Agent Governance & Compliance for the EnterpriseDraft

Traditional security frameworks were not designed for autonomous actors that transform data semantically, spawn sub-processes, and chain API calls dynamically. When an agent summarizes a confidential report and sends the summary to an unauthorized recipient, regex-based DLP won't catch it. When agents create other agents at runtime, static RBAC policies cannot express the required constraints.

This paper bridges the gap between existing compliance frameworks — OWASP's Agentic Security Initiative, NIST AI RMF, ISO 42001 — and the architectural controls that make compliance achievable in practice. It covers what's genuinely new about agent security versus what's inherited from microservices, and provides concrete deployment patterns.

What You'll Learn

• What's genuinely new about agent security vs. microservice security: semantic data transformation, scoped tool access for sub-agents, and nondeterministic behavior
• Layered output enforcement: schema validation, deterministic business logic hooks with retry, and policy gates — the pattern that makes SOC 2 compliance achievable for agent systems
• Why agents should be first-class principals in the organizational identity system — same policy engine, same audit trails — without implying legal equivalence to users
• How to choose between RBAC, PBAC, ABAC, and ReBAC as an engineering decision based on the use case, rather than a one-size-fits-all prescription
• A four-layer reference deployment architecture from API gateway through data access layer
• Progressive autonomy models that let agents earn trust through demonstrated behavior with clear escalation paths

Who This Is For: Security architects, compliance officers, and engineering leads implementing agent governance in regulated environments.