
We're Underregulating AI Agents. The Bill Is Coming Due.

Every framework governing AI today was written for AI systems built and shipped on a release cycle. None of them govern the autonomous agents enterprises are actually deploying. The gap is going to close — and it's going to close in courtrooms, not in policy debates.

Atul B
Co-Founder & CEO
2026-06-08

Nine seconds. That is how long it took an autonomous AI agent on stage at RSAC 2026 to delete a production database. The CEO running the demo was making a point about runaway agent authority, but the laughter in the audience was uncomfortable — every security leader in that room knew their own agents had the same permissions and they had no plan if one of them did the same thing.

This is the gap I want to talk about. Not the AI risks that fit into existing frameworks. The risks that exist because the frameworks haven't been written yet.

The regulations were written for a different kind of AI

The NIST AI Risk Management Framework was finalized in January 2023. The 2024 Generative AI Profile that followed it addressed model outputs — what the AI says, what it generates. ISO/IEC 42001, the international AI management-system standard, was published in December 2023. The EU AI Act, the most comprehensive AI law in the world, was adopted in 2024 with a risk-tiered structure built around AI systems and their intended purpose.

All three of these instruments were drafted before the modern agent stack existed. They contemplate AI as something an organization builds, validates, deploys, and monitors on a release cycle. A system with a version number. A defined intended use. A bounded set of inputs and outputs.

That is not the AI that enterprises are running in 2026.

The AI that matters now is an autonomous agent. It plans toward a goal we gave it last week. It chose three tools to use today that it didn't have access to yesterday. It read a document this morning that changed its understanding of what we asked it to do. It will hand off to another agent this afternoon, and that agent will act on our behalf without anyone signing off on its plan.

This is not a system you ship. This is a colleague you didn't background-check, can't fire, and can't reliably identify.

The risks have names. The laws don't.

In December 2025, the OWASP Foundation published the Top 10 for Agentic Applications — a peer-reviewed framework developed by more than a hundred security researchers cataloging the ten most critical risks unique to autonomous agents. Goal hijack. Tool misuse. Identity and privilege abuse. Supply chain compromise. Memory poisoning. Insecure inter-agent communication. Cascading failures. Human-agent trust exploitation. Rogue agents.

Read that list and then read the EU AI Act. Read the NIST AI Risk Management Framework. Read ISO 42001's Annex A controls. None of those documents name these risks. The May 2026 Digital Omnibus that deferred the EU AI Act's high-risk obligations to December 2027 didn't address the gap either — it bought time on implementation timelines, not coverage.

Gartner formalized "Guardian Agents" as a product category in 2026 — AI agents whose job is to govern other AI agents at machine speed. The analyst note projecting that this segment will capture 10 to 15 percent of the agentic AI market by 2030 was published precisely because the existing security stack does not govern agent execution at the speed agents operate. The market is building what the law hasn't yet defined.

This is what underregulation looks like in 2026: the discipline has named the risks. The regulators have not picked them up.

Enterprises are deploying ahead of the law

The Cloud Security Alliance reported in May 2026 that 79 percent of organizations lack visibility into agent or MCP traffic. Seventy-six percent report shadow AI as an active problem, up from 61 percent a year earlier. Industry surveys consistently find that roughly nine in ten enterprises cannot attribute autonomous AI actions to specific identities. Eighty percent of organizations report that their AI agents have taken at least one unauthorized action.

I see this in every deal I do. CISOs and CIOs are not blind to the gap. They know they cannot enumerate the agent fleet they already run. They know their incident response runbook does not cover the case where the agent is the actor. They know the kill switch they have on paper would not survive contact with a production incident. They are deploying anyway, because the productivity case for agents is overwhelming and waiting is not actually an option.

I am not faulting them for that. I would do the same thing. But I want to be clear about what is happening: we are running a generational experiment in granting machines the authority to act without granting them the accountability to face consequences. The regulators are not in the loop. The auditors are catching up. The vendors are racing.

The bill arrives in court, not Congress

When the regulatory framework does not exist, the rules get drafted somewhere else. They get drafted in litigation.

The class action against UnitedHealth over its naviHealth nH Predict tool moved past dismissal in February 2025; discovery is now in motion in the District of Minnesota. Plaintiffs allege the algorithm functioned as the primary decision-maker on Medicare Advantage post-acute care denials and that the appeal-reversal rate hovered around 90 percent. Parallel cases are running against Humana for the same vendor's tool and against Cigna for its PXDX algorithmic-denial system. The Office of Inspector General added Medicare Advantage prior authorization to its 2026 Work Plan with AI algorithm use flagged as an emerging compliance risk. Stanford Law's CodeX program published an analysis in March titled, simply, Kill switches don't work if the agent writes the policy.

This is what filling the regulatory vacuum looks like. Courts asking, motion by motion, whether the AI was the actual decision-maker. Whether the human review documented in compliance binders was real. Whether the audit logs survive subpoena. Whether the agent's identity can be tied to the action.

The CIO will live under the precedent, not under the statute. Court-built rules are slower, more inconsistent across jurisdictions, and far more expensive to navigate than rules a regulator drafts deliberately. Every CIO I talk to understands that we are eighteen to twenty-four months from an agentic AI incident significant enough to compress the rule-making cycle into something far less measured.

Three things to do in the next twelve months

This is the part where I would normally argue for new regulation. I am not going to, because that argument writes itself and because the rules will get written regardless. The more interesting question is what enterprises should do in the gap.

One. Inventory every agent identity by name. The single most common pattern I see in enterprise environments is that nobody can produce a list of the autonomous AI agents currently in production. Sometimes it is shared service accounts. Sometimes it is shadow deployments from inside engineering. Sometimes it is vendor agents running under the customer's credentials. Until you can name them, the rest of the conversation is theoretical. The first thing the litigation discovery team will ask for is a list. The first thing the auditor will ask for is the same list.

Two. Move your AI governance committee from a quarterly cadence to a monthly working meeting plus a quarterly board update. Your committee was modeled on data governance, and data governance reviews are quarterly because data changes slowly. Agents change behavior between meetings. They ingest new tools, accumulate memory, drift from their original goal. A governance body that meets four times a year cannot govern a thing that changes hourly. The monthly working meeting catches the operational issues; the quarterly meeting keeps the board informed.

Three. Renegotiate your AI vendor contracts now, while you still have leverage. The OWASP Top 10 for Agentic Applications and the Cloud Security Alliance AI Controls Matrix already exist. Bring them into your procurement language this quarter. Demand training-data lineage. Demand per-agent identity attestation. Demand auditable override logs. Demand a kill switch you can pull in production without an engineering change request. Most vendors will not have ready answers. Make the answers a contractual requirement. The vendors who can answer will reward you. The vendors who cannot will not be the ones standing when the precedent gets set.

What the gap actually costs

I started this piece with the RSAC demo because the nine-second framing is memorable, but it is not the real risk. The real risk is the version of that incident that does not get demoed on stage. It happens at three in the morning. It happens because an autonomous agent received a tool description that contained an instruction nobody saw, made a decision nobody reviewed, and acted in a way nobody can attribute. It happens in a healthcare system where a clinician override didn't get logged, or in a financial services firm where a refund agent created a six-figure exposure before anyone noticed, or in a manufacturing environment where the agent that controls a piece of physical infrastructure made a call no human signed off on.

The frameworks we have were written for the AI we built. They do not govern the AI that wakes up each morning and decides what to do next. We have time to draft those rules deliberately. We are choosing not to. The rules will get drafted anyway — just by people with subpoena power and a lot less context.

Sources: Cloud Security Alliance, "Shadow AI Agents" report (May 2026) · OWASP Top 10 for Agentic Applications 2026 (December 2025) · NIST AI Risk Management Framework 1.0 (January 2023) · ISO/IEC 42001:2023 · EU AI Act (Regulation 2024/1689) and Digital Omnibus political agreement (May 2026) · Gartner Guardian Agents press release (June 2025) · Stanford CodeX, "Kill switches don't work if the agent writes the policy" (March 2026) · Estate of Lokken et al. v. UnitedHealth Group, D. Minn. · OIG Work Plan 2026 entry on Medicare Advantage prior authorization · RSAC 2026 keynote coverage (Fortune).
