE | MS.1.1 (AI risk metrics) | AG-MS.1: Agentic Behavioral Telemetry | Security Monitoring and Incident Response | AAGATE UEBA/Kafka Pipeline |
| MEASURE | MS.2.5 (AI testing and evaluation) | AG-MS.2: Autonomy Calibration Assessment | Model Security | AAGATE Janus SMA |
| MEASURE | MS.3.1 (Monitoring AI systems) | AG-MS.3: Delegation Chain Monitoring | Accountability and Transparency | AAGATE ANS + eBPF Mesh |
| MANAGE | MG.2.2 (Risk response implementation) | AG-MG.1: Agentic Incident Response Playbooks | Security Monitoring and Incident Response | AAGATE GOA + Kill-Switch |
| MANAGE | MG.3.1 (AI risk feedback loops) | AG-MG.2: Behavioral Drift Detection and Remediation | Security Monitoring and Incident Response | AAGATE Janus SMA + UEBA |
| MANAGE | MG.4.1 (Residual risk management) | AG-MG.3: Agent Decommissioning Procedures | Governance, Risk, and Compliance | AAGATE ANS Credential Revocation |
7. Implementation Guidance
Organizations with existing RMF programs face a practical question: how should they extend their current governance structures to address the agentic extensions proposed in this paper? The answer depends significantly on whether the organization has existing agentic AI deployments, what their autonomy tiers are, and how mature their RMF implementation is. This section provides a structured implementation path applicable to organizations at different starting points.
For organizations at the earliest stage of RMF implementation who are simultaneously beginning to deploy agentic AI, the most efficient approach is to integrate the agentic extensions into the RMF program from the outset rather than implementing the base framework and then retrofitting agentic considerations. The autonomy tier classification system (AG-GV.1) should be established as a governance policy before any Tier 2 or higher agent is deployed, because the oversight obligations it triggers need to be in place before deployment rather than added after the fact. Similarly, tool risk classification (AG-MP.1) is substantially easier to complete before an agent is deployed, when tool selection decisions are still being made, than after deployment when tool configurations are already in production.
For organizations with mature RMF programs who are expanding into agentic AI, a phased implementation approach is appropriate. The first phase should focus on GOVERN extensions: establishing the autonomy tier classification policy, developing the oversight boundary framework, and extending the AI system inventory to capture the agent-specific attributes required by AG-GV.3. These GOVERN extensions establish the vocabulary and accountability structures that all subsequent extensions depend on. The second phase should address MAP extensions for existing and planned agent deployments, producing tool risk inventories and action-consequence maps for each deployment and reviewing them against the GOVERN-established risk tolerance thresholds. The third phase should implement the MEASURE extensions — behavioral telemetry infrastructure, autonomy calibration assessment processes, and delegation chain monitoring — for agents operating at Tier 2 autonomy and above. The fourth phase should develop and exercise the MANAGE extensions — incident response playbooks, drift correction processes, and decommissioning procedures — through tabletop exercises and, for Tier 3 and Tier 4 deployments, live drills.
Organizations implementing technical controls to support these extensions should evaluate AAGATE and similar runtime governance architectures as the most efficient path to satisfying the MEASURE and MANAGE extension requirements. Implementing behavioral telemetry, delegation chain monitoring, and automated containment capabilities independently through custom tooling is substantially more resource-intensive than adopting a reference architecture specifically designed for this purpose. The AAGATE architecture’s alignment with the proposed extensions, documented in Section 5 and the mapping table in Section 6, means that organizations adopting AAGATE can trace their technical controls directly to specific RMF extension requirements, facilitating both internal audit and regulatory review.
One implementation consideration deserves particular emphasis: the relationship between the agentic profile extensions and the organization’s existing identity and access management infrastructure. The agent inventory, delegation chain monitoring, and credential revocation requirements of AG-GV.3 and AG-MG.3 are most efficiently implemented when agents are registered in the organization’s existing identity management systems and their credentials are managed through existing privileged access management tooling. Organizations that treat agent identities as a separate category managed outside their IAM infrastructure create fragmentation that impairs both governance and security response. Agents should be treated as non-human identities subject to the same lifecycle management, privilege minimization, and monitoring obligations as service accounts and other non-human principals.
8. Relationship to NIST AI 100-1 and Future NIST Guidance
The relationship between this paper’s proposed agentic profile and the NIST AI 100-1 base document is straightforward: the agentic profile is a companion document, not a replacement. NIST AI 100-1 provides the foundational conceptual framework and the seven trustworthiness characteristics that apply to all AI systems. The agentic profile proposes extensions to address agent-specific risk properties that the base document does not cover. Organizations using this profile should apply it in conjunction with AI 100-1, not as an alternative to it.
The relationship to NIST AI 600-1 is similarly complementary but more complex. AI 600-1 addresses the specific risk properties of generative AI systems, many of which are present in agentic AI deployments because most current agentic systems are built on generative foundation models. The twelve risk areas in AI 600-1 — including Confabulation, Information Integrity, Data Privacy, and Information Security — remain relevant to agentic systems. Organizations deploying agents built on generative models should apply both AI 600-1 and this agentic profile, using AI 600-1 to govern the model’s content generation behavior and this profile to govern the agent’s autonomous action behavior.
The most significant relationship, however, is with NIST’s emerging AI Agent Standards Initiative. NIST CAISI announced this initiative in February 2026, explicitly acknowledging the governance gap that this paper addresses [6]. The initiative is expected to produce voluntary guidelines for AI agents covering identity and authorization, security and risk management, and monitoring and logging, with an AI Agent Interoperability Profile planned for the fourth quarter of 2026. The extensions proposed in this paper are aligned with the focus areas CAISI has identified, and the paper’s framing of autonomy tiering, tool-use risk, runtime monitoring, and delegation accountability is consistent with the conceptual directions indicated in NIST’s preliminary communications about the initiative.
There is also a developing relationship between the proposed agentic profile and NIST’s ongoing work on AI safety more broadly. NIST’s March 2026 report on AI monitoring — referenced in CAISI’s announcement — makes explicit that monitoring for agentic systems must span functionality, operations, security, compliance, and human factors, going substantially beyond uptime monitoring of the kind adequate for traditional software [6]. This framing validates the multi-dimensional behavioral telemetry approach proposed in MEASURE extension AG-MS.1 and suggests that forthcoming NIST guidance is likely to formalize similar requirements.
Organizations implementing this agentic profile should monitor the NIST AI Agent Standards Initiative for official guidance that may supersede, refine, or formalize the extensions proposed here. The CSA AI Safety Initiative will update this document as official NIST agentic AI guidance matures, maintaining alignment between the proposed extensions and the evolving regulatory and standards landscape. The goal is not to pre-empt official NIST guidance but to provide practitioners with actionable governance extensions today, in the substantial window between the emergence of agentic AI production deployments and the publication of the official standards those deployments require.
References
[1] National Institute of Standards and Technology. “Artificial Intelligence Risk Management Framework (AI RMF 1.0).” NIST AI 100-1. January 26, 2023. https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf
[2] National Institute of Standards and Technology. “Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile.” NIST AI 600-1. July 26, 2024. https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf
[3] Cloud Security Alliance. “AAGATE: A NIST AI RMF-Aligned Governance Platform for Agentic AI.” December 22, 2025. https://cloudsecurityalliance.org/blog/2025/12/22/aagate-a-nist-ai-rmf-aligned-governance-platform-for-agentic-ai
[4] Cloud Security Alliance. “AI Controls Matrix (AICM) v1.0.” July 2025. https://cloudsecurityalliance.org/artifacts/ai-controls-matrix
[5] Model Context Protocol Specification. Anthropic, 2024–2025. https://spec.modelcontextprotocol.io
[6] National Institute of Standards and Technology, Center for AI Standards and Innovation. “Announcing the AI Agent Standards Initiative for Interoperable and Secure Innovation.” February 2026. https://www.nist.gov/news-events/news/2026/02/announcing-ai-agent-standards-initiative-interoperable-and-secure
[7] National Institute of Standards and Technology. “AI RMF Core — NIST AI Resource Center.” https://airc.nist.gov/airmf-resources/airmf/5-sec-core/
[8] Cloud Security Alliance. “Introducing the CSA AI Controls Matrix: A Comprehensive Framework for Trustworthy AI.” July 10, 2025. https://cloudsecurityalliance.org/blog/2025/07/10/introducing-the-csa-ai-controls-matrix-a-comprehensive-framework-for-trustworthy-ai
[9] NIST CAISI. “AI Agent Standards Initiative.” 2026. https://www.nist.gov/caisi/ai-agent-standards-initiative
[10] Cloud Security Alliance. “The Agentic Trust Framework: Zero Trust Governance for AI Agents.” February 2, 2026. https://cloudsecurityalliance.org/blog/2026/02/02/the-agentic-trust-framework-zero-trust-governance-for-ai-agents
[11] Vanta. “An Extensive Guide to the NIST AI RMF.” 2025. https://www.vanta.com/resources/nist-ai-risk-management-framework
[12] CipherNorth. “NIST AI 600-1 and AI RMF: Managing Risk in Generative AI.” 2025. https://www.ciphernorth.com/blog/nist-ai-risk-management-framework-rmf