In 2025, boards asked which model to standardize on. The question is now settled, and it was always the smaller one. The model is one layer of four. The other three are where an agent reads your data, calls your tools, and takes action.
Model choice is close to commoditized. Performance gaps between frontier models are measured in weeks. The layer that decides is not where the risk lives.
The risk lives at the execution layer. That is where an agent invokes a tool, moves money, writes to a record, or sends a message. Govern the model and you govern the decision. You do not govern the act.
The standards bodies moved first
On February 17, 2026, NIST opened the AI Agent Standards Initiative through its Center for AI Standards and Innovation. The declared scope is agent identity, authorization, agent security, and interoperable protocols (NIST, 2026). None of that is model quality. All of it is what happens after the model decides.
The Cloud Security Alliance went further. Its Agentic Profile for the NIST AI Risk Management Framework adds categories the base framework never carried: tool-use risk, runtime behavioral governance, and delegation-chain accountability (CSA, 2026). Its note on audit is blunt. Traditional audit log review is insufficient when an agent can take hundreds of actions in the time a human reviews one.
The model vendor says the same thing
Anthropic frames an agent as four layers: the model, the harness, the tools, and the environment. Its position is direct. The model layer alone cannot secure agentic AI (Anthropic, 2026). Three of the four layers sit outside the model. That is where an agent does the damage, and the work.
This is a model-agnostic architecture problem, not a question of vendor loyalty. Whether you run Anthropic, OpenAI, or Mistral, the ungoverned surface is the same. It is the set of tools the agent may call, and the trace of what it did with them.
In an agentic system, the model decides and the tools act. Governance that stops at the model governs the decision and ignores the act. Hikari Blue · operator note
The market is already paying for the gap. Gartner projects that over 40% of agentic AI projects will be canceled by the end of 2027, citing escalating costs, unclear business value, and inadequate risk controls (Gartner, 2025). Inadequate risk controls is the execution layer under a milder name.
What this changes for the board
For the CISO, the unit of control is no longer the prompt. It is the tool call: which agent, which permission, which policy decision, which reasoning step before the action. Each one logged before execution, not reconstructed after the incident.
For the CTO, this is architecture, not a bolt-on. An audit trail assembled after the fact is a reconstruction. An audit trail engineered into the tool gateway is evidence. Kill switch as architecture, not feature. Zero cleartext data server-side. These are build decisions taken before the first agent ships, not settings toggled after it misfires.
For the board, the question moves from awareness to proof. Being aware that you run agents is not governance your board can look in the eye. Being able to show what each agent did, under what authority, is. Awareness is a slide. Proof is a trace.
The question to bring to the next board
Do not ask which model you standardized on. That answer ages in weeks.
Ask whether you can produce, today, the trace of every tool your agents called, the permission that authorized it, and the reason the agent gave before it acted.
If the answer is a reconstruction, you have a model policy. You do not yet have an operating layer.
Sources
- NIST (2026). AI Agent Standards Initiative, Center for AI Standards and Innovation. nist.gov/artificial-intelligence/ai-agent-standards-initiative
- Anthropic (2026). Zero Trust for AI Agents. claude.com/blog/zero-trust-for-ai-agents
- Cloud Security Alliance (2026). NIST AI RMF: Agentic Profile v1. labs.cloudsecurityalliance.org/agentic/agentic-nist-ai-rmf-profile-v1
- Gartner (2025). Gartner Predicts Over 40% of Agentic AI Projects Will Be Canceled by End of 2027. gartner.com/en/newsroom/press-releases
The Hikari Blue team · Austin, July 2026