Your NIST 800-53 Controls Already Cover AI Agents — The Complete Mapping
Every week another vendor pitches a “novel AI security framework.” Meanwhile, your organization already maintains a comprehensive control catalog that maps directly to AI agent risk — you’re just not using it that way yet.
NIST 800-53 Rev 5 contains 1,189 controls. Our analysis, grounded in the OSA SP-027 Secure AI Integration Pattern, identifies 47 controls across 14 families that apply directly to securing AI agents in enterprise environments. No new framework required. No new budget line. Just disciplined application of controls you already own.
The Four Trust Boundaries
OSA SP-027 defines four trust boundaries for AI agent deployments. Every interaction between an AI agent and your enterprise crosses at least one of these boundaries. Each boundary demands specific controls — and NIST 800-53 already provides them.
The principle is straightforward: treat AI agents as untrusted components operating across trust boundaries. Not because they’re malicious — because they’re non-deterministic, externally influenced, and operate with delegated authority. The same assumptions you apply to third-party services, contractor access, and API integrations apply here.
Zone 1: Human Zone — Governance and Authorization
The Human Zone is where intent originates. A user requests an action, an agent interprets it, and execution begins. The controls here ensure that humans remain in the loop and that agent actions stay within authorized boundaries.
Key Controls
AC-3 (Access Enforcement) — Every agent action must be evaluated against an authorization policy before execution. This isn’t optional. If your agent can send emails, query databases, and modify configurations, AC-3 requires that each of those capabilities has an explicit access decision. Implement attribute-based access control (ABAC) that evaluates the requesting user’s role, the agent’s delegated permissions, and the sensitivity of the target resource.
AC-6 (Least Privilege) — Agents should operate with the minimum permissions necessary for each specific task. Not the minimum permissions for all possible tasks they might perform — the minimum for this task. This means dynamic privilege scoping per invocation, not static role assignment at deployment.
AU-2 (Event Logging) & AU-3 (Content of Audit Records) — Log every agent decision point: what was requested, what was interpreted, what actions were taken, and what results were returned. You need full traceability from human intent to agent action. Without it, you have no accountability chain.
PM-9 (Risk Management Strategy) — Your enterprise risk management strategy must explicitly address AI agent risk. If it doesn’t mention autonomous or semi-autonomous software agents, it’s incomplete.
Implementation Guidance
Establish an Agent Authorization Board or extend your existing change advisory board to review agent deployments. Define maximum privilege envelopes for each agent type. Require human approval for actions that cross predefined risk thresholds — financial transactions above a threshold, access to PII, modifications to production systems.
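An added example, not code from OSA SP-027 or dig8ital, of a policy enforcement point that applies AC-3, AC-6 and AU-3 to one agent tool call and enforces the human-approval threshold from the guidance above; the policy table, role names, threshold and resource classifications are constructed.

```python
"""Policy enforcement point for agent tool calls: an added example with a
constructed ABAC policy, not code from OSA SP-027 or dig8ital."""
import time

# Constructed ABAC policy (AC-3): which requesting roles may trigger each action.
# An empty set means the action is never delegated to an agent.
POLICY = {
    "send_email":     {"analyst", "manager"},
    "query_db":       {"analyst", "manager"},
    "transfer_funds": {"manager"},
    "modify_config":  set(),
}
FUNDS_THRESHOLD = 10_000.0   # constructed risk threshold that needs human approval
AUDIT_LOG = []               # AU-2/AU-3 records; use an append-only store in practice


def authorize(user_role, task_scope, action, sensitivity, amount=0.0,
              human_approved=False):
    """Return 'allow', 'deny' or 'needs_approval' for one tool call.

    task_scope is the set of capabilities delegated for THIS invocation only
    (AC-6: the minimum for the task, not for everything the agent could do).
    sensitivity is the target resource's classification: 'public', 'internal' or 'pii'.
    """
    if action not in task_scope:                       # AC-6: outside this task's envelope
        decision = "deny"
    elif user_role not in POLICY.get(action, set()):   # AC-3: explicit access decision
        decision = "deny"
    elif sensitivity == "pii" or (action == "transfer_funds" and amount > FUNDS_THRESHOLD):
        decision = "allow" if human_approved else "needs_approval"  # human stays in the loop
    else:
        decision = "allow"
    # AU-3: what was requested, under which delegation, and what was decided.
    AUDIT_LOG.append({
        "ts": time.time(), "role": user_role, "scope": sorted(task_scope),
        "action": action, "sensitivity": sensitivity, "amount": amount,
        "human_approved": human_approved, "decision": decision,
    })
    return decision
```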
Zone 2: Agent Execution Environment — Isolation and Containment
This is where the agent runs. It’s the most critical boundary because a compromised execution environment gives an attacker the agent’s full delegated authority. The controls here are about containment: ensuring that even if the agent behaves unexpectedly, the blast radius is limited.
Key Controls
SC-39 (Process Isolation) — Each agent instance must execute in an isolated process space. No shared memory with other agents or host processes. Container isolation is the minimum; sandboxed execution with syscall filtering is better. If your agent can read another agent’s memory space, you’ve already failed.
CM-7 (Least Functionality) — Strip the execution environment to bare essentials. No network tools the agent doesn’t need. No file system access beyond its working directory. No installed packages beyond runtime dependencies. Every unnecessary capability is an attack surface.
SC-4 (Information in Shared Resources) — Prevent information leakage between agent sessions. Clear execution context between invocations. Shared resources like temp directories, environment variables, and cached credentials must be scoped per session and purged on completion.
SC-28 (Protection of Information at Rest) — Agent working memory, intermediate results, and cached data must be encrypted at rest. This includes conversation history, tool outputs, and any persisted state.
SI-3 (Malicious Code Protection) — Scan agent inputs and outputs for injection attacks. Prompt injection is the AI-native equivalent of SQL injection — treat it with the same seriousness. Apply input validation, output sanitization, and behavioral anomaly detection.
Implementation Guidance
Deploy agents in ephemeral containers with read-only root filesystems. Use gVisor or similar kernel-level isolation. Implement network policies that restrict agent egress to only approved endpoints. Monitor for anomalous system calls, unexpected network connections, and unusual resource consumption patterns. The dig8ital factory provides reference architectures for hardened agent execution environments.
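As an added example, not the page's or dig8ital's code, a per-invocation session context that implements the SC-4 and CM-7 points above in Python: a scoped working directory and an allow-listed environment, both purged when the invocation completes. The allow-list and variable names are constructed; container and kernel isolation (gVisor, network policy) sit below this layer and are not shown.

```python
"""Per-session agent execution context (SC-4, CM-7): an added example with a
constructed environment allow-list, not code from the page or dig8ital."""
import os
import shutil
import tempfile
import uuid

# CM-7: only these host variables reach the agent; cloud credentials, tokens
# and proxy settings present on the host are withheld by default.
ENV_ALLOWLIST = ("PATH", "LANG", "TZ")


class AgentSession:
    """Give one invocation its own working directory and environment, purged on exit."""

    def __init__(self):
        self.session_id = uuid.uuid4().hex
        self.workdir = None
        self.env = None

    def __enter__(self):
        self.workdir = tempfile.mkdtemp(prefix=f"agent-{self.session_id[:8]}-")
        os.chmod(self.workdir, 0o700)   # owner-only: peer sessions cannot read it
        self.env = {k: os.environ[k] for k in ENV_ALLOWLIST if k in os.environ}
        # Point home and temp locations at the session dir so nothing lands elsewhere.
        self.env.update({"AGENT_SESSION": self.session_id,
                         "HOME": self.workdir, "TMPDIR": self.workdir})
        return self

    def __exit__(self, *exc):
        # SC-4: purge working files and cached state when the invocation completes.
        shutil.rmtree(self.workdir, ignore_errors=True)
        self.env = None
        return False

    def write(self, name, data):
        """Write a scratch file, forcing the path to stay inside the session dir."""
        path = os.path.join(self.workdir, os.path.basename(name))
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(data)
        return path

    def exists(self):
        """True while the session's working directory is still on disk."""
        return self.workdir is not None and os.path.exists(self.workdir)
```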
Zone 3: Enterprise Systems — Identity and Access
When an agent interacts with your enterprise systems — databases, APIs, SaaS platforms, internal services — it crosses into Zone 3. This is where traditional IAM controls do the heavy lifting, but they need to be extended to handle non-human identities.
Key Controls
IA-8 (Identification and Authentication of Non-Organizational Users) — Treat AI model providers and external agent services as non-organizational users. Require strong authentication for all inbound API calls. Mutual TLS at minimum.
IA-2 (Identification and Authentication) — Agents must authenticate with unique, non-shared credentials. No hardcoded API keys. No shared service accounts across agent types. Each agent instance gets its own identity with scoped permissions and rotatable credentials.
AC-2 (Account Management) — Agent service accounts require the same lifecycle management as human accounts: provisioning, review, suspension, and deprovisioning. Implement automated expiry. If an agent hasn’t been invoked in 90 days, its credentials should be suspended automatically.
SC-7 (Boundary Protection) — Enforce network segmentation between the agent execution environment and enterprise systems. Agents should access enterprise resources through API gateways with rate limiting, request validation, and logging — not through direct network connectivity.
SI-10 (Information Input Validation) — Validate all data flowing from agents into enterprise systems. An agent’s output is untrusted input to your enterprise. Apply the same input validation you’d apply to any external API consumer: schema validation, type checking, range constraints, and business rule enforcement.
Implementation Guidance
Deploy a dedicated API gateway for agent-to-enterprise communication. Implement OAuth 2.0 with short-lived tokens and narrow scopes. Use a secrets manager with just-in-time credential provisioning. Log every agent interaction with enterprise systems at the API gateway layer and correlate with agent-side audit logs for end-to-end traceability.
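An added example with a constructed schema, not gateway code from the page or dig8ital, of the SI-10 checks named above applied to an agent-produced request at the API gateway (schema, types, ranges, business rule), together with the AC-2 90-day idle check from the account management control; the endpoint, vendor list and limits are assumptions.

```python
"""SI-10 validation of agent output at the API gateway, plus the AC-2 idle
check: an added example with a constructed schema, not gateway code from the
page or dig8ital. Agent JSON is treated as untrusted external input."""
import json
from datetime import datetime, timedelta

# Constructed schema for one enterprise endpoint (create purchase order):
# field -> (accepted type(s), range/format constraint).
SCHEMA = {
    "vendor_id": (str, lambda v: v.isalnum() and len(v) <= 16),
    "amount":    ((int, float), lambda v: 0 < v <= 50_000),
    "currency":  (str, lambda v: v in {"USD", "EUR", "GBP"}),
    "memo":      (str, lambda v: len(v) <= 200 and "\n" not in v),
}
APPROVED_VENDORS = {"ACME42", "GLOBEX7"}   # constructed business-rule data
IDLE_LIMIT = timedelta(days=90)            # AC-2 automated expiry from the guidance above


def validate_agent_request(raw):
    """Return a list of violations; an empty list means the request may be forwarded."""
    problems = []
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"malformed JSON: {exc.msg}"]
    if not isinstance(data, dict):
        return ["top-level value must be an object"]
    for key in sorted(set(data) - set(SCHEMA)):   # reject fields the endpoint never defined
        problems.append(f"unexpected field: {key}")
    for key, (typ, ok) in SCHEMA.items():
        if key not in data:
            problems.append(f"missing field: {key}")
            continue
        val = data[key]
        if isinstance(val, bool) or not isinstance(val, typ):   # bool is an int subclass
            problems.append(f"wrong type for {key}")
        elif not ok(val):
            problems.append(f"invalid value for {key}")
    if not problems and data["vendor_id"] not in APPROVED_VENDORS:   # business rule
        problems.append("business rule: vendor not approved")
    return problems


def should_suspend(last_invoked_iso, now_iso):
    """True when an agent identity has been idle longer than IDLE_LIMIT (ISO-8601 inputs)."""
    idle = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_invoked_iso)
    return idle > IDLE_LIMIT
```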
Zone 4: AI Model Provider — Supply Chain Security
The model provider is your most opaque dependency. You send sensitive context to it. You receive non-deterministic outputs. You have limited visibility into model behavior changes. This is a supply chain problem, and NIST 800-53 has supply chain controls.
Key Controls
SA-12 (Supply Chain Protection) — Assess model providers as critical suppliers. Require transparency into model versioning, training data provenance, and change notification processes. Your supply chain risk assessment must include AI model providers alongside traditional software vendors.
SA-9 (External System Services) — Define explicit security requirements for model provider services: data handling commitments, geographic processing constraints, audit rights, and incident notification obligations. Codify these in your service agreements.
SR-3 (Supply Chain Controls and Processes) — Implement controls to detect unauthorized model changes. Pin model versions where possible. Monitor for behavioral drift by maintaining evaluation benchmarks and running them on a schedule.
SC-7 (Boundary Protection) — All traffic to model providers must traverse monitored egress points. Implement data loss prevention (DLP) at the boundary to prevent sensitive data from being included in prompts. This isn’t hypothetical — prompt context regularly includes data that shouldn’t leave your network.
SC-8 (Transmission Confidentiality and Integrity) — Encrypt all communications with model providers. Verify certificate chains. Implement certificate pinning for critical model provider endpoints.
Implementation Guidance
Maintain a model provider inventory with risk ratings. Implement prompt filtering that strips PII, credentials, and classified information before data leaves your network. Establish model evaluation pipelines that detect behavioral changes between versions. Require contractual commitments for data handling and breach notification.
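An added example, not the page's or dig8ital's code, of the Zone 4 guidance: a DLP filter that redacts PII and credentials before a prompt leaves the network, a block on classification markers, and an SR-3 pinned-version and benchmark drift check. The regex patterns, marker strings, model version string and benchmark figures are all constructed.

```python
"""Egress prompt filter (SC-7 DLP) and pinned-version / benchmark drift check
(SR-3) for Zone 4: an added example with constructed patterns and benchmark
data, not code from the page or dig8ital."""
import re

# Constructed DLP patterns; a production filter would add a proper PII and
# secrets classifier rather than relying on regular expressions alone.
PATTERNS = {
    "email":   re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn":     re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "api_key": re.compile(r"\b(?:sk|AKIA)[A-Za-z0-9_-]{16,}\b"),
    "card":    re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),   # 13 to 16 digits
}
CLASSIFICATION_MARKERS = ("CONFIDENTIAL", "SECRET")   # constructed marking strings
PINNED_MODEL = "provider-model-2024-06"               # placeholder pinned version


def redact_prompt(text):
    """Replace sensitive spans with typed placeholders; return (clean_text, counts)."""
    counts = {}
    for name, rx in PATTERNS.items():
        text, n = rx.subn(f"[REDACTED_{name.upper()}]", text)
        if n:
            counts[name] = n
    return text, counts


def gate_egress(prompt):
    """Return (prompt_to_send or None, counts). None means the call is blocked."""
    clean, counts = redact_prompt(prompt)
    if any(marker in clean for marker in CLASSIFICATION_MARKERS):
        return None, counts   # classified content never leaves the network
    return clean, counts


def check_drift(reported_version, baseline, current, tolerance=0.05):
    """Flag an unpinned model version or a benchmark pass-rate drop beyond tolerance."""
    findings = []
    if reported_version != PINNED_MODEL:
        findings.append(f"version changed: {reported_version} != {PINNED_MODEL}")
    for name, base_rate in baseline.items():
        cur = current.get(name)
        if cur is None:
            findings.append(f"benchmark missing: {name}")
        elif base_rate - cur > tolerance:
            findings.append(f"drift on {name}: {base_rate:.2f} -> {cur:.2f}")
    return findings
```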
Implementation Roadmap
Moving from control mapping to operational deployment requires a phased approach:
The Complete Control Mapping
The 47 controls span these 14 families:
| Family | Controls | Primary Zone |
|---|---|---|
| AC (Access Control) | AC-2, AC-3, AC-4, AC-5, AC-6, AC-17, AC-20 | Zones 1, 3 |
| AU (Audit) | AU-2, AU-3, AU-6, AU-12 | All Zones |
| CA (Assessment) | CA-7, CA-9 | All Zones |
| CM (Configuration) | CM-2, CM-3, CM-7, CM-8 | Zone 2 |
| IA (Identification) | IA-2, IA-4, IA-5, IA-8 | Zones 2, 3 |
| IR (Incident Response) | IR-4, IR-5, IR-6 | All Zones |
| MP (Media Protection) | MP-2, MP-4 | Zone 2 |
| PM (Program Management) | PM-9, PM-11 | Zone 1 |
| RA (Risk Assessment) | RA-3, RA-5 | All Zones |
| SA (Acquisition) | SA-4, SA-9, SA-12 | Zone 4 |
| SC (System & Comms) | SC-4, SC-7, SC-8, SC-12, SC-13, SC-28, SC-39 | Zones 2, 3, 4 |
| SI (System & Info Integrity) | SI-3, SI-4, SI-5, SI-10 | Zones 2, 3 |
| SR (Supply Chain) | SR-2, SR-3, SR-5 | Zone 4 |
| PT (PII Processing) | PT-2, PT-3 | All Zones |
Stop Waiting for a New Framework
The controls exist. The mapping is clear. The gap isn’t knowledge — it’s application. Every month you spend evaluating new AI security frameworks is a month your AI agents operate outside your existing control baseline.
Start with your highest-risk agents. Map them to trust boundaries. Apply the controls you already have. Close the gaps you find.
If you need help operationalizing this mapping — from agent architecture review to automated control validation — get in touch. The dig8ital factory builds secure agent infrastructure grounded in established frameworks, not hype cycles.