By NHI Mgmt Group Editorial Team | Published 2026-05-22 | Domain: Agentic AI & NHIs | Source: WitnessAI

TL;DR: AI agents are projected to appear in 40% of enterprise applications by 2026, up from less than 5% in 2025, while the NIST AI Risk Management Framework remains a voluntary operating model that does not itself deliver runtime control, according to WitnessAI. The gap is structural: governance built around human-paced review cycles cannot fully manage autonomous behaviour, shadow AI, or audit-defensible enforcement.


At a glance

What this is: This analysis argues that NIST AI RMF provides a useful governance structure, but it does not by itself close the operational gaps created by shadow AI, autonomous agents, and weak runtime enforcement.

Why it matters: IAM, NHI, and security teams need to understand where framework alignment stops and enforceable identity control begins, especially as agentic systems start behaving like runtime actors rather than static applications.



Context

The NIST AI Risk Management Framework gives organizations a common way to talk about AI governance, but it does not automatically create control, evidence, or runtime enforcement. That distinction matters because AI risk is now showing up in identity, access, and operational decision paths, not just in model design. For IAM and NHI teams, the question is no longer whether AI should be governed, but which identity assumptions break when AI systems begin acting at runtime.

WitnessAI frames the current problem as a gap between framework alignment and operational reality. The article argues that shadow AI, agentic behaviour, and audit expectations are outpacing the cadence of most governance programmes. That is a familiar pattern in identity security: policy arrives first, then the workload changes, and only later do teams discover that the control model was built for a slower, more predictable actor.


Key questions

Q: How should security teams govern AI agents that act like non-human identities?

A: Security teams should govern AI agents as runtime identity actors when those systems can select tools, chain actions, and execute without approval gates. That means defining explicit scope, monitoring actual behaviour, and treating entitlements as a living control boundary rather than a one-time setup task. The goal is not just model oversight, but enforceable identity governance.

Q: Why does shadow AI create a governance gap for IAM and security teams?

A: Shadow AI creates a governance gap because organizations cannot manage systems they do not reliably see. If AI apps, agents, and plugin connections live outside the approved inventory, then policy, risk assessment, and monitoring all start from incomplete assumptions. IAM and security teams need discovery that captures real usage, not only sanctioned assets.

Q: What breaks when agentic AI is managed with human-style review cycles?

A: Human-style review cycles break when the actor can make and complete decisions faster than a reviewer can observe them. Agentic AI can inherit permissions, chain tool calls, and trigger downstream effects within a single execution path, leaving little useful artefact for periodic certification. In practice, the control model must shift from retrospective approval to runtime enforcement.

Q: How can organisations prove AI governance to auditors and boards?

A: Organisations prove AI governance by producing evidence that the control operated, not just that a policy existed. That evidence should include inventory records, runtime logs, policy decisions, and escalation handling for both sanctioned and unsanctioned AI use. Framework alignment helps, but auditors and boards usually want demonstrable execution, not framework language alone.


Technical breakdown

How the NIST AI RMF structures AI risk governance

The framework is organized around GOVERN, MAP, MEASURE, and MANAGE, which are outcomes rather than implementation steps. GOVERN sets accountability and policy boundaries, MAP establishes context and inventory, MEASURE assesses and monitors risk, and MANAGE turns findings into treatment, response, or decommissioning. That structure is useful because it gives enterprises a shared language for AI oversight across security, compliance, and operations. But it is deliberately voluntary and leaves the enforcement layer to the organization. In other words, the framework defines what trustworthy AI governance should cover, not how to make AI interactions technically safe in production.

Practical implication: use the framework as the governance model, then pair it with enforceable runtime controls and evidence generation.

Why shadow AI breaks inventory-based control models

Shadow AI is not just an inventory problem; it is a visibility problem. If organizations only track sanctioned applications, they miss the long tail of employee-used tools, embedded agent flows, plugins, and model interactions that never pass through formal procurement or approval. Traditional DLP, CASB, and network tools were designed for structured data and conventional traffic, so they often miss prompt-level context and AI-specific data movement. That means MAP can look complete on paper while the actual attack surface remains undercounted. In identity terms, you cannot govern what you do not reliably enumerate, and AI systems expand that blind spot quickly.

Practical implication: build a living AI inventory that includes unsanctioned tools, agent connections, and runtime usage, not just approved systems.

Agentic AI changes the meaning of AI agent governance

Agentic systems are different because they can inherit permissions, chain tool calls, and execute actions at machine speed. That shifts them from static AI risk to identity behaviour with decision authority. The article makes clear that existing frameworks assume humans are still the primary decision-makers, which becomes fragile when the actor selects actions dynamically during execution. For identity teams, the important detail is not model sophistication, but whether the system can initiate, sequence, and complete actions without human approval gates. Once that is true, the governance problem stops looking like application review and starts looking like non-human identity control with runtime behaviour.

Practical implication: classify agentic systems as runtime identity actors and govern their permissions, escalation paths, and action boundaries accordingly.




NHI Mgmt Group analysis

AI governance built only as a framework exercise fails when execution moves faster than review. The NIST AI RMF is structurally useful, but it does not close the gap between policy intent and runtime enforcement. When AI use spreads faster than governance can inventory, monitor, and constrain it, the result is not compliance maturity but a widening control delta. Practitioners should treat framework alignment as a starting point, not proof of operational control.

Shadow AI is a MAP failure, not a visibility footnote. The article is right to frame unsanctioned usage as a governance gap rather than a tooling inconvenience. If the inventory excludes employee-used AI apps, embedded agents, and plugin ecosystems, the organization has already lost the ability to define scope credibly. The practical consequence is that AI risk reporting becomes incomplete before MEASURE even begins.

Least privilege is no longer a static provisioning question once agents can chain tools at runtime. That assumption was designed for actors whose intent is known at assignment time. It fails when the actor can combine permissions, select actions, and trigger downstream effects during execution. The implication is that entitlement thinking alone is insufficient for agentic systems, because runtime behaviour becomes the real control boundary.

Audit-defensible AI governance needs evidence, not just alignment language. A voluntary framework can describe the right outcomes and still leave boards and regulators without proof that those outcomes are operating in production. That is why the article's distinction between NIST AI RMF and certifiable structures such as ISO 42001 matters. Practitioners should assume that evidence quality will be judged separately from policy quality.

Identity governance for AI is converging with NHI governance, not replacing it. The same issues that define NHI risk (visibility, scope, lifecycle, and runtime enforcement) now apply to AI systems that behave like operational actors. The category is expanding from machine credentials to decision-capable entities, and governance teams need a single control model that spans both. Practitioners should stop separating AI governance from identity governance as if they are different disciplines.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
  • In the same research, enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
  • For the broader control model, see NHI Lifecycle Management Guide for the lifecycle and governance disciplines that AI systems are now starting to inherit.

What this signals

AI governance is quickly becoming an identity governance problem. As AI systems gain runtime authority, the operational question shifts from model trust to entitlement control, lifecycle oversight, and evidence quality. Teams that already manage non-human identities will recognize the pattern immediately: the hard part is not naming the risk, it is proving that control still exists when the actor starts making decisions at execution time.

With 72% of organisations already suspecting or confirming NHI compromise in the broader identity estate, the pressure on programmes to absorb AI actors is not theoretical. The next governance step is to unify discovery, policy, and audit into one control loop that can span employees, service accounts, and machine actors without collapsing into separate exception processes.


For practitioners

  • Build a living AI inventory: Track sanctioned and unsanctioned AI tools, agent connectors, plugins, and model endpoints as a continuously updated record. Reconcile procurement data with network-level discovery so MAP does not rely on user attestations alone.
  • Define runtime policy boundaries for agentic systems: Set explicit limits on action chaining, tool use, escalation, and data access before agents are placed in production. Treat autonomous execution paths as identity controls, not just application settings.
  • Separate governance evidence from governance intent: Collect audit trails that show what the AI system actually did, what data it touched, and which policy decision was enforced at runtime. Use that evidence to test whether framework alignment maps to real control operation.
  • Use NHI controls for AI actors where they already fit: Apply access scope, lifecycle governance, and privilege review to AI systems that behave like persistent non-human identities. Pair that with control validation from the Ultimate Guide to NHIs to avoid treating AI as a separate governance island.
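One way to combine the runtime-boundary and evidence points above is a policy gate that decides every agent tool call and records the decision in a hash-chained audit log. This is an added example, not code from WitnessAI or NHI Mgmt Group; `AgentPolicy`, `Gate`, `verify_chain`, the `invoice-agent` identity and its tool names are all hypothetical.

```python
import hashlib, json
from dataclasses import dataclass, field
@dataclass(frozen=True)
class AgentPolicy:  # hypothetical policy shape for this example
    allowed_tools: frozenset
    allowed_scopes: frozenset
    max_chain: int  # allowed tool calls per execution path
    needs_approval: frozenset = frozenset()  # tools that escalate to a human
def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

@dataclass
class Gate:
    policies: dict  # agent id -> AgentPolicy; doubles as the agent inventory
    audit: list = field(default_factory=list)
    depth: dict = field(default_factory=dict)

    def decide(self, agent, run, tool, scope):
        pol, used = self.policies.get(agent), self.depth.get((agent, run), 0)
        if pol is None:
            verdict, reason = "deny", "agent not in inventory"
        elif tool not in pol.allowed_tools or scope not in pol.allowed_scopes:
            verdict, reason = "deny", "tool or data scope outside policy"
        elif used >= pol.max_chain:
            verdict, reason = "deny", "chain limit reached"
        elif tool in pol.needs_approval:
            verdict, reason = "escalate", "human approval required"
        else:
            verdict, reason = "allow", "within policy"
            self.depth[(agent, run)] = used + 1
        # Evidence: log every decision, hash-chained to the previous entry.
        entry = {"agent": agent, "run": run, "tool": tool, "scope": scope, "verdict": verdict,
                 "reason": reason, "prev": self.audit[-1]["hash"] if self.audit else "0" * 64}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)
        return verdict

def verify_chain(audit):
    prev = "0" * 64
    for e in audit:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or _digest(body) != e["hash"]:
            return False  # an entry was edited, removed, or reordered
        prev = e["hash"]
    return True

POLICIES = {"invoice-agent": AgentPolicy(  # constructed sample policy
    frozenset({"read_invoice", "send_email", "issue_refund"}),
    frozenset({"finance"}), max_chain=2, needs_approval=frozenset({"issue_refund"}))}
```

Because denials and escalations are logged alongside allowed calls, the same record shows both what the agent did and which policy decision stopped it, and `verify_chain` lets a reviewer detect after-the-fact edits to that record.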

Key takeaways

  • The article's core point is that the NIST AI RMF helps structure AI governance, but it does not itself supply runtime enforcement or complete visibility.
  • The scale of the gap is growing as AI agents move into enterprise applications faster than governance programmes can adapt.
  • Practitioners need to treat AI systems as identity-governed actors and build control evidence, inventory, and runtime boundaries that survive real use.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
--- | --- | ---
NIST AI RMF | | The article is centered on AI RMF functions and implementation gaps.
OWASP Agentic AI Top 10 | | Agentic behaviour and tool chaining are central to the article's risk discussion.
NIST CSF 2.0 | PR.AC-4 | Access governance and least privilege are core to the article's identity framing.

Use GOVERN, MAP, MEASURE, and MANAGE as the operating model, then validate them with runtime evidence.


Key terms

  • NIST AI Risk Management Framework: A voluntary framework for organizing AI risk governance around clear outcomes rather than fixed compliance steps. It helps enterprises define accountability, map AI context, measure risk, and manage treatment, but it does not itself provide enforcement or certification.
  • Shadow AI: AI tools, agents, or model interactions used inside an organization without formal approval, inventory, or oversight. The practical problem is not only unauthorized use, but the loss of visibility needed to assess risk, assign ownership, and prove control.
  • Agentic AI: AI systems that can choose actions, chain tools, and execute tasks with some degree of runtime independence. In identity governance, the key issue is that they begin to behave like non-human actors with permissions, not like passive software features.
  • Runtime Enforcement: Control applied while an AI system is operating, rather than only during design or approval. For agentic systems, runtime enforcement is the difference between policy on paper and actual limitation of tool use, data access, and execution paths.


This post draws on content published by WitnessAI: analysis of the NIST AI Risk Management Framework and its operational gaps. Read the original.
