Press Release

How to Govern AI Agents: A Practical Security Framework

AI agents use tools and take actions on a user’s behalf. They can call APIs, run code, browse the web and move data between services, sometimes with limited human review.

That autonomy creates risk. On May 7, 2026, Microsoft showed how a malicious prompt could lead to host-level remote code execution against an AI agent without a traditional exploit chain.

If your team is reviewing that finding, focus on the RCE exposure: how a prompt moved from instruction to execution, and where controls should have stopped it. The broader lesson is simple: an agent that can act needs the same governance you apply to any privileged identity.

This guide turns high-level guidance into five practical steps: identify the agent, bound its permissions, contain its execution, govern web traffic and measure and respond.

What Governance Means for AI Agents

Security blocks attacks. Compliance proves you met a rule. Governance decides what an agent is allowed to do and holds it accountable over its lifecycle.

The NIST AI Risk Management Framework offers a useful backbone through its Govern, Map, Measure and Manage functions. Its Manage function tells organizations to be able to override, disengage, or deactivate AI systems that behave outside intended use.

Use these functions as a checklist, not paperwork. Every control below maps back to one of them.

Step 1: Identify the Agent

You cannot govern what you cannot see. Start with an agent registry that lists each agent, its owner, its purpose and the systems it touches.

Assign each agent a distinct identity instead of reusing a shared service account. NIST’s NCCoE opened public comment in 2026 on applying identification, authentication and authorization to enterprise AI agents.

Bind each agent to a responsible human principle so every action traces back to a person and a policy.

Step 2: Bound Permissions and Autonomy

Give each agent the least access it needs. Define role-based scopes for tools, data, network reach and session length.

Stage autonomy in tiers. Low-risk actions can run unattended, while sensitive actions require human approval before they proceed.

Excessive agency is a known failure mode. When an agent can call any tool or reach any system, one compromised prompt can cascade into real damage.

Review scopes on a schedule. Permissions granted for a pilot often outlive the pilot and become a quiet risk.

Step 3: Contain Execution and Tool Use

Assume an agent will be manipulated at some point. Run it in a sandbox with no direct network egress and no standing access to secrets.

Enforce complete mediation so every tool call passes through a gate that checks policy before it executes.

Validate outputs before you trust them. Microsoft’s agent safety guidance advises validating and sanitizing LLM outputs before rendering, executing or passing them to sensitive contexts.

New protocols can widen the attack surface. NSA guidance published on May 20, 2026 warns that agent ecosystems built on the Model Context Protocol introduce risks such as serialization issues, trust boundary gaps and agent misuse.

Build a fast kill switch that can suspend an agent and revoke its credentials in seconds, not hours.

Step 4: Govern Web-Facing Agents and LLM Scrapers

Your public sites now face a mix of human visitors, legitimate automation and AI agents. Treating them all the same leaves you exposed.

Set separate policies for search crawlers, AI model crawlers and agentic browsers. Use allow, challenge, limit, charge and block paths depending on intent and risk.

Cloudflare offers AI Crawl Control, which lets site owners block, allow, or charge AI crawlers. In 2025, it announced default blocking of unauthorized AI crawlers with a permission-based access model.

If your organization needs policy-based controls that distinguish humans, legitimate automation and AI agents across public sites, CHEQ is one option to assess. A practical Govern AI Agents approach should focus on entity visibility, authenticity checks, LLM scraping governance and real-time signals to CDN, WAF, IAM, analytics and security tools.

When comparing tools, test whether CHEQ and your surrounding controls can show who is visiting, what that entity is allowed to do, and how enforcement decisions reach downstream systems.

Log and rate-limit web-facing agent traffic so you can spot abuse patterns early.

Step 5: Measure, Monitor and Respond

Keep immutable audit trails that record every tool call and the reason it was made. Monitor agent-to-agent activity, since one agent triggering another can hide the real actor.

Run continuous red teaming against your agents. Track failures by policy, tool and data source so remediation is concrete. This supports the NIST Measure and Manage functions, including the ability to deactivate an agent when behavior deviates from intended use.

Application Checklist

  • Give every agent its own service account and identity
  • Maintain an agent registry with owner and purpose
  • Apply tool whitelists per agent
  • Block direct network egress from the agent container
  • Validate and sanitize outputs before any sensitive action
  • Set human approval thresholds for high-risk tasks
  • Log every tool call with a reason
  • Keep a quarantine procedure that runs in under 60 seconds
  • Separate policies for humans, crawlers, and agents on web surfaces
  • Review permissions and autonomy tiers on a schedule

A 30, 60, 90 Day Roadmap

In the first 30 days, inventory your agents, assign identities and block unverified crawlers on public sites.

By 60 days, define permission tiers, introduce staged autonomy and add output validation gates before sensitive actions.

By 90 days, red team your agents, run a security benchmark and finalize incident runbooks and deactivation procedures. If CHEQ is part of your web governance stack, include its signals and enforcement logs in those exercises.

Regulatory Snapshot

Rules are converging on lifecycle logging, human oversight and cybersecurity. EU AI Act obligations for providers of general-purpose AI models start to apply on August 2, 2026. Map RCE risks to these controls.

FAQ

How should teams start?

Inventory agents, assign owners and gate tool use.

What is the difference between AI agent security and governance?

Security blocks attacks and compliance proves you met a rule. Governance decides what an agent is allowed to do and holds it accountable across its lifecycle, so it sits above both rather than replacing them.

What is the fastest way to reduce AI agent risk?

Give each agent its own identity, hold it to least privilege and run it in a sandbox with no direct network egress. Add a kill switch that can suspend the agent and revoke its credentials in seconds, so one compromised prompt cannot cascade.

Do AI agents fall under the EU AI Act?

They can, especially where they build on general-purpose AI models. Obligations for providers of those models start to apply on August 2, 2026, so map your agent controls to lifecycle logging, human oversight and cybersecurity requirements.

Author

Leave a Reply

Related Articles

Back to top button