Only 14.4% of AI agents currently go live with full security and IT approval. The other 85.6% are already running inside enterprise systems, without a governance framework that any regulator, auditor, or board has formally cleared.

That 14.4% figure comes from Gravitee’s 2026 survey of more than 900 executives and technical practitioners. NIST launched a standards initiative in February to address exactly that gap. It has not published a single draft guideline since.

At HSI’s inaugural New York Salon, practitioners across diplomacy, finance, healthcare, philanthropy, and civil society converged on a consistent diagnosis: AI governance has outgrown its origins as a compliance function. It is now, fundamentally, a question of institutional design. The gap they kept returning to is not between good intentions and bad execution. It is between organizations that have governance policies and organizations that have governance capacity, the operational infrastructure to own, monitor, document, and intervene in AI systems that are already running.

In the space that regulatory gap creates, vendors are moving first. ServiceNow shipped a cross-enterprise AI governance layer in May and positioned itself as the de facto operating standard. Colorado enacted a law that reframes AI compliance around the decisions automated systems make rather than the tools that make them, then watched the federal government sue to block it before it takes effect. The framework most organizations end up following in 2026 may not be a single platform’s standard. It may be an unreconciled stack of several, each claiming authority over the same governance layer. And the institutional design choices embedded in that framework, who owns what, what gets logged, when a human can intervene, will compound with every integration added.

The Thesis

Agentic AI is forcing a structural shift from one-time approval to continuous lifecycle accountability, and most institutions have not yet made it. The governance frameworks filling that gap in 2026 are being written not by regulators but by enterprise vendors whose definitions of audit trail, compliant identity, and kill switch will shape the institutional architecture organizations are measured against for years.

The Signal

Three moves are redrawing the governance line this cycle.

Signal 01
NIST has published process artifacts, but nothing final or enforceable.

What happened. NIST’s Center for AI Standards and Innovation formally launched the AI Agent Standards Initiative on February 17, the first U.S. government program explicitly targeting interoperability and security standards for autonomous agents, distinct from prior AI safety evaluation programs. The Request for Information on agent security closed March 9. The NCCoE concept paper on agent identity and authorization closed April 2. Sector-specific listening sessions in healthcare, finance, and education concluded in April. As of June 2026, NIST has published process artifacts in that window, including the NCCoE concept paper, the COSAiS SP 800-53 control-overlay project covering single- and multi-agent use cases, a draft benchmark-evaluation practice guide for AI agent systems (comments closed March 31), and the preliminary Cyber AI Profile (NIST IR 8596, December 2025). It has published no finalized, enforceable standard.

Why it matters. The NIST AI Risk Management Framework, released as voluntary guidance in January 2023, appeared within 18 months in executive orders, state AI laws, and federal procurement requirements. The agent-specific track is on the same trajectory but earlier in the process: draft artifacts exist, nothing has been finalized, and the finalized standard will arrive after most enterprise deployments are already in production. The comment period closed ten weeks ago. Agents are running today. As the New York Salon surfaced, existing model-risk infrastructure was built for stable, inventoried systems reviewed on fixed cycles. Agentic AI acts and adapts between review windows. The standards NIST has not yet written are the ones that would govern exactly that behavior.

Second-order effect. The NCCoE concept paper identified the most specific unresolved technical problem: multi-hop delegation. OAuth handles single-hop authorization competently. Agents operating across multiple enterprise systems on behalf of users require authorization chains that existing standards, OAuth, SPIFFE, OpenID Connect, were not designed to handle. That is where the next governance failure is most likely to originate. Organizations that engage the standards process now will shape what “compliant” means when guidelines eventually land. Those that wait will retrofit to definitions others wrote.

Signal 02
ServiceNow shipped a governance framework before the standards exist.

What happened. At Knowledge 2026 on May 5–7, ServiceNow expanded its AI Control Tower into a cross-enterprise governance layer covering every AI system, agent, and workflow regardless of origin, adding 30 enterprise integrations across AWS, Google Cloud, Microsoft Azure, SAP, Oracle, and Workday. The platform integrates Veza’s access graph and Armis’s asset intelligence to enforce real-time agent identity and permissions. CEO Bill McDermott’s stated position: “We are the AI agent of the agents. We manage everyone else’s agents.” ServiceNow offered AI Control Tower free for one year, a stated $2 million value, to enterprises ready to deploy.

Why it matters. The keynote included a kill switch demonstration: a simulated prompt injection attack attempted to override pricing rules and suppress its own audit logs; AI Control Tower detected the compromise, mapped the blast radius of affected systems, and shut down the agent without human intervention. The scenario was staged. The problem it illustrates is not. According to the Kiteworks 2026 Data Security and Compliance Risk Forecast, 60% of organizations cannot terminate a misbehaving agent in production, and 33% lack evidence-quality audit trails to reconstruct what an agent did after the fact. The Salon’s framing applies directly: the question is not whether a human appears somewhere in the process, but whether they are positioned at the point where harm can still be prevented. ServiceNow is selling the kill switch as the answer to that question, at the moment when no regulatory alternative exists.

Second-order effect to watch. A CIO who signs an enterprise agreement with ServiceNow, Microsoft, or Salesforce before federal standards land is not procuring a governance tool. They are choosing a governance framework, including its definitions of what an audit trail looks like, what a compliant agent identity requires, and what shutting down an out-of-bounds agent means. That is a delegation of definitional authority that will not be easily reversed. Per ECI Research’s 2025 survey, two-thirds of enterprise AI leaders have deployed multi-agent systems in live or pilot workflows, while 44% report only moderate confidence those agents can act autonomously without human intervention. ServiceNow is positioning directly into that gap. The deeper risk is not that one vendor wins this race. It is that none of them do cleanly. Microsoft Entra Agent ID, Salesforce’s Einstein Trust Layer, and IBM watsonx Orchestrate are all competing for the same definitional authority over agent identity, audit trail, and kill switch that ServiceNow is claiming. Microsoft Entra Agent ID is integrating directly into the ServiceNow AI Platform and Workday, which means the identity layer beneath ServiceNow’s own governance layer may belong to a different vendor entirely. The structural risk is that a single enterprise ends up running three or four overlapping definitional regimes with no authority resolving the conflicts between them. ServiceNow is the clearest example of a vendor stepping into the regulatory vacuum. It is not the only one stepping in.

Signal 03
Colorado rewrote AI regulation from systems to decisions, then watched enforcement suspended before it could take effect.

What happened. On May 14, 2026, Governor Polis signed SB 26-189, repealing Colorado’s 2024 AI Act and replacing it with a framework that regulates automated decision-making technology (ADMT) used in consequential decisions across seven domains: hiring, credit, education, healthcare, housing, insurance, and government services. Effective January 1, 2027. The bill moved from introduction to signature in thirteen days. The enforcement pause on the original act did not come from a unilateral court order; it came from a joint motion. After xAI (renamed SpaceXAI following a February 2026 acquisition) filed suit on constitutional grounds on April 9 and the Department of Justice intervened on April 24, xAI, the DOJ, and Colorado’s own Attorney General jointly agreed not to enforce or conduct rulemaking until the legislative session concluded, a stay a federal magistrate judge granted on April 27. The enforcement pause extends to SB 26-189: it runs until 14 days after a ruling on a preliminary injunction, which itself comes no sooner than 28 days after rulemaking finalizes. Practitioners tracking the litigation most closely have converged on a single operative target regardless of how the stay resolves: build to the SB 26-189 text against the January 1, 2027 effective date.

Why it matters. “High-risk AI system” asks what kind of tool you are deploying. “Covered ADMT in consequential decisions” asks where automated processing materially affects a person’s access to a job, a loan, a medical service, or a school. That reframe has a direct institutional consequence: compliance becomes a workflow-mapping problem, not a model-inventory problem. Most organizations do not currently have a map of their automated decision flows at the resolution the Attorney General’s implementing rules, due January 1, 2027, will require. Building that map is one of the four institutional gaps the New York Salon identified: knowing not just what AI systems you have approved, but where they are acting and what they are determining. The Attorney General’s consent to the pause, not just the federal government’s challenge to it, is the detail that complicates any reading of this as Colorado versus Washington. The state agreed to the delay it now has to build around.

Second-order effect. Forty-five states have active AI legislation. Colorado’s outcome in federal court will set the scope of what states can regulate without triggering preemption litigation. The DOJ intervention was an explicit product of Executive Order 14365’s directive to challenge state AI regulations. If the federal challenge succeeds, states will recalibrate. If Colorado prevails, the ADMT framework, consequential decisions in seven named domains, becomes the replicable template. Until resolution, the operative compliance target for any organization in the seven domains is the SB 26-189 text itself, against the January 1, 2027 effective date, not a hedge between two competing frameworks.

Done well, governance enables faster and more credible AI deployment, not slower. The organizations that will move quickest in 2026 are not the ones with the lightest governance. They are the ones whose governance is already built into operations rather than bolted on afterward.

The Playbook

The New York Salon identified four institutional gaps that keep organizations from governing AI in practice rather than on paper. Each maps to an action any institution can take before the next board meeting or renewal decision. The fifth step is the one that closes the window on all four.

Step 01
Establish ownership of ongoing behavior, not just initial approval.

The institutional gap is not that organizations fail to approve AI systems. It is that approval is treated as a one-time event. For each AI system in production, name a specific individual accountable for its ongoing behavior between review cycles. If that name does not exist, the governance exists only on paper.

Step 02
Position human oversight where it can still prevent harm, not just document it.

The practical test is not whether a human appears somewhere in the workflow. It is whether that human is positioned, with enough information, enough authority, and enough time, to stop a consequential action before it compounds. The “Agents of Chaos” study found that agents with email, file, and shell access produced 11 case studies documenting 10 vulnerability classes under normal agent use, not adversarial attack. A reviewer at the end of that chain is a witness, not an overseer.

Step 03
Build documentation into operations, not retrospectively after an incident.

For any AI system in production, the audit trail should exist before an examiner asks for it, not be reconstructed afterward. This means logs of agent actions, model-version records, human review timestamps, and vendor diligence files that can be produced on ten business days’ notice. Organizations that build documentation into the deployment workflow are the ones positioned to move quickly at renewal, diligence, or regulatory inquiry.

Step 04
Give senior leaders enough visibility to act on risks they are responsible for.

The fourth gap the Salon identified is the hardest to close: boards and senior executives are held accountable for AI failures they could not see coming because the reporting they received was too aggregated, too infrequent, or too technical to act on. A governance framework that cannot produce a board-level risk summary from operational monitoring data is not yet a governance framework. Before signing any enterprise AI agreement or deploying in any of Colorado’s seven consequential-decision domains, verify that the system’s behavior can be translated into terms a non-technical senior decision-maker can act on.

Step 05
Before signing the platform contract, model the full cost of the framework, not the Year 1 price.

ServiceNow’s free-for-a-year offer is a price-point decision, not a product category. Every integration the platform activates, every MCP server it discovers, every hyperscaler connector it maps, becomes a switching cost that compounds with each new deployment. Model the 36-month total cost of ownership before accepting the Year 1 headline number. The governance framework adopted in the absence of regulatory alternatives is the one organizations will be retrofitting around when standards eventually land.

The Verification Test

Claim. Our organization has governance capacity for the AI systems we are running, not just a governance policy.

Test. Ask four questions in writing, with evidence required for each. First: for every AI system in production, can you name a specific individual accountable for its ongoing behavior, not its initial approval? Second: for any agent with system access, can your team produce a complete action log from the past 30 days and terminate that agent within five minutes of identifying a policy violation, without taking down connected systems? Third: can your organization produce its AI documentation file, model inventory, vendor diligence records, and monitoring logs, on ten business days’ notice, without reconstructing it? Fourth: has every automated workflow touching hiring, credit, education, healthcare, housing, insurance, or government services been mapped against Colorado SB 26-189’s “materially influence consequential decisions” standard?

Pass criteria. Yes to all four, with written evidence produced on demand: named owners, a retrieved action log and documented termination procedure, a pre-existing documentation file, and a workflow map showing ADMT touchpoints across the seven domains.

Fail smell. Ownership is diffuse or defaults to the vendor. The agent can be observed but not terminated mid-task. Documentation is reconstructed after the fact rather than maintained continuously. The Colorado ADMT mapping has not been initiated. Any one of these is a governance policy without governance capacity.

The Metric

ADOPTION OUTPACES CONTROL Share of enterprise AI agents, by governance stage IN ACTIVE TESTING OR PRODUCTION 80.9% ACTIVELY MONITORED OR SECURED 47.1% LIVE WITH FULL SECURITY & IT APPROVAL 14.4% Most agents that are already running were never cleared to run.
Source: Gravitee, State of AI Agent Security 2026 Report (survey of 900+ executives and technical practitioners), February 2026.

What it measures. The structural governance gap at the deployment layer, not the policy layer. Agents are already inside enterprise systems. Most arrived before anyone decided who owns their ongoing behavior.

Why it matters now. ServiceNow built its commercial argument around this number. NIST is deliberating over it. Colorado is legislating around the decisions those agents are already making. The governance gap is not a forecast. It is the current operating condition.

The Lens — Horizon Search Institute

Responsible AI

NIST’s AI Agent Standards Initiative closed comment without publishing guidelines, leaving vendor governance frameworks to fill the space. The structural problem the Salon identified, deployment outpacing accountability, is the same gap those frameworks are commercially designed to address. Organizations should evaluate whether the framework they adopt answers the four institutional gaps or only the technical ones. Gravitee · NIST

Governance & Diplomacy

Colorado’s shift from “high-risk AI system” to “automated decision-making technology in consequential decisions” is the most operationally precise AI regulatory framing enacted in the U.S. to date. Vikram Sura’s observation at the Salon applies at the domestic level too: formal participation in governance, signing a law or adopting a policy, is not the same as capacity to implement it. Colorado’s challenge is the one lawmakers in 45 states are watching. Colorado SB 26-189

Human Performance

The Salon’s counterintuitive claim, that strong governance enables faster and more credible AI deployment rather than slowing it, holds if organizations treat governance as operational infrastructure rather than compliance overhead. The evidence supports it: only 47.1% of AI agents are actively monitored or secured, which means most organizations cannot distinguish a working agent from a misbehaving one. Governance that solves the monitoring gap is also the governance that allows confident scaling. Gravitee

Links Worth Your Time

Sources
  1. NIST Center for AI Standards and Innovation (CAISI), “Announcing the AI Agent Standards Initiative for Interoperable and Secure Innovation,” February 17, 2026. nist.gov
  2. NIST AI Agent Standards Initiative (initiative page, last updated April 20, 2026). nist.gov
  3. NIST NCCoE, “Accelerating the Adoption of Software and AI Agent Identity and Authorization” (concept paper), February 5, 2026; comment period closed April 2, 2026. csrc.nist.gov
  4. NIST, COSAiS (Center for AI Standards and Innovation) project page. csrc.nist.gov
  5. Gravitee, “State of AI Agent Security 2026 Report: When Adoption Outpaces Control,” February 4, 2026 (survey of 900+ executives and technical practitioners; key figures: 14.4% full security approval, 47.1% actively monitored or secured, 80.9% in active testing or production). gravitee.io
  6. Kiteworks, “2026 Data Security and Compliance Risk Forecast Report” (60% of organizations cannot terminate a misbehaving agent in production; 33% lack evidence-quality audit trails). kiteworks.com
  7. MultiState AI, “State AI Legislation Tracker 2026” (as of March 2026, lawmakers in 45 states had introduced 1,561 AI-related bills). multistate.ai
  8. Colorado General Assembly, Senate Bill 26-189 (SB 26-189), signed May 14, 2026, effective January 1, 2027. leg.colorado.gov
  9. xAI LLC v. Weiser, No. 1:26-cv-01515 (D. Colo., filed April 9, 2026, original complaint). courthousenews.com
  10. ServiceNow, “ServiceNow expands AI Control Tower to discover, observe, govern, secure, and measure AI deployed across any system in the enterprise,” press release, Knowledge 2026, May 5, 2026. servicenow.com
  11. ServiceNow, “ServiceNow turns enterprise AI chaos into control with the platform for governed, autonomous work,” press release, Knowledge 2026, May 5, 2026. servicenow.com
  12. ServiceNow, “ServiceNow expands AI agent governance through deeper integration with Microsoft,” Knowledge 2026, May 5, 2026. servicenow.com
  13. Norton Rose Fulbright, “xAI sues, DOJ intervenes, enforcement of Colorado’s AI Act suspended,” June 3, 2026 (covers DOJ intervention April 24 and stay order April 27). nortonrosefulbright.com
  14. Norton Rose Fulbright, “Colorado enacts revised AI law,” May 2026. nortonrosefulbright.com
  15. Crowell & Moring LLP, “Colorado Hits Reset on AI Regulation: SB 26-189 Repeals and Reenacts the Colorado AI Act,” May 27, 2026. crowell.com
  16. McDermott Will & Emery, “Colorado AI Law in Flux: Comprehensive Replacement Bill Signed After Federal Court Blocks Predecessor’s Enforcement,” May 27, 2026. mcdermottlaw.com
  17. Buchalter LLP, “Colorado Rewrites Its AI Law: What Employers Must Know About SB 26-189,” May 19, 2026. buchalter.com
  18. Fortune, “Your company’s AI could delete everything in 9 seconds. ServiceNow wants to be the kill switch,” May 6, 2026. fortune.com
  19. The Register, “ServiceNow adds agent kill switches to AI control tower,” May 5, 2026. theregister.com
  20. Efficiently Connected, “ServiceNow Knowledge 2026: AI Governance Takes Center Stage,” May 5, 2026. efficientlyconnected.com
  21. Cloud Security Alliance, “Agentic AI Governance: NIST Standards for Autonomous Systems,” March 30, 2026. cloudsecurityalliance.org
  22. WorkOS, “Everything You Should Know About NIST’s AI Agent Standards Initiative,” April 24, 2026. workos.com
  23. STACK Cybersecurity / AILawsByState.com, “Colorado AI Act Compliance Guide,” updated May 28, 2026. stackcyber.com
  24. Researchers at Northeastern University, Harvard University, Carnegie Mellon University, and University of British Columbia, “Agents of Chaos” (red-team study of autonomous AI agents), 2025–2026. arxiv.org
  25. HSI New York Salon, internal notes on Horizon Scan 001, 2026 (remarks by Ramu Damodaran, Vikram Sura, Ishak Khan; presentation by Ashwin Telang. Distributed to salon participants only).
Issue Credits
Author
Gloria Chen
Managing Editor
Ashwin Telang
Editor-in-Chief
David Lovejoy
Published by Horizon Search Institute · EIN 42-1954110 · A Delaware nonprofit corporation · horizonsearch.org