AI & Cybersecurity · 7 min read

Deploying AI Agents: A Security-First Implementation Framework

By Dritan Saliovski

The gap between AI agent adoption and AI agent security is the defining enterprise risk of 2026. Cisco's State of AI Security report found that while most organizations planned to deploy agentic AI, only 29% reported being prepared to secure those deployments. This piece provides a practical framework for deploying AI agents with appropriate controls - structured around six domains that map to existing compliance obligations while addressing the specific risks agents introduce.

This framework builds on the risk landscape covered in our analysis of enterprise AI agent security risks and the security distinctions between agents and chatbots. For organizations still evaluating whether and how to adopt AI agents, start with our business leader's guide to AI agents.

Key Takeaways

  • Six security domains govern AI agent deployment: access control, data classification, monitoring, supply chain integrity, human oversight, and incident response
  • Least privilege and just-in-time permissions together form the single most impactful control - most agent compromises exploit over-permissioned access
  • Every agent tool call, data access, and action should be logged; without observability, incident response is impossible
  • Existing frameworks (ISO 27001, NIS2, DORA) cover foundational controls but do not explicitly address autonomous AI systems - targeted extensions are required
  • NIST's January 2026 RFI on AI agent security received 932 comments, indicating regulatory guidance is forthcoming but not yet enforceable
  • Organizations should classify agents by risk tier based on data access and action authority, then apply controls proportionally

29% - Of organizations prepared to secure agentic AI deployments (Cisco, 2026)
932 - Comments received on NIST's AI agent security RFI (Federal Register, 2026)
~60% - Of agent-specific risks covered by existing ISO 27001 controls (Framework analysis)

The Framework: Six Domains

This framework is not a replacement for existing security programs. It is a targeted extension - a set of agent-specific controls that layer onto whatever compliance baseline your organization already maintains. If you hold ISO 27001 certification, these controls fill the gaps that ISO does not address. If you operate under NIS2 or DORA, these controls address the specific risks that autonomous AI systems introduce within your existing regulatory obligations.

Domain 1 - Access Control and Permission Scoping

The principle: every agent should have access to only the resources required for its specific task, for only the duration of that task.

Most current deployments violate this principle. An agent configured to summarize meeting notes should not have access to the entire shared drive. An agent processing expense reports should not be able to read HR files. An agent drafting email responses should not have write access to the CRM.

Implement least-privilege access by default. Define the minimum set of files, folders, APIs, and systems each agent task requires. Use just-in-time permission grants - access is enabled at task start and revoked at task completion. Avoid persistent broad-scope permissions, even for frequently used agents.

For organizations with ISO 27001 certification, this aligns with Annex A controls on access management (A.9) but requires extension to cover non-human autonomous actors. ISO's access control framework assumes human-initiated access requests with defined approval workflows. Agents request access programmatically and dynamically - the approval and scoping process must be automated to match.
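The automated grant-and-revoke flow described above, as an added example (not code from the article or from any agent platform): a small permission broker that issues a task-scoped, time-boxed grant, checks every action against it, revokes it at task completion, and records each decision. The agent, task and resource names are constructed for illustration.

```python
# Added example (not the article's own code): a minimal just-in-time permission
# broker. Agent, task and resource names are constructed for illustration.
import posixpath
import time
from dataclasses import dataclass

@dataclass
class Grant:
    agent: str
    task: str
    resources: frozenset   # exact paths, or directory prefixes ending in "/"
    actions: frozenset     # e.g. {"read"} or {"read", "write"}
    expires_at: float      # epoch seconds; the grant is dead after this
    revoked: bool = False

class PermissionBroker:
    """Issues task-scoped, time-boxed grants and checks every action against them."""
    def __init__(self):
        self._grants = {}   # (agent, task) -> Grant
        self.audit = []     # every allow/deny decision, feeding Domain 3 logging

    def grant(self, agent, task, resources, actions, ttl_seconds, now=None):
        now = time.time() if now is None else now
        g = Grant(agent, task, frozenset(resources), frozenset(actions), now + ttl_seconds)
        self._grants[(agent, task)] = g   # replaces any earlier grant for this task
        return g

    def revoke(self, agent, task):
        """Called at task completion so no broad-scope access persists."""
        g = self._grants.get((agent, task))
        if g is not None:
            g.revoked = True

    def check(self, agent, task, action, resource, now=None):
        """Return True only if a live grant covers this action on this resource."""
        now = time.time() if now is None else now
        resource = posixpath.normpath(resource)   # collapse "../" before matching
        g = self._grants.get((agent, task))
        allowed = (g is not None and not g.revoked and now < g.expires_at
                   and action in g.actions
                   and any(resource == r or (r.endswith("/") and resource.startswith(r))
                           for r in g.resources))
        self.audit.append({"ts": now, "agent": agent, "task": task, "action": action,
                           "resource": resource, "allowed": allowed})
        return allowed
```

The meeting-notes summarizer from the text gets read access to one folder for ten minutes; a read of an HR file, a write, a path-traversal attempt, an expired grant and a revoked grant are all denied and logged.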

Domain 2 - Data Classification Before Agent Exposure

Before any agent touches organizational data, that data needs to be classified. Not every document in a folder carries the same sensitivity. Client financials, employee records, legal correspondence, and strategic plans should not be accessible to an agent running a routine file organization task.

Establish a tiered data classification scheme if one does not exist: public, internal, confidential, restricted. Map agent tasks to the minimum classification tier required. Agents handling restricted data should operate under stricter controls - human approval for each action, enhanced logging, and limited session duration.

For organizations subject to GDPR, agent processing of personal data constitutes automated processing and may require a Data Protection Impact Assessment depending on the nature and scale of the data involved. For NIS2-regulated entities, data classification feeds directly into the risk analysis strategies required under the Act's ten minimum security measures. Our guide to Sweden's Cybersecurity Act 2025 covers the specific NIS2 implementation requirements for Nordic organizations.

For a broader perspective on AI data governance as an extension of existing enterprise frameworks, see our analysis on AI data governance.

Domain 3 - Monitoring, Logging, and Observability

If you cannot see what an agent does, you cannot secure it. This is the most critical control gap in current deployments - over half of deployed agents operate without consistent security oversight or logging.

Every agent session should produce a complete audit trail: which files were accessed, which tools were called, which APIs were queried, which actions were taken, and what data was transmitted. This audit trail must be accessible to security teams and integrated into existing SIEM or log management infrastructure.

Runtime monitoring should flag anomalous behavior: an agent accessing files outside its expected scope, making API calls to unexpected endpoints, or performing actions inconsistent with its assigned task. These anomaly detection patterns are new - they require agent-specific detection rules that most security operations centers do not yet have.

Anthropic's own documentation for Cowork notes that Cowork activity is not captured in audit logs, compliance APIs, or data exports. For enterprise environments with compliance obligations, this is a material limitation. Until agent platforms provide enterprise-grade audit logging, organizations should implement wrapper monitoring at the network and file system level.
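The agent-specific detection rules the section calls for, as an added example (not code from the article or from any SIEM product): a per-agent expected-behaviour profile and a detector run over constructed JSON-lines audit records, flagging file access outside scope, unexpected tools and endpoints, bulk reads within a session, and agents that were never inventoried. The record fields, the profile and the log contents are assumptions for illustration.

```python
# Added example (not the article's own code): agent-specific detection rules over
# constructed JSON-lines audit records. Field names and log contents are assumed.
import json
from collections import Counter

# Expected-behaviour profile per agent, derived from its task scoping (Domain 1).
PROFILES = {
    "notes-summarizer": {
        "file_prefixes": ("shared/meetings/",),
        "tools": {"read_file", "summarize"},
        "endpoints": {"api.llm-provider.example"},
    },
}
BULK_READ_THRESHOLD = 2   # deliberately low so the small sample below trips it

SAMPLE_LOG = """\
{"ts": 1, "agent": "notes-summarizer", "session": "s1", "event": "tool_call", "target": "read_file", "arg": "shared/meetings/2026-03-standup.md"}
{"ts": 2, "agent": "notes-summarizer", "session": "s1", "event": "tool_call", "target": "read_file", "arg": "shared/hr/salaries.xlsx"}
{"ts": 3, "agent": "notes-summarizer", "session": "s1", "event": "http", "target": "api.llm-provider.example", "arg": "/v1/complete"}
{"ts": 4, "agent": "notes-summarizer", "session": "s1", "event": "http", "target": "paste.example.net", "arg": "/upload"}
{"ts": 5, "agent": "notes-summarizer", "session": "s1", "event": "tool_call", "target": "send_email", "arg": "ceo@example.com"}
{"ts": 6, "agent": "notes-summarizer", "session": "s1", "event": "tool_call", "target": "read_file", "arg": "shared/meetings/2026-02-retro.md"}
"""

def detect(log_text):
    """Return (rule, session, detail) tuples for behaviour outside the agent's profile."""
    findings, reads = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        prof = PROFILES.get(rec["agent"])
        if prof is None:                      # an agent nobody inventoried
            findings.append(("unknown_agent", rec["session"], rec["agent"]))
            continue
        if rec["event"] == "tool_call":
            if rec["target"] not in prof["tools"]:
                findings.append(("unexpected_tool", rec["session"], rec["target"]))
            elif rec["target"] == "read_file":
                reads[rec["session"]] += 1
                if not rec["arg"].startswith(prof["file_prefixes"]):
                    findings.append(("file_outside_scope", rec["session"], rec["arg"]))
        elif rec["event"] == "http" and rec["target"] not in prof["endpoints"]:
            findings.append(("unexpected_endpoint", rec["session"], rec["target"]))
    for session, n in reads.items():          # volume rule: bulk reads in one session
        if n > BULK_READ_THRESHOLD:
            findings.append(("bulk_file_access", session, f"{n} reads"))
    return findings
```

Each finding carries the session id so the record can be forwarded to the SIEM and later used to reconstruct the session.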

Domain 4 - Supply Chain Integrity

Agents are only as secure as their components. The agent supply chain includes the model provider, the platform (Cowork, Copilot, etc.), connectors (Gmail, Google Drive, DocuSign), MCP servers, plugins, and skills. Each component is a potential point of compromise.

The OpenClaw incident - with over 1,100 confirmed malicious packages in the ecosystem - demonstrated that agent supply chains are actively being targeted. Trend Micro identified 492 MCP servers with no client authentication or traffic encryption. An analysis of over 7,000 MCP servers found 36.7% vulnerable to server-side request forgery.

Vet every connector, plugin, and MCP server before deployment. Use only official connectors from verified providers. Monitor for updates and vulnerability disclosures on agent platform components. For organizations with ISO 27001, this maps to supply chain security controls (A.15) but requires extension to cover the specific supply chain topology of AI agent systems.

Domain 5 - Human Oversight and Approval Gates

Full agent autonomy is appropriate for low-risk routine tasks. It is not appropriate for actions that involve sensitive data, financial transactions, external communications, or irreversible system changes.

Define a tiered approval model. Low-risk tasks (file organization, document formatting, internal summarization) can run with full autonomy after initial task review. Medium-risk tasks (email drafting, data analysis involving confidential information) should require human review before the agent delivers or sends output. High-risk tasks (actions involving restricted data, external communications to clients or regulators, financial transactions) should require explicit human approval at each significant action step.

This is not just a security control - it is an operational quality control. Agents make mistakes. They hallucinate facts, misinterpret instructions, and occasionally produce output that is confidently wrong. Human review gates catch these errors before they reach clients, regulators, or the public.
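The tiered approval model above as an added example (not code from the article or from any agent platform): a classifier that derives the tier from the data classification the task touches and the authority its actions carry, and a gate that runs low-risk tasks unattended, holds medium-risk output for review, and requires a human decision before every step of a high-risk task. The task fields, action kinds and the approver callback are assumptions for illustration.

```python
# Added example (not the article's own code): the tiered approval model as a gate in
# front of an agent's actions. Task fields, action kinds and approver are assumed.
from dataclasses import dataclass
from enum import Enum

class Tier(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass
class Action:
    kind: str      # e.g. "read_file", "draft_email", "send_email", "payment"
    target: str

@dataclass
class Task:
    name: str
    data_class: str   # "public" | "internal" | "confidential" | "restricted"
    actions: list

EXTERNAL = {"send_email", "post_to_portal"}      # leaves the organisation
FINANCIAL = {"payment", "approve_invoice"}
IRREVERSIBLE = {"delete_file", "deploy"}

def classify(task):
    """Risk tier from the data the task touches and the authority its actions carry."""
    kinds = {a.kind for a in task.actions}
    if task.data_class == "restricted" or kinds & (EXTERNAL | FINANCIAL | IRREVERSIBLE):
        return Tier.HIGH
    if task.data_class == "confidential" or "draft_email" in kinds:
        return Tier.MEDIUM
    return Tier.LOW

def run(task, execute, approver):
    """Run task.actions under the gate its tier requires; execute(a) performs an action,
    approver(prompt) is the human and returns True/False. Returns (tier, done, status)."""
    tier, done = classify(task), []
    if tier is Tier.HIGH:                    # explicit approval before each step
        for a in task.actions:
            if not approver(f"{task.name}: allow {a.kind} on {a.target}?"):
                return tier, done, "halted"
            execute(a)
            done.append(a)
        return tier, done, "completed"
    for a in task.actions:                   # LOW and MEDIUM run unattended ...
        execute(a)
        done.append(a)
    if tier is Tier.MEDIUM and not approver(f"{task.name}: release output?"):
        return tier, done, "held"            # ... but MEDIUM output waits for review
    return tier, done, "completed"
```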

For NIS2-regulated entities, management accountability requires that senior leadership approve and supervise cybersecurity measures. Deploying autonomous AI agents without defined human oversight processes could create compliance exposure under the Act's governance requirements.

Domain 6 - Incident Response for Agent Compromise

Your incident response plan needs an agent-specific playbook. The questions that arise when an agent is compromised are different from a traditional endpoint or application breach.

What data did the agent access during the compromised session? Which actions did it take? Did it communicate with external endpoints or other agents? Were any documents modified, emails sent, or API calls made that need to be reviewed or reversed? Can the agent's complete session history be reconstructed?

If logging is in place (Domain 3), these questions are answerable. If logging is not in place, the organization is operating blind - unable to determine the scope of the incident or the remediation required.

Define containment procedures: immediate revocation of agent access, suspension of affected connectors, and isolation of any files or systems the agent accessed. Define investigation procedures: session log review, data access audit, and communication trace. Define notification procedures: if the agent accessed personal data, GDPR breach notification timelines may apply. For organizations that need to strengthen their broader incident response posture, our board briefing on AI-powered cyber threats includes the 12 controls that address the most critical gaps.

Mapping to Existing Compliance Frameworks

For organizations already holding certifications or operating under regulatory obligations, the following mapping identifies where agent-specific controls extend existing requirements.

ISO 27001 covers foundational access control, risk assessment, incident management, and supplier relationships. Agent-specific extensions are required for autonomous actor permission models, agent-specific logging, and AI supply chain components. Estimated coverage of agent-specific risks: approximately 60% - targeted gaps remain in autonomy governance and AI-specific monitoring.

NIS2 / Sweden's Cybersecurity Act covers the ten minimum security measures, incident reporting timelines, and management accountability. Agent-specific extensions are required for classifying agents as in-scope network and information systems, incorporating agent risks into the all-hazards risk assessment, and establishing agent-specific incident reporting triggers. The Act's entity-wide scope means agents operating in any business function - not just the regulated service - fall within the compliance perimeter.

DORA covers ICT risk management, digital operational resilience testing, and third-party provider oversight. Agent-specific extensions are required for classifying agent platform providers as ICT third-party service providers, incorporating agent-specific scenarios into resilience testing, and addressing the agent-specific supply chain (MCP servers, plugins, connectors) within the ICT third-party risk framework.

No current framework explicitly addresses AI agents as a distinct system category. The controls described above are synthesized from existing framework principles applied to the specific risk characteristics of autonomous AI systems. NIST's January 2026 RFI on AI agent security suggests formal guidance is in development, but enforceable standards are at least 12 to 18 months away.

Where to Start

If your organization is deploying or considering AI agents, the immediate priorities are straightforward. Conduct an agent inventory - identify every agent in use, authorized or not. Classify each agent by risk tier based on data access and action authority. Implement least-privilege permissions for all agents. Establish logging and monitoring for agent sessions. Define human approval gates for high-risk actions. And brief your board - AI agent risk belongs on the agenda alongside the cybersecurity risks your organization already governs.

For organizations ready to begin, our setup guide covers the practical steps, and our seven use cases for business leaders identifies where agents deliver the highest value. For the broader risk context, the PE firm's guide to cybersecurity due diligence and the comprehensive guide to cybersecurity due diligence in M&A cover how AI agent security fits into broader transaction and portfolio risk management.

Work With Us

Align Your Agent Deployment With Security Best Practices

Innovaiden works with leadership teams deploying AI agents across their organizations - from initial setup and training to security framework alignment and governance readiness. Reach out to discuss how we can help your team.


Frequently Asked Questions

What are the six security domains for AI agent deployment?

The six domains are: (1) Access control and permission scoping - least privilege and just-in-time permissions for every agent task, (2) Data classification before agent exposure - tiered classification determining what data agents can access, (3) Monitoring, logging, and observability - complete audit trails of every agent action, (4) Supply chain integrity - vetting every connector, plugin, and MCP server, (5) Human oversight and approval gates - tiered approval based on task risk level, (6) Incident response for agent compromise - agent-specific playbooks for containment and investigation.

How does this framework map to ISO 27001?

ISO 27001 covers foundational access control, risk assessment, incident management, and supplier relationships, providing approximately 60% coverage of agent-specific risks. Agent-specific extensions are required for autonomous actor permission models (extending Annex A.9), agent-specific logging, and AI supply chain components (extending Annex A.15). Organizations with ISO 27001 certification can build on their existing controls rather than starting from scratch.

What is the most impactful single control for AI agent security?

Least privilege and just-in-time permissions together form the single most impactful control. Most agent compromises exploit over-permissioned access. Implement access scoped to only the resources required for a specific task, for only the duration of that task. An agent configured to summarize meeting notes should not have access to the entire shared drive. Access should be enabled at task start and revoked at task completion.

When will regulatory guidance on AI agent security become enforceable?

NIST's January 2026 Request for Information on AI agent security received 932 comments, indicating significant industry concern, but enforceable standards are at least 12 to 18 months away. In the interim, organizations should apply existing security principles - least privilege, zero trust, continuous monitoring - to agent deployments proactively. The framework described here synthesizes current best practices from ISO 27001, NIS2, and DORA and extends them to cover agent-specific risks.

Sources

  1. Cisco. State of AI Security 2026. cisco.com. 2026.
  2. Gravitee. State of AI Agent Security 2026. gravitee.io. 2026.
  3. NIST. RFI on AI Agent Security Considerations. federalregister.gov. 2026.
  4. Anthropic. Use Cowork Safely. anthropic.com. 2026.
  5. IBM. AI Agent Security Guidance. ibm.com. 2026.
  6. Trend Micro. MCP Security Analysis. trendmicro.com. 2025.
  7. Check Point Research. Vulnerability Analysis of Claude Code. checkpoint.com. 2026.
  8. Antiy CERT. OpenClaw Supply Chain Analysis. antiy.com. 2026.
  9. HelpNetSecurity. Enterprise AI Agent Security 2026. helpnetsecurity.com. 2026.
  10. OWASP. Top 10 for LLM Applications 2025. owasp.org. 2025.