The federal government is asking a pointed question that has been quietly unsettling cybersecurity professionals, enterprise software architects, and national security officials alike: What happens when artificial intelligence systems stop merely answering questions and start taking actions on their own?
On January 8, 2026, the National Institute of Standards and Technology (NIST), operating under the Department of Commerce, published a formal Request for Information (RFI) in the Federal Register seeking public comment on the security considerations surrounding AI agents — autonomous or semi-autonomous systems capable of perceiving their environment, making decisions, and executing actions with minimal human oversight. The RFI marks a significant escalation in the government’s effort to get ahead of a technology that is evolving faster than the regulatory frameworks designed to contain it.
From Chatbots to Autonomous Operators: Why Washington Is Paying Attention Now
The distinction between a conventional AI model and an AI agent is not merely academic. A large language model that drafts an email when prompted is one thing. An AI agent that monitors your inbox, decides which messages require responses, drafts those responses, sends them, and then schedules follow-up meetings on your calendar — all without asking permission — is something fundamentally different. The latter category is what NIST is focused on, and the security implications are vast.
According to the Federal Register notice, NIST is specifically interested in understanding how AI agents interact with external tools, APIs, databases, and other AI agents; how they handle authentication and authorization; and what risks emerge when these systems are granted the ability to take consequential actions in the real world. The RFI poses 35 detailed questions organized across several categories, including threat modeling, access control, accountability, and incident response.
The Scope of NIST’s Inquiry: 35 Questions That Reveal Deep Concern
The breadth of NIST’s questions reveals an agency grappling with a technology that defies easy categorization under existing security frameworks. Among the most telling inquiries: How should organizations manage the credentials and permissions granted to AI agents? What mechanisms exist — or should exist — to ensure that an AI agent does not exceed its authorized scope of action? How can organizations maintain meaningful audit trails when an AI agent makes thousands of micro-decisions per hour?
These are not hypothetical concerns. Major technology companies including Microsoft, Google, Salesforce, and a growing roster of startups have spent the past 18 months racing to deploy AI agents in enterprise settings. Microsoft’s Copilot platform has evolved from a productivity assistant into an agent framework capable of executing multi-step business processes. Google’s Gemini-based agents are being embedded into workspace tools with increasing autonomy. Salesforce has branded its agent platform “Agentforce” and is marketing it as a replacement for traditional software workflows. The commercial momentum is enormous, and the security architecture is still being written.
The Authentication Problem: Who — or What — Is Knocking at the Door?
One of the thorniest issues raised by the NIST RFI concerns identity and access management. Traditional cybersecurity models are built around human users. A person logs in with a username, password, and perhaps a second factor of authentication. Their access is governed by role-based permissions. When something goes wrong, there is a human to hold accountable. AI agents shatter this model. They may operate under a human user’s credentials, or they may have their own service accounts. They may interact with dozens of systems in rapid succession, each with its own authentication requirements. The question of who is responsible when an AI agent takes an unauthorized action — or is tricked into taking one — has no settled answer.
The RFI asks respondents to address how “non-human identity” should be managed in agentic systems. This is a domain that identity security firms have been warning about for months. The problem is compounded by the fact that AI agents can be chained together — one agent calling another, which calls another — creating complex delegation chains where the original authorization may be several steps removed from the final action taken. Security researchers have compared this to the “confused deputy” problem in computer science, but at a scale and speed that existing defenses were never designed to handle.
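The delegation-chain problem described above has a well-known defensive shape: every hop in the chain may only narrow the permissions it received, and the final action is checked against the intersection of every grant from the original principal down to the acting agent. The following is an added illustration written for this article, not code from NIST, the RFI, or any vendor; the agent names, scope strings, and the three-hop chain are all constructed.

```python
"""Delegation-chain scope attenuation for AI agents.

Added example, not part of the NIST RFI or any vendor's code. It models the
"confused deputy" risk described above: when agent A delegates to agent B,
which delegates to agent C, the final action must still be checked against
what the ORIGINAL principal authorised, not just what the last agent asked for.
All names and scope strings here are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One hop in a delegation chain: who granted what to whom."""
    issuer: str
    subject: str
    scopes: frozenset  # e.g. {"mail:read", "calendar:write"}


class DelegationError(Exception):
    pass


def attenuate(parent: Grant, subject: str, requested: set) -> Grant:
    """Issue a child grant that may only NARROW the parent's scopes.

    A child can never receive a scope its parent does not hold; the attempt
    is rejected outright rather than silently trimmed, so it shows up in logs.
    """
    excess = set(requested) - parent.scopes
    if excess:
        raise DelegationError(
            f"{parent.subject} cannot delegate scopes it lacks: {sorted(excess)}")
    return Grant(issuer=parent.subject, subject=subject, scopes=frozenset(requested))


def effective_scopes(chain: list) -> frozenset:
    """Intersection of every scope set in the chain, from root grant to leaf."""
    if not chain:
        return frozenset()
    scopes = set(chain[0].scopes)
    for g in chain[1:]:
        scopes &= g.scopes
    return frozenset(scopes)


def validate_chain(chain: list) -> None:
    """Each hop's issuer must be the previous hop's subject (no gaps, no forged links)."""
    for prev, cur in zip(chain, chain[1:]):
        if cur.issuer != prev.subject:
            raise DelegationError(f"broken chain: {cur.issuer} is not {prev.subject}")


def is_permitted(chain: list, action: str) -> bool:
    """Authorise an action only if EVERY grant in the chain permits it."""
    validate_chain(chain)
    return action in effective_scopes(chain)


def demo_chain() -> dict:
    """Build a constructed three-hop chain and exercise the checks."""
    root = Grant(issuer="user:alice", subject="agent:inbox-triage",
                 scopes=frozenset({"mail:read", "mail:send", "calendar:read"}))
    # The triage agent hands off scheduling, narrowing to calendar access only.
    sched = attenuate(root, "agent:scheduler", {"calendar:read"})
    # The scheduler hands off to a notifier that also needs only calendar:read.
    notifier = attenuate(sched, "agent:notifier", {"calendar:read"})
    chain = [root, sched, notifier]

    results = {
        "notifier_calendar_read": is_permitted(chain, "calendar:read"),
        "notifier_mail_send": is_permitted(chain, "mail:send"),  # narrowed away upstream
        "widen_attempt_rejected": False,
    }
    try:
        attenuate(sched, "agent:other", {"mail:send"})  # scheduler never held mail:send
    except DelegationError:
        results["widen_attempt_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo_chain())
```

The two checks matter separately: `validate_chain` catches a link whose issuer is not the previous subject (a grant that appeared from nowhere), while `effective_scopes` ensures that no agent deep in the chain can act on a permission the user never delegated, even if an intermediate agent was manipulated into asking for it.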
Prompt Injection, Tool Misuse, and the Attack Surface That Keeps Growing
Beyond identity, the NIST RFI zeroes in on a class of vulnerabilities that are unique to AI agents: prompt injection, tool misuse, and goal hijacking. Prompt injection — where a malicious input causes an AI system to ignore its instructions and follow an attacker’s commands instead — has been a known vulnerability in large language models for years. But when the model in question has the ability to send emails, move money, modify databases, or control physical systems, the consequences of a successful prompt injection attack escalate dramatically.
The RFI asks what safeguards should be required to prevent AI agents from being manipulated into performing actions that their operators did not intend. It also asks about “tool use” risks — the danger that an AI agent, given access to a set of tools (such as a web browser, a code execution environment, or a financial trading platform), might use those tools in unexpected or harmful ways. Researchers at institutions including Carnegie Mellon and MIT have published papers demonstrating that AI agents can be induced to take harmful actions through carefully crafted inputs embedded in seemingly benign documents or web pages. The attack surface is not just the agent itself but every piece of data and every system it touches.
Accountability Gaps: When the Machine Makes the Call, Who Takes the Blame?
Perhaps the most consequential set of questions in the NIST RFI concerns accountability. In a traditional software system, a bug can be traced to a line of code, a design decision, or a configuration error. In an agentic AI system, the chain of causation is far more opaque. An AI agent might take an action based on a combination of its training data, its real-time perception of its environment, instructions from its operator, and the outputs of other AI agents it consulted. Determining why it did what it did — and who bears responsibility — is a problem that current legal and regulatory frameworks are not equipped to resolve.
The RFI explicitly asks how organizations should implement logging and monitoring for AI agent actions, and what level of explainability should be required. It also asks whether existing frameworks, such as the NIST AI Risk Management Framework (AI RMF) published in 2023, are sufficient to address the risks posed by agentic systems, or whether new guidance is needed. The implicit answer, suggested by the very existence of this RFI, is that current frameworks are not enough.
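Two of the safeguards the RFI asks about, a policy gate on tool use (from the prompt-injection discussion above) and an audit trail for every agent decision (this section), fit naturally into one component. The following is an added illustration for this article, not NIST guidance or any vendor's implementation; the tool names, the policy rules, the approver callback, and the sample calls are all constructed.

```python
"""Tool-call policy gate with a tamper-evident audit log for an AI agent.

Added example; not NIST guidance or any vendor's code. It shows (1) a policy
check that runs BEFORE a tool executes, constraining which tools an agent may
call and holding consequential actions for human approval, and (2) an
append-only, hash-chained log so each decision can be audited afterwards.
Tool names, policy rules, and the sample calls are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed policy: tool -> whether a human must approve, plus an argument check.
POLICY = {
    "read_inbox": {"approve": False, "check": lambda a: True},
    "send_email": {"approve": True,
                   "check": lambda a: a.get("to", "").endswith("@example.com")},
    "transfer_funds": {"approve": True,
                       "check": lambda a: 0 < a.get("amount", 0) <= 1000},
}


@dataclass
class ToolCall:
    agent_id: str
    tool: str
    args: dict


@dataclass
class AuditLog:
    entries: List[dict] = field(default_factory=list)
    _prev_hash: str = "0" * 64

    def append(self, record: dict) -> None:
        """Each entry commits to the previous entry's hash, forming a chain."""
        payload = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((self._prev_hash + payload).encode()).hexdigest()
        self.entries.append({**record, "prev": self._prev_hash, "hash": digest})
        self._prev_hash = digest

    def verify(self) -> bool:
        """Recompute the chain; any edited, dropped, or reordered entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            expected = hashlib.sha256(
                (prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True


def gate(call: ToolCall, log: AuditLog, approver: Callable[[ToolCall], bool]) -> str:
    """Return 'allowed', 'denied', or 'held', and record the decision and reason.

    Because the check precedes execution, an injected instruction that steers
    the agent toward an unlisted tool or an out-of-range argument is stopped
    here rather than discovered after the action has already happened.
    """
    rule = POLICY.get(call.tool)
    if rule is None:
        decision, reason = "denied", "tool not in allowlist"
    elif not rule["check"](call.args):
        decision, reason = "denied", "argument constraint failed"
    elif rule["approve"] and not approver(call):
        decision, reason = "held", "awaiting human approval"
    else:
        decision, reason = "allowed", "policy satisfied"
    log.append({"agent": call.agent_id, "tool": call.tool,
                "args": call.args, "decision": decision, "reason": reason})
    return decision


def run_demo(approver: Callable[[ToolCall], bool] = lambda c: False) -> dict:
    """Run a constructed batch of agent tool calls through the gate."""
    log = AuditLog()
    calls = [
        ToolCall("agent:assistant", "read_inbox", {}),
        ToolCall("agent:assistant", "send_email", {"to": "cfo@example.com", "body": "..."}),
        ToolCall("agent:assistant", "send_email", {"to": "unknown@external.test", "body": "..."}),
        ToolCall("agent:assistant", "transfer_funds", {"amount": 50000}),
        ToolCall("agent:assistant", "delete_database", {}),
    ]
    decisions = [gate(c, log, approver) for c in calls]
    return {"decisions": decisions, "log_ok": log.verify(), "entries": len(log.entries)}


if __name__ == "__main__":
    print(run_demo())
```

The `approver` callback stands in for whatever human-in-the-loop mechanism an organisation uses; with no approval, consequential calls are held rather than executed, and every outcome, including denials, lands in the log. Writing the chain hash into each entry is what makes the trail meaningful for the accountability questions above: an investigator can detect whether the record was altered after the fact, not just read what it says.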
Industry Response and the Race to Define Standards Before Standards Define the Industry
The comment period for the RFI runs through March 2026, and early indications suggest that it will draw substantial engagement from industry, academia, and civil society. Major technology companies have a strong incentive to participate: the standards and guidelines that emerge from this process could shape procurement requirements for federal agencies, influence regulatory action in the states and in the European Union, and set baseline expectations for the entire industry.
For enterprise buyers, the NIST RFI is a signal that the security maturity of AI agent platforms should be a primary evaluation criterion — not an afterthought. Organizations deploying agentic AI systems today are, in many cases, operating without established best practices for monitoring, controlling, or auditing what those systems do. The gap between the capabilities being marketed by vendors and the security infrastructure needed to deploy those capabilities responsibly is wide and growing.
What Comes Next: The Regulatory Trajectory for Autonomous AI Systems
The NIST RFI is not a regulation. It is not even a proposed regulation. It is a request for information — the earliest and most preliminary step in the federal standards-setting process. But it would be a mistake to dismiss it as merely procedural. NIST’s work on AI security feeds directly into federal procurement standards, executive orders on AI governance, and international standards bodies. The questions NIST is asking today will shape the compliance requirements that technology companies face tomorrow.
For the AI industry, the message from Washington is clear: the era of deploying autonomous systems first and worrying about security later is drawing to a close. The federal government is building its understanding of the risks, and it is doing so with an eye toward action. Companies that engage constructively with this process — and that invest now in the security architecture for their agentic AI products — will be better positioned when the rules arrive. Those that do not may find themselves scrambling to retrofit security into systems that were designed without it. The stakes, as the NIST RFI makes plain, are not just commercial. They are a matter of national security, critical infrastructure protection, and public trust in a technology that is rapidly being handed the authority to act on behalf of humans in contexts where errors can be irreversible.