AI agent context windows: are your controls keeping up?

TL;DR: RSA 2026 conversations, vendor launches, and supporting research converged on a single conclusion: the AI agent context window is the real security perimeter, because more tokens reduce accuracy, dilute instructions, and expand attack surface, according to Zenity and cited research. The governance gap is no longer about model quality, but about who controls what enters context, what persists, and what gets acted on.

NHIMG editorial — based on content published by Zenity: Context Engineering Is Security Engineering. RSA 2026 Made the Case

By the numbers:

• 85% of large enterprises are experimenting with AI agents, but only 5% have moved them into production.
• 97% of organizations with AI-related security incidents lacked proper AI access controls.

Questions worth separating out

Q: How should security teams govern AI agent context windows?

A: Security teams should treat context windows as governed trust boundaries, not as passive text buffers.

Q: Why do AI agents make least privilege harder to enforce?

A: AI agents make least privilege harder because their effective authority depends on what context they can see and act on at runtime, not just on the permissions assigned to the underlying identity.

Q: What breaks when prompt, retrieval, and memory are governed separately?

A: When prompt, retrieval, and memory are governed separately, no one owns the full decision chain.

Practitioner guidance

• Map every context source as a governed access path Inventory system prompts, retrieval feeds, memory stores, tool outputs, and compaction rules as separate trust inputs.
• Constrain context to the minimum necessary tokens Remove unused retrieval sources, trim prompt scaffolding, and reduce memory persistence to the smallest set that still supports the task.
• Correlate posture drift with runtime behaviour Track when agent permissions, connectors, or retrieval sources change and compare those changes with tool calls and output patterns.

What's in the full article

Zenity's full blog post covers the operational detail this post intentionally leaves for the source:

• A deeper walkthrough of the stateful threat engine and how it correlates prompt chains, tool use, and session history.
• Operational examples of real-time exposure visibility when agent permissions, connectors, or MCP servers change.
• The Issues correlation model that ties configuration drift to live behaviour in one investigation.
• Coverage specifics for Microsoft 365 Copilot, Copilot Studio, ChatGPT Enterprise, Salesforce Agentforce, Azure AI Foundry, Google Vertex AI, and ServiceNow.

👉 Read Zenity's analysis of why context engineering is the security perimeter for AI agents →

AI agent context windows: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →