As CSA Labs put it in March 2026, “The deployment of agentic AI, AI systems capable of autonomous action, tool use, environmental interaction, and multi-step task completion, has outpaced the regulatory and standards frameworks designed to govern it.” NIST has been playing catch-up since 2023, releasing a progression of documents that each patch a gap the previous one left open. Here is what each piece covers and what it still misses when applied to autonomous agents.
NIST AI 100-1: The AI Risk Management Framework (AI RMF 1.0)
Published in January 2023, the AI RMF is the foundation. It is voluntary, and its four functions (GOVERN, MAP, MEASURE, and MANAGE) have become the de facto governance vocabulary for AI risk across federal agencies, financial institutions, and technology organizations alike.
The framework was designed for the AI deployments that existed in early 2023: narrowly scoped predictive models and early-generation language model assistants. That matters when you try to apply it to agents. Agents autonomously plan multi-step tasks, delegate subtasks to subordinate agents, and invoke external tools. They accumulate and act on information over time, operate across organizational trust boundaries, and can produce cascading real-world consequences from a single compromised instruction.
The MAP function is where the strain shows most clearly. For agents, mapping must cover the tool integration surface, the authorization scope, interaction with other agents, and the downstream systems whose state the agent can affect. The current framework does not specify any of that. NIST is revising the RMF, though no numbered revision has been published yet.
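One way to make that mapping concrete, as an added example that is not from NIST or the original article: an inventory record per agent covering the four items above, plus a traversal that computes what an orchestrator can actually reach through delegation. The record fields, agent names, tools and scopes are all hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Agent:
    name: str
    tools: set = field(default_factory=set)         # tool integration surface
    scopes: set = field(default_factory=set)        # authorization scope
    delegates_to: set = field(default_factory=set)  # other agents it can invoke
    writes_to: set = field(default_factory=set)     # downstream systems it can change

# Constructed sample inventory; every name below is hypothetical.
INVENTORY = {a.name: a for a in [
    Agent("orchestrator", {"ticket_api"}, {"tickets:read"},
          {"researcher", "deployer"}, {"ticketing"}),
    Agent("researcher", {"web_fetch"}, {"net:egress"},
          {"orchestrator", "summarizer"}),          # cycle + unmapped delegate
    Agent("deployer", {"ci_runner"}, {"repo:write", "deploy:prod"},
          set(), {"git", "prod_cluster"}),
]}

def effective_reach(inventory, root):
    """Everything root can touch directly or through any chain of delegation."""
    reach = {"agents": set(), "tools": set(), "scopes": set(),
             "writes_to": set(), "unmapped": set()}
    stack = [root]
    while stack:
        name = stack.pop()
        if name in reach["agents"] or name in reach["unmapped"]:
            continue                                # already visited (handles cycles)
        agent = inventory.get(name)
        if agent is None:
            reach["unmapped"].add(name)             # delegate missing from the map
            continue
        reach["agents"].add(name)
        reach["tools"] |= agent.tools
        reach["scopes"] |= agent.scopes
        reach["writes_to"] |= agent.writes_to
        stack.extend(agent.delegates_to)
    return reach

def inherited_only(inventory, root):
    """Scopes and downstream systems root gains only via delegation."""
    reach, own = effective_reach(inventory, root), inventory[root]
    return {"scopes": reach["scopes"] - own.scopes,
            "writes_to": reach["writes_to"] - own.writes_to}

if __name__ == "__main__":
    print(effective_reach(INVENTORY, "orchestrator"))
    print(inherited_only(INVENTORY, "orchestrator"))
```

In the sample, the orchestrator holds only a read scope on tickets, yet its effective reach includes production deployment through the deployer, and the `unmapped` set flags a delegate that the inventory does not describe at all.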
NIST AI 600-1: Generative AI Profile
Published July 26, 2024, AI 600-1 is a cross-sectoral companion to the RMF developed pursuant to Executive Order 14110. It identifies twelve risk categories, including data poisoning, hallucinations, CBRN information access, harmful content, and data privacy violations, and maps suggested practices for managing each. The focus areas are governance, content provenance, pre-deployment testing, and incident disclosure.
Most current agentic systems are built on generative foundation models, so AI 600-1 is directly relevant. The gap is that it still describes a largely static threat model. Prompt injection through tool outputs, cross-session memory persistence, and tool-chain poisoning are attack vectors with no equivalent in the threat model underlying AI 600-1. The profile gives you a GenAI risk taxonomy; it does not give you an agentic one.
NIST AI 100-2 E2025: Adversarial Machine Learning Taxonomy
Published in March 2025, this update to NIST’s adversarial ML taxonomy is the most practically useful document for security teams working on agentic deployments right now. It establishes common terminology covering ML method types, attack life cycle stages, and attacker goals, capabilities, and knowledge, alongside mitigation methods.
The March 2025 edition extended the taxonomy to cover autonomous AI agent vulnerabilities for the first time, including indirect prompt injection, agent memory poisoning, and supply chain attacks on agent tools. It also details GenAI-specific misuse attacks and clearly delineates attacks affecting integrity, availability, and privacy as separate categories. That delineation matters: it gives threat modelers a structured vocabulary for agentic attack surfaces that the RMF and AI 600-1 never supplied.
NIST’s own red-team research, cited by CSA Labs, found that novel attack strategies against AI agents achieved an 81% success rate compared to 11% against baseline defenses. That number alone justifies treating AI 100-2 as required reading before any agent system goes to production.
NIST AI 100-5: Agentic AI Profile
NIST AI 100-5 is an agentic AI profile that addresses the novel risks of autonomous AI agents directly, the first NIST document scoped specifically to this class of system. The document identifier NIST AI 100-5e2025 appears in NIST publication archives with an April 2025 date, though its full scope could not be confirmed from primary sources at the time of writing. Verify current status and content at nist.gov/artificial-intelligence before citing specific provisions.
What is clear is that this document fills the conceptual gap the base RMF left open for multi-agent architectures. As CSA Labs noted in April 2026, “When an orchestrating agent spawns sub-agents to handle sub-tasks, accountability for the overall action sequence becomes distributed in ways that existing RMF categories do not capture.” AI 100-5 is NIST’s attempt to resolve that.
NIST IR 8596: CSF 2.0 Profile for AI
If your organization runs a Cybersecurity Framework 2.0 program rather than an SP 800-53 program, NIST IR 8596 is your on-ramp. Published as a preliminary draft on December 16, 2025, it maps CSF 2.0 Functions, Categories, and Subcategories to three AI-specific focus areas, including agentic threats.
The value here is integration, not novelty. Organizations with mature CSF 2.0 programs can absorb AI-specific risk categories without rebuilding their security architecture from scratch. That is a practical consideration many teams overlook when they treat the NIST AI documents as a separate silo from their existing controls.
COSAiS: SP 800-53 Control Overlays for AI Systems
The COSAiS project, announced in mid-2025 with an initial concept paper in August 2025, is developing SP 800-53 control overlays for five AI deployment categories, explicitly including single-agent and multi-agent systems. This is the structured path for SP 800-53 shops to map existing controls to agentic deployments.
No final overlay documents have been published as of April 2026. Full publication is expected on a timeline of late 2026 to 2027. That means organizations doing federal work under OMB M-25-21 and M-25-22 “High-Impact AI” classifications already face NIST-aligned requirements for agentic systems today, before the COSAiS overlays that will eventually formalize those requirements are finished. The gap is real and the interim period requires active decisions, not waiting.
NCCoE Concept Paper: Agent Identity and Authorization
In February 2026, the National Cybersecurity Center of Excellence published a concept paper proposing to adapt existing identity and authorization frameworks for AI agents. The paper, titled Accelerating the Adoption of Software and AI Agent Identity and Authorization, examines how OAuth, SAML, and federated identity frameworks apply to agents that operate continuously, trigger downstream actions, and access multiple systems in sequence.
The proposed demonstration project would use OAuth 2.0, SPIFFE/SPIRE, and Model Context Protocol as the technical basis. This is a preview of where NIST technical guidance on agent identity is heading before formal special publications arrive. If you are designing agent authorization architectures now, this concept paper is worth reading as a signal of likely future requirements.
NIST AI Agent Standards Initiative (CAISI)
On February 17, 2026, NIST’s Center for AI Standards and Innovation formally launched the AI Agent Standards Initiative. This is the first time NIST has established a dedicated organizational initiative around agent security as a category. The initiative runs on three pillars: industry-led voluntary standards development with active participation in ISO and ISO/IEC JTC 1 bodies; community-led open-source protocol development, including Model Context Protocol, to prevent vendor lock-in; and building U.S. leadership in international agent standards bodies.
The standards themselves will take several years to mature. But the institutional commitment signals that agent governance is now a first-class concern at NIST, not an afterthought addressed by footnotes in documents designed for something else.
What the stack means for practitioners today
Only 14.4% of organizations report that their AI agents go live with full security approval, according to the Gravitee State of AI Agent Security 2026 Report. That number is a useful anchor.
The NIST stack gives you a map to close that gap. Use AI RMF 1.0 for governance structure. Apply AI 600-1 for GenAI risk categorization. Use AI 100-2 E2025 for attack modeling and adversarial threat vocabulary. If you run CSF 2.0, layer in IR 8596. If you run SP 800-53, watch COSAiS and plan your overlay adoption. Start reading the NCCoE concept paper now to get ahead of the identity and authorization requirements that are coming.
The documents are not a finished system. They are a stack that has been assembled incrementally as the threat picture for agents became clearer. Treating them as a coherent whole, rather than picking one and stopping, is the practical approach.