How to use NIST and ISO frameworks to govern AI agents
Security leaders no longer need convincing that AI agents introduce risk. What’s missing is how to govern them once they move into production and begin operating autonomously across enterprise environments.
AI agents already read sensitive documents, invoke internal APIs, trigger workflows, and make decisions that still require human judgment. From a security perspective, the most important shift is not their intelligence, but their behavior and intent, since they carry delegated authority, operate autonomously, and often hold more access than the humans they support.
Fortunately, security teams don’t need to reinvent the wheel. The NIST AI Risk Management Framework (AI RMF) and ISO/IEC 42001 already provide the structure needed to govern AI agents. The hard part is applying them through an effective control plane such as identity.
Treat AI agents as entities with identities
The first step is foundational, but has immediate operational consequences. AI agents must be treated as machine-scale identities with human-like qualities, not as software components embedded inside applications. Both NIST AI RMF and ISO 42001 emphasize accountability, ownership, and lifecycle governance. Applied to AI agents, that means each agent must have a defined owner, a clear intent, a bounded scope of access, and an explicit lifecycle.
If security teams cannot answer what agents they have, who owns an agent, what intent it was created for, what systems it can access, or when it should be retired, they already have an ungoverned entity in their environment. This mirrors lessons learned with service accounts, except AI agents reason, adapt, and act at machine speed, dramatically increasing potential impact.
Apply NIST AI RMF to identity risk
The NIST AI RMF is particularly useful because it treats AI risk as continuous rather than static, which aligns with identity security principles, where access and behavior evolve over time.
In practice, this starts with observability and governance. Organizations need policies that explicitly classify how AI agents use identities and how they are subjected to IAM controls, monitoring, and accountability. That’s why agents should be approved with the same scrutiny applied to privileged users.
Mapping comes next. Security teams need observability into what agents actually do, not just their inventory or what they were designed to do. This includes which systems they access, what actions they initiate, how they chain decisions, and what downstream effects those actions can trigger. This is identity mapping, not model documentation.
Measurement has to be non-negotiable. Risk should be evaluated based on autonomy, permission breadth, and data sensitivity. An agent that can initiate transactions or modify infrastructure should be treated like a highly privileged identity, not an invisible background process.
Management must be adaptive. Permissions should be revocable in real time, not reviewed quarterly. Behavioral drift, when an agent begins acting outside its intended scope, should trigger investigation just as anomalous human behavior would. NIST’s emphasis on continuous risk management is a reminder that AI identity security cannot be a one-time control.
Use ISO/IEC 42001 to operationalize governance
Where NIST provides structure, ISO/IEC 42001 brings operational discipline. It extends the rigor of management systems like ISO 27001 to AI deployments, including agentic systems.
Applied to AI identities, ISO 42001 reinforces lifecycle controls. Agents should be formally onboarded and registered, reviewed periodically, and decommissioned when no longer needed. Temporary agents should expire automatically, while long-lived agents should regularly justify their continued access.
Logging and traceability are equally important. Every meaningful action an agent takes should be attributable to a specific identity and auditable after the fact. If an organization cannot explain why an agent accessed a system or executed a workflow, that access should be revoked or the agent retired.
ISO 42001 also stresses continuous monitoring and recurring risk assessments. For AI agents, this means watching for identity failures such as privilege creep, unexpected tool usage, or actions that exceed the agent’s defined scope.
Align IAM to an agent-first reality
Most IAM programs were built around humans, with applications and automation added later. AI agents invert that model. They are autonomous, ephemeral, and often created outside traditional IAM workflows.
Security teams should not allow agents to inherit human access by default. Delegated authority must always be narrower than the human it supports. Credentials should be short-lived and dynamically issued rather than embedded as static secrets. Monitoring must shift from periodic access reviews to behavioral baselining that reflects how agents actually operate.
These are not new IAM principles. They are familiar controls that need to be applied to a new class of identities that operate at machine speed and scale.
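An added example, not part of the original article: a small registry audit that checks each agent for the owner, intent, lifecycle, delegation and credential conditions described in the sections above. The field names, finding labels and the one-hour credential ceiling are assumptions, and the registry entries are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_CRED_TTL = timedelta(hours=1)                 # assumed policy ceiling
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)   # fixed clock for the sample

@dataclass
class Agent:                          # hypothetical registry record
    name: str
    owner: Optional[str]              # accountable human or team
    intent: Optional[str]             # what the agent was created to do
    scopes: frozenset                 # permissions granted to the agent
    delegator_scopes: frozenset       # permissions of the human it supports
    cred_ttl: Optional[timedelta]     # None means a static secret
    expires: Optional[datetime]       # None means no retirement date
    temporary: bool = False

def audit(agent, now):
    """Return the governance findings for one agent (empty list = clean)."""
    findings = []
    if not agent.owner:
        findings.append("no-owner")
    if not agent.intent:
        findings.append("no-intent")
    # "Narrower than the human" is checked as a strict subset of scopes.
    if not agent.scopes < agent.delegator_scopes:
        findings.append("scope-not-narrower-than-delegator")
    if agent.cred_ttl is None:
        findings.append("static-credential")
    elif agent.cred_ttl > MAX_CRED_TTL:
        findings.append("credential-ttl-too-long")
    if agent.expires is None and agent.temporary:
        findings.append("temporary-agent-without-expiry")
    if agent.expires is not None and agent.expires <= now:
        findings.append("past-retirement-date")
    return findings

def audit_registry(registry, now):
    results = {a.name: audit(a, now) for a in registry}
    return {name: f for name, f in results.items() if f}

# Constructed sample registry (not real agents).
REGISTRY = [
    Agent("invoice-summarizer", "finance-ops", "summarize invoices", frozenset({"erp:read"}),
          frozenset({"erp:read", "erp:write"}), timedelta(minutes=15), NOW + timedelta(days=30)),
    Agent("infra-helper", None, "patch hosts", frozenset({"cloud:admin"}),
          frozenset({"cloud:admin"}), None, None, temporary=True),
    Agent("migration-bot", "platform", "one-off data migration", frozenset({"db:read"}),
          frozenset({"db:read", "db:write"}), timedelta(hours=8), NOW - timedelta(days=1), temporary=True),
]

if __name__ == "__main__":
    for name, findings in audit_registry(REGISTRY, NOW).items():
        print(name, findings)
```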
Make AI identity governance ongoing
One common mistake is treating AI governance as a project. Both NIST AI RMF and ISO/IEC 42001 explicitly recommend continuous management. That means assigning ownership, defining metrics, conducting regular access reviews, and iteratively improving controls as agents evolve.
Identity has always been the enterprise control plane. With AI agents becoming digital employees, organizations that bring AI agent identities under the same disciplined governance applied to privileged human users will be able to innovate without losing control.