By NHI Mgmt Group Editorial Team | Published 2026-06-25 | Domain: Agentic AI & NHIs | Source: Collibra

TL;DR: AI risk moves from periodic model review to continuous runtime control when agents are in production, and the NIST AI RMF remains the most practical structure for making Govern, Map, Measure and Manage operate continuously, according to Collibra. The real issue is that frameworks built for static assessment fail when privilege, action and impact unfold inside the session.


At a glance

What this is: A practitioner analysis of how the NIST AI RMF applies to models and agents, with the key finding that AI risk must be governed continuously in production, not as a one-time assessment.

Why it matters: IAM, IGA, PAM and AI governance teams now have to treat agent behaviour, data access and runtime intervention as part of the same control plane.



Context

The NIST AI RMF is a structured way to govern AI risk across the lifecycle of a model or agent, from classification to measurement to response. For AI agents, the key shift is that risk is no longer limited to outputs. It now includes what the system can access, what it can trigger, and what it can do at runtime.

The primary IAM question is whether existing governance processes can keep up when AI systems act continuously in production. A framework built for one-time assessment can describe the risk, but it cannot by itself enforce accountability, runtime boundaries or intervention across agentic workflows.


Key questions

Q: How should organisations govern AI agents that can act autonomously?

A: Treat the agent as an acting identity, not as a passive application. Assign ownership, define its reachable systems, baseline its expected behaviour and require runtime controls that can stop or constrain actions while the session is active. Governance that only documents risk cannot contain an agent that decides and acts in production.

Q: Why do AI agents complicate traditional IAM and risk review processes?

A: Because traditional IAM assumes access can be reviewed after it is granted and before it changes materially. Agents can consume data, call tools and trigger actions continuously, so the meaningful control point is runtime authorisation and intervention, not periodic certification alone.

Q: What do security teams get wrong about AI risk management frameworks?

A: They often treat the framework as documentation rather than as an operating model. The error is believing Govern, Map, Measure and Manage are satisfied by policy text, when they only matter if the organisation can inventory systems, observe behaviour and enforce controls in production.

Q: Who is accountable when an AI agent exceeds its intended scope?

A: The accountable party is the owner assigned through governance, supported by the teams that approved the agent’s scope and controls. If no owner can pause, review or explain the action path, accountability has been designed out of the programme instead of into it.


Technical breakdown

Govern, map, measure, manage as a continuous control loop

The NIST AI RMF is not a checklist. Its four functions are designed to work as a loop: Govern establishes accountability and policy, Map defines context and intended use, Measure turns risk into evidence, and Manage applies controls and response. The framework only works when those functions are operational, because AI risk changes after deployment. For agents, this is more demanding than model governance, since the system can initiate actions, consume data and invoke tools in production. The real architecture problem is not documenting risk. It is making the loop run continuously enough to catch drift, misuse and escalation.

Practical implication: anchor AI governance to an inventory and continuous signals, not a static approval record.

Why agent behaviour changes the risk model

A model can be evaluated once and monitored later. An agent is different because the risk sits in behaviour, not just prediction quality. That means the control surface must include action space, external tool access, data reach and runtime execution patterns. In NIST AI RMF terms, Map must capture what the agent can touch, Measure must observe what it actually does, and Manage must be able to intervene while the session is still active. This is where many programmes stall, because they still think in terms of model output rather than identity-linked runtime authority.

Practical implication: define the agent’s reachable systems and enforce runtime boundaries before broader deployment.

Policy enforced as code is the difference between guidance and control

The article correctly frames Manage as the function that closes the loop. In practice, that means controls must be enforceable, not advisory. For AI agents, policy needs to be translated into mechanisms that can pause actions, block prohibited access, and preserve evidence for audit and response. The broader lesson for identity teams is that AI governance is converging with access governance. If an AI system can decide, access and act, then identity control is no longer just authentication or entitlement review. It becomes runtime authorisation with oversight.

Practical implication: require runtime intervention and evidence capture for agent actions that exceed policy.


NHI Mgmt Group analysis

Continuous AI risk control is now an identity problem, not just a model problem. The NIST AI RMF works because it assumes risk must be managed throughout operation, not at a single approval point. That matters more once agents enter production, because the control question shifts from model quality to what the identity can access and do. NIST AI RMF and NIST Cybersecurity Framework 2.0 are the relevant anchors here. Practitioners should treat agent governance as part of the same identity control plane that already governs high-risk machine access.

Runtime authorisation for agents is the named gap: frameworks built for stable access do not fit session-level autonomy. The assumption that access is fixed long enough to review was designed for human-paced or machine-paced systems with persistent entitlement states. That assumption fails when the actor can obtain, use and discard authority inside a single runtime sequence. The implication is not simply tighter policy. It is that review-based governance stops being the primary control when the system’s decision loop outruns the review loop.

Map is the underused function because AI inventory is now a governance prerequisite. Without a complete inventory of models, agents, owners and data reach, Govern cannot assign accountability and Measure cannot establish baseline behaviour. This is where NHI governance and AI governance begin to overlap: the thing being governed is no longer just the model object, but the identity with action rights attached. Practitioners should insist on registration that captures scope, ownership and reachable systems at source.

Manage must include intervention, not just escalation. The article’s strongest operational point is that risk management only matters if it can change outcomes while the system is live. That is the same lesson identity architects learned in PAM and zero standing privilege: control that arrives after impact is not control. For agentic AI, runtime containment and evidence preservation should be treated as first-class governance requirements.

Framework translation will become the real differentiator in AI governance programmes. The market is converging on similar language around AI risk, but the operational value comes from turning that language into enforceable identity and access controls. NIST AI RMF provides the structure, while practitioners have to supply the runtime mechanics, ownership model and audit trail. The organisations that succeed will be the ones that govern agents as acting identities, not as static software assets.

From our research:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • That is why governance has to move from intent to runtime control, as shown in the OWASP Agentic AI Top 10.

What this signals

Runtime governance gap: the next phase of AI governance is not policy expansion but control-plane integration. If the organisation cannot inventory agents, map their reach and intervene during execution, the framework will describe risk without changing it. That is why agent governance is converging with identity governance, PAM and zero standing privilege.

With 33% of organisations already reporting AI agents accessing inappropriate or sensitive data beyond intended scope, the operational question is no longer whether the problem exists but whether the programme can detect it early enough to act. That pushes AI governance toward continuous monitoring, not annual review.

Security teams should expect AI risk controls to align more closely with NIST AI Risk Management Framework and NIST Cybersecurity Framework 2.0 functions, especially where agent access intersects with sensitive systems. The practical test is whether the control can stop a live action, not just record a violation after the fact.


For practitioners

  • Register every AI system with an owner and risk tier. Create a single inventory that records each model or agent, its purpose, data sources, action space and accountable owner. Use that inventory as the source of truth for Govern and Map so risk classification happens at registration rather than during later audits.
  • Baseline agent behaviour before production rollout. Define expected actions, access patterns and escalation paths before the system is allowed into live workflows. Track drift against that baseline after deployment so Measure can detect when behaviour moves beyond intended scope.
  • Enforce policy through runtime controls. Translate AI policy into mechanisms that can pause execution, block prohibited access and preserve evidence when behaviour crosses threshold. Treat advisory policy as incomplete unless it can change what happens while the agent is active.
  • Extend access governance to agent action space. Review not only what the agent authenticates to, but what it can reach through tools, APIs and delegated permissions. If the reachable surface is not controlled, the identity programme is only governing part of the risk.
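
An added sketch (not code from Collibra or NHI Mgmt Group) of the four steps above and of the "policy enforced as code" point: a gate that checks each tool call against the agent's inventory record, pauses the session on a violation and hash-chains the evidence. `AgentRecord`, `RuntimeGate`, the call-count baseline and the sample inventory are assumptions made for illustration.

```python
import hashlib, json
from dataclasses import dataclass

@dataclass
class AgentRecord:            # one inventory entry (Govern / Map)
    owner: str
    action_space: dict        # system -> set of permitted actions
    baseline_calls: int       # expected max tool calls per session (Measure)

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class RuntimeGate:            # Manage: decide, intervene, keep evidence
    def __init__(self, inventory):
        self.inventory, self.sessions, self.evidence = inventory, {}, []

    def _log(self, agent, rec, system, action, decision, reason):
        prev = self.evidence[-1]["hash"] if self.evidence else "0" * 64
        entry = {"agent": agent, "owner": rec.owner if rec else None, "system": system,
                 "action": action, "decision": decision, "reason": reason, "prev": prev}
        entry["hash"] = _digest(entry)   # each record commits to the one before it
        self.evidence.append(entry)
        return decision

    def authorize(self, sid, agent, system, action):
        rec = self.inventory.get(agent)
        st = self.sessions.setdefault(sid, {"calls": 0, "paused": False})
        if rec is None:
            reason = "unregistered agent"
        elif st["paused"]:
            reason = "session paused pending owner review"
        elif action not in rec.action_space.get(system, ()):
            reason = "outside mapped action space"
        elif st["calls"] >= rec.baseline_calls:
            reason = "call volume exceeds baseline"
        else:
            st["calls"] += 1
            return self._log(agent, rec, system, action, "allow", "within scope")
        st["paused"] = True   # contain the live session, not just record it
        return self._log(agent, rec, system, action, "deny", reason)

def chain_intact(evidence):   # tamper check over the hash-chained evidence
    prevs = ["0" * 64] + [e["hash"] for e in evidence[:-1]]
    return all(e["prev"] == p and e["hash"] == _digest(e) for e, p in zip(evidence, prevs))

# Constructed sample inventory; agent, owner and system names are illustrative.
INVENTORY = {"invoice-agent": AgentRecord(
    "finance-platform", {"erp": {"read_invoice", "create_draft"}}, baseline_calls=3)}
```

Once a session is paused, every later call in it is denied until the owner clears the state, and `chain_intact` returns false if any stored decision is edited afterwards.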

Key takeaways

  • AI agents change the governing unit from a model to an identity with runtime authority.
  • Continuous measurement and intervention matter more than one-time assessment once agents can act in production.
  • The strongest AI governance programmes will translate framework language into enforceable access control and audit capability.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST AI RMF | | The article is centered on the AI RMF functions and continuous AI risk management.
OWASP Agentic AI Top 10 | | Agents create action-space and tool-use risks that map to agentic application controls.
NIST CSF 2.0 | PR.AC-4 | Identity and access control is central when agents gain runtime authority over systems.

Tie agent entitlements to least-privilege access rules and continuously review control effectiveness.


Key terms

  • AI Risk Management Framework: A repeatable structure for identifying, measuring and controlling AI risk across the lifecycle of a model or agent. In practice, it creates accountability, evidence and response so AI behaviour is governed consistently rather than handled ad hoc by each team.
  • Agent Action Space: The set of systems, tools, data sources and actions an AI agent can reach at runtime. For autonomous systems, this matters more than model output alone because risk is created by what the agent can actually do, not just what it predicts.
  • Runtime Intervention: A control capability that can pause, constrain or stop an AI system while it is operating. It is the difference between describing a risk after the fact and changing the outcome before the agent completes an unsafe action.


This post draws on content published by Collibra: The AI risk management framework, NIST AI RMF for models and agents (with implementation steps).
