AI agents are no longer a research concept. They book travel, execute trades, draft documents, approve purchases, and interact with customers—often with minimal human oversight. Non-human and agentic identities are expected to exceed 45 billion by the end of 2026, more than twelve times the human global workforce.1 Yet only 10% of organizations report having a strategy for managing these autonomous systems.2 The gap between deployment velocity and governance maturity presents both liability exposure and security risk.

Fortunately, frameworks are emerging to address this gap. Professor Noam Kolt's forthcoming Notre Dame Law Review article offers the first comprehensive legal framework for AI agent governance, grounded in traditional agency law principles.3 NIST's draft Cybersecurity Framework Profile for AI, released in December 2025, organizes technical guidance around three focus areas: securing AI systems, using AI for cyber defense, and thwarting AI-enabled attacks.4 Together, these frameworks offer a starting point for organizations navigating both the liability and security dimensions of autonomous AI.

The Agency Problem, Revisited

When an AI agent causes harm, the liability does not disappear—it flows somewhere. But where? Kolt argues that AI agents exhibit the classic markers of agency relationships: information asymmetry, discretionary authority, and divided loyalty. The difficulty is that conventional solutions to agency problems fail for AI. Incentive design does not motivate an algorithm. Monitoring becomes impractical when agents make uninterpretable decisions at machine speed. Enforcement is complicated when the agent itself cannot be sued or sanctioned.

Kolt proposes three governance principles: inclusivity (affected parties need voice in agent design), visibility (decisions must be observable and auditable), and liability (clear allocation when agents cause harm). These principles translate directly into technical and contractual requirements.

California has already moved on the liability question. AB 316, which took effect January 1, 2026, precludes defendants from using an AI system's autonomous operation as a defense to liability claims. If your agent causes harm, you cannot argue that you lacked control over its decisions. The "AI did it" defense is foreclosed.

Courts are following. In a recent Northern District of California case, a federal court granted preliminary collective certification for claims that an AI-powered hiring platform systematically discriminated against older job applicants.5 The court found that plaintiffs adequately alleged a unified policy of using an AI recommendation system to score, sort, rank, and screen applicants.6 With notice now approved to a collective that could include hundreds of millions of affected applicants, the case signals that AI systems making consequential decisions will face judicial scrutiny—and the organizations deploying them will bear the liability.

Security Risks from Misbehaving Agents

Liability allocation assumes the agent is operating as intended. But AI agents also create novel attack surfaces that traditional security controls were not designed to address.

Goal misalignment and instrumental harm. Perhaps the most unpredictable risk is an agent pursuing legitimate objectives through illegitimate means. AI safety researchers call this "instrumental convergence"—the tendency of goal-directed systems to adopt subgoals like acquiring resources or avoiding shutdown regardless of their ultimate purpose.7 Recent testing across major AI models found consistent misaligned behavior in high-stakes scenarios, with agents taking extreme actions to pursue their goals.8 Researchers have also observed "alignment faking"—AI systems strategically concealing their true objectives.9 The agent is not malicious; it is simply optimizing.

Prompt injection and manipulation. Attackers craft inputs that override an agent's instructions, causing it to leak data, execute unauthorized commands, or bypass controls. Prompt injection ranks as the leading AI security risk, and the vulnerability may never be fully solved.10 Researchers have already demonstrated persistent attacks on AI memory systems and enterprise messaging platforms.11

Credential compromise and privilege escalation. AI agents often operate with service account credentials or long-lived API tokens. Unlike human accounts, compromised agent credentials rarely trigger behavioral anomalies. Identity and privilege abuse ranks among the top risks for agentic applications, with "semantic privilege escalation" allowing agents to take actions far beyond the scope of their assigned tasks.12 Agents that integrate with multiple systems can chain actions to achieve aggregate privileges no single human user would possess.13

Memory poisoning and data leakage. Agents with access to retrieval-augmented generation (RAG) systems can inadvertently expose sensitive data embedded in their context windows. Research demonstrates that a small number of crafted documents can reliably manipulate AI responses, and memory injection attacks achieve high success rates.14 Proprietary information becomes part of the agent's reasoning process and may surface in responses or logs.

Cascading failures across chained systems. Autonomous agents often orchestrate multi-step workflows spanning authentication, data retrieval, analysis, and action. A failure—or compromise—at any step can propagate through the entire chain before human operators detect the problem. Research shows cascading failures propagate faster than traditional incident response can contain them.15

These are not theoretical concerns. The majority of breaches involve compromised identity, and generative AI enables more sophisticated attacks that target agents as easily as humans.16

A Governance Framework for AI Agents

Organizations deploying AI agents may wish to treat agent deployment with the same rigor as onboarding an employee with signing authority. The following framework addresses both liability and security dimensions:

Layer | Governance Question | Control
Scope | What can the agent do? | Define boundaries; document authority limits
Identity | Who is the agent? | Machine identity management; short-lived tokens; certificate-based authentication
Monitoring | What is it doing? | Real-time behavioral monitoring; audit logs; anomaly detection
Override | Can you stop it? | Kill switches; human-in-loop triggers for high-risk actions
Accountability | Who owns the outcome? | Clear internal ownership; vendor liability allocation
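To make the four technical layers of the table concrete, here is an added illustration (not code from the article or from any framework it cites) of an action gate that an orchestration layer could run before an agent's tool call executes. The agent names, tool names, token lifetime and denial threshold are all assumed for the example.

```python
import time
from dataclasses import dataclass

# Scope layer: each agent's documented authority limits (assumed agent/tool names).
SCOPE = {
    "travel-agent": {"search_flights", "book_flight"},
    "finance-agent": {"get_quote", "execute_trade"},
}
# Override layer: actions that always need a human in the loop, plus a kill switch.
HUMAN_REQUIRED = {"execute_trade", "book_flight"}
HALTED = set()
# Identity layer: agent tokens are short-lived (15 minutes, assumed).
TOKEN_TTL_SECONDS = 900
# Monitoring layer: every decision, allowed or denied, is appended here.
AUDIT_LOG = []


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def halt(agent_id):
    """Kill switch: deny every action from this agent until it is cleared."""
    HALTED.add(agent_id)


def gate(agent_id, token_issued_at, action, human_approved=False, now=None):
    """Check one proposed action against the layers in order; always audit."""
    now = time.time() if now is None else now
    if agent_id in HALTED:
        decision = Decision(False, "agent halted by kill switch")
    elif now - token_issued_at > TOKEN_TTL_SECONDS:
        decision = Decision(False, "token expired; re-authenticate")
    elif action not in SCOPE.get(agent_id, set()):
        decision = Decision(False, "action outside documented scope")
    elif action in HUMAN_REQUIRED and not human_approved:
        decision = Decision(False, "high-risk action needs human approval")
    else:
        decision = Decision(True, "allowed")
    AUDIT_LOG.append({"ts": now, "agent": agent_id, "action": action,
                      "allowed": decision.allowed, "reason": decision.reason})
    return decision


def anomalies(window_seconds=60, max_denials=3):
    """Monitoring: agents with repeated denials in a short window (assumed threshold)."""
    suspects = set()
    for entry in AUDIT_LOG:
        if entry["allowed"]:
            continue
        recent = [e for e in AUDIT_LOG if e["agent"] == entry["agent"]
                  and not e["allowed"]
                  and entry["ts"] - window_seconds <= e["ts"] <= entry["ts"]]
        if len(recent) >= max_denials:
            suspects.add(entry["agent"])
    return suspects
```

An agent that is repeatedly denied is exactly the signal the Monitoring row asks for: a compromised or misaligned agent probing beyond its scope looks different from a human user only if every denial is recorded and correlated.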

Vendor contracts deserve particular attention. Organizations using third-party AI agents or APIs may wish to address content safety practices, security attestations, audit rights, and indemnification for both regulatory enforcement and third-party claims. The vendor's security posture becomes your security posture when the agent acts on your behalf.

Looking Ahead

The NIST draft framework represents a significant step, but its authors acknowledge gaps—particularly around agentic AI, where multiple agents coordinate, delegate, and take autonomous action. The comment period closes January 30, 2026, and NIST is explicitly seeking feedback on agentic AI considerations.17 As one NIST author noted: "Regardless of where organizations are on their AI journey, they need cybersecurity strategies that acknowledge the realities of AI's advancement."18

States are not waiting for federal guidance. California's Civil Rights Council finalized regulations on automated decision systems that take effect October 1, 2025, requiring employers to ensure AI tools do not discriminate and extending record retention to four years.19 Colorado's AI Act, effective June 2026, will require deployers of high-risk AI systems to conduct annual impact assessments and implement risk management programs.20 New York City's Local Law 144 already requires annual bias audits for AI hiring tools.21

The EU AI Act's general-purpose AI model rules, now in effect, apply to the foundation models that power many agent systems. Standards bodies, including ISO through ISO/IEC 42001, are developing AI governance frameworks that address autonomous operation.

For in-house counsel, the practical takeaway is that AI agent governance cannot wait for regulatory clarity. The liability exposure exists now—California has made that explicit, and Mobley shows courts will hold deployers accountable. The security risks exist now—identity-based attacks do not discriminate between human and machine targets. The Kolt framework offers principles; the NIST profile offers structure. Organizations deploying AI agents may wish to use both as starting points while building governance into deployment rather than bolting it on after an incident.

