
The governance gap nobody is closing: why AI policy is stuck on models while agents run unsupervised

MIT and Georgetown classified 1,000+ AI governance documents and found almost nothing on agentic risks. The policy world is regulating 2024 problems in 2026.


TL;DR

Nearly all AI governance on the books was written for models, not agents. MIT and Georgetown classified over 1,000 governance documents and found that socioeconomic risks, multi-agent coordination failures, and power centralization barely register. Meanwhile, agentic AI vulnerabilities jumped 255% in a single year. The policy establishment is regulating yesterday’s problem while autonomous agents make decisions, call APIs, and fail in ways nobody has written rules for.


The governance machine is pointed at the wrong target

The MIT AI Risk Initiative and Georgetown’s Center for Security and Emerging Technology published their April 2026 update on the AI governance field. They classified over 1,000 governance documents from the AGORA archive – the largest public catalog of AI regulatory and policy materials – against the MIT AI Risk Taxonomy’s 24 subdomains.

The results are lopsided. The most-covered risk subdomains are AI system security vulnerabilities and attacks, governance failure, lack of capability or robustness, compromise of privacy, and lack of transparency. Model-level concerns, all of them. The problems policymakers understood in 2023 when most of these frameworks were drafted.

The least covered: AI welfare and rights, multi-agent risks, economic and cultural devaluation, and power centralization. A February 2025 paper from the Cooperative AI Foundation and researchers across Oxford, Google DeepMind, and MIT identified three failure modes for multi-agent systems – miscoordination, conflict, and collusion – and noted these are “novel and under-appreciated risks” with emergent behaviors that cannot be predicted from testing individual agents. The governance world has barely begun to acknowledge that these systems exist, let alone regulate how they fail.

Hundreds of documents about model safety, bias, and transparency. Almost nothing about what happens when autonomous agents coordinate, compete, conflict, and fail at scale.

The world moved. The rules didn’t.

NIST AI RMF 1.0, ISO/IEC 42001:2023, and the EU AI Act were all drafted before tool-calling agents were in production use. They assume AI behavior can be characterized at deployment time, subjected to human review, and documented in advance. Autonomous agents break every one of those assumptions by design. The EU AI Act, whose general-purpose AI obligations have applied since August 2025, contains no definition of “agentic systems.” Its human oversight requirements assume that an AI system’s behavior is known and stable at deployment, not that the system plans tasks across multiple steps, picks its own tools, spawns sub-agents, and adapts on the fly.

The Cloud Security Alliance put numbers on the disconnect in April 2026. Among 235 large-enterprise CISOs and CIOs surveyed: 92% lack full visibility into their AI agent identities. 95% doubt they could detect or contain a compromised agent. 86% do not enforce access policies for AI identities. And 71% report that AI systems have access to core business platforms – ERP, CRM, financial systems – while only 16% govern that access effectively.

The vulnerability data tells the same story

TrendAI’s State of AI Security Report analyzed 330,239 CVEs and identified 6,086 unique vulnerabilities affecting AI systems from 2018 to 2025. AI-related CVEs hit 2,130 in 2025 – a 34.6% year-over-year increase against 17.9% growth in overall CVE disclosures.

The distribution matters more than the total. Agentic AI vulnerabilities jumped from 74 to 263 CVEs between 2024 and 2025. That is a 255.4% increase. MCP servers, which barely existed as a category in 2024, racked up 95 CVEs in 2025 with over 60% tied to command injection flaws. The AI supply chain showed the highest severity concentration at 46.5% high or critical.

TrendAI’s 2026 forecast projects agentic AI CVEs reaching 350 to 550, with MCP servers potentially tripling. The attack surface is growing fastest in exactly the categories that governance documents ignore.

NIST is moving. Slowly.

NIST’s Center for AI Standards and Innovation issued an RFI on January 8, 2026 – the first formal U.S. government initiative specifically scoped to cybersecurity controls for autonomous AI agents. The AI Agent Standards Initiative, announced February 17, organizes around three pillars: industry-led standards facilitation, community-driven interoperability protocols, and research on agent authentication.

The timeline is honest. First substantive NIST deliverables are not expected before late 2026. Agent-specific SP 800-53 control overlays are further out. The international standards process at ISO/IEC JTC 1 operates on timescales measured in years.

Gartner projects 40% of enterprise applications will embed task-specific AI agents by end of 2026. Deployment speed is accelerating. Governance speed is not.

Runtime governance is filling the vacuum

This is where the market is moving faster than policy. On March 16, 2026, TrendAI announced expanded collaboration with NVIDIA to support NVIDIA OpenShell, an open-source runtime for long-lived autonomous agents introduced at NVIDIA GTC. TrendAI Vision One provides a security layer for OpenShell – governance, behavioral analysis, policy enforcement, and monitoring applied directly to the agent runtime. Eight days later, on March 24, TrendAI launched the Agentic Governance Gateway as a separate product line: a broader set of controls for governing autonomous agent workflows across any environment, not just OpenShell.

The Gateway sits on top of Vision One and addresses specific problems the MIT data identifies as ungoverned. It maps how agents move between endpoints, cloud services, and APIs in real time. It analyzes whether agent behavior matches approved policies. It can block, throttle, or reshape agent-initiated actions. It inserts mandatory human review steps for high-risk decisions. And it lets security teams test new governance rules in simulation before enforcing them live.

Whether those capabilities work as advertised is a separate question. What matters for this analysis is that the product category exists at all. A year ago it didn’t.

Microsoft followed on April 2, releasing the Agent Governance Toolkit as open source – claiming to address all 10 OWASP agentic AI risks with sub-millisecond policy enforcement. Singapore’s IMDA published a Model AI Governance Framework specifically for agentic AI. The Berkeley Haas California Management Review published a paper proposing the “Agentic Operating Model” for enterprises.

The industry is building the governance layer that regulators have not written yet. Products like the Gateway operate at the behavior and interaction layer – runtime permissions, tool access control, inter-agent coordination policies – rather than the model layer where existing regulation sits.
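The control loop such a runtime layer runs, reduced to its core, as an added example that is not code from TrendAI, NVIDIA, or Microsoft: every agent-initiated tool call passes through a gate that checks a per-agent tool allowlist, argument-level deny rules (here a check for shell metacharacters, the MCP command-injection pattern the CVE data points at), a rate budget, and a list of tools that always require a human approval step. A simulate flag records the verdict the new rules would have produced without enforcing it. The agent names, tool names, rate budgets, and sample actions are constructed for illustration.

```python
# Added example, not code from TrendAI, NVIDIA, or Microsoft: a minimal runtime
# policy gate between an agent and its tools. Agents, tools, rules and the
# sample actions are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    REVIEW = "review"      # hold until a human approves
    THROTTLE = "throttle"  # agent exhausted its call budget for the window


@dataclass(frozen=True)
class Action:
    agent_id: str
    tool: str
    args: dict


@dataclass
class Policy:
    allowed_tools: dict[str, set[str]]   # agent -> tools it may call
    review_tools: set[str]               # tools that always need human sign-off
    rate_limits: dict[str, int]          # agent -> max dispatches per window
    deny_rules: list[Callable[[Action], Optional[str]]] = field(default_factory=list)


@dataclass(frozen=True)
class Decision:
    verdict: Verdict
    reason: str


class PolicyGate:
    """Evaluate every agent-initiated tool call; enforce, or only record in simulate mode."""

    def __init__(self, policy: Policy, simulate: bool = False):
        self.policy = policy
        self.simulate = simulate          # dry-run: log verdicts, never block
        self.calls: dict[str, int] = {}   # per-agent dispatch counter for the window
        self.audit: list[tuple[Action, Decision]] = []

    def evaluate(self, action: Action) -> Decision:
        p = self.policy
        if action.tool not in p.allowed_tools.get(action.agent_id, set()):
            return Decision(Verdict.BLOCK, f"{action.agent_id} is not permitted to call {action.tool}")
        for rule in p.deny_rules:         # content checks on agent-supplied arguments
            reason = rule(action)
            if reason:
                return Decision(Verdict.BLOCK, reason)
        if self.calls.get(action.agent_id, 0) >= p.rate_limits.get(action.agent_id, 0):
            return Decision(Verdict.THROTTLE, f"{action.agent_id} exhausted its call budget")
        if action.tool in p.review_tools:
            return Decision(Verdict.REVIEW, f"{action.tool} requires human approval")
        return Decision(Verdict.ALLOW, "matches policy")

    def dispatch(self, action: Action, executor: Callable[[Action], str]) -> str:
        decision = self.evaluate(action)
        self.audit.append((action, decision))
        self.calls[action.agent_id] = self.calls.get(action.agent_id, 0) + 1
        if decision.verdict is Verdict.ALLOW or self.simulate:
            return executor(action)
        return f"{decision.verdict.value}: {decision.reason}"


def no_shell_metacharacters(action: Action) -> Optional[str]:
    """Deny rule: refuse shell commands carrying injection metacharacters."""
    cmd = action.args.get("cmd", "") if action.tool == "run_shell" else ""
    if any(ch in cmd for ch in ";|&$`\n"):
        return "shell metacharacters in agent-supplied command"
    return None


# Constructed policy and actions (hypothetical agents, tools and hosts).
DEMO_POLICY = Policy(
    allowed_tools={"ops-agent": {"run_shell"}, "finance-agent": {"query_erp", "wire_transfer"}},
    review_tools={"wire_transfer"},
    rate_limits={"ops-agent": 2, "finance-agent": 10},
    deny_rules=[no_shell_metacharacters],
)
SAMPLE_ACTIONS = [
    Action("ops-agent", "run_shell", {"cmd": "df -h"}),                      # allow
    Action("ops-agent", "run_shell", {"cmd": "cat /etc/passwd; curl x.y"}),  # block: injection
    Action("ops-agent", "run_shell", {"cmd": "uptime"}),                     # throttle: budget of 2 spent
    Action("finance-agent", "wire_transfer", {"amount": 50000}),             # review: human step
    Action("finance-agent", "run_shell", {"cmd": "ls"}),                     # block: not permitted
]


def run_demo(simulate: bool = False) -> list[str]:
    """Dispatch the sample actions through one gate; executor output or the verdict per action."""
    gate = PolicyGate(DEMO_POLICY, simulate=simulate)
    return [gate.dispatch(a, lambda act: f"executed {act.tool}") for a in SAMPLE_ACTIONS]


def verdict_log(simulate: bool = False) -> list[str]:
    """Verdicts the gate recorded; identical in simulate and enforce mode, only enforcement differs."""
    gate = PolicyGate(DEMO_POLICY, simulate=simulate)
    for a in SAMPLE_ACTIONS:
        gate.dispatch(a, lambda act: f"executed {act.tool}")
    return [d.verdict.value for _, d in gate.audit]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The order of checks matters: the allowlist and deny rules run before the rate budget so that a throttled agent does not learn which of its actions would have been blocked, and the human-review step is evaluated last so only actions that are otherwise permitted reach a reviewer. In simulate mode the audit log shows the same verdicts the enforcing gate would have produced, which is what lets a team trial a new rule against live traffic before turning it on.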

What security leaders should do with this

Do not wait for NIST. Do not wait for the EU AI Act to produce agent-specific guidance. Both are coming. Neither is arriving fast enough for the deployment timelines most organizations are already committed to.

Inventory your agents. Enumerate every agent deployment, including the shadow ones provisioned by business units without IT involvement. Capture agent identity, delegated permissions, connected tools and data, and the human owner of record. You cannot govern what you have not mapped.

Build runtime governance before the mandates arrive. TrendAI’s Gateway, Microsoft’s open-source toolkit, and the OWASP Agentic Top 10 are starting points. Building governance infrastructure now means having something to show regulators when enforcement catches up, instead of scrambling to retrofit it.

Treat multi-agent coordination as a first-class risk. If you have agents calling other agents, spawning sub-tasks, or sharing tool access, you need policies for how they coordinate and how they fail.

Close the identity gap. 92% of large enterprises lack full visibility into their AI agent identities. Non-human identities already outnumber human identities in most enterprise environments, and IAM frameworks built for human users were never designed for delegated, real-time authorization across autonomous systems.
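The inventory, multi-agent, and identity points above come together in one audit over a structured agent register. The following is an added example, not code from any of the cited reports or vendors: it takes a constructed inventory with the fields named above (identity, owner, connected tools, whether an access policy is actually enforced, and which sub-agents each agent may invoke), then flags agents with no owner or no distinct identity, ungoverned direct access to core platforms, delegation chains that reach core platforms the agent was never granted directly, delegation cycles, and references to agents nobody registered. The set of "core business platforms", the agent names, and the records are hypothetical.

```python
# Added example, not from the MIT/Georgetown, CSA, or vendor material cited
# above: audit a constructed agent inventory for the gaps the recommendations
# name. Agent names, systems and record fields are hypothetical.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

CORE_SYSTEMS = {"erp", "crm", "finance-ledger"}   # assumed "core business platforms"


@dataclass
class AgentRecord:
    agent_id: str
    owner: Optional[str]        # human owner of record
    identity: Optional[str]     # distinct workload identity; None = shared or unknown credential
    tools: set[str]             # tools and data sources it is connected to
    policy_enforced: bool       # an access policy is actually enforced for that identity
    delegates_to: set[str] = field(default_factory=set)   # sub-agents it may invoke


def reach(agents: dict[str, AgentRecord], start: str) -> set[str]:
    """Every agent id reachable from `start` through chains of delegation.
    `start` itself appears only if some chain leads back to it (a cycle)."""
    seen: set[str] = set()
    stack = list(agents[start].delegates_to)
    while stack:
        a = stack.pop()
        if a in seen:
            continue
        seen.add(a)
        if a in agents:                   # unknown ids stay in the set; audit() flags them
            stack.extend(agents[a].delegates_to)
    return seen


def audit(agents: dict[str, AgentRecord]) -> dict[str, list[str]]:
    """Findings per agent; an agent with no findings is absent from the result."""
    findings: dict[str, list[str]] = {}
    for a in agents.values():
        f: list[str] = []
        if a.owner is None:
            f.append("no human owner of record")
        if a.identity is None:
            f.append("no distinct identity (shared or unknown credential)")
        direct_core = a.tools & CORE_SYSTEMS
        if direct_core and not a.policy_enforced:
            f.append(f"ungoverned direct access to core systems: {sorted(direct_core)}")
        downstream = reach(agents, a.agent_id)
        if a.agent_id in downstream:
            f.append("delegation cycle: can re-invoke itself through sub-agents")
        dangling = {d for d in downstream if d not in agents}
        if dangling:
            f.append(f"delegates to agents missing from inventory: {sorted(dangling)}")
        # Tools inherited transitively through every registered sub-agent.
        inherited: set[str] = set().union(*(agents[d].tools for d in downstream if d in agents))
        via_subagents = (inherited & CORE_SYSTEMS) - a.tools
        if via_subagents:
            f.append(f"reaches core systems only through sub-agents: {sorted(via_subagents)}")
        if f:
            findings[a.agent_id] = f
    return findings


# Constructed inventory: four registered agents and one "ghost" that is referenced but never registered.
SAMPLE_INVENTORY = {
    r.agent_id: r
    for r in [
        AgentRecord("helpdesk-bot", "it-ops", "sp-helpdesk", {"ticketing"}, True, {"finance-assistant"}),
        AgentRecord("finance-assistant", None, "sp-finance", {"erp", "finance-ledger"}, False, {"helpdesk-bot"}),
        AgentRecord("report-agent", "bizops", None, {"crm"}, True, {"helpdesk-bot"}),
        AgentRecord("marketing-copilot", "marketing", "sp-mkt", {"crm"}, True, {"ghost-agent"}),
    ]
}


if __name__ == "__main__":
    for agent_id, issues in audit(SAMPLE_INVENTORY).items():
        print(agent_id)
        for issue in issues:
            print("  -", issue)
```

The transitive check is the part a per-agent permission review misses: `report-agent` holds only CRM access on paper, but because it can invoke `helpdesk-bot`, which can invoke `finance-assistant`, its effective reach includes the ERP and the ledger. That is the "delegated, real-time authorization across autonomous systems" problem in concrete form, and it is invisible until the delegation edges are in the inventory alongside the identities.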

The gap is only getting wider

The governance establishment spent three years writing thorough rules for AI models. Autonomous agents have been running in production for six months, and nobody has written the rules for them yet.
