Five Categories, No Enforcement Architecture
On the load-bearing document inside the agentic AI news cycle - and what it does not say.
On April 30, 2026, six agencies across five governments published a joint advisory titled "Careful Adoption of Agentic AI Services." The authoring agencies were CISA, NSA, the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), the Canadian Centre for Cyber Security, NCSC-NZ, and NCSC-UK. The document opens not with a threat ranking or vendor checklist but with a statement of conditions: agentic AI systems "increasingly operate across critical infrastructure and defense sectors," and defenders "must implement security controls to protect national security and critical infrastructure from agentic AI-specific risks."
That document, not the commentary it generated, is the load-bearing artifact. The advisory does not declare autonomous agents "the primary enterprise security threat of 2026." It does not endorse any governance vendor. It names five risk categories that must be controlled when an autonomous agent operates inside an enterprise environment - and those categories deserve to be engaged on their own terms, not as a backdrop for product announcements.
The Five Categories
The advisory names five distinct risk areas for agentic AI systems. They are worth taking in sequence.
Privilege risks. The advisory's framing is direct: "Privilege risks are a key concern for agentic AI and strict adherence to the principle of least privilege is critical. Privileges assigned to agents directly determine the level of risk they can introduce. Poor management of privileges can expose organisations to privilege compromise, scope creep, identity spoofing and agent impersonation." The NSA's press release summarizes the point: "Over-privileged agents can amplify the impact of a single compromise." The concern is not hypothetical. Agents that inherit ambient credentials, accept delegated authority without scoping, or accumulate permissions across multi-step workflows represent a privilege surface that has no direct analog in traditional software architecture.
Design and configuration risks. The advisory describes the failure modes in specific technical terms: "Unvetted third-party components may carry excessive or unintended privileges when integrated into agent workflows. Static role or permission checks often fail to capture the context of dynamic decision-making flows; if entitlements are evaluated only once at system startup rather than at each invocation, a malicious actor can exploit a stale 'allow' decision to execute unauthorised actions." The advisory is identifying a structural property: the moment of permission evaluation is decoupled from the moment of action. That decoupling is not a configuration oversight - it is a design pattern embedded in most current agentic frameworks.
Behavior risks. "In agentic AI cyber security, behavioural risks describe the ways in which AI agents may act unexpectedly, cause harm, or become exploitable" - encompassing, per the NSA press release, "goal misalignment, specification gaming, deceptive behavior, and emergent capabilities." These risks cannot be addressed purely at the configuration layer. They arise during execution, often in ways no pre-deployment review anticipates.
Structural risks. "A core aspect of agentic AI systems is the interconnected structure between agents, tools and the outside world. While this enables their unique capabilities, it also increases the attack surface and complexity of the system." The advisory is pointing at something that the standard architecture discussion tends to underspecify: in multi-agent systems, the failure of one component propagates. The governance surface is not any individual agent - it is the interaction topology. And that topology changes as agents are added, chained, or replaced.
Accountability risks. "Agentic system architecture can obscure what caused a particular action, making accountability hard to trace. This presents increasing risk as agentic AI is pushed to assume more roles and given more capabilities." The Register's reporting on the advisory quoted the conclusion directly: "Until security practices, evaluation methods and standards mature, organisations should assume that agentic AI systems may behave unexpectedly and plan deployments accordingly, prioritising resilience, reversibility and risk containment over efficiency gains."
These five categories describe what must be controlled. The advisory does not describe how. And it does not describe how an enterprise would prove, after the fact, that the controls held.
The Amplification Gap
Between April 30 and the publication of this piece, the advisory's language has been selectively amplified. The pattern is consistent: vendor copy and commentary paraphrase the advisory while inflating its claims. "Careful adoption" becomes "urgent action." Five risk categories become a product taxonomy. The advisory's deliberately measured language - "until security practices, evaluation methods and standards mature" - becomes a confirmation that the market has already matured enough to offer solutions.
The attribution errors compound this. The risk framework described in the advisory belongs to CISA, NSA, and five allied agencies. It does not belong to NIST. NIST's own AI Agent Standards Initiative, launched February 17, 2026, is a separate program - focused on identity, authentication, and interoperability standards, with no published agentic-specific standard as of May 2026. Attributing the CISA advisory's risk categories to NIST misidentifies the document.
The concern here is structural: when the advisory's five categories get mapped onto existing product features without engaging the harder layer underneath, the categories become taxonomy rather than requirements. They describe a surface. They do not constitute an enforcement architecture.
The silence inside the advisory - the gap between "what must be controlled" and "how an enterprise proves the controls held" - is honest. The advisory knows what it does not specify. The amplification has chosen to treat the silence as already filled.
What the Silence Contains
The advisory describes what must be controlled. It does not describe the artifacts a controller would produce to prove control held. That is a different and harder problem. The unsolved layer has three components.
Deterministic policy evaluation at the moment of action. Not a probabilistic guardrail, not a post-hoc log, not an LLM-judge that may or may not catch the call. Deterministic means: at the moment an agent proposes an action, a policy evaluator runs, produces a binary permit/deny decision, and that decision gates the action. The advisory's Design and Configuration category points at exactly this - entitlements evaluated "at each invocation" rather than "only once at system startup". Invoking that principle in practice means the policy evaluator must be present at every invocation, not consulted at deployment time and assumed to hold thereafter. A probabilistic guardrail consulted occasionally is not a policy evaluator. A log written after the action is not enforcement. The advisory's distinction between startup-time and invocation-time evaluation is doing the structural work in this category, and it is doing it without ambiguity.
Attestable execution. Evidence that the policy was evaluated, with cryptographic or equivalent strength, bound to the specific action it gated. Not a log the application wrote to its own store. Not an audit trail the agent itself could modify. Attestable means: a third party, without access to the original system, could verify that at time T, policy P evaluated action A and produced outcome O. The advisory's Accountability category describes what happens in the absence of this: "agentic system architecture can obscure what caused a particular action." Obscurity is not a data problem. It is an architecture problem.
An auditable evidence chain that survives across orchestrator boundaries, model swaps, and tenancy changes. An agent operating under one orchestrator may call tools hosted by a different vendor, invoke models from a third party, and persist state in a fourth system. If the evidence chain is held by any one of those parties, it is not an enterprise evidence chain - it is a vendor-scoped log. The advisory's Structural category identifies the interconnected architecture as a first-order risk. The evidence chain problem is the governance analog of the same structural reality.
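The three components above can be made concrete in a few dozen lines. The following is an added illustration, not code from the advisory or from any vendor: it contrasts the stale "allow" decision taken once at startup with evaluation at each invocation, and has the evaluator emit an HMAC-chained record binding time T, policy P, agent, action A and outcome O so that a party holding only the key and the chain can verify it. The entitlements, agent name and key are constructed for the demonstration; the key stands in for one held by the evaluator or verifier, never by the agent.

```python
import hashlib, hmac, json, time

# Constructed demonstration key; in practice held by the evaluator/verifier, not the agent.
ATTEST_KEY = b"verifier-held-key-placeholder"

class PolicyEvaluator:
    """Deterministic permit/deny that appends an HMAC-chained attestation record per decision."""
    def __init__(self, entitlements):
        self.entitlements = {agent: set(acts) for agent, acts in entitlements.items()}
        self.chain = []          # append-only evidence chain
        self._prev = "0" * 64    # genesis link

    def policy_id(self):
        # Hash of the current entitlement snapshot, so each record names policy P precisely.
        snap = json.dumps({a: sorted(v) for a, v in self.entitlements.items()}, sort_keys=True)
        return hashlib.sha256(snap.encode()).hexdigest()

    def revoke(self, agent, action):
        self.entitlements.get(agent, set()).discard(action)

    def evaluate(self, agent, action, now=None):
        outcome = "permit" if action in self.entitlements.get(agent, set()) else "deny"
        record = {"t": now if now is not None else time.time(), "policy": self.policy_id(),
                  "agent": agent, "action": action, "outcome": outcome, "prev": self._prev}
        body = json.dumps(record, sort_keys=True).encode()
        record["mac"] = hmac.new(ATTEST_KEY, body, hashlib.sha256).hexdigest()
        self._prev = record["mac"]          # next record links to this one
        self.chain.append(record)
        return outcome == "permit"

def verify_chain(chain, key=ATTEST_KEY):
    """Third-party check: every record is intact and links to its predecessor."""
    prev = "0" * 64
    for rec in chain:
        body = {k: v for k, v in rec.items() if k != "mac"}
        expected = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
        if rec["prev"] != prev or not hmac.compare_digest(expected, rec["mac"]):
            return False
        prev = rec["mac"]
    return True

def startup_time_gating(ev, agent, action):
    """The stale-allow pattern: decide once at startup, then act on every later call unchecked."""
    allowed = ev.evaluate(agent, action)   # evaluated once
    ev.revoke(agent, action)               # entitlement changes afterwards
    return allowed                         # still True: the action would proceed on a stale decision

def invocation_time_gating(ev, agent, action):
    """Per-invocation evaluation: the revocation is visible at the very next call."""
    first = ev.evaluate(agent, action)
    ev.revoke(agent, action)
    return first, ev.evaluate(agent, action)   # (True, False)
```

Editing any field of a record, or reordering records, breaks `verify_chain`, which is the property a self-written application log lacks.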
None of this names a solution. The shape of the unsolved problem is what matters here.
The Agent Identity Layer
Three earlier Verik arguments established the terrain this piece builds on.
The Andreessen Autonomy Threshold piece argued that giving agents financial agency without verifiable identity is a solvency problem, not a UX problem. The Vercel "Allow All" piece argued that consent at machine speed without instrumented oversight collapses into permission inflation. The Operating in the Fog piece argued that visibility and verifiability are not the same thing.
This piece extends the arc: the advisory describes what must be controlled, but an enterprise cannot prove control of an actor whose identity is not bound to its actions, whose actions are not bound to evaluable policy, and whose policy evaluation does not produce evidence the auditor can verify after the fact. The same problem, at four levels of a single stack.
On Accountability Specifically
Of the five categories, Accountability is the one most exposed by the policy-as-document gap. The advisory acknowledges the attribution chain: an agent that acts on behalf of a human principal generates actions running through model providers, orchestrators, tools, and downstream systems. Multiple counterparties. Multiple log stores. No single authority holds the complete chain.
The advisory acknowledges this chain. It does not specify the artifacts that would let an enterprise reconstruct it when something goes wrong. The EU AI Act's August 2, 2026 application date - currently the operative deadline regardless of the Omnibus deferral negotiations, which as of this writing have not concluded - includes logging obligations under Article 12 for high-risk AI systems. Those obligations require records of automated decisions. They do not specify the architecture that would make those records tamper-evident or reconstructable across a multi-vendor agentic topology.
The gap between having logs and having an attestable evidence chain is the gap between a legal requirement as written and that requirement as enforceable. If the first major agentic incident that produces a regulatory inquiry occurs before the evidence architecture matures, the enterprise will produce documentation, not evidence. The difference will matter.
Open Questions
The advisory is the beginning of a framework, not the end of one. Several questions it leaves open will define the next phase of this conversation:
When the first agentic incident produces a regulatory inquiry, what artifact does the enterprise produce to demonstrate that the policy evaluated, the action was gated, and the accountability chain can be reconstructed? Who holds that artifact, and how was it produced?
What does enforcement look like when the orchestrator, the model provider, and the tool vendor each hold one piece of the evidence and none of them produce it together? Is the answer contractual? Technical? Regulatory?
How does an enterprise distinguish between a vendor that has implemented the five categories and a vendor that has implemented the language of the five categories? The advisory provides the vocabulary. It does not provide the test.
At what point does "governance-as-code" require evidence that the code ran - not just that it was written? A policy document describes intent. An attestable execution trace describes what actually happened. The advisory implies the second. Most current governance offerings provide the first.
What does the NIST AI Agent Interoperability Profile - currently in development with a target of Q4 2026 - say about these questions when it publishes? And when it does, will the vendors who have been building around the CISA advisory's five categories be positioned to demonstrate alignment, or will they be required to re-architect to meet a standard they did not anticipate?
The advisory was published April 30, 2026. The commentary landed quickly. The harder questions are still open.
Verik publishes at the agentic frontier. Pieces in this arc: Andreessen Autonomy Threshold | Vercel "Allow All" | Operating in the Fog | Five Categories, No Enforcement Architecture.