A Standards Map for Agentic AI

Agentic AI systems are often discussed as if they were single products that need a single standard. That framing breaks down as soon as the system acts. An agentic deployment contains deterministic control logic, operational security, model reasoning, tool permissions, memory, handoffs, receipts, and human approval boundaries. Each layer fails differently.

This briefing maps existing safety, security, and AI-governance standards onto those layers. The finding is practical rather than exotic: many of the standards already exist. The missing work is architectural separation, an explicit rule that deterministic control outranks AI reasoning, and receipts that prove who authorized consequential action.

A security lead handed an agentic system usually starts with a reasonable question: is this thing SOC 2 compliant, ISO 42001 compliant, or covered by the AI RMF? The problem is the noun. The agent is not one thing. It is a stack of things.

The control layer that refuses an unsafe tool call is not governed like the model that interprets a request. The credentials an agent can use are not governed like the memory it writes. The log that says an action happened is not the same as a receipt proving the action was allowed.

Traditional safety standards belong near the deterministic parts of the system. Security and monitoring standards belong around access, credentials, infrastructure, and incident response. AI-governance standards belong around model behavior. Audit and accountability controls belong at the boundary where the system changes the world.

This table mixes legal requirements, contractually required controls, certifiable standards, and voluntary frameworks. That distinction matters. DFARS does not have the same force as the NIST AI RMF; ISO/IEC 42001 is not the same kind of artifact as a concept note. The map is a starting point for placement, not a claim that every row applies to every deployment.

The central architectural rule is simple enough to print on a badge: deterministic control overrides AI reasoning, never the reverse. The model can interpret ambiguous requests, draft plans, classify inputs, and recommend actions. It should not be able to talk the system past a hard limit.

No current standard applies this principle explicitly to the boundary between deterministic control and AI reasoning. That is why the boundary has to be designed in rather than certified after the fact.

Most agent platforms produce logs. Logs are necessary, but they are not enough. An auditor wants to know who authorized the action, what the system believed at the time, which rule permitted it, what changed, and how it could be undone.

The receipt fields from The Boring Stack Playbook become compliance evidence here: authority, state, evidence, rule, action, owner, rollback, and escalation. The difference between a transcript and a receipt is the difference between observability theater and evidence an auditor can actually use.

These are the places where reaching for an existing standard does not work cleanly, because the failure mode did not exist when the standard was written.

Standards bodies and researchers are starting to name the same problems. The NIST AI Agent Standards Initiative, created in February 2026, and a recent runtime-guardrails paper both point in the same direction: an agent can look acceptable at each individual step while producing an unacceptable trajectory overall.

The stable part of the argument is the layer map. The moving part is the agent-specific standards work, which is active but not finished. A standards initiative is not a standard, and a concept note is not a final profile.