Insight · Issue 3 · 22 May 2026

IT Assurance in the Agentic AI Era.

Traditional IT assurance — built for deterministic systems, static controls and human users — does not survive contact with agentic AI. A research report for Australian boards, CISOs and internal audit leaders.

By Kelvin Zhou · Founder, Parade Warrior · Sydney · 22 May 2026 · ~14 min read

Bottom line up front

Traditional IT assurance — designed around deterministic systems, static controls and human-initiated transactions — does not survive contact with agentic AI. Agents reason, plan, call tools, write to memory and act across systems at machine speed, using non-human identities that current IAM, change and audit programmes were never designed to govern.

By the end of 2026, Gartner expects ~40% of enterprise applications to embed task-specific AI agents (up from <5% in 2025). Gartner also expects over 40% of agentic AI projects to be cancelled by the end of 2027, primarily for inadequate risk controls, unclear business value and escalating cost.

The assurance function that wins this cycle will treat agents as a new control object class — assured continuously, at runtime, with evidence captured by design.

1. Why IT assurance must be re-engineered

The assurance discipline that grew up around SOX, COBIT, ITGCs, SOC 2 and ISO 27001 was built on three assumptions: (i) systems behave deterministically, (ii) changes are infrequent and human-authored, and (iii) the locus of decision-making is a named human user mapped to an identity in IAM. Agentic AI breaks all three.

Agents combine reasoning, planning and orchestration with autonomous tool-use, real-time memory and reinforcement from their environment. As EY frames it, agents differ from traditional and generative AI because they make decisions and act on them independently — and that autonomy is the source of both the value and the new risk surface.

Three systemic shifts follow:

  • From "who did what" to "why did it happen." ISACA notes that agentic AI decisions often lack clear traceability. The audit question is no longer just attribution — it is the causal chain from instruction → reasoning → tool invocation → effect.
  • From point-in-time testing to continuous, runtime assurance. Risk emerges during execution, not at design time, because state evolves and tools are invoked dynamically. AI TRiSM's runtime inspection layer becomes the de facto control plane.
  • From human identity to non-human identity (NHI) as the dominant subject. NHIs already outnumber humans roughly 17:1 inside large enterprises; agents accelerate the curve and amplify token-sprawl, over-permissioning and credential-rotation gaps.

The governance blind spot

The three most cited AI governance frameworks — NIST AI RMF 1.0, the EU AI Act, and ISO/IEC 42001 — contain no explicit mention of agentic AI. This is closing fast: NIST stood up the AI Agent Standards Initiative in February 2026, and CSA published the NIST AI RMF Agentic Profile extension aligned to the AI Controls Matrix (AICM) and the AAGATE runtime architecture. Assurance leaders should expect a refreshed, agent-aware baseline by H2 2026 — and align with ASD's Frontier AI Guidance in the meantime.

2. Eight control domains for assuring agents

The following synthesises the EY Agentic AI Risk Management Framework (eight-domain shield), the KPMG Trusted AI framework, PwC's Responsible AI operationalisation lens, Deloitte's Trustworthy AI, Gartner's AI TRiSM market guide and the OWASP Agentic Top 10 (2026).

1. Agent identity and non-human identity (NHI) governance
Agents need unique, verifiable identities with defined scope — not shared service accounts. Short-lived credentials, context-aware conditional access, separation of agent identity from the delegating-human identity, and full traceability of the delegation chain. NHIs already outnumber humans roughly 17:1 inside large enterprises, and the CSA / Oasis 2026 State of NHI survey rates legacy IAM and manual rotation as the dominant governance gap. The World Economic Forum has framed NHIs as agentic AI's new frontier of cyber risk.
2. Tool-use and action authorisation (MCP, function-calling)
Model Context Protocol (MCP) gives agents the ability to act, not just analyse. The protocol specifies how tools are described and invoked, not how they are secured: a stdio server runs with whatever credentials the host process holds, and authorisation on HTTP transports is optional, so a deployed MCP server is only as safe as the controls placed around it. Assurance controls: tool allow-listing, signed tool manifests, capability scoping per agent, prompt-injection harnesses on every tool boundary, and runtime policy enforcement at an AI gateway. This is the work scoped inside our Agentic Readiness Review.
3. Runtime behavioural assurance
IBM and Palo Alto both frame runtime as the new control plane: behaviour cannot be fully predicted from design artefacts, so detection and response must be continuous. EY's dual-control framework pairs preventative controls (limiting what an agent can do before it acts) with detective controls that continuously monitor and respond to unexpected behaviours.
4. Data lineage, memory and information governance
Trustworthy AI starts with trustworthy data: lineage, consent, classification, retention. Agents add long-lived memory — state that can be poisoned, exfiltrated, or leak across tenants. Controls: data-at-source classification, vector-store access policies, memory TTL, RAG provenance metadata, and AI-SPM coverage across managed and self-hosted models.
5. Evaluation, observability and quality
AI Evaluation & Observability Platforms (AEOPs) automate evals against quality, fairness and accuracy expectations, and feed logs, metrics and traces back into the loop. Without continuous evals, regression in agent quality is invisible — and agent-washing in vendor contracts is impossible to falsify.
6. Human oversight, escalation and accountability
Responsible AI principles require clear approval paths and criteria for testing and monitoring, with feedback loops to refine agents as they evolve. EY's six-step governance evolution stresses aligning oversight investment to the risk profile of each agent — not a flat policy.
7. Third-party and supply-chain assurance
The Mythos / third-party access incident demonstrated that an agent-grade defender tool was sidestepped via a third-party identity gap within three weeks of launch. Assurance must extend to model providers, MCP server vendors, agent platforms and embedded copilots — including SOC 2 + ISO 42001 evidence, AIUC-1 attestations where available, and contractual rights to audit eval results.
8. Regulatory and framework alignment
ISO/IEC 42001 (AIMS, certifiable since 2024), NIST AI RMF + Agentic Profile (draft 2026), the EU AI Act (high-risk obligations from 2 August 2026), APRA CPS 230 / 234 / 220 read through an AI lens, ASD's Frontier AI Guidance, AIUC-1 (the 'SOC 2 for AI agents'), and SOC 2 Trust Services Criteria mapped via SSAE 21 where AICPA guidance is still silent.

Two of our services map directly onto these domains: the Agentic Readiness Review covers domains 1–3 and the ISO 27001 + ISO 42001 ISMS uplift covers domain 8.
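Domains 1 and 2 above describe controls in the abstract; the following is an added example (not code from this report or from any vendor named in it) of what an AI gateway's authorisation decision looks like when those controls are applied to a single tool call. HMAC-SHA256 signatures stand in for the JWT/OAuth tokens and publisher-signed manifests a real gateway would verify, and the keys, agent name, delegating user and tool manifest are constructed for the demo. It shows a short-lived agent credential that carries the delegating human as a separate claim, a signed manifest that detects a tampered tool definition, tool allow-listing against the agent's scope, argument-level capability scoping, and an audit record that ties instruction, delegator, agent, tool and decision together for every call, denials included. The prompt-injection harness on the tool boundary is out of scope here.

```python
"""Added example: an AI-gateway authoriser for agent tool calls.

Illustrative only. HMAC-SHA256 stands in for JWT/OAuth tokens and signed
manifests; keys, agent names and the tool manifest are constructed.
"""
import base64
import hashlib
import hmac
import json
import re

TOKEN_KEY = b"gateway-token-signing-key"      # assumption: gateway-held secret
MANIFEST_KEY = b"tool-publisher-signing-key"  # assumption: tool publisher's key


def _canonical(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(key: bytes, payload: dict) -> str:
    mac = hmac.new(key, _canonical(payload), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def _verify(key: bytes, payload: dict, sig: str) -> bool:
    return hmac.compare_digest(_sign(key, payload), sig)


def mint_agent_token(agent_id, on_behalf_of, tools, ttl_seconds, now):
    """Short-lived, scoped credential. The agent ('sub') is a distinct identity
    from the delegating human ('act'); both travel with every call."""
    claims = {"sub": agent_id, "act": on_behalf_of, "scope": sorted(tools),
              "iat": int(now), "exp": int(now + ttl_seconds)}
    return {"claims": claims, "sig": _sign(TOKEN_KEY, claims)}


def sign_manifest(manifest):
    """Publisher signs the manifest so the gateway can detect a swapped or
    edited tool definition (supply-chain check on the tool, not the model)."""
    return {"manifest": manifest, "sig": _sign(MANIFEST_KEY, manifest)}


def authorise_tool_call(token, signed_manifest, call, instruction, now):
    """Decide one tool call. Returns (allowed, reason, audit_record). The audit
    record is produced for denials too, so the causal chain
    instruction -> delegator -> agent -> tool -> decision is always captured."""
    claims, manifest = token["claims"], signed_manifest["manifest"]
    reason = "ok"
    if not _verify(TOKEN_KEY, claims, token["sig"]):
        reason = "token signature invalid"
    elif claims["exp"] <= now:
        reason = "token expired"
    elif not _verify(MANIFEST_KEY, manifest, signed_manifest["sig"]):
        reason = "manifest signature invalid"
    elif call["tool"] not in manifest["tools"]:
        reason = "tool not in signed manifest"          # allow-list, part 1
    elif call["tool"] not in claims["scope"]:
        reason = "tool outside agent scope"             # allow-list, part 2
    else:
        # Capability scoping: each constrained argument must fully match the
        # regex the signed manifest declares for it.
        for arg, pattern in manifest["tools"][call["tool"]].get("constraints", {}).items():
            if not re.fullmatch(pattern, str(call["args"].get(arg, ""))):
                reason = f"argument {arg!r} violates constraint"
                break
    allowed = reason == "ok"
    audit = {  # hash rather than log the raw instruction; it may hold sensitive data
        "ts": int(now),
        "instruction_sha256": hashlib.sha256(instruction.encode()).hexdigest(),
        "on_behalf_of": claims["act"], "agent": claims["sub"],
        "tool": call["tool"], "args": call["args"],
        "decision": "allow" if allowed else "deny", "reason": reason,
    }
    return allowed, reason, audit


MANIFEST = {  # constructed manifest; a real one would be fetched from the MCP server
    "publisher": "finance-tools", "version": "1.2.0",
    "tools": {
        "lookup_invoice": {"constraints": {"invoice_id": r"INV-\d{6}"}},
        "send_email": {"constraints": {"to": r"[^@\s]+@example\.com"}},
        "delete_ledger": {},
    },
}


def run_demo():
    """Replay constructed calls through the gateway; returns {label: reason}."""
    now = 1_700_000_000
    signed = sign_manifest(MANIFEST)
    token = mint_agent_token("invoice-agent-01", "alice@example.com",
                             ["lookup_invoice", "send_email"], ttl_seconds=300, now=now)
    instr = "Find invoice INV-004711 and email the PDF to bob@example.com"
    lookup = {"tool": "lookup_invoice", "args": {"invoice_id": "INV-004711"}}
    cases = {
        "lookup": (signed, lookup, now),
        "email_internal": (signed, {"tool": "send_email", "args": {"to": "bob@example.com"}}, now),
        "email_external": (signed, {"tool": "send_email", "args": {"to": "drop@attacker.example"}}, now),
        "out_of_scope": (signed, {"tool": "delete_ledger", "args": {}}, now),
        "expired": (signed, lookup, now + 301),
    }
    # Attacker loosens the e-mail constraint but cannot re-sign the manifest.
    tampered = {"manifest": json.loads(json.dumps(MANIFEST)), "sig": signed["sig"]}
    tampered["manifest"]["tools"]["send_email"]["constraints"]["to"] = r".*"
    cases["tampered_manifest"] = (tampered, {"tool": "send_email", "args": {"to": "drop@attacker.example"}}, now)
    return {label: authorise_tool_call(token, man, call, instr, t)[1]
            for label, (man, call, t) in cases.items()}


if __name__ == "__main__":
    for label, reason in run_demo().items():
        print(f"{label:18} -> {reason}")
```

Two design points carry over to a production gateway regardless of signature scheme: the decision is taken against the signed manifest, never against the tool description the agent or MCP server presents at call time, and the audit record is written on the deny path as well as the allow path, because the denied calls are the ones an auditor reconstructing a causal chain will ask about.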

3. A reference control model for assuring agents

A Big-4-style control matrix mapping control nature (preventative / detective / corrective) to agent lifecycle stage (design → build → run):

Stage: Design
  Preventative: Use-case triage & risk tiering; agent register; ISO 42001 policy stack.
  Detective: Independent design review; pre-go-live assurance opinion.
  Corrective: Kill-switch + rollback plans baked into design.

Stage: Build
  Preventative: Threat modelling (MAESTRO, OWASP Agentic Top 10); tool allow-listing; red-teaming; signed model + MCP supply chain.
  Detective: Eval suites in CI/CD; OWASP AIVSS scoring; bias / robustness / drift tests.
  Corrective: Versioned rollback of prompts, tools, weights; reproducible eval baselines.

Stage: Run
  Preventative: AI gateway runtime enforcement (prompt-injection, DLP, jailbreak, tool-call policy); short-lived agent credentials; conditional access.
  Detective: Agent observability traces; behavioural anomaly detection; continuous evals on prod traffic; AI-SPM posture.
  Corrective: Auto-quarantine of agent; credential revocation; incident comms; root-cause to causal chain (instruction → reasoning → tool).

Re-stated for assurance: Gartner's AI TRiSM market guide defines four layers — AI Governance, AI Runtime Inspection & Enforcement, Information Governance, Infrastructure & Stack. Treat the top two layers as the new assurance estate that did not exist in your last ITGC scope.

4. The 2026 vendor landscape

The assurance toolchain is now meaningfully buyable, not just conceptual. Grouped by AI TRiSM layer:

4.1 Governance, policy & lifecycle

Big 4 advisory & attestation. KPMG AI Assurance, PwC Assurance for AI (UK launch July 2025), EY Responsible AI + agentic risk framework, Deloitte Trustworthy AI + agentic AI audit toolkit.

AI governance / GRC platforms. Credo AI, IBM watsonx.governance, OneTrust AI Governance, Holistic AI, Anch.AI, ModelOp, Monitaur, RelyanceAI.

Attestation standards. AIUC-1 (the "SOC 2 for AI agents"), ISO/IEC 42001 (UiPath, Genesys, Microsoft Copilot family certified).

4.2 AI runtime inspection & enforcement (AI gateways)

Palo Alto Networks Prisma AIRS, Prompt Security MCP Gateway, Zenity, NeuralTrust AI Gateway, Cequence AI Gateway (MCP-native), Truefoundry, F5, Cloudflare AI Gateway, Lakera Guard, Lasso, Robust Intelligence (Cisco), Protect AI (Palo Alto).

4.3 Agent observability & evaluation (AEOP)

Gartner published its first Market Guide for AI Evaluation & Observability Platforms — projecting 60% engineering-team adoption by 2028 from ~18% today. Representative vendors: Arize AX / Phoenix, LangSmith, Galileo, Braintrust, Langfuse, Helicone, HoneyHive, Maxim AI, Latitude, Openlayer, Azure AI Foundry Observability, Datadog LLM Observability.

4.4 Agent identity, NHI and authorisation

BeyondTrust Pathfinder (first GA agentic AI security solution, identity-led), Aembit, Veza, Astrix, Token Security, Entro, Oasis, Clutch, Lumos, Gravitee Agentic IAM, Ping Identity agentic-ready IAM.

4.5 Data observability & AI-ready data

Monte Carlo, Acceldata, Bigeye, Sifflet, Anomalo, Soda, Collibra DQ — all featured in Gartner's Data Observability Tools guide with agentic AI capabilities in the leaders set.

4.6 AI security posture management (AI-SPM)

Wiz AI-SPM, Palo Alto AI-SPM, Orca AI, Lakera, HiddenLayer, Protect AI, Mindgard, CalypsoAI.

4.7 Internal audit acceleration

RSM US, KPMG, EY, Deloitte and the IIA are shipping agentic-AI-for-audit playbooks — auto-built RCMs, evidence-collection agents, walkthrough automation, control-mapping agents.

Procurement reality

Most platforms in §4.2–§4.4 are 12–24 months old. Treat them like the EDR market in 2016: necessary, fast-moving, consolidating. Buy with 12-month exit clauses and an explicit OpenTelemetry / OTel-trace mandate so you can swap backends without re-instrumenting.

5. Predictions

Next 6 months (H2 2026)

  • Regulatory "agent-aware" drafts land. NIST publishes the AI RMF Agentic Profile in usable form; EU AI Act high-risk obligations bite from 2 August 2026.
  • APRA-regulated entities asked to demonstrate agent inventories. APRA's 2026 AI-lens reading of CPS 230 / 234 / 220 puts material service-provider, operational risk and information security obligations onto AI agents and the AI supply chain.
  • First wave of agentic project cancellations becomes visible — overwhelmingly due to inadequate risk controls and undefined ROI, not model quality.
  • AI gateway becomes a budgeted CISO line item. Expect 1–2 acquisitions of mid-tier AI gateway vendors by SASE / WAAP incumbents.
  • SOC 2 + AI add-on or AIUC-1 becomes a buyer ask. Procurement teams require either a SOC 2 with AI-controls description (per AICPA SSAE 21 latitude) or AIUC-1 for any vendor selling agents.
  • NHI tooling crosses into the IAM mainstream. Gartner Magic Quadrant moves for IGA / PAM include agent-identity criteria; CSA AICM v1.x sees first audit-firm adoption.
  • "Agent register" becomes the new asset register — moving from leading practice to baseline assurance expectation.

Next 12 months (through Q2 2027)

  • AI Evaluation & Observability becomes the new APM line item. Adoption climbs toward Gartner's 60%-by-2028 trajectory; tooling consolidates around OpenTelemetry semantic conventions for LLMs/agents.
  • First SOC for AI (or equivalent AICPA pronouncement) emerges. Either AICPA issues authoritative guidance mapping Trust Services Criteria to agentic systems, or AIUC-1 reaches scale as the de facto attestation. Buyers stop accepting a vanilla SOC 2 as sufficient for agent vendors.
  • ISO/IEC 42001 + an agentic addendum. Certification bodies issue agentic-specific guidance; sectoral mappings to APRA CPS 230/234, FedRAMP and CMMC follow.
  • Big 4 reposition from "Responsible AI" advisory to assurance over agents. Each ships a productised agent-assurance opinion — signed letters or reasonable-assurance reports usable for board reporting and regulator engagement.
  • The agent identity standard war begins. Competing proposals around verifiable agent credentials (W3C VC-style), delegation tokens (extending OAuth 2.1 / GNAP) and MCP-native auth.
  • Shadow agents replace shadow IT as the top board worry. OWASP Agentic Top 10 (2026) effectively becomes the threat model auditors test against. Most agent incidents will start with an over-privileged or exposed NHI — not a model jailbreak (see our analysis of the Mythos / Apple M5 disclosure).
  • AI insurance gates assurance. AIUC-style insurance products tie premiums to attestation scope — converting trustworthy AI from a slogan into a balance-sheet item.
  • Internal audit functions deploy their own agents. Most Tier-1/Tier-2 audit shops will run agentic AI for RCM generation, walkthrough drafting and continuous controls testing — reducing manual prep 40–60% per emerging RSM/EY case studies.

6. A 365-day action plan for Australian boards

0–90 days — establish the perimeter

  • Stand up an agent register (purpose, owner, model, tools / MCP servers, data scopes, identity, eval scores, kill-switch).
  • Adopt the NIST AI RMF Agentic Profile as the assurance baseline; map controls to ISO/IEC 42001 Annex A.
  • Tier agents by risk (revenue impact, data sensitivity, autonomy level, blast radius). Apply EY's dual-control model to the top tier.
  • Pilot one AI gateway + one AEOP against a single production agent.
  • Map your top three agentic workflows to OWASP Agentic Top 10 and ASD Frontier AI guidance.

90–180 days — operationalise

  • Move agent identities to short-lived, scoped credentials; eliminate shared service accounts for agents.
  • Wire continuous evals into CI/CD; require eval-pass before production tool grants.
  • Update vendor due diligence: request SOC 2 + AI description criteria or AIUC-1, plus eval and red-team summaries.
  • Define incident playbooks for: prompt injection, tool exfiltration, memory poisoning, agent impersonation, MCP supply-chain compromise.

180–365 days — assure and report

  • Issue a board-level agent assurance opinion (internal or third-party Big 4).
  • Achieve ISO/IEC 42001 certification; pursue AIUC-1 for any external-facing agent product.
  • Integrate agent metrics into ERM dashboards alongside cyber and operational risk.
  • Embed the agent register into change-management and access-review cadences.

7. The Australian and APAC overlay

For APRA-regulated entities and APAC mid-market boards, the regulatory vector is already clear.

  • APRA's 2026 AI lens reads CPS 230 (operational risk), CPS 234 (information security) and CPS 220 (risk management) through an AI lens — and finds gaps, particularly around AI supply chain and AI-dependent critical operations.
  • Material service-provider arrangements must be uplifted by 1 July 2026.
  • ASD's Frontier AI Guidance is now a board expectation in Australia and is being read alongside ISO 42001, the EU AI Act, NIST AI RMF and the Australian Voluntary AI Safety Standard. See our full decode of the ASD guidance.
  • Singapore's world-first dedicated agentic AI governance framework (January 2026) is the closest regional precedent for explicit agent obligations and is worth pattern-matching against if you operate across APAC.

8. Key terms

Agent
A software entity that reasons, plans, calls tools and acts across systems, often autonomously and at machine speed.
NHI (Non-Human Identity)
Any identity that isn't a named human — service accounts, API keys, workload identities, and now AI agents. Already outnumber humans ~17:1 in large enterprises.
MCP (Model Context Protocol)
Anthropic-originated open protocol that lets agents discover and call external tools. It defines how tools are described and invoked, not how they are secured, so deployments need allow-listing, manifest signing and gateway enforcement.
AI TRiSM
AI Trust, Risk and Security Management — Gartner's four-layer framing: governance, runtime inspection & enforcement, information governance, infrastructure & stack.
AEOP
AI Evaluation & Observability Platform. Continuous evals, traces, metrics and logs over LLM and agent behaviour. Gartner projects 60% engineering-team adoption by 2028.
AI-SPM
AI Security Posture Management — discovery and posture across managed and self-hosted models, prompts, vector stores and agent infrastructure.
AIUC-1
Independent attestation standard — the 'SOC 2 for AI agents' — covering security, privacy, safety, reliability, accountability and society, often coupled to insurance.
ISO/IEC 42001
International standard for AI management systems (AIMS), certifiable since 2024. Lifecycle governance for AI; being extended to agentic automation.
OWASP Agentic Top 10 (2026)
Industry threat-model baseline auditors will increasingly test against — most agent incidents in 2026–27 will start with an over-privileged or exposed NHI, not a model jailbreak.

Parade Warrior is a Sydney cyber consultancy for the agentic era — AI Trust Assessments, Agentic Readiness Reviews, ISO 27001 + ISO 42001 ISMS uplift, and Fractional CISO engagements. Written by Kelvin Zhou, Founder and Principal Consultant.

Last updated: 22 May 2026.

9. Sources