Why NIST’s AI agent standards initiative is a turning point for enterprise security | TechRadar
Is standardization arriving too late for AI cybersecurity?
The launch of NIST’s AI Agent Standards Initiative marks a pivotal moment in the evolution of enterprise AI. For the first time, one of the world’s most influential standards bodies is formally acknowledging what security teams have been seeing on the ground for some time now.
Director of Cybersecurity Strategy at Salt Security.
AI agents are autonomous digital actors capable of taking real-world actions across systems, data stores and business workflows.
Standardization has moved beyond being helpful; at this stage, it is essential.
AI agents operate in what can be described as the Agentic Action Layer, or the interface where models connect to APIs to retrieve data, trigger workflows and interact with other systems. This is where reasoning turns into execution. And execution, in enterprise environments, means API calls.
Historically, cybersecurity has evolved alongside architectural shifts. Endpoint security emerged following personal computing. Network security grew with enterprise connectivity. Cloud security became indispensable as workloads moved to SaaS and IaaS environments.
Today, AI agents and API-first architectures represent a similar inflection point. APIs now power the majority of digital interactions and underpin every meaningful AI-driven workflow. Yet most organizations still cannot confidently answer basic questions about their API exposure, shadow endpoints or runtime protections.
NIST’s initiative signals recognition that AI agents introduce a distinct risk profile. Unlike passive systems, agents can reason, chain actions and operate at machine speed. They do more than access data; they can change configurations, move funds, update records and trigger downstream automation.
Without standards around identity, logging, governance and secure integration, the result is chaotic at best and, at worst, fragmented and filled with blind spots that lead to more serious data breaches.
Common baselines will help vendors align on terminology, controls and testing methodologies. More importantly, they will help CISOs frame agent security as a structural issue.
Importantly, standards alone will not close the gap. Enterprises adopting agentic AI need to act in parallel.
First, they must establish full visibility into their API fabric. Our research consistently shows that organizations underestimate their API inventory, leaving undocumented or “shadow” APIs exposed. If an AI agent can call it, it must be discovered, classified and governed.
Second, identity and provenance must become a cornerstone when it comes to non-human identities. Without clear machine identity, “agent behavior” is indistinguishable from authenticated abuse.
In a world where 96% of successful attacks involve abusing legitimate access, giving an autonomous system broad read/write permissions without strict least-privilege design is a structural risk.
Third, governance must move beyond static policy. Agents generate high-volume machine-to-machine traffic that traditional endpoint and network tools cannot interpret at the business logic layer. Organizations need behavioral monitoring that understands sequences of API calls, data sensitivity and intent, not just packets and ports.
Finally, secure design must become part of the agent development lifecycle. Marketing “autonomy” without immutable logging, runtime validation and policy enforcement is not innovation. It is exposure.
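The first three recommendations above (API inventory, scoped machine identity, sequence-aware monitoring) can be combined in a single pass over agent API logs. The sketch below is an added example, not code from the article or from any vendor; the endpoints, agent names and log records are constructed for illustration.

```python
# Constructed API inventory: documented endpoints and their data class.
INVENTORY = {
    ("GET", "/v1/customers"): "sensitive",
    ("POST", "/v1/tickets"): "internal",
    ("POST", "/v1/email/send"): "external",
}
# Constructed least-privilege grants per non-human identity.
GRANTS = {
    "support-agent": set(INVENTORY),
    "build-agent": {("POST", "/v1/tickets")},
}
# Constructed log of agent API calls, in time order.
CALLS = [
    {"agent": "support-agent", "method": "GET", "path": "/v1/customers"},
    {"agent": "support-agent", "method": "POST", "path": "/v1/tickets"},
    {"agent": "support-agent", "method": "POST", "path": "/v1/email/send"},
    {"agent": "build-agent", "method": "GET", "path": "/v1/customers"},
    {"agent": "build-agent", "method": "GET", "path": "/internal/debug/export"},
    {"agent": None, "method": "POST", "path": "/v1/tickets"},
]

def review(calls, inventory=INVENTORY, grants=GRANTS, window=3):
    """Return (index, finding) pairs for calls that need attention."""
    findings = []
    recent = {}  # agent -> data classes of its earlier calls
    for i, call in enumerate(calls):
        agent = call.get("agent")
        key = (call["method"], call["path"])
        if agent not in grants:
            # No machine identity: cannot be attributed to any agent.
            findings.append((i, "unidentified-caller"))
            continue
        if key not in inventory:
            # Endpoint is reachable but absent from the inventory.
            findings.append((i, "shadow-api"))
            continue
        if key not in grants[agent]:
            findings.append((i, "outside-grant"))
        history = recent.setdefault(agent, [])
        data_class = inventory[key]
        # Sequence rule: each call may be permitted on its own, but an
        # external send shortly after a sensitive read is flagged.
        if data_class == "external" and "sensitive" in history[-window:]:
            findings.append((i, "sensitive-then-external"))
        history.append(data_class)
    return findings

if __name__ == "__main__":
    for index, finding in review(CALLS):
        print(index, finding, CALLS[index]["path"])
```

Every call made by `support-agent` passes a per-call permission check; only the sequence rule surfaces the read-then-send pattern.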
It is fair to ask whether standardization is arriving too late. AI agents are already being deployed in customer support, software development, IT operations and personal productivity tools. In some cases, as we have seen with early agent platforms, enthusiasm has outpaced infrastructure fundamentals.
But this is not a lost cause. The window for proactive governance is still open.
Unlike previous technology waves, organizations now understand the cost of retrofitting security. Cloud misconfiguration crises and supply chain compromises have provided hard lessons. The difference with agentic AI is speed. Autonomy scales risk. When you remove the human from the loop, you remove the manual gatekeeper.
NIST’s initiative should therefore be seen not as a clean-up effort, but as a call to formalize controls before agent sprawl becomes unmanageable.
More broadly, the AI Agent Standards Initiative reinforces a deeper truth: APIs are no longer backend plumbing. They are the operating system of modern business. AI agents amplify this reality by turning every API into a potential action point.
If endpoints, networks and cloud infrastructure defined the first three pillars of cybersecurity, AI-driven API ecosystems are defining the fourth. Standardization is the first step in acknowledging that reality. Execution must follow.
For organizations, the message is clear. You cannot govern what you cannot see. You cannot scale AI safely without securing the API pathways that give it power. The time to align innovation with enforceable standards, identity controls and runtime protection is now, not after the first agent-driven breach makes the headlines.
This article was produced as part of TechRadar Pro's Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadar Pro or Future plc. If you are interested in contributing, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
Eric Schwake is Head of Product Marketing at Salt Security.



