Skip to content
woolly.me
← Articles
Article

Agent governance can't wait for the standards

NIST's AI RMF, ISO 42001, and the EU AI Act were all written before tool-calling agents, and the CSA says its own standards land through 2027. Build now.

Last updated

The frameworks everyone points to for AI governance were written for a different technology. That’s the finding of a Cloud Security Alliance research note from April 2026: NIST’s AI RMF 1.0, ISO/IEC 42001:2023, and the EU AI Act were all architected before autonomous, tool-calling agents existed, and the CSA’s own agentic-AI standards roll out through December 2027. Its recommendation, verbatim in spirit: build internal agentic-AI governance now rather than wait for the standards bodies, using the near-term resources that do exist, namely the OWASP Agentic Top 10, NCCoE’s work, and the CSA’s AI Controls Matrix.

Put differently, by the time the official answer ships, your agents will have been in production for two or three years. Whatever governed them in the meantime was your governance, whether you designed it or not.

Organizations have started acting on that arithmetic. In Flexera’s 2026 State of the Cloud survey, 47% of large enterprises are establishing dedicated AI governance teams or leaders, and security and compliance risk is the most-cited challenge for scaling AI workloads, named by 53% of respondents, ahead of data quality at 40%. Those are large-enterprise figures, and mid-size companies mostly won’t fund a dedicated governance team. They don’t need to. They need the working version: a named owner and a small set of controls that live in the platform instead of in a document.

Governance that compiles

I’m skeptical of governance programs that produce documents, because I’ve watched what actually constrains an agent in production, and it’s never a PDF. The day job runs agentic tooling against live infrastructure daily, and everything that deserves the word “governance” there is enforced in the pipeline: an adversarial production-safety review, an automated create-only gate that runs before any apply, and a human approving every production-affecting change, with nothing reaching production until it proves out in dev. An agent can’t be argued into compliance. It can only be gated.

So the internal governance function, sized for a mid-size company, is four artifacts, each of which either exists in infrastructure or doesn’t exist.

An inventory. Every agent, what model and framework it runs on, what credentials it holds, what it can read, what it can write, and whether it can spawn or task other agents. This list is the prerequisite for every other decision, and almost nobody has it; the numbers behind that claim, and the identity layer that fixes it, are their own article.

An approval path. A defined route by which an agent goes from someone’s experiment to a production principal, with security sign-off recorded. In Gravitee’s 2026 survey of 900+ executives and practitioners, only 14.4% of organizations reported that all their agents were deployed with full security and IT approval, which is a governance gap wearing a security costume.

Capability gates, in the deploy path. The rules about what agents may do belong in code that runs, not prose that’s read: permission boundaries that scope each agent to its task, policy checks that run before changes apply, autonomy granted per capability with write access earned last. These are the same platform layers that make a company AI-ready in the first place; governance is what you call them when someone asks who’s in charge.

A review artifact. Some regular, written look at what the agents actually did: incidents, near-misses, permission drift, agents that stopped being used but kept their access. Thirty minutes a month reading the audit logs your identity layer produces. This is the piece that makes the other three improve instead of rot.

The standards will arrive anyway

When the CSA’s agentic standards land through 2027, and the larger frameworks revise after them, companies that built the internal function will map their existing controls onto the new checklist in an afternoon. Companies that waited will start from a memo. That’s the whole trade, and it’s lopsided: everything above is work you’d want for operational sanity even if no standard ever shipped, because an ungoverned agent with write access is an incident with a start date nobody picked yet.

Standards bodies write down what worked. Be one of the places it worked.

Questions this raises

Should we wait for official AI agent standards before building governance?
No, and the Cloud Security Alliance says so more forcefully than I do. Its April 2026 research note says the major frameworks (NIST AI RMF 1.0, ISO/IEC 42001, the EU AI Act) were architected before autonomous tool-calling agents existed, and CSA's own agentic standards roll out through December 2027. Agents are in production now. The CSA's advice is to build internal governance immediately using what exists: the OWASP Agentic Top 10, NCCoE work, and the CSA AI Controls Matrix.
Who should own AI agent governance?
The platform organization, with security as a partner, because the controls that make governance real are platform controls: identities, permission boundaries, policy gates in the deploy path, audit logs. A governance document without those is a memo. In Flexera's 2026 survey, 47% of large enterprises are standing up dedicated AI governance teams or leaders; mid-size companies usually can't fund a dedicated team, which is fine, because the working version is a named owner plus gates enforced in the pipeline.
Is agent governance a security project or a platform project?
Platform, mostly. The decisions are governance decisions: which agents may exist, what each may touch, who approves autonomy. But every one of them is enforced, or ignored, in infrastructure: an approval workflow is a pipeline gate, a permission boundary is IAM, an inventory is tooling. Teams that treat it as a policy-writing exercise get a document. Teams that treat it as a platform buildout get behavior.

Consulting

Dealing with this on your own infrastructure?

I take contract and consulting engagements on exactly this kind of work.

Get in touch