NIST AI RMF for AI agents: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8688
Topic starter  

TL;DR: AI risk moves from periodic model review to continuous runtime control when agents are in production, and the NIST AI RMF remains the most practical structure for making Govern, Map, Measure and Manage operate continuously, according to Collibra. The real issue is that frameworks built for static assessment fail when privilege, action and impact unfold inside the session.

NHIMG editorial — based on content published by Collibra: The AI risk management framework, NIST AI RMF for models and agents (with implementation steps)

Questions worth separating out

Q: How should organisations govern AI agents that can act autonomously?

A: Treat the agent as an acting identity, not as a passive application.

Q: Why do AI agents complicate traditional IAM and risk review processes?

A: Because traditional IAM assumes access can be reviewed after it is granted and before it changes materially.

Q: What do security teams get wrong about AI risk management frameworks?

A: They often treat the framework as documentation rather than an operating model.

Practitioner guidance

What's in the full article

Collibra's full article covers the operational detail this post intentionally leaves for the source:

  • How Collibra maps Govern, Map, Measure and Manage into an operating model for AI risk
  • The implementation table showing what to implement for each NIST AI RMF function
  • The comparison of NIST AI RMF with the EU AI Act and ISO 42001
  • The AI Command Center example that operationalises continuous monitoring and runtime intervention

👉 Read Collibra's full analysis of the NIST AI RMF for models and agents →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8144
 

Continuous AI risk control is now an identity problem, not just a model problem. The NIST AI RMF works because it assumes risk must be managed throughout operation, not at a single approval point. That matters more once agents enter production, because the control question shifts from model quality to what the identity can access and do. NIST AI RMF and NIST Cybersecurity Framework 2.0 are the relevant anchors here. Practitioners should treat agent governance as part of the same identity control plane that already governs high-risk machine access.

A few things that frame the scale:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: Who is accountable when an AI agent exceeds its intended scope?

A: The accountable party is the owner assigned through governance, supported by the teams that approved the agent’s scope and controls. If no owner can pause, review or explain the action path, accountability has been designed out of the programme instead of into it.

👉 Read our full editorial: NIST AI RMF for agents exposes where continuous AI risk control fails



   