# CSA — NIST AI RMF: Agentic Profile
Provenance & licence

- Source: CSA Lab Space — Agentic NIST AI RMF Profile v1
- Last observed: 2026-06-16
- Version: Lab Space draft v1 (early 2026)
- Status: planned
- Licence: no licence stated on the CSA Lab Space draft; CSA's published agentic work uses CC BY / CC BY-SA — treated here as facts & short attributed quotation (facts-and-quotation)
## Summary
The Cloud Security Alliance's Agentic Profile maps the NIST AI RMF's four functions onto the qualitatively different risks of agentic AI — systems that plan, use tools, hold memory, and act with autonomy, which sit outside the original frame of RMF 1.0 and the GenAI Profile. It is a draft (v1) in CSA's Lab Space. Around it, CSA's 2026 programme is expanding fast: the CSAI Foundation announced milestones to "secure the agentic control plane" (April 2026), a Catastrophic Risk Annex extending the AI Controls Matrix (AICM) and the STAR for AI assurance programme, and a four-phase rollout (June 2026 → December 2027) explicitly aligned with NIST AI RMF, the EU AI Act, and ISO/IEC 42001.
## In plain language
Note: our explanation, not the official text. The CSA Lab Space draft states no explicit licence, so we paraphrase the concepts and attribute CSA. Not legal advice.
This CSA profile takes the NIST AI RMF and adapts it to agentic AI — systems that plan, call tools, hold memory, and act on their own. The core question it forces: is the agent's authority bounded, logged, and reversible, and is the human oversight real rather than cosmetic? It's still a draft and plugs into CSA's wider AI controls catalogue.
## Key terms
- Agentic AI — AI that takes autonomous, multi-step actions using tools, not just text replies.
- AG-GV / MP / MS / MG — the agentic versions of NIST's govern / map / measure / manage.
- Oversight theatre — human oversight that exists on paper but can't actually stop the agent.
## In depth (in our own words)
Why agentic AI needed its own profile. The NIST AI RMF and the GenAI Profile were written for models that answer questions. Agentic systems are different: they pursue goals over many steps, call external tools and APIs, hold memory, and act with real autonomy. That introduces failure modes the original frameworks barely touch — an agent drifting from its intended goal, misusing a tool, escalating its own privileges, having its memory or context poisoned, or several agents triggering a cascade of actions no single human approved. CSA's Agentic Profile exists to extend the familiar NIST functions to exactly these risks.
The four agentic functions, in plain terms. The profile mirrors NIST's GOVERN/MAP/MEASURE/MANAGE with agent-specific codes. AG-GV (Govern) is about the agent's mandate: who authorised it, what it is allowed to do, and who is accountable. AG-MP (Map) is about its reach: the tools, data and actions it can take — the attack and blast-radius surface. AG-MS (Measure) is about evidence: is the oversight actually effective, or just decorative? AG-MG (Manage) is about control under stress: containment, kill-switches, rollback and recovery when an agent behaves unexpectedly.
The questions an agentic audit really turns on. In our practice the decisive checks are:

- Is the agent's authority bounded and least-privilege, or can it do far more than its task needs?
- Is every action logged, attributable and reversible?
- Is the human oversight real (can a person actually stop or undo the agent in time), or is it "oversight theatre"?
- Has the kill-switch ever been tested?
- Are memory-poisoning and inter-agent communication risks considered?
Where it sits in the ecosystem. The profile plugs into CSA's wider control work — the AI Controls Matrix (AICM) and the catastrophic-risk programme — and lines up with the OWASP Top 10 for Agentic Applications and the EU AI Act's oversight duties. So it's both a risk lens and a crosswalk back to obligations you already have.
A caveat worth stating. It is a draft (v1). The structure is stable enough to use as an audit lens today, but specific clause numbers and controls may change — so cite it as evolving guidance, and re-check the current version before relying on exact references.
## Key Sections
- AG-GV (Govern) — governance of agent objectives, authority, and accountability.
- AG-MP (Map) — context, tools, and the agent's action surface.
- AG-MS (Measure) — evaluation of agent behaviour, reliability, and oversight effectiveness.
- AG-MG (Manage) — response, containment, and recovery for autonomous behaviour.
- AI Controls Matrix (AICM) + Catastrophic Risk Annex — control set for loss of human oversight and large-scale, irreversible outcomes.
## Audit-Relevant Anchors
- AG-GV controls — is the agent's authority bounded, logged, and revocable? (Core agentic-audit question.)
- AG-MS controls — evidence that oversight is real, not "oversight theatre".
- AICM mapping — crosswalk an auditor can use to tie agentic controls back to NIST/ISO/EU obligations.
- Draft status — anchors must be re-checked: v1 is not final, so cited clause numbers may shift.
## Auditor Checklist
Evidence-oriented checks for an agentic-AI deployment:
- Agent objectives, authority, and scope are explicitly bounded and documented (AG-GV).
- The agent's tool/action surface is mapped and least-privilege (AG-MP).
- Agent actions are logged, attributable, and revocable.
- Oversight effectiveness is measured, not assumed (AG-MS) — no "oversight theatre".
- Containment / kill-switch and recovery procedures are tested (AG-MG).
- Memory/context-poisoning and inter-agent communication risks are considered.
- AICM controls are mapped to NIST / ISO / EU obligations.
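As an added illustration (not CSA's text or code), a minimal Python tool-call gateway showing what in-line enforcement of the four agentic functions looks like: the mandate bounds the tool surface (AG-GV/AG-MP), every decision is logged with the authorising party (AG-MS), the kill-switch is consulted before each call, and executed actions can be revoked (AG-MG). The `Gateway`, the `drill` and the toy key/value store are hypothetical constructs; the drill is the kind of test that separates a working kill-switch from oversight theatre.

```python
class Gateway:
    """Every tool call passes through here, so the mandate (AG-GV/AG-MP), the
    action log (AG-MS) and the kill-switch (AG-MG) are enforced in-line, not on paper."""
    def __init__(self, agent_id, authorised_by, allowed_tools):
        self.agent_id, self.authorised_by = agent_id, authorised_by  # AG-GV: mandate
        self.allowed_tools = frozenset(allowed_tools)  # AG-MP: bounded action surface
        self.log = []        # AG-MS: attributable, append-only evidence
        self.halted = False  # AG-MG: kill-switch state
        self._undo = {}      # compensating actions keyed by log seq
    def _record(self, event, **fields):
        entry = {"seq": len(self.log), "agent": self.agent_id,
                 "authorised_by": self.authorised_by, "event": event, **fields}
        self.log.append(entry)
        return entry
    def call(self, tool, run, undo=None):
        """Execute `run` only if the agent is not halted and `tool` is inside its mandate."""
        if self.halted:
            self._record("blocked", tool=tool, reason="kill-switch engaged")
            return None
        if tool not in self.allowed_tools:
            self._record("denied", tool=tool, reason="outside mandate")
            return None
        result = run()
        seq = self._record("executed", tool=tool, reversible=undo is not None)["seq"]
        if undo is not None:
            self._undo[seq] = undo  # keep the compensating action so it can be revoked
        return result
    def kill(self, operator):
        """AG-MG: a human halts the agent; checked before every later call."""
        self.halted = True
        self._record("halted", by=operator)
    def revoke(self, seq):
        """Undo a logged action by sequence number; False if it was not reversible."""
        undo = self._undo.pop(seq, None)
        if undo is None:
            return False
        undo()
        self._record("reverted", target_seq=seq)
        return True


def drill(store):
    """Constructed kill-switch drill on a toy key/value store (sample data only)."""
    gw = Gateway("billing-agent", "ops-lead", {"read", "write"})
    gw.call("write", lambda: store.update(balance=50), undo=lambda: store.update(balance=100))
    gw.call("delete", store.clear)                      # outside mandate: denied
    gw.kill("on-call-human")
    gw.call("write", lambda: store.update(balance=0))   # blocked by the kill-switch
    gw.revoke(0)                                        # roll back the executed write
    return gw
```

The log produced by the drill is the evidence an AG-MS review wants: one executed action, one denial, a halt by a named person, a call blocked after the halt, and a reversion.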
## Cross-Framework Mapping
Indicative cross-references, not authoritative equivalences.
Sources per column: CSA draft · NIST AIRC · EU AI Act · OWASP GenAI.
| CSA Agentic | NIST AI RMF | EU AI Act | OWASP Agentic 2026 |
|---|---|---|---|
| AG-GV (govern) | GOVERN | Art. 14 (oversight) | Identity / privilege abuse |
| AG-MP (map) | MAP | Art. 9 | Tool misuse |
| AG-MS (measure) | MEASURE | Art. 15 | Human-agent trust exploitation |
| AG-MG (manage) | MANAGE | Art. 9 (treatment) | Rogue agents / cascading failures |
## Recent Changes (rolling, last 5)
| Date | Severity | What changed |
|---|---|---|
| 2026-06-16 | baseline | Initial baseline: CSA Agentic Profile draft v1 (early 2026) plus CSA 2026 catastrophic-risk / AICM / STAR-for-AI programme captured. |