
AI agent security governance: what the new US blueprint changes


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: A new US AI security order adds voluntary benchmarking, pre-release review, and federal cyber enforcement focused on AI-enabled abuse as researchers report an 89% year-over-year rise in AI-driven attacks, according to Zenity. The practical lesson is that agent governance now has to account for runtime visibility, delegated access, and misuse detection, not just model safety.

NHIMG editorial — based on content published by Zenity: The US Has a New AI Security Blueprint: Here's What It Actually Means

Questions worth separating out

Q: How should security teams govern AI agents that can act on delegated access?

A: They should govern AI agents as identities with owned permissions, runtime telemetry, and clear approval boundaries.

Q: Why do AI agents complicate existing IAM and NHI controls?

A: AI agents complicate IAM and NHI controls because they can make decisions at runtime, call tools dynamically, and execute faster than human review cycles can keep up.

Q: What breaks when access review processes are used for autonomous agent governance?

A: Access review processes break when the system under review changes access and action paths within the same operating session.

Practitioner guidance

  • Map every active AI agent to a named identity owner. Assign business and technical ownership to each agent that can reach credentials, APIs, or production systems.
  • Instrument runtime telemetry for agent tool use. Capture which tools an agent invoked, which data it touched, and which approvals, if any, were bypassed.
  • Review delegated access as a live security event. Treat credential access granted to AI agents as time-sensitive governance, not a one-time setup task.

What's in the full analysis

Zenity's full analysis covers the operational detail this post intentionally leaves for the source:

  • A deeper breakdown of the federal AI Cybersecurity Clearinghouse and how the information-sharing model may affect critical infrastructure operators.
  • A closer look at the voluntary pre-release review framework, including the trusted-partner question practitioners will need to understand.
  • Zenity's reading of the enforcement language around AI-enabled cybercrime and what it means for agent governance programmes.
  • The article's timeline summary for July and August implementation milestones that security teams can use for planning.

👉 Read Zenity's analysis of the US AI security blueprint and agent governance →
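The three guidance points above (owned identity, runtime telemetry, time-boxed delegated access) and the point that access reviews break when access changes mid-session can be made concrete in a small tool-call gateway. The following is an added example written for this page, not code from Zenity or NHIMG; the agent names, tool names, ticket IDs and the `AgentIdentity`/`ToolGateway` design are illustrative assumptions. Every tool call an agent makes is routed through the gateway, which checks the named owner, scope, approval requirement and delegation expiry at call time and logs each attempt, allowed or denied, so the owner can be paged on misuse.

```python
# Added example (not Zenity's or NHIMG's code): a minimal tool-call gateway that
# treats each AI agent as an owned identity, enforces scope and approval
# boundaries at runtime, expires delegated access, and emits telemetry.
# Agent names, tool names and ticket IDs below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str
    owner: str                    # named human or team accountable for this agent
    allowed_tools: frozenset      # tools the identity may invoke at all
    approval_required: frozenset  # subset that also needs a human approval ticket
    delegated_until: float        # epoch seconds; delegated access is time-boxed


@dataclass
class Decision:
    allowed: bool
    reason: str


class ToolGateway:
    """Every agent tool call is routed through here, so telemetry is complete."""

    def __init__(self, agents, clock):
        self.agents = {a.agent_id: a for a in agents}
        self.clock = clock   # injectable clock so the demo can advance time
        self.events = []     # runtime telemetry: one record per attempt, allowed or not

    def _record(self, agent_id, tool, data_scope, ticket, decision):
        agent = self.agents.get(agent_id)
        self.events.append({
            "ts": self.clock(),
            "agent": agent_id,
            "owner": agent.owner if agent else None,
            "tool": tool,
            "data_scope": data_scope,     # what the call touched, e.g. "vault:prod/db"
            "approval_ticket": ticket,
            "allowed": decision.allowed,
            "reason": decision.reason,
        })
        return decision

    def call(self, agent_id, tool, data_scope, approval_ticket=None):
        """Authorise one tool call at runtime and log it either way."""
        agent = self.agents.get(agent_id)
        if agent is None:
            decision = Decision(False, "unregistered agent")
        elif self.clock() > agent.delegated_until:
            decision = Decision(False, "delegated access expired")
        elif tool not in agent.allowed_tools:
            decision = Decision(False, "tool outside approved scope")
        elif tool in agent.approval_required and approval_ticket is None:
            decision = Decision(False, "approval bypassed")
        else:
            decision = Decision(True, "ok")
        return self._record(agent_id, tool, data_scope, approval_ticket, decision)


def flag_for_review(events):
    """Group denied attempts by agent so the named owner can be paged."""
    flagged = {}
    for e in events:
        if e["allowed"]:
            continue
        entry = flagged.setdefault(e["agent"], {"owner": e["owner"], "reasons": set()})
        entry["reasons"].add(e["reason"])
    return flagged


def run_demo():
    """Constructed session (not real data) in which each boundary is hit once."""
    now = [1_700_000_000.0]

    def clock():
        return now[0]

    agents = [AgentIdentity(
        agent_id="ops-agent",
        owner="platform-team",
        allowed_tools=frozenset({"read_ticket", "restart_service"}),
        approval_required=frozenset({"restart_service"}),
        delegated_until=now[0] + 600,          # ten-minute delegation
    )]
    gw = ToolGateway(agents, clock)
    decisions = [
        gw.call("ops-agent", "read_ticket", "ticket:4821"),
        gw.call("ops-agent", "restart_service", "svc:payments"),                  # no ticket
        gw.call("ops-agent", "restart_service", "svc:payments", approval_ticket="CHG-1093"),
        gw.call("ops-agent", "rotate_secret", "vault:prod/db"),                   # never in scope
    ]
    now[0] += 900   # the agent's session outlives its delegated access
    decisions.append(gw.call("ops-agent", "read_ticket", "ticket:4822"))
    decisions.append(gw.call("rogue-agent", "read_ticket", "ticket:4823"))       # no owner on file
    return gw, decisions


if __name__ == "__main__":
    gateway, results = run_demo()
    for d in results:
        print(d)
    print(flag_for_review(gateway.events))
```

The design choice worth noting is that expiry and scope are re-checked on every call rather than once at session start, which is what a periodic access review cannot do: the same `ops-agent` session passes a `read_ticket` call and, fifteen minutes later, is denied the identical call because its delegation lapsed. The telemetry record carries the owner on every event, so `flag_for_review` already knows whom to notify without a separate lookup.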

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Agent governance has crossed from experimental risk into identity control territory. The article shows that policy makers now see AI agents as systems that can exercise access in ways comparable to other non-human identities, but at greater speed and with less predictable intent. That means existing IAM and NHI models must be judged by whether they can observe and constrain runtime behaviour, not just issue credentials. Practitioners should treat agent governance as an identity discipline, not a model-safety add-on.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, according to The State of Secrets in AppSec.

A question worth separating out:

Q: Who is accountable when an AI agent misuses credentials or triggers fraud?

A: Accountability should rest with the organisation that authorized the agent, the team that owns its permissions, and the operators who can evidence its intended use. If an agent can access sensitive systems, the governance model must identify human owners for approval, monitoring, and revocation. Otherwise responsibility becomes ambiguous exactly when it matters most.

👉 Read our full editorial: AI agent security governance tightens as the US sets new rules
