TL;DR: Agentic AI security standards are being shaped now inside CoSAI, where more than 45 sponsors and 91% of organizations already on the adoption curve point to a governance model that is still unfinished, according to Zenity and Gartner. The practical issue is not whether agents are coming, but whether identity, access, and runtime controls are defined before they move into production.
At a glance
What this is: Zenity’s CoSAI participation highlights that agentic AI standards, reference architectures, and secure design patterns are being written before most enterprises have a governance model in place.
Why it matters: IAM, NHI, and security teams need to track standards formation now because the controls that govern autonomous agents will influence procurement, architecture reviews, and audit expectations across identity programmes.
By the numbers:
- The coalition includes more than 45 sponsor organizations, including Google, Microsoft, NVIDIA, IBM, and Meta.
- A Gartner poll of 147 CIOs and IT leaders found that 24% had already deployed AI agents, 50% were actively experimenting, and 17% planned to deploy by the end of 2026.
- Gartner’s 4Q25 forecast projects agentic AI spending overtaking chatbot and assistant spending by 2027 on its way to $752.7 billion by 2029.
👉 Read Zenity's analysis of CoSAI and agentic AI security standards
Context
Agentic AI governance is the discipline of controlling software entities that can decide, choose tools, and execute actions with limited or no human intervention. The article argues that the standards, design patterns, and governance language for these systems are being developed now, which means current enterprise controls are already behind the curve for agentic AI identity.
For IAM and NHI programmes, the problem is not simply access provisioning. It is how decision-making software authenticates, invokes tools, inherits context, and interacts with sensitive systems under policies that were designed for humans or static workloads. That is a typical starting position for the market, not an edge case, which makes standards alignment an immediate programme issue rather than a future concern.
Key questions
Q: How should security teams govern AI agents that can invoke multiple tools in one session?
A: Security teams should govern AI agents as decision-making identities, not just tool users. That means defining tool access, context scope, and escalation limits together, then monitoring the full execution chain for unexpected combinations of actions. If those controls are split across teams or policies, the agent can move faster than review cycles and create impact before anyone intervenes.
Q: Why do agentic AI systems create new identity governance risks?
A: Agentic AI systems create new identity governance risks because they do not simply authenticate and wait for commands. They can decide what to do next, select tools, and execute actions across connected systems. That makes the core control question about delegated authority and runtime behavior, not only about issuance, login, or static entitlements.
Q: What breaks when IAM controls are applied to autonomous agents without runtime governance?
A: IAM controls break when they assume access can be reviewed after the fact. Autonomous agents may consume, chain, and release privileges within a single decision cycle, leaving little stable state for recertification or manual review. Without runtime governance, the programme sees the permission grant but misses the consequential action sequence.
Q: Who should be accountable for agentic AI security standards in enterprise programmes?
A: Accountability should sit with the teams that own identity architecture, security governance, and risk acceptance, not only with AI engineering. Agentic AI standards will influence procurement, audit, and control design, so leadership must decide who maps standards to policy, who signs off exceptions, and who validates runtime enforcement in production.
Technical breakdown
Why agentic AI standards are becoming an identity issue
Agentic AI standards are increasingly about identity because agents do not just consume services; they initiate actions across systems. That shifts the control problem from authentication alone to runtime authorisation, context integrity, and delegated authority. The article points to CoSAI’s workstreams as the place where open specifications, reference architectures, and secure design patterns are being codified for enterprise use. For identity teams, that matters because standards will shape how agents are represented, constrained, and audited in production environments.
Practical implication: Map standards review to identity architecture now, not after procurement starts.
MCP security and tool invocation controls
The article notes that CoSAI’s Workstream 4 has already published a secure-by-design agentic systems paper and an MCP security whitepaper covering threat categories across the Model Context Protocol. In practice, MCP is the bridge between an agent and the tools or data it can reach, so its security posture becomes part of the identity boundary. That means permissions, context scope, and tool access are no longer separate concerns. They are coupled in the same execution path.
Practical implication: Treat tool access policy and identity policy as one control surface for agentic systems.
Why runtime governance is different from static access control
A static access model assumes the security team can define privilege before execution and review it later. Agentic systems break that assumption because the agent can chain actions, change targets, and invoke multiple services in a single session. The article’s focus on credential scoping, context validation, and anomaly detection reflects that runtime governance is about watching the decision chain as it happens. That is a different control problem from traditional entitlements review.
Practical implication: Design controls that evaluate agent behavior during execution, not only at provisioning time.
Threat narrative
Attacker objective: The objective is to use legitimate agent access to create compounding cross-system impact before governance can interrupt the sequence.
- Entry occurs when an agent is granted legitimate access to tools, data sources, or enterprise systems under a governance model that assumes bounded execution.
- Escalation happens when the agent chains actions across CRM, email, finance, or other connected systems faster than human review can intervene.
- Impact follows when a single decision-making node amplifies errors, misuse, or malicious actions across multiple systems in one runtime sequence.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities, including AI Agents.
NHI Mgmt Group analysis
Agentic AI standards are now part of identity governance, not a side conversation. The article makes clear that CoSAI is building the specifications enterprises will eventually operationalize, which means identity teams are no longer just consuming standards after the fact. They are shaping the access, audit, and runtime assumptions those standards will encode. The implication is that IAM and NHI programmes will inherit agentic control requirements whether they are ready or not.
Runtime governance is the new failure mode for agentic identity. The article’s emphasis on credential scoping, tool invocation policies, context integrity validation, and anomaly detection shows that the failure is not only who can access a system. It is what a decision-making node can chain together once it is inside the environment. That is where traditional entitlement models become too coarse for agentic systems. Practitioners should read this as a shift from static privilege management to execution-chain governance.
CoSAI will likely become a procurement reference point before it becomes a compliance reference point. The board structure, open governance model, and multi-vendor participation mean enterprise buyers will increasingly ask vendors how they align to these emerging specifications. That creates a standards credibility stack in which participation, contribution, and reference-architecture alignment matter more than membership logos. The implication is that security teams should re-evaluate vendor claims through a standards and evidence lens, not a feature checklist.
Agentic AI and NHI governance are converging around the same control problem. Agents authenticate, invoke tools, and touch sensitive data using credentials and permissions that look like NHI, but their runtime behavior is autonomous in effect. That means NHI controls alone are insufficient if they stop at issuance and rotation. Practitioners should expect the governance model for agents to borrow from NHI, then extend into runtime and decision governance.
Identity blast radius: The article points to a growing reality where one agent can access CRM, email, and financial systems in the same execution chain. That is not just a larger attack surface; it is a wider blast radius created by delegated authority across integrated systems. The implication is that security teams must measure how far a single agent identity can propagate impact, not just whether it is authenticated correctly.
From our research:
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- For the next step, review OWASP NHI Top 10 for the threat model and design patterns that standards work is converging toward.
What this signals
Agentic AI standards will shape procurement before they shape policy. Once CoSAI-style specifications start appearing in RFPs, the governance question becomes whether your programme can demonstrate alignment to open design patterns rather than just internal controls. That is why standards tracking belongs in the identity roadmap now, alongside architecture and audit planning. For readers building an agent governance programme, the next move is to align internal policy language with the control vocabulary emerging in open standards and the OWASP Agentic AI Top 10.
Identity teams should prepare for agentic control planes to inherit NHI-style accountability requirements. Agents already authenticate, invoke tools, and touch sensitive data using permissions that look like machine identity, but their runtime behavior is closer to autonomous decision-making. That means the familiar controls around issuance and rotation will not be enough on their own. The practical signal is that agent governance needs operational ownership, runtime telemetry, and exception handling in the same programme.
Runtime visibility is becoming the gating factor for safe deployment. If security teams cannot trace what an agent accessed, which tools it invoked, and how far its decisions propagated, they cannot answer audit, incident, or risk questions with confidence. That makes execution-chain logging and context validation more than a technical enhancement. They are the minimum evidence layer for governable agentic AI.
For practitioners
- Map agent governance to emerging standards now: Inventory which of your agentic AI controls reference OWASP Agentic AI guidance, MITRE ATLAS techniques, and CoSAI workstream outputs. Use that map to identify where your architecture has no agreed language for tool access, context integrity, or runtime decision chains.
- Unify identity and tool-access policy for agents: Treat agent identity, MCP tool permissions, and data scope as a single governance problem. Separate reviews for entitlements and tool invocation create blind spots because the risk emerges in the combined execution path.
- Review runtime controls, not provisioning controls alone: Assess whether your current programme can detect or interrupt an agent that chains actions across systems in one session. If the answer is no, add policy checkpoints for context validation, anomaly detection, and execution-chain logging.
- Test vendors for standards contribution, not logo presence: Ask each vendor which specifications, threat models, or reference architectures they have actually contributed to in CoSAI, OWASP, or MITRE ATLAS. Membership without substantive technical input is weak evidence of standards credibility.
- Build procurement questions around governance fit: Require security architecture reviews to show how the product aligns with secure-by-design agentic patterns, auditability requirements, and delegated authority limits. This makes the buying process reflect how agent governance will be enforced in production.
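As an added illustration (not code from Zenity, CoSAI, or NHIMG), the runtime gate below sketches the execution-chain controls described in the technical breakdown above and in the practitioner recommendation to add policy checkpoints. Each tool call is checked first against the agent's provisioning-time scope (tool allowlist and data scope), then against session-level runtime rules (action volume, blast-radius cap on distinct backends, and forbidden action combinations), and every decision is appended to an execution-chain log before anything executes. The agent name, tool names, backend systems, context tags, and the forbidden-chain rule are all constructed for the example and are not taken from any published specification.

```python
# Runtime policy gate for agent tool invocations. Added illustration; all agent,
# tool, system and context names are constructed for the example.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class AgentScope:
    """Provisioning-time scope for one agent identity."""
    agent_id: str
    allowed_tools: FrozenSet[str]    # tools the agent may invoke at all
    data_scope: FrozenSet[str]       # context tags the agent may operate on
    max_actions_per_session: int     # crude volume threshold for anomaly detection
    max_systems_per_session: int     # blast-radius cap: distinct backends per session


@dataclass(frozen=True)
class ToolCall:
    session_id: str
    tool: str      # e.g. "crm.read_account"
    system: str    # backend the tool reaches: "crm", "email", "finance", ...
    action: str    # "read" or "write"
    context: str   # data tag the call operates on, e.g. "customer:acme"


# Chain rules: (system, action) pairs that must not co-occur in one session.
# Constructed rule: a session that wrote to finance may not also send email.
FORBIDDEN_CHAINS: Tuple[FrozenSet[Tuple[str, str]], ...] = (
    frozenset({("finance", "write"), ("email", "write")}),
)


@dataclass
class SessionState:
    actions: List[Tuple[str, str]] = field(default_factory=list)  # allowed (system, action)
    systems: Set[str] = field(default_factory=set)               # backends reached


@dataclass
class RuntimeGate:
    scopes: Dict[str, AgentScope]
    sessions: Dict[str, SessionState] = field(default_factory=dict)
    chain_log: List[dict] = field(default_factory=list)  # execution-chain evidence

    def check(self, agent_id: str, call: ToolCall) -> Tuple[bool, str]:
        """Decide one tool call and record the decision before anything executes."""
        scope = self.scopes.get(agent_id)
        state = self.sessions.setdefault(call.session_id, SessionState())
        allowed, reason = self._evaluate(scope, state, call)
        self.chain_log.append({"agent": agent_id, "session": call.session_id,
                               "tool": call.tool, "system": call.system,
                               "action": call.action, "context": call.context,
                               "allowed": allowed, "reason": reason})
        if allowed:  # only executed actions count toward the session's chain
            state.actions.append((call.system, call.action))
            state.systems.add(call.system)
        return allowed, reason

    @staticmethod
    def _evaluate(scope, state, call) -> Tuple[bool, str]:
        if scope is None:
            return False, "unknown agent identity"
        # Provisioning-time checks: tool allowlist and data scope.
        if call.tool not in scope.allowed_tools:
            return False, f"tool {call.tool} not in allowlist"
        if call.context not in scope.data_scope:
            return False, f"context {call.context} outside data scope"
        # Runtime checks: volume, blast radius, forbidden action combinations.
        if len(state.actions) >= scope.max_actions_per_session:
            return False, "session action count exceeds baseline"
        systems = state.systems | {call.system}
        if len(systems) > scope.max_systems_per_session:
            return False, f"blast radius of {len(systems)} systems exceeds cap"
        chain = set(state.actions) | {(call.system, call.action)}
        for forbidden in FORBIDDEN_CHAINS:
            if forbidden <= chain:
                return False, f"forbidden chain {sorted(forbidden)}"
        return True, "ok"

    def blast_radius(self, session_id: str) -> int:
        # Distinct backends one session has actually reached.
        return len(self.sessions.get(session_id, SessionState()).systems)


def demo() -> Tuple[RuntimeGate, List[Tuple[bool, str]]]:
    """Replay a constructed session: CRM read -> invoice write -> email -> out-of-scope read."""
    scope = AgentScope("sales-assistant",
                       allowed_tools=frozenset({"crm.read_account",
                                                "finance.create_invoice", "email.send"}),
                       data_scope=frozenset({"customer:acme"}),
                       max_actions_per_session=10, max_systems_per_session=3)
    gate = RuntimeGate(scopes={scope.agent_id: scope})
    s = "sess-001"
    calls = [
        ToolCall(s, "crm.read_account", "crm", "read", "customer:acme"),
        ToolCall(s, "finance.create_invoice", "finance", "write", "customer:acme"),
        ToolCall(s, "email.send", "email", "write", "customer:acme"),       # allowed statically, denied by chain rule
        ToolCall(s, "crm.read_account", "crm", "read", "customer:globex"),  # outside data scope
    ]
    return gate, [gate.check(scope.agent_id, c) for c in calls]
```

The replay in `demo()` makes the article's distinction concrete: the third call passes the static allowlist and would survive an entitlement review, but is denied because the same session has already written to finance. The session also records which backends it reached, so blast radius can be measured per session rather than inferred from what the agent is permitted on paper.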
Key takeaways
- Agentic AI standards are moving from discussion to governance infrastructure, which makes identity teams part of the standards conversation now.
- The core risk is runtime decision chaining, not just access issuance, because agents can propagate impact across multiple systems in one session.
- Programmes that cannot align to open specifications, trace agent actions, and validate delegated authority will struggle to govern production deployments.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | AA-03 | Agentic tool use and runtime misuse are central to the article's standards focus. |
| NIST AI RMF | | The article centers on governance, accountability, and risk management for autonomous AI. |
| OWASP Non-Human Identity Top 10 | NHI-04 | Agents authenticate and operate using credentials that behave like non-human identities. |
Apply NHI control reviews to agent credentials, then extend them into runtime monitoring and scope validation.
Key terms
- Agentic AI governance: Agentic AI governance is the set of policies, controls, and review processes used to manage software that can choose actions and execute them with limited human intervention. It extends beyond authentication into delegated authority, runtime monitoring, and accountability for multi-step behaviour.
- Runtime governance: Runtime governance is the control layer that evaluates what an identity does while it is active, not just what it is allowed to do on paper. For agentic systems, it covers tool invocation, context integrity, action chaining, and the evidence needed for audit and incident response.
- Standards credibility stack: A standards credibility stack is the combination of frameworks, threat models, open specifications, and practitioner contributions that make a vendor’s guidance credible in enterprise settings. In this context, it matters because buyers increasingly test whether a vendor helped shape the standards it claims to support.
- Identity blast radius: Identity blast radius is the scope of systems, data, and processes that can be affected when a single identity is misused or behaves unexpectedly. For autonomous or agentic identities, blast radius often grows through chained actions across multiple services rather than a single direct access path.
Deepen your knowledge
Agentic AI standards and runtime governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for autonomous agents, this is a practical place to start.
This post draws on content published by Zenity: Zenity Joins CoSAI, explaining why agentic AI standards need practitioners at the table. Read the original.
Published by the NHIMG editorial team on 2026-04-14.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org