Enterprises mapping agentic AI onto NIST SP 800-53 today find real, recurring control gaps concentrated in four families (Access Control, Identification and Authentication, Audit and Accountability, and Supply Chain Risk Management) because the catalogue's implementation guidance assumes human-operated, deterministic systems rather than autonomous agents that hold delegated credentials, can be steered by untrusted input, and depend on a model-and-tool supply chain; NIST's COSAiS project (Control Overlays for Securing AI Systems) is writing single-agent and multi-agent overlays to close the gap, but finalized agent-specific guidance is not expected before 2027, so the interim burden is on the enterprise to identify the touched controls, document where standard guidance does not fit the agent case, and record compensating controls.
Anchored on (a) NIST SP 800-53 Rev 5 (Security and Privacy Controls for Information Systems and Organizations) and its control families AC/IA/AU/SR, a pre-cutoff, durable fact; (b) NIST CSRC COSAiS project at csrc.nist.gov/projects/cosais (Control Overlays for Securing AI Systems), described scope includes a single-agent overlay (autonomous decision-making, contextual reasoning, planning) and a multi-agent overlay (cooperative systems, inter-agent trust, lateral movement), with annotated outlines and use-case materials published; (c) Cloud Security Alliance Labs research notes (Apr 2026) on the NIST AI agent listening sessions and the expectation that finalized guidance is unlikely before 2027. SOFT-SOURCING / VERIFY-BEFORE-PUBLISH FLAG: drafted 30 May 2026 against research post the author's Jan-2026 cutoff. DURABLE core: SP 800-53 exists with these control families, and the structural reasons agents underspecify against them (delegated authority, non-human identity, reasoning-not-events audit, model/tool provenance) are sound. VERIFIED 2026-05-30 via WebFetch of csrc.nist.gov/projects/cosais: the COSAiS project exists and is developing five use-case overlays including 'Using AI Agent Systems – Single Agent' and '– Multi-Agent', built on SP 800-53 (plus SP 800-218A, draft AI 800-1, AI 100-2e2025); a concept paper opened for comment 14 Aug 2025 and an annotated outline (Predictive AI) circulated as a discussion draft 8 Jan 2026 with feedback due 13 Feb 2026 — confirming drafts-circulating, not-final status. STILL AN EXPECTATION (Peter to treat as such): the 'not before 2027' finalization timing is CSA-Labs analyst tracking, not a NIST commitment; the page gives no final date, and the concept-to-annotated-outline cadence in early 2026 makes a 2026 finalization implausible, which supports the framing. The four-families (AC/IA/AU/SR) gap characterisation is attributed in the piece to practitioner analysis, not asserted as NIST's own enumeration. 90-day review cadence (28 Aug 2026). Trigger conditions: (1) NIST publishing a draft/final overlay moves claim toward gap-being-closed (strengthen); (2) a published agent-security incident attributable to one of the four families gives precedent; (3) FedRAMP/sector rule requiring agent-specific controls before overlays land intensifies the interim-burden point. Sibling AM-192 (iso-42001-enterprise-ai-vendor-checkpoint) is the management-system-layer companion; nist-ai-rmf-agentic-ai-mapping is the risk-framework layer.
/holding/AM-193/Embed this claimiframe + oEmbed
The card auto-updates when the claim's status, last-reviewed date, or correction log changes. Embedders never need to refresh — the card is rendered live from the canonical record.
Email-me when AM-193's status, next review date, or correction log changes. One email per change. No newsletter subscription, no other mail.
The claim: Enterprises mapping agentic AI onto NIST SP 800-53 today find real, recurring control gaps concentrated in four families (Access Control, Identification and Authentication, Audit and Accountability, and Supply Chain Risk Management) because the catalogue's implementation guidance assumes human-operated, deterministic systems rather than autonomous agents that hold delegated credentials, can be steered by untrusted input, and depend on a model-and-tool supply chain; NIST's COSAiS project (Control Overlays for Securing AI Systems) is writing single-agent and multi-agent overlays to close the gap, but finalized agent-specific guidance is not expected before 2027, so the interim burden is on the enterprise to identify the touched controls, document where standard guidance does not fit the agent case, and record compensating controls.
About this register
The Reporting register tracks claims published from articles addressed to senior enterprise IT leaders — CIOs, IT directors, heads of platform. Claims are reviewed on a 30–90 day cadence; each review either reaffirms the claim, marks one substantive part as Partial, or marks it Not holding once the underlying evidence has been overtaken.
Recent corrections in Reporting
- AM-008 · Partial · 17 Jun 2026
Source-text figure re-review: Google's 2024 Environmental Report reports a 28% year-over-year increase to 8.1 billion gallons, not the 33% (from a 6.1 billion 2023 base) asserted at publish. The 8.1B 2024 figure and the Microsoft WUE 0.30 L/kWh / 39%-improvement figure are unchanged and verified. Article corrected to 28% and the unsupported 6.1B base removed; the claim text retains the original figure with this correction per the Holding-up protocol.
- AM-132 · Partial · 10 Jun 2026
One of four legs unanchored on re-review. The claim text attributes '12% of deployments clearing 300%+ ROI with 88% at or below break-even at 12-18 months' to the Stanford DEL 2026 Enterprise AI Playbook. Full-text verification on 10 Jun 2026 found no such figure in that source: the playbook (Pereira, Graylin, Brynjolfsson, Apr 2026) studies 51 successful deployments by design and contains no ROI distribution, no 300%-plus cohort, and no break-even measurement point (full finding at AM-029, correction of 10 Jun 2026). The only verified figure carrying the same 12/88 numerals is IDC research with Lenovo (via CIO.com, Mar 2025): roughly 88% of AI proof-of-concepts never reach production and roughly 12% graduate — a pilot-to-production graduation metric, not an ROI distribution. The Gartner 28%, McKinsey 23%/17%, and MIT NANDA 95% legs verify; they support a small high-performing tail and a large struggling body, but none documents the two-peak bimodal shape the claim asserts. Status Up -> Partial.
- AM-129 · Partial · 10 Jun 2026
One of three read-against anchors unanchored on re-review. The claim text cites 'Stanford Digital Economy Lab Enterprise AI Playbook (12/88 bimodal ROI distribution at 12-18 months)' and frames the realistic ROI band around 'the highest-discipline 12% cohort'. Full-text verification on 10 Jun 2026 found the playbook contains no 12/88 distribution, no bimodal ROI shape, and no 12-18-month ROI measurement point (full finding at AM-029, correction of 10 Jun 2026). The claim's core negative finding — no mid-market enterprise has produced a documented +240% ROI in 90 days under audited conditions — is unaffected; the McKinsey State of AI 2025 and MIT NANDA legs verify and continue to support it. The '12% cohort' framing has no verifiable referent. The only verified figure carrying the 12/88 numerals is IDC's pilot-graduation finding (roughly 88% of AI proof-of-concepts never reach production; via CIO.com, Mar 2025), a different metric. Status Up -> Partial.
Reviews coming up in Reporting
- AM-063 · Holding · next +9d (27 Jun 2026)
AI agents executing financial transactions need a four-control bundle (action-approval gates by blast radius, kill-swit…
- AM-061 · Holding · next +9d (27 Jun 2026)
Production agentic-AI costs at scale routinely run multiples of POC projections, and a layered optimisation programme c…
- AM-003 · Partial · next +9d (27 Jun 2026)
GPT-5 Pro's tiered-subscription model forces enterprises to classify problems by computational difficulty — $200/month…