3 priorities for federal CISOs in the agentic era

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and allied governments have issued guidance urging federal agencies to treat autonomous AI systems as a core cybersecurity concern. Federal CISOs must establish agencywide agentic security programs, develop playbooks for agent-driven incidents, and simulate adversarial attacks to address threats that outpace traditional controls.

3 priorities for federal CISOs in the agentic era COMMENTARY | As agentic AI use spreads across government, agencies need to develop security programs, craft playbooks for mitigating incidents and simulate adversarial attacks. The U.S. Cybersecurity and Infrastructure Security Agency CISA , alongside counterpart agencies from allied governments, recently published guidance advising organizations to treat autonomous AI systems as a core cybersecurity concern. While the guidance focused primarily on critical infrastructure operators, its implications extend directly to the broader federal government. Federal CISOs are not just experimenting with AI; they are being held accountable for securing it under zero trust mandates, software supply chain requirements and emerging federal AI governance frameworks. Recent coverage of federal cybersecurity makes one thing clear: AI threats have evolved faster in the last 12 months than most agencies have been able to absorb. Agents are operating inside government environments today, some built by agency teams, others introduced or manipulated by adversaries. And they act at a speed and scale that outpaces traditional security controls. These systems are already being embedded into mission workflows, from automating benefits processing and case management to assisting cyber analysts and accelerating operational decision making. Federal agencies are only beginning to understand what these threats actually look like in practice. What is clear is that managing them requires a fundamentally different approach, one built for the agentic era, not retrofitted from the playbook that preceded it. Three priorities should guide agency CISOs through this transition. Priority One: Establish an agencywide agentic security program. Agentic AI systems are already operating inside government organizations, without the knowledge of security teams. That visibility gap must close. Agency CISOs should begin by inventorying every agent in their organization’s environment: what data and systems it can access, what identity it runs under and what decisions it is authorized to make. Without that inventory, securing these systems is not possible. In the federal context, this means treating agents as non-human identities and extending zero trust principles beyond users and devices to include autonomous systems as first-class actors. But visibility alone is insufficient. Agents are created, modified and deployed at developer speed, often in minutes — not months. Government security teams need to be embedded directly into how agents are built, tested and deployed from the start. Traditional governance structures are also poorly suited to this pace. Security teams designed to review changes on monthly or quarterly cycles cannot keep up with agentic deployment timelines. What is needed instead is governance that is automated, embedded and continuous, including real-time policy enforcement and monitoring capable of detecting behavioral drift as it occurs. Priority Two: Develop an agency playbook for agent-driven incidents. Nearly every government security breach to date has involved social engineering and a human link in the kill chain. Incident response frameworks have been built around human behaviors — a person clicking a malicious link, accessing unauthorized data or making an unauthorized change. When an agent is the one taking the action — executing a flawed instruction or misinterpreting context — that model no longer applies. Agencies must begin treating agents as autonomous actors, not as extensions of a user. Right now, most agencies lack a playbook for this. Developing one requires defining what evidence is relevant in an agentic investigation: the agent’s instruction chain, the model outputs it acted on, the context window it operated within, the permissions it invoked and the decision boundaries it crossed. Just as importantly, agencies must be able to reconstruct and explain these decisions in a way that withstands audit, oversight and legal scrutiny from inspectors general to congressional inquiries and FOIA requests. Failure modes also look different for agents than for humans. Agents can act on incomplete or manipulated context, follow attacker-crafted instructions or drift outside their intended scope, creating a new category of incident. Priority Three: Simulate adversarial AI attacks. Defensive security training prepares teams to protect systems. It does not prepare them to think like adversaries who invest significant effort in learning how to misuse agents, exploit prompt structures or push AI systems outside their intended boundaries. Agencies need people with genuine offensive AI expertise — and where that expertise does not exist internally, they should develop it through partnerships with organizations that have it. This is particularly critical in the federal landscape, where nation-state adversaries are actively experimenting with prompt injection, data poisoning and AI-driven workflow manipulation to exploit government systems. AI red-teaming must also be tightly integrated with incident response. When agencies struggle to reconstruct what an agent did and why, the answer is simulation: prompt injection scenarios, harmful instruction chains, privilege misuse, scope drift and unanticipated action sequences. These scenarios should be stress-tested regularly. The agentic era is already reshaping how federal systems operate, and how they are attacked. For federal CISOs, the challenge is not just adopting AI, but securing it in a way that aligns with zero trust mandates and ensures accountability at scale. Agencies that move now to establish visibility, enforce real-time controls and continuously test agent behavior will be better positioned to stay ahead of both risk and mission disruption. Larry Kovalsky is the Director of Public Sector Solutions Engineering at Netskope.