By NHI Mgmt Group Editorial Team
Published 2026-04-20
Domain: Agentic AI & NHIs
Source: Teleport

TL;DR: Agentic AI breaks CSF 2.0 assumptions about human actors, human-speed decisions, and readable audit trails, so NIST’s Cyber AI Profile is becoming the practical way to tailor governance, protection, detection, and response for autonomous systems, according to Teleport. The control problem is identity first, because short-lived, task-scoped access matters more than traditional role-based thinking.


At a glance

What this is: This is an analysis of how NIST CSF 2.0 can be adapted for autonomous systems, with the core finding that AI agents break the framework’s human-centric assumptions.

Why it matters: It matters because IAM and NHI teams need machine-enforceable governance, least privilege, and auditability for agents that act without waiting for human approval.


👉 Read Teleport's analysis of NIST CSF 2.0 and agentic AI profiles


Context

Agentic AI changes the identity problem because the software itself can authenticate, call tools, and take actions that used to require a human operator. For NHI governance, that means the control plane must account for autonomous behaviour, not just service accounts and API keys. NIST CSF 2.0 remains useful, but only if teams translate its human assumptions into machine-enforceable policy.

Teleport frames the issue through NIST CSF 2.0 and the Cyber AI Profile, which is the right lens for practitioners because the gap is structural rather than cosmetic. If an agent can trigger infrastructure changes, access databases, or move through incident workflows, then governance, identity, detection, and response all need explicit agent-specific design. That starting point is typical for mature teams, but the required level of tailoring is still uncommon.


Key questions

Q: How should teams adapt NIST CSF 2.0 for AI agents?

A: Teams should translate CSF 2.0 into an AI-specific profile that defines agent scope, approval thresholds, logging requirements, and recovery actions. The framework still works, but only if governance, identity, and monitoring are rewritten for autonomous behaviour. That means treating each agent as a managed NHI with explicit limits, not as a human user with extra automation.

Q: Why do AI agents create a bigger IAM risk than traditional service accounts?

A: AI agents can chain actions, move across systems, and operate at machine speed, so a single over-privileged identity can create a larger blast radius than a conventional service account. The key difference is autonomy: agents do not just authenticate, they decide and act. That makes task-level access and strong approval gates much more important.

Q: What is the difference between least privilege for humans and least privilege for AI agents?

A: Human least privilege usually maps to a job role, while AI-agent least privilege must map to a task, a time window, and a specific allowed action. Agents often combine planning and execution in one workflow, so broad roles are too loose. The practical standard is short-lived, operation-specific access with a clear stop condition.

Q: When should organisations require human approval for an AI agent action?

A: Require human approval when the action could change infrastructure, expose sensitive data, move laterally across systems, or trigger a business-critical workflow that is hard to reverse. Approval is also warranted when the agent’s decision depends on ambiguous input or external data that cannot be trusted at face value. High-consequence actions need a human stop point.


Technical breakdown

Why CSF 2.0 needs a Cyber AI Profile for agents

CSF 2.0 is organised around Govern, Identify, Protect, Detect, Respond, and Recover, but those functions were built around systems that human operators supervise directly. Agentic AI changes the operating model because the “user” can be software that makes decisions, invokes tools, and chains actions across environments. The Cyber AI Profile mechanism exists to map those six functions to a specific technology context, which is exactly what autonomous systems require. Without that tailoring, controls stay too abstract to govern tool use, escalation, or decision logging.

Practical implication: build an AI-specific profile that rewrites CSF outcomes into agent-scoped controls, not human-user assumptions.

How agent identity breaks conventional IAM patterns

Agentic systems do not behave like human identities because they can create multiple sessions, operate across systems, and act at machine speed. That makes broad service-account permissions dangerous, especially when the same identity is reused across tasks or environments. The control issue is not just authentication, but scope: what the agent is allowed to do, what it must never do, and when a human must approve the next step. In NHI terms, each agent instance should be treated as its own identity with constrained entitlements and short-lived credentials.

Practical implication: move from role-centric access to task-level authorization with distinct credentials for each agent instance.
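The following is an added example of the task-level authorization gate that the preceding paragraph and the least-privilege and approval questions above describe; it is not Teleport's code and not a NIST artefact. The TaskGrant shape, the action and resource names, the HIGH_CONSEQUENCE set, and the agent instance identifiers are all assumptions chosen for illustration. Each grant is bound to one agent instance, one task, a validity window and a step budget, and any high-consequence action stops for a human even when the grant nominally allows it.

```python
"""Task-scoped authorization gate for one AI agent instance.

Added example, not Teleport's or NIST's code. TaskGrant, decide(), the
action names and the HIGH_CONSEQUENCE set are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

# Actions that are hard to reverse always stop at a human approval gate,
# even when the task grant nominally includes them.
HIGH_CONSEQUENCE = {"infra.apply", "db.write", "secrets.read", "iam.grant"}


@dataclass
class TaskGrant:
    """A short-lived grant bound to one agent instance and one task."""
    agent_instance: str          # distinct identity per running instance
    task_id: str
    allowed: dict                # action -> resource glob patterns it may touch
    not_before: datetime
    expires: datetime
    max_steps: int               # stop condition: hard cap on actions per task
    steps_used: int = 0


@dataclass
class Decision:
    verdict: str                 # "allow" | "needs_human_approval" | "deny"
    reason: str


def decide(grant: TaskGrant, agent_instance: str, action: str, resource: str,
           now: datetime, human_approved: bool = False) -> Decision:
    """Evaluate one requested action against the grant; allowed actions consume a step."""
    # 1. The credential is bound to exactly one agent instance; no reuse across instances.
    if agent_instance != grant.agent_instance:
        return Decision("deny", "credential bound to a different agent instance")
    # 2. Validity window: the grant lives only as long as the task should.
    if now < grant.not_before or now >= grant.expires:
        return Decision("deny", "grant outside its validity window")
    # 3. Stop condition: an agent that loops cannot run past its step budget.
    if grant.steps_used >= grant.max_steps:
        return Decision("deny", "task step budget exhausted")
    # 4. Operation-specific scope: both the action and the resource must match.
    patterns = grant.allowed.get(action, [])
    if not any(fnmatch(resource, p) for p in patterns):
        return Decision("deny", f"{action} on {resource} is outside the task scope")
    # 5. High-consequence actions need an explicit human stop point.
    if action in HIGH_CONSEQUENCE and not human_approved:
        return Decision("needs_human_approval", f"{action} requires human approval")
    grant.steps_used += 1
    return Decision("allow", "within task scope")


def demo() -> list:
    """Run a constructed remediation task through the gate; returns the verdicts in order."""
    now = datetime(2026, 4, 20, 12, 0, tzinfo=timezone.utc)
    me = "agent-remediation-7f3a"                       # constructed instance id
    grant = TaskGrant(
        agent_instance=me,
        task_id="ticket-4412-rotate-cache-config",      # constructed task id
        allowed={"k8s.read": ["prod/cache/*"],
                 "infra.apply": ["prod/cache/configmap-*"]},
        not_before=now,
        expires=now + timedelta(minutes=15),
        max_steps=3,
    )
    cm = "prod/cache/configmap-main"
    return [
        decide(grant, me, "k8s.read", cm, now).verdict,                          # allow (step 1)
        decide(grant, me, "k8s.read", "prod/auth/secret-jwt", now).verdict,      # deny: out of scope
        decide(grant, me, "infra.apply", cm, now).verdict,                       # needs_human_approval
        decide(grant, me, "infra.apply", cm, now, human_approved=True).verdict,  # allow (step 2)
        decide(grant, "agent-remediation-9b10", "k8s.read", cm, now).verdict,    # deny: wrong instance
        decide(grant, me, "k8s.read", cm, now + timedelta(minutes=20)).verdict,  # deny: expired
        decide(grant, me, "k8s.read", cm, now).verdict,                          # allow (step 3)
        decide(grant, me, "k8s.read", cm, now).verdict,                          # deny: budget exhausted
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of the checks is deliberate: instance binding and validity are evaluated before scope, so a stolen or reused credential fails closed without revealing which actions the grant would have permitted, and the step budget gives the task a stop condition that does not depend on the agent deciding to halt.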

What continuous detection must capture for autonomous systems

Traditional monitoring watches logins, endpoints, and access volumes, but agentic AI needs behavioural visibility. A useful detect layer records what the agent accessed, what it decided, what alternatives it considered, and whether the action stayed inside expected bounds. That is because normal behaviour for an agent can shift with prompt changes, model updates, or new data inputs. In practice, decision trails matter as much as access logs, and anomaly detection must be calibrated per agent type rather than per human user baseline.

Practical implication: instrument decision trails and per-agent baselines so suspicious autonomy is visible before it becomes incident response.
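Below is an added example of the decision-trail record and per-agent-type baseline the preceding paragraphs call for; it is not Teleport's code and the log schema is not a standard. The field names, the agent types, the tool names and every log line are constructed for illustration. The baseline is learned from known-good decision records per agent type, and the detector flags live decisions that use a tool or resource that type has never used, that were shaped by an input source outside the baseline, or that extend a task chain beyond the baseline length.

```python
"""Decision-trail records with per-agent-type baselines.

Added example, not Teleport's or NIST's code. The record schema, the agent
types, the tool names and the log lines are constructed for illustration.
"""
import json
from collections import defaultdict

# Constructed decision-trail lines, one JSON object per agent decision. Each
# line records what the agent saw (input_sources), what it considered
# (alternatives) and what it actually did (tool + resource), not just the API call.
BASELINE_LOG = """
{"agent_type":"triage","instance":"triage-01","task":"t1","step":1,"tool":"ticket.read","resource":"tickets/1001","input_sources":["ticketing"],"alternatives":["ticket.read","ticket.comment"]}
{"agent_type":"triage","instance":"triage-01","task":"t1","step":2,"tool":"ticket.comment","resource":"tickets/1001","input_sources":["ticketing"],"alternatives":["ticket.comment"]}
{"agent_type":"triage","instance":"triage-02","task":"t2","step":1,"tool":"ticket.read","resource":"tickets/1002","input_sources":["ticketing"],"alternatives":["ticket.read"]}
{"agent_type":"triage","instance":"triage-02","task":"t2","step":2,"tool":"kb.search","resource":"kb/runbooks","input_sources":["ticketing"],"alternatives":["kb.search","ticket.comment"]}
{"agent_type":"triage","instance":"triage-02","task":"t2","step":3,"tool":"ticket.comment","resource":"tickets/1002","input_sources":["ticketing","kb"],"alternatives":["ticket.comment"]}
"""

# Constructed live records: task t9 drifts after reading untrusted web content.
LIVE_LOG = """
{"agent_type":"triage","instance":"triage-03","task":"t9","step":1,"tool":"ticket.read","resource":"tickets/1003","input_sources":["ticketing"],"alternatives":["ticket.read"]}
{"agent_type":"triage","instance":"triage-03","task":"t9","step":2,"tool":"kb.search","resource":"kb/runbooks","input_sources":["ticketing"],"alternatives":["kb.search"]}
{"agent_type":"triage","instance":"triage-03","task":"t9","step":3,"tool":"secrets.read","resource":"vault/prod/db","input_sources":["ticketing","web"],"alternatives":["ticket.comment","secrets.read"]}
{"agent_type":"triage","instance":"triage-03","task":"t9","step":4,"tool":"http.post","resource":"https://example.invalid/collect","input_sources":["web"],"alternatives":["http.post"]}
{"agent_type":"triage","instance":"triage-03","task":"t9","step":5,"tool":"ticket.comment","resource":"tickets/1003","input_sources":["web"],"alternatives":["ticket.comment"]}
{"agent_type":"triage","instance":"triage-04","task":"t10","step":1,"tool":"ticket.read","resource":"tickets/1004","input_sources":["ticketing"],"alternatives":["ticket.read"]}
{"agent_type":"triage","instance":"triage-04","task":"t10","step":2,"tool":"ticket.comment","resource":"tickets/1004","input_sources":["ticketing"],"alternatives":["ticket.comment"]}
"""


def parse(log: str) -> list:
    """Parse JSON-lines decision records, skipping blank lines."""
    return [json.loads(line) for line in log.strip().splitlines() if line.strip()]


def build_baseline(records: list) -> dict:
    """Per agent type: tools used, resource prefixes touched, input sources seen, longest chain."""
    baseline = defaultdict(lambda: {"tools": set(), "prefixes": set(),
                                    "sources": set(), "max_steps": 0})
    for r in records:
        b = baseline[r["agent_type"]]
        b["tools"].add(r["tool"])
        b["prefixes"].add(r["resource"].split("/")[0])
        b["sources"].update(r["input_sources"])
        b["max_steps"] = max(b["max_steps"], r["step"])
    return dict(baseline)


def detect(records: list, baseline: dict, step_slack: int = 1) -> list:
    """Return (instance, task, step, finding) for decisions outside the type's baseline."""
    findings = []
    for r in records:
        key = (r["instance"], r["task"], r["step"])
        b = baseline.get(r["agent_type"])
        if b is None:
            findings.append(key + ("no baseline for agent type",))
            continue
        if r["tool"] not in b["tools"]:
            findings.append(key + (f"novel tool {r['tool']}",))
        if r["resource"].split("/")[0] not in b["prefixes"]:
            findings.append(key + (f"resource outside baseline: {r['resource']}",))
        untrusted = sorted(set(r["input_sources"]) - b["sources"])
        if untrusted:
            findings.append(key + (f"decision shaped by unbaselined input: {untrusted}",))
        if r["step"] > b["max_steps"] + step_slack:
            findings.append(key + ("task chain longer than baseline",))
    return findings


def demo() -> list:
    """Baseline from the known-good records, then scan the live records."""
    return detect(parse(LIVE_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for instance, task, step, finding in demo():
        print(f"{instance} {task} step {step}: {finding}")
```

Running it flags only task t9: the secrets.read and http.post steps are novel tools on resources the triage type has never touched, every step from the third onward was shaped by an input source ("web") absent from the baseline, and the chain runs one step longer than any baseline task. Task t10, which follows the learned pattern, produces nothing. The input-source check is the one a plain access log cannot express, because it ties the action to what the agent was reading when it chose it.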


Threat narrative

Attacker objective: The attacker wants to turn trusted agent behaviour into a scalable execution path that bypasses human review and expands access faster than defenders can react.

  1. Entry occurs when an autonomous agent receives excessive access or is manipulated through prompt injection, allowing it to act through approved tools.
  2. Escalation follows when the agent uses that access to expand into adjacent systems, modify resources, or trigger privileged workflows at machine speed.
  3. Impact is achieved when the agent performs unintended actions that alter infrastructure, expose data, or create a persistent governance blind spot.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

CSF 2.0 is only useful for agentic AI when organisations treat autonomy as an identity problem. The framework still works as a governance scaffold, but autonomous systems force teams to translate policy into machine-enforceable access decisions. That shifts the centre of gravity from compliance language to operational control, which is where NHI programmes already have an advantage. Practitioners should treat agent governance as an identity design problem first.

Least privilege for AI agents must be task-scoped, not role-scoped. A role model assumes stable job boundaries, while agents often combine planning, tool use, and execution inside one workflow. That creates a much larger blast radius when access is inherited from older service-account patterns. Teams that keep role-based thinking in place will overgrant by default, so the practical conclusion is to enforce short-lived, operation-specific access.

Decision logging is now part of identity assurance. For agents, it is no longer enough to know which account called which API. Security teams need to know why the action happened, what inputs shaped it, and whether the behaviour stayed inside policy. That expands auditability from access records into behavioural evidence, which is essential for incident reconstruction and governance reviews. Practitioners should make decision trails a first-class control.

Identity blast radius is the right named concept for agentic AI governance. The article makes clear that the real risk is not just that an agent exists, but that one identity can touch infrastructure, data, and incident workflows across environments. Once that blast radius expands, traditional controls become reactive instead of preventive. Teams should measure and reduce the maximum damage any one agent identity can cause.

NIST’s Cyber AI Profile validates a direction the market was already taking. Formal profile mechanisms give practitioners a way to align AI-specific risks with an existing framework instead of building parallel governance models. That reduces ambiguity, but it also exposes how incomplete current IAM and monitoring practices are for autonomous systems. The field is moving toward profile-based control design, and practitioners should do the same.

From our research:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • For a broader control model, see OWASP NHI Top 10, which catalogues the most common non-human identity risk patterns.

What this signals

Identity blast radius: as agent usage spreads, security teams should expect the next control failure to come from over-scoped autonomy rather than stolen credentials alone. With 92% of organisations agreeing that governing AI agents is critical but only 44% implementing policies, the execution gap is now bigger than the awareness gap, according to AI Agents: The New Attack Surface report.

That makes AI governance a programme issue, not just a tooling issue. If agents can act across infrastructure, incident response, and data systems, then IAM, security engineering, and compliance need a shared operating model for approvals, telemetry, and rollback.

Practitioners should also align these controls with NIST Cybersecurity Framework 2.0 and the NIST AI Risk Management Framework, because profile-based governance will become the default language for audit and assurance.


For practitioners

  • Inventory every AI agent and its scope of action: document each agent, the systems it can reach, the data it can read, and the actions it can trigger. Map those capabilities to existing governance controls so that gaps in the current NHI model are visible before you expand usage.
  • Enforce task-level least privilege: replace broad inherited permissions with short-lived, narrowly scoped credentials that expire after each operation. This is the practical control pattern when agents can chain tool calls faster than a human can intervene.
  • Require human approval for high-consequence actions: define which agent actions can proceed autonomously and which must stop at an approval gate. Make the approval rule explicit for infrastructure changes, data movement, and any workflow that could create irreversible impact.
  • Instrument decision trails, not only access logs: capture the inputs, alternatives, and final action for each agent decision so responders can reconstruct why the agent behaved as it did. Pair that with centralized logging to keep multi-cloud and third-party activity auditable.
  • Test agent failure and misuse scenarios regularly: run exercises that simulate prompt injection, privilege misuse, and autonomous misfires. Validate that kill switches, rollback paths, and degraded-mode operations work without depending on the failed agent to recover itself.

Key takeaways

  • Agentic AI turns CSF 2.0 into an identity governance problem, because autonomous systems can act without waiting for human approval.
  • Over-privileged AI is already producing measurable incidents, which means task-scoped access is now a baseline control rather than a maturity goal.
  • Teams that want CSF 2.0 alignment should inventory agents, constrain their blast radius, and add decision trails before expanding deployment.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework               | Control / Reference | Relevance
NIST CSF 2.0            | GV.OV-01            | Agent governance needs explicit oversight and risk ownership.
NIST AI RMF             | GOVERN              | AI RMF governance fits autonomous decision-making and accountability.
OWASP Agentic AI Top 10 | A1                  | Agent autonomy and tool misuse are central risks in this article.

Assign accountability for each agent and document approval thresholds for high-risk actions.


Key terms

  • Cyber AI Profile: A Cyber AI Profile is a tailored version of a security framework that maps generic outcomes to the risks of AI systems. In practice, it helps teams translate governance, protection, detection, and response requirements into controls that make sense for autonomous agents and other AI-enabled workflows.
  • Identity blast radius: Identity blast radius is the maximum damage a single identity can cause if it is misused, over-privileged, or compromised. For agents, it includes what systems can be reached, what data can be touched, and how far autonomous actions can spread before a human intervenes.
  • Decision trail: A decision trail is the record of inputs, choices, and outputs that led an AI agent to take an action. It goes beyond access logs by showing why the agent behaved a certain way, which is essential for auditability, incident reconstruction, and policy enforcement.

What's in the full article

Teleport's full post covers the operational detail this analysis intentionally leaves at the framework level:

  • The section-by-section mapping of Govern, Identify, Protect, Detect, Respond, and Recover to agent-specific controls
  • Practical examples of how to scope agent permissions at task level rather than role level
  • Details on the Cyber AI Profile and the NIST AI Agent Standards Initiative that shape this guidance
  • Teleport's implementation-oriented recommendations for monitoring, kill switches, and recovery paths

👉 Teleport's full post covers the CSF function-by-function guidance and agent control examples.

Deepen your knowledge

NIST CSF 2.0 adaptation for autonomous systems is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are mapping agent governance into an existing identity programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org