One tech security team found 600 AI agents running in its own systems last quarter. Security had approved almost none of them. The auditor's call is coming, and most CISOs can't answer the first question yet.
## Key takeaways
- One tech security team counted 600 AI agents running in its own systems last quarter. Security had approved almost none of them.
- NIST launched the AI Agent Standards Initiative in February 2026. The public comment window closed April 2. Federal regulators are now drawing a line.
- Broadridge Financial took 40 AI agent client deployments live with full action records wired in from day one. Autonomy is acceptable only when it's traceable.
- The Agentic Trust Framework (published by Cloud Security Alliance, February 2026) turns audit prep into five questions: identity, behavior, data flow, blast radius, kill switch.
- Two moves get you most of the way before Friday: pull the actual list of AI agents in your business, and assign one human owner to each.
## Why are auditors suddenly asking about AI agents?
Auditors are asking because regulators started asking first. NIST's Center for AI Standards and Innovation launched the AI Agent Standards Initiative in February 2026. The framework is built around agent identity and authorization. Public comments closed April 2. Boards read those signals and route them down to the audit committee, which routes them to the CISO.
I had this conversation with a Fortune 500 CISO at RSAC in April. Three of his teams were running AI agents. He couldn't name who owned any of them.
He wasn't worried about a breach. He was worried about the phone call. An auditor first, then the board. The only honest answer he had ready was a list of things he didn't know:
- Who turned the agents on
- What data they touch
- What they can do without a human signing off
- Who shuts them down when they break
Security teams have a playbook for a breach. Nobody's handed them one for this.
## What changed in the last 90 days?
The window for treating this as a future governance topic closed between February and May 2026. Three things moved at once: federal standards, real production deployments at scale, and CSA's public framework. Together they shifted AI agent governance from a roadmap item to an audit item.
In February, NIST launched the AI Agent Standards Initiative. It's the first federal program built specifically for autonomous AI. The public comment window closed April 2. That's a regulator drawing a line on the floor.
Last week, Broadridge Financial said its AI agents are live across trading and wealth management. Forty client deployments. Millions of transactions a month. The agents find problems and fix them on their own.
The part underneath the headline counts more. Broadridge built a system that keeps each agent boxed into its job, with a full record of every action wired in from day one. Tight scope, clean data, complete trail.
Autonomy is only acceptable when it's traceable. That's the new bar.
## What are the five questions your auditor will ask?
The Agentic Trust Framework reduces the audit to five questions. I laid it out in my book, Agentic AI + Zero Trust. Cloud Security Alliance published the framework in February 2026. If you can't map your AI program to these five, you don't have an audit answer yet.
Who is it? Every agent has its own identity, tied to a named owner. Not a service account. Not the IT team. A specific person whose name you can say out loud.
What is it doing? You know what normal looks like, and you get an alert when it shifts. Quick check: pull the last 30 days of API calls for one agent. If you can't draw a flat baseline, you don't know what normal is yet.
What is it using? You check what goes in and what comes out, every time. Inputs and outputs both. Most teams check one and skip the other.
Where can it go? If one agent breaks, the damage stays small. This is the blast radius question. An agent with read access to one folder is not the same as an agent with write access to the whole drive.
What if it goes rogue? You can stop it fast and get back to a clean state. The kill switch has to work. Most don't, because most teams have never tested theirs.
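The quick check under "What is it doing?" can be scripted. The following is an added example, not code from the Agentic Trust Framework or the author: it builds a 30-day baseline for one agent from a constructed call log and flags volume spikes and endpoints never seen before. The endpoint names, the 10% flatness tolerance, the 21-day learning window and the median/MAD method are assumptions.

```python
from collections import Counter
from statistics import median

def build_sample_log():
    """Constructed sample: one (day, endpoint) tuple per API call for one agent."""
    calls = []
    for day in range(1, 31):
        calls += [(day, "GET /invoices")] * (100 + day % 5)  # steady daily work
        calls += [(day, "POST /tickets")] * 10
    calls += [(27, "GET /invoices")] * 400   # constructed volume spike
    calls += [(29, "DELETE /users")] * 3     # constructed never-seen endpoint
    return calls

def daily_counts(calls, days=30):
    per_day = Counter(day for day, _ in calls)
    return [per_day.get(d, 0) for d in range(1, days + 1)]

def baseline(counts):
    """Median and median absolute deviation: robust to the outliers being hunted."""
    med = median(counts)
    mad = median(abs(c - med) for c in counts)
    return med, mad

def is_flat(counts, tolerance=0.10):
    """Flat = typical daily spread within `tolerance` of the median (assumed threshold)."""
    med, mad = baseline(counts)
    return med > 0 and mad / med <= tolerance

def volume_anomalies(counts, k=6.0):
    """Days whose call volume sits more than k spreads away from the median."""
    med, mad = baseline(counts)
    spread = max(mad, 1.0)  # floor so a perfectly steady agent does not alert on +1 call
    return [day for day, c in enumerate(counts, start=1) if abs(c - med) > k * spread]

def new_endpoints(calls, learn_days=21):
    """Endpoints first used after the learning window: a change in what the agent does."""
    known = {ep for day, ep in calls if day <= learn_days}
    return sorted({(day, ep) for day, ep in calls if day > learn_days and ep not in known})

if __name__ == "__main__":
    log = build_sample_log()
    counts = daily_counts(log)
    print("baseline (median, MAD):", baseline(counts), "flat:", is_flat(counts))
    print("volume anomalies on days:", volume_anomalies(counts))
    print("new endpoints:", new_endpoints(log))
```

Volume alone misses the three `DELETE /users` calls on day 29, which is why the sketch tracks the set of endpoints as well as the count.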
## How does Zero Trust apply to AI agents?
Zero Trust continuously verifies the connection: identity, device, posture, behavior. That's still the right foundation. It just doesn't inspect the meaning of what's moving through a verified channel. A prompt injection rides inside a fully trusted session.
Agents also don't need to move laterally the way an attacker does. The privileges are already granted at provisioning. The lateral movement problem gets replaced by an over-privileged-at-rest problem.
So Zero Trust is necessary for AI agents. It's not sufficient. The Agentic Trust Framework extends Zero Trust to cover what agents actually do: act on semantic intent, carry persistent memory, chain tools together. Verification has to happen at the action level, not just the connection level.
## What can you do this week to prepare?
You don't need a project to start. You need an afternoon. Two moves get you most of the way.
Pull the list. Name every AI agent running in your business right now. Not the approved list. The actual list. Ask IT and your business teams separately. The difference between the two answers tells you how big your shadow AI problem is.
Assign owners. For every agent, name one person who'll be accountable when something goes wrong. Not the vendor. Not the platform team. Someone on your team.
A CISO at a regulated bank said it best last month: "Most teams don't fear the agents doing nothing. They fear not being able to prove what they did."
By Friday you'll have a one-page list of every AI agent in your business and the name of the human accountable for it. That's the first thing an auditor will ask for. It's the answer most CISOs can't give yet.
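One way to produce that one-page list from the two separately collected answers, as an added example that is not the author's or the framework's own code. The agent names, people, field names and staff directory are constructed, and treating "reported by a business team but not by IT" as shadow AI is an assumption drawn from the comparison described above.

```python
# Constructed sample data: every agent name, person and field is hypothetical.
IT_LIST = [
    {"agent": "invoice-triage", "owner": "Dana Ruiz"},
    {"agent": "helpdesk-bot", "owner": "platform-team"},
]
BUSINESS_LIST = [
    {"agent": "Invoice-Triage ", "owner": "Dana Ruiz"},
    {"agent": "sales-email-drafter", "owner": ""},
    {"agent": "contract-summarizer", "owner": "VendorCo"},
]
STAFF = {"Dana Ruiz", "Lee Okafor"}  # named employees, e.g. from an HR export

def norm(name):
    return name.strip().lower()

def reconcile(it_list, business_list, staff):
    """Merge both answers into one row per agent, with shadow and ownership status."""
    it_names = {norm(row["agent"]) for row in it_list}
    merged = {}
    for rows in (it_list, business_list):
        for row in rows:
            owners = merged.setdefault(norm(row["agent"]), set())
            if row["owner"].strip():
                owners.add(row["owner"].strip())
    report = []
    for agent in sorted(merged):
        named = sorted(o for o in merged[agent] if o in staff)
        if len(named) == 1:
            status = "ok"
        elif len(named) > 1:
            status = "more than one owner"
        elif merged[agent]:
            status = "owner is not a named person"  # team, vendor or service account
        else:
            status = "no owner"
        report.append({
            "agent": agent,
            "shadow": agent not in it_names,  # business teams know it, IT does not
            "owner": named[0] if len(named) == 1 else None,
            "owner_status": status,
        })
    return report

def shadow_count(report):
    return sum(1 for row in report if row["shadow"])

if __name__ == "__main__":
    for row in reconcile(IT_LIST, BUSINESS_LIST, STAFF):
        print(row)
```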
## What's in this week's Trusted Agents?
The blog post stops here. The full briefing in this week's Trusted Agents goes deeper:
- The complete afternoon audit, all five steps, including the kill-switch test and the 30-minute reconstruction test.
- Why the teams getting the most out of AI agents are the ones handing them the least capability, and what that does to performance.
- Where Zero Trust breaks down with AI agents, and the specific controls that fill the gaps.
Trusted Agents is my weekly newsletter on AI agent security for business leaders. Subscribe at trustedagent.substack.com.
## Frequently asked questions
Who actually audits AI agents in 2026?
Internal audit, SOC 2 auditors, financial regulators, and (for some industries) sector-specific bodies. NIST's AI Agent Standards Initiative gives federal auditors a reference point. Most audits in 2026 still piggyback on existing IT and access control audits, but the questions are now AI-specific.
Is shadow AI the same as shadow IT?
It's the same pattern, faster. Shadow IT took years to spread. Shadow AI moves in weeks because anyone with a credit card can spin up an agent. One tech security team found 600 AI agents running internally last quarter that security never approved. That's the new baseline.
What's the difference between AI governance and AI compliance?
Governance is the system you run on yourself. Compliance is what you can prove to someone else. The Agentic Trust Framework is built so the same five answers cover both. If you can answer the five questions, you've got governance, and you've got an audit response.
Do we need a separate AI risk officer?
Not yet for most companies. Pick a named human owner per agent first. That's the answer to the auditor's first question. The org chart can catch up later.
How does the Agentic Trust Framework relate to NIST?
The Agentic Trust Framework is a CSA-published industry framework focused on agent-specific controls: identity, behavior, data flow, blast radius, kill switch. NIST's AI Agent Standards Initiative is a federal effort that overlaps on identity and authorization. The two work together. ATF is more operational, NIST is more foundational.
Where do I start if I have zero AI agent governance today?
Pull the list of agents your team is running. Assign one human owner per agent. Do both before Friday. That's the floor. Everything else builds on top of those two facts.
Joshua Woodruff is the author of Agentic AI + Zero Trust (foreword by John Kindervag, founder of Zero Trust). The Agentic Trust Framework was published by the Cloud Security Alliance in February 2026.
