What NIST’s AI Agent Security Framework Needs to Get Right — Luminity Digital
Building Defensible Agents  ·  Post 3 of 3
Agentic AI Security  ·  Research Synthesis


Researchers identified 193 threats across nine categories. No existing framework achieves majority coverage in any single one. The NIST RFI closed in March 2026 with the field largely agreeing on what good governance requires — and largely not yet having it.

March 2026  ·  Tom M. Gomez  ·  11 Min Read

This is the final post in Building Defensible Agents — the second series in our synthesis of 49+ arXiv publications from Q1 2026 on agentic AI security. Posts 1 through 5 of Series 1 established the attack surface. Series 2 Posts 1 and 2 established why probabilistic defenses are insufficient and what deterministic architectural enforcement achieves when built correctly. This post examines the governance layer: the standards, frameworks, and institutional infrastructure that determines whether the security research reviewed across both series gets deployed consistently and at scale — or remains confined to academic papers while production systems remain unprotected. The primary sources are Security Considerations for Multi-Agent Systems (arXiv:2603.09002), Security Considerations for AI Agents (arXiv:2603.12230), Authenticated Workflows (arXiv:2602.10465), Human Society-Inspired Approaches to Agentic AI Security: The 4C Framework (arXiv:2602.01942), and A Survey of Agentic AI and Cybersecurity (arXiv:2601.05293).

In early March 2026, NIST’s deadline for responses to its Request for Information on AI agent security closed. The RFI had asked the field a direct question: what should a federal framework for securing agentic AI systems address, and how? The responses from the research community — reflected in the papers surveyed for this series — converged on a remarkably consistent set of answers. The field knows what good governance requires. The gap is between knowing and having built it.

That gap is not primarily a technical gap. The two prior posts in this series demonstrated that the technical tools exist: mandatory access control frameworks that achieve 0% attack success, cryptographic authentication layers that achieve 100% recall, policy compilers that raise compliance from 48% to 93%. The gap is a governance gap — the absence of standards that make these tools mandatory, interoperable, and consistently deployed across the organizations and platforms that are building agentic systems right now.

This post maps what the research says a credible governance framework must address, where existing frameworks fall short, and what the 2026 corpus identifies as the most urgent priorities for NIST and the broader standards community.

193

Distinct threats identified across nine categories in a systematic evaluation of multi-agent system security — the most comprehensive threat taxonomy published in the Q1 2026 corpus. The 16 security frameworks evaluated against this taxonomy achieved an average coverage score of 1.231 to 1.340 out of 5 in the two most under-addressed categories: non-determinism and data leakage. No framework achieved majority coverage in any single category. (arXiv:2603.09002)

What the Threat Taxonomy Reveals About Framework Gaps

The Security Considerations for Multi-Agent Systems paper (arXiv:2603.09002) provides the most rigorous baseline for evaluating existing governance frameworks against the actual threat landscape. Its nine-category taxonomy covers: prompt injection, data leakage, privilege escalation, agent identity spoofing, supply chain compromise, memory poisoning, non-deterministic behavior, tool misuse, and cross-agent trust exploitation.

The evaluation of 16 frameworks — including OWASP’s Agentic Security Initiative, NIST AI RMF, MITRE ATLAS, MAESTRO, ISO 42001, the CSA Agentic Trust Framework, and several vendor-published frameworks — produces a finding that should anchor every governance discussion: no framework achieves majority coverage of any single threat category. The leading framework, OWASP’s Agentic Security Initiative, reaches 65.3% overall coverage — the highest in the evaluation — but even this figure means that more than a third of identified threats have no corresponding control guidance.

The two lowest-scoring domains tell a particularly important story. Non-determinism — the property that makes agentic systems fundamentally different from traditional software, and that underlies both the Viral Agent Loop failures documented in Series 1 and the defense trilemma documented in Post 1 of this series — scores an average of 1.231 out of 5 across all frameworks. Data leakage — the domain responsible for the 60% multi-agent exposure increase documented in Series 1, Post 5 — scores 1.340. The field has produced extensive guidance on prompt injection and supply chain risks. It has produced almost nothing on the two threat categories most distinctive to agentic systems.

Why Non-Determinism Is the Hardest Governance Problem

Traditional software security governance is built around deterministic systems. A penetration test maps what a system does when given specific inputs. A compliance audit checks whether required controls are in place and functioning. An incident response playbook follows a defined decision tree. All of these assume that the system’s behavior is predictable and auditable.

Agentic systems are neither. The same input, given to the same agent in the same configuration, can produce different actions depending on context that was generated by prior interactions — context that itself was generated non-deterministically. Governing the security of a system whose execution path cannot be fully predetermined requires frameworks that have never existed before. The 1.231/5 average score in the non-determinism category reflects not a lack of effort but a genuine absence of the conceptual tools required to address it.

What Good Governance Infrastructure Requires

The Security Considerations for AI Agents paper (arXiv:2603.12230) — Perplexity AI’s formal response to the NIST RFI — provides the most direct articulation of what the field is asking for. Its framing around four principal attack surfaces — tools, connectors, hosting boundaries, and multi-agent coordination — maps cleanly onto the technical findings of both series and identifies the governance requirements that follow from each.

Mandatory disclosure of agent capability boundaries

The MCP tool poisoning attacks documented in Series 1, Post 2 succeed partly because agents have no standardized mechanism to verify that a server’s claimed capabilities match its actual constraints. A governance framework that requires capability attestation — cryptographically binding a server’s behavioral constraints to its capability claims in a way that agents can verify — would address this at the infrastructure level. No current framework requires this. SMCP (arXiv:2602.01129) proposed it as a protocol-level solution; adoption requires a standards mandate.
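The check described above, as an added example that is not code from SMCP, the paper, or any real protocol: a registry authority tags a server's capability manifest, and the agent verifies the tag before trusting it and rejects any call outside the attested constraints. The manifest layout, the registry key, and the use of HMAC-SHA256 in place of a real digital signature are all assumptions made so the example runs on the standard library alone.

```python
# Added example (not from the paper, not a real protocol): a minimal capability
# attestation check. The tool server publishes a manifest of per-tool behavioural
# constraints; a registry authority tags it with HMAC-SHA256 (a stand-in for an
# asymmetric signature, chosen only so this runs without third-party libraries).
# The agent verifies the tag, then enforces the constraints bound to the tool.
import hashlib, hmac, json

REGISTRY_KEY = b"constructed-registry-key"  # constructed; real use: asymmetric keys

def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so the tag covers exactly what the agent checks."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def attest(manifest: dict, key: bytes = REGISTRY_KEY) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()

def verify_attestation(manifest: dict, tag: str, key: bytes = REGISTRY_KEY) -> bool:
    return hmac.compare_digest(attest(manifest, key), tag)

def invocation_allowed(manifest: dict, tag: str, tool: str, args: dict) -> bool:
    """Allow a tool call only if the manifest is authentic and the call stays
    inside the constraints attested for that tool."""
    if not verify_attestation(manifest, tag):
        return False                       # tampered or unsigned manifest
    spec = manifest["tools"].get(tool)
    if spec is None:
        return False                       # tool was never attested
    c = spec["constraints"]
    path = args.get("path")
    if path is not None and not any(path.startswith(p) for p in c["path_prefixes"]):
        return False                       # outside the declared filesystem scope
    if args.get("mode", "read") not in c["modes"]:
        return False                       # e.g. a write on a read-only tool
    if args.get("network", False) and not c["network"]:
        return False                       # declared offline, asked to go online
    return True

# Constructed manifest: a read-only, offline document tool scoped to /srv/docs/.
MANIFEST = {
    "server": "docs-server",
    "tools": {"read_file": {"description": "Read a document",
                            "constraints": {"path_prefixes": ["/srv/docs/"],
                                            "modes": ["read"], "network": False}}},
}
MANIFEST_TAG = attest(MANIFEST)
```

A poisoned server that changes its constraints after attestation fails `verify_attestation`, so the agent never consults the altered manifest at all.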

Inter-agent communication audit requirements

The 60% data exposure increase from multi-agent systems documented in Series 1, Post 5 is driven primarily by unmonitored inter-agent communication channels. A governance framework that treats inter-agent communication as a first-class audit surface — requiring logging, classification, and retention for agent-to-agent messages with the same rigor applied to external API calls — would close the monitoring gap that produces the exposure increase. No current framework specifies this requirement.
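The audit requirement described here (and restated as the second of the five asks below), as an added example that is not code from the paper: every agent-to-agent message is classified, given a retention tier, and written as a structured record, and sensitive messages that flow toward a lower-trust agent are flagged. The detector patterns, the agent trust levels, and the retention periods are constructed assumptions.

```python
# Added example, not from the paper: inter-agent messages as a first-class audit
# surface. Each message is classified (constructed regexes for credential-like
# tokens and personal data), assigned a retention tier, and logged as a structured
# record; sensitive content crossing into a lower-trust agent is flagged.
import hashlib, json, re
from datetime import datetime, timezone

# Constructed detectors; a real deployment would plug in its own DLP classifiers.
DETECTORS = {
    "secret": re.compile(r"\b(?:sk|AKIA)[A-Za-z0-9_-]{12,}\b"),
    "pii": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b|\b\d{3}-\d{2}-\d{4}\b"),
}
RETENTION_DAYS = {"secret": 365, "pii": 180, "internal": 30}
AGENT_TRUST = {"planner": 2, "db-agent": 2, "web-browser": 0}  # constructed; lower = less trusted

def classify(text: str) -> str:
    for label in ("secret", "pii"):       # highest sensitivity wins
        if DETECTORS[label].search(text):
            return label
    return "internal"

def audit_message(sender: str, receiver: str, text: str) -> dict:
    """Build the audit record for one inter-agent message. The body is hashed,
    not stored, so the audit log does not itself become a leak."""
    label = classify(text)
    boundary_crossed = AGENT_TRUST.get(receiver, 0) < AGENT_TRUST.get(sender, 0)
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "sender": sender,
        "receiver": receiver,
        "classification": label,
        "retention_days": RETENTION_DAYS[label],
        "body_sha256": hashlib.sha256(text.encode()).hexdigest(),
        "flagged": label != "internal" and boundary_crossed,
    }

def audit_log(messages) -> list:
    """Record a batch of (sender, receiver, text) tuples; return flagged records."""
    records = [audit_message(*m) for m in messages]
    for r in records:
        print(json.dumps(r))              # stand-in for the SIEM / log sink
    return [r for r in records if r["flagged"]]
```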

The CVE Record as Evidence of Governance Failure

The Perplexity NIST response documents two specific CVEs disclosed in early 2026: CVE-2026-25253 and CVE-2026-26327, both OpenClaw platform vulnerabilities. The existence of CVEs in an agent platform is not itself the governance failure — vulnerabilities will always be discovered. The failure is the absence of a standardized vulnerability disclosure and remediation framework for agentic systems. No equivalent of the Common Vulnerability Scoring System exists for agent-specific vulnerabilities. No coordinated disclosure program specifically addresses the novel attack classes agentic systems introduce. The research community is filing CVEs against frameworks designed for traditional software.

Supply chain verification standards for agent skill registries

The ClawHavoc campaign documented in Series 1, Post 3 operated undetected because skill registries have no standardized verification requirement. The SkillFortify framework (arXiv:2603.00195) achieves 96.95% F1 detection with 100% precision — but its deployment is voluntary. A governance framework that mandates behavioral verification as a condition of registry listing, modeled on the gate-based lifecycle governance framework proposed in the agent skills survey (arXiv:2602.12430), would make detection mandatory rather than optional. The technical capability to enforce this requirement exists. The standards mandate does not.

The tools to secure agentic systems exist and perform well. What does not yet exist is the institutional infrastructure to make their use mandatory, consistent, and interoperable across the organizations building these systems. That is the governance gap — and it is what a credible NIST framework must close.

— Synthesis from Security Considerations for Multi-Agent Systems (arXiv:2603.09002) and Security Considerations for AI Agents (arXiv:2603.12230)

What the 4C Framework Adds to the Standards Conversation

The Human Society-Inspired Approaches to Agentic AI Security paper (arXiv:2602.01942) from CSIRO Data61 and UNSW makes the most ambitious governance argument in the corpus. Its 4C Framework — Core, Connection, Cognition, Compliance — draws on the observation that human societies have solved analogous coordination problems through layered institutional structures, and asks what the equivalent structures for agentic AI governance would need to look like.

The argument is not that AI governance should mimic legal systems. It is that the properties those systems provide — accountability, traceability, predictable enforcement, and mechanisms for handling emergent behavior not anticipated by initial rules — are exactly the properties that agentic AI governance needs and that purely technical frameworks cannot provide alone. A mandatory access control policy can enforce defined rules. It cannot anticipate rules that need to exist for attack patterns that have not yet been observed. Governance infrastructure needs both the technical enforcement layer and the institutional layer that can update the rules it enforces.

The Framework Coverage Gap in Practical Terms

The Survey of Agentic AI and Cybersecurity paper (arXiv:2601.05293) provides the broadest synthesis of the governance landscape, covering both offensive amplification risks and defensive capabilities, and identifying three areas where the coverage gap has the most immediate production consequence.

What Existing Frameworks Cover

Prompt Injection, Supply Chain, Data Privacy

OWASP’s LLM Top 10, NIST AI RMF, and MITRE ATLAS collectively provide reasonable coverage of prompt injection attack patterns, supply chain risk categories, and general data privacy requirements. These are the threat categories most analogous to traditional software security and benefit from decades of prior framework development.

This coverage, while imperfect, gives practitioners a starting point for the most well-understood threat categories. It is the floor, not the ceiling.

Partial Coverage · Known Threats
What No Framework Adequately Covers

Non-Determinism, Inter-Agent Channels, Emergent Behavior

Non-deterministic execution paths, unmonitored inter-agent communication, emergent behaviors from agent interactions, capability attestation requirements, and agent identity verification have no meaningful coverage in any evaluated framework. These are the threat categories most distinctive to agentic systems — and the ones with the worst empirical outcomes in the 2026 research.

A framework that does not address these is not governing agentic AI security. It is governing AI security with agentic characteristics removed.

Critical Gaps · Novel Threats

Five Specific Asks for the NIST Framework

Synthesizing the governance-focused papers in the corpus, five specific requirements emerge as the clearest priorities for a NIST framework that would materially improve the security posture of agentic AI deployments.

Capability attestation standards. MCP and analogous agent-tool protocols must include a standardized mechanism for cryptographic capability attestation — binding a server’s behavioral constraints to its capability claims in a form that agents and orchestration layers can verify. This addresses the most structurally significant vulnerability class in Post 2 of Series 1 at the infrastructure level.

Inter-agent communication audit requirements. Governance standards must classify agent-to-agent communication channels as security-critical audit surfaces, requiring the same logging and retention standards applied to external API calls. The 60% multi-agent exposure increase is entirely attributable to the absence of this requirement in current deployments.

Mandatory behavioral verification for skill registries. Any registry distributing agent skills or tools should be required to perform behavioral verification as a condition of listing — not as a best practice but as a compliance requirement. The technical capability exists. The governance mandate does not.

Interaction budget requirements for multi-agent deployments. The Viral Agent Loop failure mode documented in Series 1, Post 4 has no corresponding control guidance in any current framework. A governance standard requiring that multi-agent systems enforce interaction budgets — maximum token consumption, maximum interaction depth, mandatory termination conditions — would address this emergent threat class directly.

Agentic-specific CVE and incident reporting infrastructure. The current CVE framework was not designed for the attack classes agentic systems introduce. A coordinated disclosure program that understands the distinction between a tool poisoning vulnerability and a traditional injection vulnerability, and that routes disclosures to the appropriate remediation parties across the multi-stakeholder agentic ecosystem, is foundational infrastructure that does not yet exist.
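The fourth ask above, interaction budgets, as an added example that is not code from the paper: the budget is enforced by the coordinator, outside the agents, so a runaway exchange terminates regardless of what the agents themselves decide. The two echoing agents, the word-count token estimate, and the `DONE` termination marker are constructed assumptions.

```python
# Added example, not from the paper: an interaction budget enforced by the
# coordinator rather than by the agents. Two constructed agents hand the
# conversation back and forth forever (the runaway loop this control exists to
# stop); every message is charged to the budget and the run is terminated
# deterministically when any limit trips, whatever the agents "decide".
from dataclasses import dataclass

class BudgetExhausted(Exception):
    pass

@dataclass
class InteractionBudget:
    max_tokens: int   # maximum total token consumption for the whole run
    max_depth: int    # maximum number of agent-to-agent handoffs
    tokens_used: int = 0
    depth: int = 0

    def charge(self, text: str) -> None:
        # Whitespace word count stands in for a tokenizer (constructed).
        self.tokens_used += len(text.split())
        self.depth += 1
        if self.tokens_used > self.max_tokens:
            raise BudgetExhausted("token budget exceeded")
        if self.depth > self.max_depth:
            raise BudgetExhausted("interaction depth exceeded")

def echo_agent(name: str):
    # Constructed agent that never finishes: it always asks for more.
    def act(msg: str) -> str:
        return f"{name}: please elaborate on '{msg[-40:]}'"
    return act

def run_dialogue(agents, budget: InteractionBudget, opening: str) -> dict:
    """Alternate turns until an agent signals DONE or the budget trips.
    The returned dict is what the coordinator would write to the audit log."""
    msg, turns = opening, 0
    try:
        while True:                        # unbounded on purpose: the budget bounds it
            msg = agents[turns % len(agents)](msg)
            budget.charge(msg)             # charge before acting on the message
            turns += 1
            if msg.endswith("DONE"):       # the agents' own termination signal
                return {"status": "completed", "turns": turns,
                        "tokens": budget.tokens_used}
    except BudgetExhausted as e:
        return {"status": "terminated", "reason": str(e), "turns": turns,
                "tokens": budget.tokens_used}
```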

The Closing Argument for Both Series

Eight posts across two series have documented where agentic AI breaks and what the research says about building defensible systems. The consistent finding across all eight is that the technical knowledge required to secure agentic AI exists in the 2026 research corpus — empirically validated, reproducibly demonstrated, ready for deployment. What does not yet exist at scale is the governance infrastructure that would make that knowledge mandatory, consistent, and enforceable. That is the work NIST’s framework needs to begin — and the work that practitioners cannot wait for government to complete on their behalf.

Both Series Complete

Eight posts. 49+ arXiv publications. Five attack surfaces mapped, three defense approaches evaluated, one governance gap defined. The full research synthesis is available across both series — Where Agentic AI Breaks and Building Defensible Agents — in the Luminity Digital archive.

Building Defensible Agents  ·  Three-Part Series
Post 1 · Published · Why Probabilistic Defenses Keep Failing
Post 2 · Published · The Case for Deterministic Architectural Enforcement
Post 3 · Now Reading · What NIST’s AI Agent Security Framework Needs to Get Right