As the AI industry pivots from chatbots that answer to agents that act, the security questions change in kind, not just degree. A system that merely generates text can produce a bad answer; a system that can book travel, move money, execute code, or operate machinery can produce a bad action with consequences in the physical and financial world. On January 8, 2026, the U.S. government formally took notice of that shift. The Center for AI Standards and Innovation (CAISI) — a body housed within the National Institute of Standards and Technology at the Department of Commerce — published a Federal Register notice, a 'request for information,' under document number 2026-00206, asking the field how to measure and improve the security of autonomous AI agents. The comment period closed March 9, 2026, but the questions the notice frames are the ones the industry will be answering for years.

The agency's description of the threat is striking for how directly it states the risk. AI agent systems, the notice says, 'are capable of taking autonomous actions that impact real-world systems or environments, and may be susceptible to hijacking, backdoor attacks, and other exploits.' Then it spells out the stakes: 'If left unchecked, these security risks may impact public safety, undermine consumer confidence, and curb adoption of the latest AI innovations.' That last phrase is worth dwelling on, because it reveals the government's framing. Insecure agents are not only a safety problem; they are an adoption problem. If enterprises and consumers do not trust that an autonomous agent can be kept from being commandeered, they will not deploy it — and the security gap becomes a brake on the very innovation the rest of the policy stack is trying to accelerate.

The attack surface the notice names

The notice is precise about the kinds of failures it worries about, and each one maps to a real and active area of AI security research. 'Hijacking' is the takeover of an agent's behavior — for instance, through prompt injection, where adversarial content slipped into the data an agent reads redirects it to act against its operator's intent. An agent that browses the web, reads email, or processes documents is constantly ingesting untrusted input, and any of it could carry an instruction the agent mistakes for a legitimate command. 'Backdoor attacks' point at the supply chain of the models themselves — the possibility that a model has been trained or tampered with to behave maliciously under specific, attacker-chosen triggers that lie dormant until activated. 'Other exploits' leaves the door open to the failure modes the field has not yet catalogued, which, given how new agentic systems are, is a wide door.

What makes these risks distinct from classical cybersecurity is the autonomy. A traditional vulnerability lets an attacker do something to a system. An agentic vulnerability lets an attacker do something through a system — turning a tool that was granted real-world permissions into an instrument acting on the attacker's behalf, at machine speed and scale. The notice's framing recognizes that an agent with the authority to act is a far more dangerous thing to compromise than a model that only talks.
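One operator-side mitigation for the hijacking scenario described above, as an added example (not code from the notice or from any vendor): a default-deny gate that checks every action an agent proposes against permissions the operator explicitly granted, so a model redirected by injected content cannot exceed the authority it was given. It assumes the orchestrator marks a proposed call `from_untrusted` when it was emitted while the agent was acting on external content; the tool names, vendor and amounts are constructed sample values.

```python
# Added illustration: an operator-side action gate for an autonomous agent.
# Every tool call the model proposes is checked against explicit grants;
# anything not granted, over its cap, off its allowlist, or triggered by
# untrusted content is refused and logged. Default-deny.
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    """One capability the operator granted, with hard constraints."""
    tool: str
    max_amount: float = 0.0                    # ceiling for money-moving tools
    allowed_targets: frozenset = frozenset()   # vendors/accounts it may touch

class ActionGate:
    def __init__(self, grants):
        self.grants = {g.tool: g for g in grants}
        self.audit = []                        # (allowed, reason) per decision

    def check(self, call):
        """call: {'tool': str, 'args': dict, 'from_untrusted': bool}"""
        tool, args = call["tool"], call.get("args", {})
        grant = self.grants.get(tool)
        if grant is None:
            return self._decide(False, f"{tool}: not granted by operator")
        if call.get("from_untrusted"):          # assumption: set by orchestrator
            return self._decide(False, f"{tool}: proposed by untrusted content")
        amount = float(args.get("amount", 0))
        if amount > grant.max_amount:
            return self._decide(False, f"{tool}: {amount} exceeds cap {grant.max_amount}")
        target = args.get("target")
        if grant.allowed_targets and target not in grant.allowed_targets:
            return self._decide(False, f"{tool}: target {target!r} not allowlisted")
        return self._decide(True, f"{tool}: allowed")

    def _decide(self, ok, reason):
        self.audit.append((ok, reason))
        return ok, reason

# Constructed sample: the operator lets the agent read mail and book travel
# with one approved vendor up to 1500; it never granted fund transfers.
GRANTS = [Grant("read_mailbox"),
          Grant("book_travel", max_amount=1500, allowed_targets=frozenset({"acme-air"}))]

# Constructed sample of calls a model might emit; the last two imitate what a
# prompt injection hidden in an e-mail the agent read could try to cause.
SAMPLE_CALLS = [
    {"tool": "read_mailbox", "args": {}},
    {"tool": "book_travel", "args": {"target": "acme-air", "amount": 900}},
    {"tool": "transfer_funds", "args": {"target": "attacker-acct", "amount": 5000}},
    {"tool": "book_travel", "args": {"target": "acme-air", "amount": 400}, "from_untrusted": True},
]

def run_sample():
    gate = ActionGate(GRANTS)
    return [gate.check(c)[0] for c in SAMPLE_CALLS]   # [True, True, False, False]
```

The gate sits between the model and the tools, so the decision does not depend on the model correctly recognising an injected instruction.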

What CAISI is asking for

This is a request for information, which means the government is in listening mode, and the notice is explicit about wanting substance over generalities. It encourages respondents 'to provide concrete examples, best practices, case studies, and actionable recommendations based on their experience developing and deploying AI agent systems and managing and anticipating their attendant risks.' The agency is not soliciting abstract philosophy; it wants the operational knowledge that lives inside the labs and companies actually shipping these systems — the real incidents, the mitigations that worked, the evaluation methods that caught problems before they shipped.

The notice also tells respondents exactly where their input is headed. The responses 'may inform CAISI's work evaluating the security risks associated with various AI capabilities, assessing security vulnerabilities of AI systems, developing evaluation and assessment measurements and methods, generating technical guidelines and best practices to measure and improve the security of AI systems, and other activities related to the security of AI agent systems.' Read that list as a preview of the deliverables to come: evaluation methods, assessment measurements, and technical guidelines for agentic security. In NIST's world, a request for information is often the first visible step toward a benchmark or framework that the rest of the government — and much of the private sector — eventually adopts as the reference standard.

Why it matters for the AI industry

For the companies building AI agents, this notice is both a warning and an opportunity. The warning is that the federal government's standards body has identified agentic security as a priority and is actively building the measurement apparatus to evaluate it. Vendors selling autonomous agents into enterprises and governments should expect that 'how do you prevent your agent from being hijacked?' will move from a research curiosity to a procurement requirement — and that NIST-derived evaluation methods are a likely yardstick. The opportunity is that the field is genuinely early, and a request for information is the rare moment when the people doing the work can shape the standards before they harden. Firms that contributed concrete practices and case studies helped define what 'secure agent' will come to mean in federal guidance.

It is also a useful corrective to the narrative that AI agents are simply the next product wave to monetize. The government's own framing — that security failures could 'curb adoption' — acknowledges that the agentic future depends on solving these problems, not despite them. Document 2026-00206 is an RFI, not a rule; it imposes no obligations and sets no compliance date. But it is a clear, dated signal that the security of autonomous AI is now an explicit federal standards priority, and that the methods for measuring whether an agent can be trusted to act in the world are being defined right now. For an industry rushing to give AI hands as well as a voice, that is a signal worth reading from the source.