NIST Wants to Know How You Secure Your Agents [RFI Breakdown]

You shipped an AI agent to production. It works. It’s pulling data, making decisions, triggering actions. Now it’s calling an API it shouldn’t call.

Nobody knows who authorized it. The logs don’t show why. You can’t roll back its decisions. And your CEO is asking how this happened.

This is the problem Washington just realized it needed to solve.

On January 12, 2026, NIST’s Center for AI Standards and Innovation (CAISI) opened a formal Request for Information (RFI) on securing AI agent systems. The comment deadline just passed (March 9). But the deadline matters less than what the RFI asked. Because what NIST is asking tells you exactly where governance will tighten next.

Answer-First Summary

NIST’s RFI signals a shift from treating agents as software to treating them as entities that need identity, authorization boundaries, and accountability measures. The four pillars—identity/authentication, authorization models, monitoring/observability, and lifecycle management—reveal the infrastructure gap every team building autonomous systems is about to hit. Listening sessions in April and concept paper comments due April 2 mean you have 8-12 weeks to move from “someday we’ll secure agents” to “here’s how we actually do it.”

---

What NIST Actually Asked (And Why It Matters)

The RFI didn’t ask for essays on AI safety. It asked technical questions that expose a hard infrastructure problem: your identity systems weren’t built for agents.

NIST’s questions clustered into four areas.

Identity and Authentication. How do you prove an agent is really the agent you deployed? Not a hijacked version. Not a prompt-injected imposter. NIST wants to know how you distinguish a legitimate agent from an unauthorized one. Your humans get user IDs and passwords. Your services get API keys. Your agents get… what? That gap is the vulnerability regulators are staring at.

Authorization Models. Once you’ve proven who the agent is, how do you limit what it’s allowed to do? Your engineers understand role-based access control (RBAC). Agents are different. An agent that runs continuously, chains decisions, and calls multiple systems in sequence doesn’t fit neatly into “user can read, cannot write.” NIST asked: what does scoped authorization actually look like when the subject is autonomous?

Monitoring and Observability. An agent took an action. You need to know: why did it make that choice? Which systems did it touch? What data did it access? Can you explain the chain of decisions? Can you catch it acting outside its authority in real time? NIST asked how organizations should implement logging, alerting, and explanation for agent behavior—and what level of explainability should be non-negotiable.

Lifecycle Management. When you deploy an agent, you need to version it. Update it. Test changes. Roll back if something goes wrong. Retire it. NIST asked how you manage the full lifecycle while maintaining security and auditability at each stage.

These aren’t abstract questions. They’re the things your team hasn’t figured out yet because standards don’t exist. And standards don’t exist because nobody knew what to standardize until agents started running in production and breaking things.

The Signal (Beyond the RFI)

Here’s what the timeline tells you: this is moving fast.

The RFI comments closed March 9. Listening sessions happen in April. NIST also released a concept paper on “Accelerating the Adoption of Software and AI Agent Identity and Authorization,” with comments due April 2. That’s not a slow regulatory crawl. That’s “we know what the problem is, here’s a starting framework, tell us how to build it.”

Meanwhile, Singapore launched the world’s first national Agentic AI Governance Framework on January 22, 2026. It’s voluntary, but it exists. It covers risk assessment, human accountability, technical controls, and end-user responsibility. Singapore moved first. Washington is catching up.

And on March 11, the FTC issues a policy statement on how the FTC Act applies to AI—including where state laws requiring AI output modifications conflict with federal prohibitions on deceptive practices. That’s the regulatory structure tightening in real time.

What does this timeline mean? Governance is happening now, in April and May. And the frameworks being written in the next 60 days will shape your infrastructure decisions for years.

Three Things to Prepare Before April

You can’t control regulatory timelines. You can control whether you’re ready to ship safely when the standards arrive.

First: Audit your agent identity infrastructure. Not in 90 days. This month. Walk through every autonomous system in production or development. Ask: How does this agent prove who it is? What identity mechanism backs it? (Is it a hardcoded API key? A service account? An OAuth token? A custom scheme?) Document the gaps. If you can’t answer “who authorized this agent?” in under 30 seconds, that’s your starting point for redesign.

Second: Build for audit trails before you need them. Every agent action should log: timestamp, agent ID, decision point, reasoning (if applicable), systems accessed, data modified, authorization check result. Not for compliance theater. For the moment something goes wrong and you need to explain step-by-step how it happened. If you’re designing new agent workflows now, bake in observability from day one.

Third: Study what Singapore actually did. The framework requires human oversight mechanisms that can override, intercept, or review agent actions. It requires risk bounding upfront. It requires accountability assignments. You don’t have to implement Singapore’s framework—but understanding how a real governance model structures these questions will inform how you structure yours. Read the IMDA framework. It’s the closest thing to a working template available today.

The Human-AI Parallel

You need identity so you can be held accountable. So does an agent.

Right now, most teams treat agent deployment like pushing a service. Deploy. Monitor. If it breaks, roll back. But agents break differently. A service crash is obvious. An agent that silently makes bad decisions at scale is catastrophic. The only way to catch it is to know who made the decision (which agent), trace the reasoning (observability), and verify the decision fell within authority (authorization).

This isn’t new in human organizations. When a trader executes a massive position, you know: which trader. What authorization level they have. What their position history looks like. What triggers an override. Why? Because unchecked autonomous decision-making in finance destroyed companies. So markets built accountability structures around it.

AI agents are traders now. They’re making autonomous decisions that have business impact. And your organization probably treats them like a script that occasionally runs.

The NIST RFI is saying: stop. You need to know who the agent is. What it’s allowed to do. What it actually did. Why. And how to stop it if something goes wrong. Not someday. Now.

What’s Coming Next

The framework papers are due in April. Listening sessions happen in April. NIST will synthesize feedback and begin drafting standards in May and June. By summer, preliminary guidance will exist. Organizations that didn’t prepare in March will scramble in June.

You’re still in the window. Use it.

The next vulnerability lives in your inability to answer a simple question: who authorized this agent to do that?

---

Next in the series: Microsoft Found a New Way to Poison AI Recommendations