
What breaks when AI governance stops at LLM traffic?

Governance stops being effective when it covers only model prompts and responses because agents also exchange tool calls, delegated tasks, and event-driven context. That leaves blind spots in authorisation, logging, and policy enforcement exactly where the most consequential actions can occur.

Why This Matters for Security Teams

When governance stops at LLM traffic, it protects the conversation but not the action. Agents do not just generate text. They invoke tools, inherit context, request tokens, chain workflows, and pass decisions into systems that can change infrastructure, data, or access. That means prompt logging alone leaves the highest-risk events outside policy, review, and incident response.

This gap is already visible in current research. In the 2026 Infrastructure Identity Survey, only 44% of organisations said they had policies to manage AI agents, while 67% still relied heavily on static credentials. That aligns with guidance from the NIST AI Risk Management Framework and the OWASP Agentic AI Top 10, both of which treat agent behaviour, not just model output, as the real control surface.

In practice, many security teams encounter unauthorised tool use only after an agent has already written, moved, or exposed something it should never have touched.

How It Works in Practice

Effective governance for agentic systems needs to shift from message inspection to runtime control of identity, intent, and execution. The model prompt is only one event. The full chain also includes tool calls, retrieval requests, delegated tasks, event triggers, and downstream API actions. Security teams should treat each step as an authorisation decision, not a passive log entry.

A practical design usually combines workload identity, short-lived credentials, and policy evaluation at request time. For example, an agent should present cryptographic workload identity, such as SPIFFE or OIDC-backed identity, so the platform can verify what the agent is, not just what it asked for. Access should then be issued just in time, scoped to a single task, and revoked automatically when the task ends. That reduces the blast radius of compromised prompts, poisoned context, and over-broad delegation.

  • Log tool calls and action results separately from prompt and response content.
  • Authorise each action against current context, not only role membership.
  • Use ephemeral secrets and rotate or revoke them after the task completes.
  • Apply policy-as-code so decisions can be evaluated consistently at runtime.

The NHI-focused research in the OWASP NHI Top 10 and the Top 10 NHI Issues reinforces the same lesson: identity, delegation, and credential handling are the control points that determine whether an agent remains bounded or becomes an operator with hidden reach. These controls tend to break down when agents orchestrate multiple tools across separate trust zones, because each system sees only a small, locally valid action and none of them sees the chain as a whole.

Common Variations and Edge Cases

Tighter agent governance often increases latency and operational overhead, so organisations have to balance safety against the speed that makes agentic systems useful. Best practice is evolving, and there is no universal standard for every workflow yet.

The hardest edge cases appear in multi-agent pipelines, long-running jobs, and environments where agents act on behalf of users with changing context. A single static role cannot represent that behaviour well. In those settings, current guidance suggests using narrower task-based grants, explicit approval gates for high-impact actions, and separate controls for read, write, and execute privileges. The NIST Cybersecurity Framework 2.0 and the CSA MAESTRO agentic AI threat modeling framework both support this move toward runtime-aware, layered control.
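The following is an added example, not code from the journal or from any of the frameworks named above. It puts the runtime-control steps from the "How It Works in Practice" section and the edge cases in this section into one runnable form: a grant bound to a workload identity and a single task, a short TTL with revocation, policy-as-code evaluated on the request context at call time, an approval gate on a high-impact write, a read/write/execute split, delegation between agents that can only narrow scope, and an action log kept apart from prompt content. It assumes the platform has already verified the agent's SPIFFE ID (from an SVID or an OIDC token) on the connection and passes it in as `peer_id`; the HMAC-signed grant stands in for a real token, and the tool names, actions and policy rules are illustrative.

```python
"""Runtime control of agent tool calls: task-scoped grants, policy-as-code,
delegation that can only narrow scope, and an action log kept apart from
prompt logs. Added example, not the article's own code. The platform is
assumed to have already verified the agent's workload identity (SPIFFE ID)
on the connection; the HMAC-signed grant and the tool, action and policy
names are illustrative."""
import base64, binascii, hashlib, hmac, json, time

ISSUER_KEY = b"example-issuer-key"   # assumption: the grant issuer's signing key
REVOKED = set()                       # grant ids revoked when a task ends
ACTION_LOG = []                       # tool calls and verdicts, never prompt text

# Policy-as-code: each (tool, action) is decided on the request context at call
# time, not on role membership alone. Anything not listed is denied.
POLICY = {
    ("ticket_db", "read"):  lambda ctx: True,
    ("ticket_db", "write"): lambda ctx: ctx.get("env") != "prod" or ctx.get("approved") is True,
    ("shell", "execute"):   lambda ctx: False,   # no LLM-driven path gets execute
}

def _sign(body):
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig

def issue_grant(spiffe_id, task_id, tools, ttl_s=60, now=None, chain=()):
    """Short-lived grant bound to one workload identity and one task."""
    now = time.time() if now is None else now
    jti = f"{task_id}:{spiffe_id}:{int(now)}"
    return _sign({"sub": spiffe_id, "task": task_id, "tools": sorted(tools),
                  "exp": now + ttl_s, "jti": jti, "chain": list(chain)})

def verify_grant(token, peer_id, now=None):
    """Return the grant body if signature, peer binding, expiry and revocation pass."""
    now = time.time() if now is None else now
    try:
        p64, sig = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    body = json.loads(payload)
    if body["sub"] != peer_id or now >= body["exp"]:   # stolen token or expired
        return None
    if REVOKED & set([body["jti"], *body["chain"]]):   # revoking a parent kills children
        return None
    return body

def delegate_grant(parent_token, parent_peer, child_id, tools, ttl_s=60, now=None):
    """Delegation can only narrow scope: subset of tools, no later expiry, same task."""
    now = time.time() if now is None else now
    parent = verify_grant(parent_token, parent_peer, now)
    if parent is None or not set(tools) <= set(parent["tools"]):
        return None
    ttl = min(ttl_s, parent["exp"] - now)
    return issue_grant(child_id, parent["task"], tools, ttl, now,
                       chain=[parent["jti"], *parent["chain"]])

def revoke_grant(token):
    p64, _ = token.split(".")
    REVOKED.add(json.loads(base64.urlsafe_b64decode(p64))["jti"])

def authorize_tool_call(token, peer_id, tool, action, ctx, now=None):
    """One tool call is one authorisation decision; the decision is what gets logged."""
    grant = verify_grant(token, peer_id, now)
    if grant is None:
        verdict = ("deny", "invalid, mismatched, expired or revoked grant")
    elif tool not in grant["tools"]:
        verdict = ("deny", "tool outside task scope")
    elif (tool, action) not in POLICY:
        verdict = ("deny", "no policy for action (default deny)")
    elif POLICY[(tool, action)](ctx):
        verdict = ("allow", "policy")
    else:
        verdict = ("deny", "policy condition failed")
    ACTION_LOG.append({"peer": peer_id, "task": grant["task"] if grant else None,
                       "tool": tool, "action": action, "ctx": ctx,
                       "verdict": verdict[0], "reason": verdict[1]})
    return verdict[0] == "allow"

if __name__ == "__main__":
    orch = "spiffe://example.org/agent/orchestrator"
    tok = issue_grant(orch, "task-42", ["ticket_db"])
    authorize_tool_call(tok, orch, "ticket_db", "write", {"env": "prod"})   # denied: no approval
    revoke_grant(tok)
    authorize_tool_call(tok, orch, "ticket_db", "read", {"env": "prod"})    # denied: revoked
    for entry in ACTION_LOG:
        print(json.dumps(entry))
```

Two design choices matter here. The child grant carries the parent's grant id in `chain`, so revoking the root task grant invalidates every delegated grant without tracking them separately, and `delegate_grant` refuses any request that widens the tool set or outlives the parent. The action log records who acted, under which task, on which tool and action, with which context and verdict; prompt text never enters it, so review and incident response can work from decisions rather than from conversation transcripts.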

One important exception is monitored read-only use cases. If an agent only retrieves and summarises data, the governance burden is lower, but it does not disappear. The moment retrieval can trigger a tool, write to a system, or call another agent, traffic-only controls are no longer enough. The most common failure mode is assuming that an LLM boundary is also an authority boundary.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while the NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework                  Control / Reference    Relevance
OWASP Agentic AI Top 10    A01                    Agent tool use and delegated actions are the core blind spot here.
CSA MAESTRO                MAESTRO                Covers runtime agent risk, identity, and action control.
NIST AI RMF                AI RMF                 Maps directly to governing behaviour, accountability, and monitoring.

Apply AI RMF to control agent behaviour, logs, and escalation paths at runtime.