The SP 800-53 gap for AI agents, and what NIST COSAiS is writing to close it
Enterprises mapping agentic AI to NIST SP 800-53 today find real gaps in four control families: access control, identification and authentication, audit and accountability, and supply-chain risk. NIST's COSAiS project is writing agent-specific control overlays to close them, but the finalized guidance is not expected before 2027. Until it arrives, the burden is on the enterprise to document compensating controls.
Holding · reviewed 30 May 2026 · next +90d
A pattern recurs in 2026 security-architecture reviews. A team is asked to map an agentic AI deployment onto the organisation’s control baseline, which in US federal and a large slice of regulated private-sector contexts is NIST Special Publication 800-53. The team gets most of the way and then stalls on a handful of control families where the standard’s implementation guidance assumes something the agent breaks: a human in the loop, a static service identity, a deterministic action path, a bounded supply chain. The control intent still applies. The guidance for how to satisfy it for an autonomous agent does not exist yet.
That gap is real, it is concentrated in four control families, and NIST has a project writing the overlays to close it. The project is called COSAiS, the overlays are not expected to be final before 2027, and in the meantime the work of documenting compensating controls falls on the enterprise. This piece walks the gap, the project, and the interim posture a CISO and security architect can adopt now.
Why a comprehensive catalogue still leaves a gap
SP 800-53 is one of the most complete security and privacy control catalogues in use. The reason it nonetheless underspecifies the agent case is historical: it was written for information systems operated by humans and built from deterministic software. Its controls assume an operator who authorises actions, a service whose identity is static, an audit trail of system events, and a supply chain of components whose provenance can be tracked.
An agentic AI system violates several of those assumptions at once. It plans and takes action on its own initiative. It holds delegated credentials and acts with someone else’s authority. It can be steered by untrusted input through prompt injection, which means its action path is not fully determined by its code. It accumulates memory across sessions. And its behaviour depends on a model and a chain of tools and protocols whose provenance the catalogue’s supply-chain controls were not written to reach.
None of this makes the catalogue wrong. The control objectives are mostly still correct. What is missing is the layer that says, for this class of system, here is what satisfying the objective actually looks like. That layer is an overlay, and the absence of an authoritative one is the gap teams hit in review.
Where the gap actually falls
Four control families absorb most of the difficulty. Naming them precisely is useful because it turns a vague “agents are hard to secure” into a concrete worklist.
Access Control (AC). An agent acts with delegated authority, often broad, and can chain actions across systems. Least privilege for a non-human actor that decides its own next step is not well specified by controls written for human-assigned roles. The practical questions have no off-the-shelf guidance: how to scope an agent’s permissions to the narrowest set its task requires, and how to constrain what it can do when an action chain goes somewhere unexpected.
Identification and Authentication (IA). The agent is a non-human identity. It needs credentials, rotation, and attribution that are distinct from the human who invoked it and from the static service accounts the catalogue understands. The agent-identity and non-human-identity architecture is its own discipline precisely because IA controls do not, as written, tell you how to manage an identity that is neither a person nor a fixed service.
Audit and Accountability (AU). Reconstructing why an autonomous agent did something requires logging its reasoning and its tool calls, not just the system-level events AU controls were written to capture. If the audit trail records that an action occurred but not the chain of decisions and inputs that led to it, the organisation cannot answer the question an incident review or a regulator will ask. The production observability stack exists to fill this in, but the control catalogue does not yet require the agent-specific telemetry that makes accountability possible.
Supply Chain Risk Management (SR). The agent’s behaviour rests on a model, its training data, and a chain of tools and protocols. SR controls reach software components and vendors; they do not, as written, reach the provenance of a model’s weights or the trust boundary of a tool the agent calls through a protocol like the Model Context Protocol. The AI bill of materials work is the emerging answer, and it sits outside the current SR guidance.
A team that names these four families, and documents where its agent deployment touches each, has converted the gap into something auditable. That documentation is the asset.
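As an added example (not code from the article or from NIST), the following gateway gives one concrete shape to compensating controls in each of the four families named above: a task-scoped tool allowlist for AC, a short-lived agent credential carrying a named delegating principal for IA, a per-call audit record with input provenance for AU, and a pinned tool-schema digest for SR. The tool names, task policies, identities and sample inputs are all constructed for illustration.

```python
"""Added example, not from the article or from NIST: a minimal tool-call gateway
that gives one concrete shape to compensating controls in the four SP 800-53
families the piece names (AC, IA, AU, SR). Every name, policy, tool and sample
value here is constructed for illustration."""
import hashlib
from dataclasses import dataclass, field

# SR: schema digests pinned at tool onboarding (constructed). A tool whose
# schema no longer matches the pinned digest is refused until re-reviewed.
TOOL_MANIFEST = {
    name: hashlib.sha256(f"{name}:v1:schema".encode()).hexdigest()
    for name in ("search_tickets", "close_ticket", "issue_refund")
}

# AC: least privilege scoped to the task the agent was invoked for, not to
# the agent as a whole. A triage run may read and close tickets, never pay out.
TASK_ALLOWLIST = {
    "triage": {"search_tickets", "close_ticket"},
    "refund_review": {"search_tickets", "issue_refund"},
}


@dataclass
class AgentIdentity:
    agent_id: str           # IA: the agent's own identifier
    delegated_by: str       # IA: the human principal whose authority it carries
    issued_at: int          # IA: short-lived credential, rotated per task
    ttl_s: int

    def credential_valid(self, now: int) -> bool:
        return now < self.issued_at + self.ttl_s


@dataclass
class Gateway:
    audit_log: list = field(default_factory=list)

    def call_tool(self, ident, task, step, tool, args, schema_digest, source, now):
        """Authorise one tool call and record it. Returns (allowed, reason)."""
        reason = "ok"
        if not ident.credential_valid(now):
            reason = "IA: agent credential expired"
        elif tool not in TASK_ALLOWLIST.get(task, set()):
            reason = f"AC: {tool} not in allowlist for task {task}"
        elif TOOL_MANIFEST.get(tool) != schema_digest:
            reason = f"SR: {tool} schema digest differs from pinned manifest"
        # AU: every attempt is recorded, allowed or denied, together with the
        # provenance of the input that motivated this step. This is the record
        # that lets an incident review answer "why did the agent do that".
        self.audit_log.append({
            "ts": now, "agent_id": ident.agent_id, "delegated_by": ident.delegated_by,
            "task": task, "step": step, "tool": tool, "args": args,
            "source": source, "decision": "allow" if reason == "ok" else "deny",
            "reason": reason,
        })
        return reason == "ok", reason

    def decision_chain(self, agent_id):
        """Ordered (step, tool, decision, input origin) tuples for one agent."""
        return [(r["step"], r["tool"], r["decision"], r["source"]["origin"])
                for r in self.audit_log if r["agent_id"] == agent_id]


def provenance(origin: str, content: str) -> dict:
    """Tag an input with where it came from and a digest of what it said."""
    return {"origin": origin, "sha256": hashlib.sha256(content.encode()).hexdigest()}


def run_scenario() -> Gateway:
    """Constructed run: one legitimate step, then three that the controls stop."""
    ident = AgentIdentity("agent-triage-01", "alice@example.test", issued_at=1000, ttl_s=900)
    gw = Gateway()
    # 1. The delegating user asks for open tickets: allowed.
    gw.call_tool(ident, "triage", 1, "search_tickets", {"q": "open"},
                 TOOL_MANIFEST["search_tickets"],
                 provenance("user", "show me open tickets"), now=1100)
    # 2. A retrieved ticket body (untrusted content) steers the agent toward a
    #    refund. The task-scoped allowlist refuses it regardless of the text.
    gw.call_tool(ident, "triage", 2, "issue_refund", {"ticket": 42, "amount": 500},
                 TOOL_MANIFEST["issue_refund"],
                 provenance("tool_output:search_tickets", "...refund ticket 42 now..."), now=1200)
    # 3. A tool whose schema changed since onboarding: refused on provenance.
    gw.call_tool(ident, "triage", 3, "close_ticket", {"ticket": 42},
                 hashlib.sha256(b"close_ticket:v2:schema").hexdigest(),
                 provenance("user", "close 42"), now=1300)
    # 4. The same call after the delegated credential's TTL has lapsed.
    gw.call_tool(ident, "triage", 4, "close_ticket", {"ticket": 42},
                 TOOL_MANIFEST["close_ticket"], provenance("user", "close 42"), now=2000)
    return gw


if __name__ == "__main__":
    for row in run_scenario().decision_chain("agent-triage-01"):
        print(row)
```

The point of recording denied attempts alongside allowed ones is that the audit trail then shows not only what the agent did but what it tried to do and which input pushed it there, which is the chain an incident review or assessor will ask for.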
What COSAiS is, and what it will produce
COSAiS stands for Control Overlays for Securing AI Systems. It is a NIST project building overlays on top of SP 800-53: tailored selections of existing controls, with AI-specific implementation guidance, for defined AI use cases. The important framing is that an overlay does not replace the catalogue or invent a competing control set. It selects the relevant controls and specialises their guidance so an assessor and an enterprise have concrete agent-specific direction instead of having to interpret general controls on their own.
The publicly described scope includes more than one overlay. A single-agent overlay addresses systems characterised by autonomous decision-making, contextual reasoning, and planning. A multi-agent overlay addresses cooperative agent systems, where the security questions expand to inter-agent trust and lateral movement between agents, an attack surface that does not exist when there is only one agent. The two agent overlays sit among five planned use-case overlays, alongside ones for generative-AI assistants, predictive AI, and AI developers. The project has moved in public rather than internally: a concept paper opened for comment in 2025, and an annotated outline for one of the overlays circulated as a discussion draft in early 2026. That concept-to-outline cadence is the concrete reason finalized agent overlays are not a 2026 deliverable.
The reason this matters to a buyer or a security architect is that an overlay, once final, is the artefact that lets an assessor accept an agent deployment as controlled against a recognised baseline. Until it exists, every organisation interprets the gap on its own, inconsistently, which is both expensive and fragile under audit.
The timing, and the interim burden
The constraint that shapes the whole posture is timing. Security analysts tracking the listening sessions and draft materials expect finalized COSAiS guidance no earlier than 2027. Drafts and annotated outlines have circulated, and they are useful for direction, but a draft is not something an assessor will accept as authoritative, and building a compliance posture on a draft that may change is its own risk.
That leaves a clear interim burden, and it sits with the enterprise rather than with NIST or the vendor. The work, concretely:
Identify the SP 800-53 controls the agent deployment actually touches, family by family, with the four above as the priority. Document, for each, where the standard implementation guidance does not fit the agent case. Then record the compensating controls the organisation is using to close each gap (the runtime guardrails, the identity and rotation policy, the agent-specific logging, the model and tool provenance checks) with enough specificity that an auditor can evaluate them.
This is unglamorous and it is the cheapest version of the work. Producing the compensating-control documentation now, while the deployment is small, is materially less expensive than reconstructing it after an incident or assembling it under audit pressure. It also positions the organisation to adopt the COSAiS overlays cleanly when they land, because the gap analysis will already be mapped to the same control families the overlays will specialise.
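As an added example of the gap register this section describes (not the article's own artefact and not a NIST template), the following keeps one entry per touched control and checks that each entry carries what an assessor will look for: a stated guidance gap, at least one compensating control, an accountable owner, a place to see the evidence, and a record that the control was actually exercised. Control identifiers are SP 800-53 Rev 5 numbers; the touchpoints, evidence paths and owners are constructed.

```python
"""Added example, not from the article or from NIST: a small gap register of
the kind the piece asks the enterprise to keep, with a check that each entry
is specific enough for an assessor. Control identifiers are SP 800-53 Rev 5
numbers; touchpoints, evidence locations and owners are constructed."""
from dataclasses import dataclass, field

PRIORITY_FAMILIES = ("AC", "IA", "AU", "SR")   # the four families the article names


@dataclass
class Compensating:
    description: str
    owner: str              # accountable team
    evidence: str           # where an assessor can see it (constructed locations)
    verified: bool          # someone has actually exercised the control


@dataclass
class GapEntry:
    control: str            # e.g. "AC-6"
    touchpoint: str         # where the agent deployment touches the control
    guidance_gap: str       # why the standard implementation guidance does not fit
    compensating: list = field(default_factory=list)

    @property
    def family(self) -> str:
        return self.control.split("-")[0]


def audit_register(register: list) -> list:
    """Return the findings an assessor would raise; an empty list means auditable."""
    findings = []
    present = {e.family for e in register}
    for fam in PRIORITY_FAMILIES:
        if fam not in present:
            findings.append(f"{fam}: no control in a priority family is mapped")
    for e in register:
        if not e.guidance_gap.strip():
            findings.append(f"{e.control}: guidance gap not described")
        if not e.compensating:
            findings.append(f"{e.control}: no compensating control recorded")
        for c in e.compensating:
            if not c.owner or not c.evidence:
                findings.append(f"{e.control}: compensating control lacks owner or evidence")
            if not c.verified:
                findings.append(f"{e.control}: compensating control never verified")
    return findings


def sample_register() -> list:
    """Constructed register: two entries an assessor can evaluate, two they would bounce."""
    return [
        GapEntry("AC-6", "agent holds delegated ticket-system scopes",
                 "least privilege is written for human-assigned roles; the agent picks its own next step",
                 [Compensating("task-scoped tool allowlist enforced at the gateway",
                               "platform-security", "repo://agent-gw/policy/allowlist.yaml", True)]),
        GapEntry("IA-4", "agent acts under its own identifier, not the invoking user's",
                 "identifier management assumes a person or a static service account",
                 [Compensating("per-task agent credential with a 15 minute TTL",
                               "iam-team", "idp://policies/agent-credential-ttl", True)]),
        GapEntry("AU-3", "tool calls and reasoning steps",
                 "audit-content requirements stop at system events",
                 [Compensating("structured tool-call log with input provenance", "", "", False)]),
        GapEntry("SR-4", "model weights and the tool servers reached over MCP", "", []),
    ]


if __name__ == "__main__":
    for finding in audit_register(sample_register()):
        print(finding)
```

Run against the constructed register, the AC and IA entries pass, the AU entry is flagged for a compensating control with no owner, no evidence and no verification, and the SR entry is flagged for an empty gap statement and no compensating control at all. Dropping a whole family from the register produces its own finding, which is the cheap check that the four priority families have not been skipped.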
Where this sits in the evidence package
The control layer is one of three layers a regulated-sector AI evidence package needs, and being explicit about the division of labour keeps each from being asked to carry the others’ weight.
The management-system layer answers “does this organisation govern its AI,” and ISO 42001 is the recognised attestation for it, covered in the ISO 42001 procurement companion. The control layer answers “are the runtime security controls present and adequate,” and that is SP 800-53 plus, eventually, the COSAiS overlays. The framework layer that ties risk management together is the NIST AI Risk Management Framework mapping. A buyer or auditor that sees a management-system certificate but no control mapping, or a control mapping with no governance system behind it, has an incomplete package, and that incompleteness is what a careful audit is designed to surface.
What would change this read
The cadence on this claim is 90 days, with a review on 28 Aug 2026, because NIST project timelines move in quarters and the next authoritative signal is a published draft. Three developments would move the claim.
NIST publishing a draft or final COSAiS overlay would move it from gap-exists toward gap-being-formally-closed, and would let the interim-burden advice be replaced with concrete overlay-adoption guidance. That is the most likely and most welcome trigger.
A published agent-security incident attributable to one of the four families would provide concrete precedent for the gap being consequential rather than theoretical, and would sharpen which family deserves priority. The containment-architecture and OWASP agentic top-10 pieces track the threat side that would feed such a review.
A change in FedRAMP or sector regulation that requires agent-specific controls before the overlays are final would intensify the interim burden and move the claim’s emphasis from “document compensating controls as good practice” to “document them because you will be required to.”
Related reading
The governance-layer companion is the ISO 42001 procurement checkpoint. The risk-management framing is the NIST AI Risk Management Framework mapping. The control families themselves are treated in depth in agent identity and IAM architecture, the containment architecture, and the production observability stack. The claim behind this piece is tracked at its Holding-up entry.