Forrester's senior analyst Paddy Harrington put it plainly in the firm's 2026 cybersecurity predictions: an agentic AI deployment will cause a publicly disclosed enterprise breach this year, and the post-mortem will read as "a cascade of failures," not a single bad day. The numbers tell the same story from another angle: 63% of organizations have no AI governance policy at all, 97% of organizations that have already suffered an AI-related breach lacked proper access controls for the agents involved, and 80% of security teams say they have already observed risky behavior from agents running inside their own production environments. The first major public agentic breach is not a tail risk in 2026. It is the base rate.
This is the gap Forrester's AEGIS framework — Agentic AI Enterprise Guardrails For Information Security — was designed to close. Written by VP Principal Analyst Jeff Pollard with Allie Mellen, Jess Burn, and Paddy Harrington, AEGIS is a six-domain control set with 39 controls and a phased rollout, cross-mapped to NIST AI RMF, ISO/IEC 42001, OWASP Top 10 for LLMs, the EU AI Act, and MITRE ATLAS. For CIOs, CISOs, and CFOs who have just approved an agentic AI rollout, AEGIS is the difference between "audit-ready production" and "the breach footnote nobody wants."
What Forrester Actually Released
AEGIS is not another acronym layered onto an existing security catalog. It is a deliberate break from Zero Trust as enterprises practiced it through 2025. Zero Trust controls what an identity can access. AEGIS argues that for agentic systems, access is no longer the right unit of control — the unit of control is the decision. Pollard names this principle "least agency," and it is the AEGIS keystone: an agent gets only the minimum permissions, tools, capabilities, and decision-making authority needed for the specific task at hand. Access without decision scope produces the cascade Harrington described.
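To make the access-versus-decision distinction concrete, here is an added sketch of a least-agency gate; it is not Forrester's code or any vendor's API. The grant schema, agent and tool names, and provenance labels are all hypothetical, and the gate denies on any policy gap.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

TRUSTED_SOURCES = {"owner", "system"}   # assumed provenance labels

@dataclass(frozen=True)
class Grant:                  # just-in-time grant; hypothetical schema
    tools: set                # access scope: tools the agent may call
    purposes: set             # access scope: purposes it may read data for
    decisions: set            # decision scope: actions it may choose to take
    expires: datetime         # grant ends with the task window

@dataclass(frozen=True)
class Request:
    agent: str
    task: str
    tool: str
    purpose: str
    decision: str
    source: str               # where the instruction came from

def authorize(req, grants, now):
    """Return (allowed, reason); every policy gap is a deny (fail closed)."""
    grant = grants.get((req.agent, req.task))
    if grant is None:
        return False, "no grant for this agent and task"
    if now >= grant.expires:
        return False, "grant expired"
    # Access: what the identity may touch.
    if req.tool not in grant.tools or req.purpose not in grant.purposes:
        return False, "outside access scope"
    # Decision: what the agent may decide to do, and on whose instruction.
    if req.decision not in grant.decisions:
        return False, "outside decision scope"
    if req.source not in TRUSTED_SOURCES:
        return False, "instruction did not come from a trusted source"
    return True, "allowed"

NOW = datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed sample data
GRANTS = {("mail-assistant", "summarize_inbox"): Grant(
    tools={"mail.read", "mail.send"},
    purposes={"summarization"}, decisions={"summarize", "draft_reply"},
    expires=datetime(2026, 1, 15, 10, 0, tzinfo=timezone.utc))}

def demo():
    base = dict(agent="mail-assistant", task="summarize_inbox",
                tool="mail.send", purpose="summarization")
    cases = [("draft_reply", "owner"), ("forward_externally", "owner"),
             ("draft_reply", "email_body")]
    return [authorize(Request(**base, decision=d, source=s), GRANTS, NOW)
            for d, s in cases]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

All three demo requests pass the access checks; the second and third are denied on decision scope and instruction provenance alone.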
The framework formalizes six security domains:
- Governance, Risk, and Compliance (GRC) — Machine-executable policy-as-code, real-time compliance enforcement (not point-in-time audits), and AI-specific risk registers
- Identity and Access Management (IAM) — Agents as managed first-class identities with human owners, vaulted credentials with per-session rotation, on-behalf-of (OBO) delegation models, and just-in-time permissions
- Data Security and Privacy — Unified sensitive-data taxonomies, expanded DSPM/DLP/DAM coverage, purpose-bounded data access, privacy-preserving operations (masking, synthetic data, encryption)
- Application Security and DevSecOps — AI-specific threat modeling, agent-generated-code validation, AI bills of materials (AIBOMs), secure prompt engineering, lifecycle observability
- Threat Management and Security Operations — Detailed logging of prompts/actions/reasoning chains, detection engineering for prompt injection and behavioral drift, purple-teaming for agent-specific behaviors
- Zero Trust Architecture — Continuous authentication, micro-segmentation, and the "least agency" extension that constrains decision scope, not just access
Forrester's recommended rollout is intentionally phased: months 0-3 establish governance and policy-as-code; months 3-6 modernize IAM and data security; months 6-12 secure the agent lifecycle with threat modeling and DevSecOps; month 12+ matures Zero Trust and enforces least agency. That sequencing matters — Forrester is explicit that starting with governance produces maximum risk reduction for the least technology spend, and that teams who start with IAM tooling first usually have to redo it once governance catches up.
Why This Matters: The Dual-Audience Math
For the CISO and CIO, AEGIS reframes the threat model. The 2026 Verizon Data Breach Investigations Report confirmed identity as "the control plane for agentic AI" — and yet non-human identities (NHIs) now outnumber human users 100 to 1 in most enterprises, the NHI population grew 44% between 2024 and 2025, and 30-40% of NHIs are orphaned with unknown ownership and no rotation policy. The average enterprise carries 10,000 to 100,000+ machine identities. Layer agentic AI on top of an unmanaged NHI base and the blast radius of a single compromised agent is no longer a service account — it is every system that account chains into via OBO delegation. The June 2025 EchoLeak vulnerability in Microsoft 365 Copilot is the canonical case study: a zero-click prompt injection delivered through email caused concrete data exfiltration from a production AI system, the first publicly documented incident of its class. AEGIS exists because EchoLeak is the template, not the exception.
For the CFO and the board, AEGIS reframes the financial model. IBM's 2026 breach cost data puts the average AI-related breach at $4.88M; breaches involving AI systems where access controls were absent average $5.72M. Gartner's 2026 cybersecurity spending forecast — $244.2B — shows enterprises spending roughly 17x more on AI tools than on securing the AI itself, a misalignment that the same Gartner analysts predict will produce 25% of GenAI applications experiencing five or more minor incidents per year by 2028. Gartner also projects more than 2,000 AI-related legal claims by year-end 2026, tied directly to insufficient risk guardrails. The CFO question is no longer "should we fund AI security separately from AI build" — it is "what is our deductible exposure if we don't, and how does that compare to a 12-month AEGIS rollout."
For the CRO and General Counsel, AEGIS's cross-mapping to NIST AI RMF, ISO/IEC 42001, OWASP Top 10 for LLMs, the EU AI Act, and MITRE ATLAS makes it the closest thing the industry has to a unifying compliance overlay. One control set, five regulatory anchors — that is the kind of leverage that pays back the legal review budget on its own.
Market Context: Why a Framework Now
Forrester is not alone in calling the moment. Gartner forecasts that 40% of enterprise applications will feature task-specific AI agents by the end of 2026, up from less than 5% in 2025. By Forrester's own data, 30% of enterprises will rely on agents that independently trigger transactions on behalf of humans or other systems within that same window. Yet 78% of organizations have no formal policies for AI agent credentials, only 20% have formal processes for offboarding and revoking API keys, and 24% take more than 24 hours to rotate or revoke exposed credentials after detection. GitGuardian's 2026 secrets sprawl report logged 28.65 million hardcoded secrets pushed to public GitHub in 2025 — a 34% YoY jump — with AI-related secrets up 81% YoY at 1.27M exposures. The deployment curve and the governance curve are diverging, fast.
Analyst posture has converged: Gartner's 2026 cybersecurity trends report flags agentic AI as the top emerging attack vector, IDC's "Trust Before Autonomy" framework names trusted data governance as the #1 enterprise AI strategy concern (38.7% of organizations select it as primary), and 48% of cybersecurity professionals identify agentic AI as the number-one attack vector for 2026 in Forrester's underlying survey. Vendors are reorganizing fast around AEGIS as a buying lens — F5's CalypsoAI is mapping its inference-first runtime defense (red teaming, EU-AI-Act guardrails, Splunk integration) directly to AEGIS domains; Ping Identity is mapping IAM for agents to AEGIS Domain 2; BigID is mapping data security posture management to AEGIS Domain 3; and gateway vendors like Traefik have published AEGIS implementation guides. When the entire ecosystem reorganizes its messaging around one framework in 90 days, that framework has won the de facto standard contest before the next analyst cycle.
Framework #1: AEGIS Readiness Assessment (Score Your Organization 0-30)
Forrester's domain structure converts cleanly into a self-assessment that a CISO can run in an afternoon. Score each of the six domains on a 0-5 scale (0 = nothing, 5 = production-grade and audited). Total: 30 points. The bands below come directly from the AEGIS principles and Forrester's phased rollout logic.
Domain 1 — Governance, Risk, and Compliance (0-5)
- 0: No AI use policy. No risk register entry for agents.
- 1: AI use policy exists, but written in English, not enforced in code.
- 2: AI risk register exists; quarterly reviews; no real-time enforcement.
- 3: Policy-as-code in pilot; manual exception workflow.
- 4: Policy-as-code in production for at least one critical app; automated exception workflow.
- 5: Real-time enforcement org-wide; mapped to NIST AI RMF, ISO 42001, EU AI Act.
Domain 2 — Identity and Access Management (0-5)
- 0: Agents share service account credentials. No ownership registry.
- 1: Each agent has its own credential, but no rotation or owner.
- 2: Vaulted credentials; named human owner; no JIT or OBO.
- 3: JIT permissions for at least one production agent class; OBO in pilot.
- 4: JIT + OBO + per-session rotation in production; MCP-audited access patterns.
- 5: Risk-based authorization; quantum-safe credential encryption; full lifecycle automation.
Domain 3 — Data Security and Privacy (0-5)
- 0: No unified sensitive-data taxonomy. Agents have broad data access.
- 1: Taxonomy exists; not consistently applied.
- 2: DSPM in place; DLP for human users only; agents still over-permissioned.
- 3: DSPM + DLP extended to agent traffic; masking in pilot.
- 4: Purpose-bounded data access enforced for top-3 agent classes; synthetic data in dev.
- 5: Org-wide purpose-bounded access; privacy-preserving operations standard; aggregation controls verified.
Domain 4 — Application Security and DevSecOps (0-5)
- 0: No AI threat modeling. Agent-generated code merges without review.
- 1: Threat modeling exists for non-AI code; AI is carved out.
- 2: AI-specific threat modeling for new agents; no AIBOM.
- 3: AIBOM produced for production agents; secure prompt engineering standards.
- 4: Agent-generated code gated by automated validation; lifecycle observability live.
- 5: Continuous AI security testing in CI/CD; AIBOM linked to runtime policy.
Domain 5 — Threat Management and Security Operations (0-5)
- 0: No agent-specific logging. SOC has no detection rules for agents.
- 1: Basic prompt/response logging; no reasoning-chain capture.
- 2: Reasoning steps logged; prompt-injection detection in pilot.
- 3: Behavioral drift detection live; agent-specific purple-teaming quarterly.
- 4: Automated response playbooks for top-5 agent threat patterns; full reasoning-chain forensics.
- 5: Real-time anomaly detection across all production agents; mean-time-to-detect under 15 minutes.
Domain 6 — Zero Trust Architecture (0-5)
- 0: Network-segmented "trust zones" only. No agent-aware micro-segmentation.
- 1: Micro-segmentation for human-driven workloads; agents in trust zones.
- 2: Continuous authentication for agents; access-only controls (no least agency).
- 3: Decision-scope constraints in pilot for one agent class; policy-as-code enforcement.
- 4: Least agency enforced for top-3 agent classes; per-action decision audit.
- 5: Org-wide least agency; decision-graph telemetry; agents fail closed on policy gaps.
Score Bands:
- 0-9: Critical exposure. A single compromised agent likely produces a disclosable breach. Halt new agentic deployments until Domains 1 and 2 reach 3+. Forrester's prediction lands on you.
- 10-15: Reactive posture. Most enterprises today. Capable of catching breaches after the fact; not capable of preventing the first one. Prioritize the 0-3 month governance/policy-as-code sprint.
- 16-21: Maturing. Production-safe for low-risk agent classes; not yet ready for autonomous decisions over financially material workflows. Push Domains 4 and 5 next.
- 22-26: Production-ready. AEGIS in active rollout across the lifecycle. Most regulated industries (finance, healthcare, public sector) should target this band by Q1 2027.
- 27-30: Best-in-class. Decision-scope controls + real-time enforcement + lifecycle observability + cross-mapped compliance. The reference architecture analysts will use to grade competitors.
Run the assessment, tally honestly, and brief the audit committee with the number — not the narrative.
Framework #2: 12-Month AEGIS Implementation Timeline
Forrester's phased rollout maps cleanly to a four-quarter delivery plan. The sequencing is deliberate: governance and policy-as-code first because they cost the least and reduce the most risk; IAM and data security next because they are the hardest dependencies to retrofit; lifecycle and threat management third because they require the prior two to be useful; Zero Trust and least agency last because they assume the rest of the stack speaks the same identity, data, and policy language.
Months 0-3 — Foundation (Domain 1, partial Domain 5)
- Publish an enforceable AI use policy with a named executive owner (CIO or CISO).
- Stand up the AI risk register; backfill all production and pilot agents.
- Pick a policy-as-code engine (OPA, Cedar, or vendor-native equivalent) and run one critical-app pilot.
- Add baseline prompt/response logging to every agent already in production.
- Output: board-ready policy, agent inventory, single policy-as-code reference implementation.
Months 3-6 — Identity and Data Modernization (Domains 2, 3)
- Assign every agent a unique identity, a vaulted credential, and a human owner; retire all shared service accounts.
- Roll out just-in-time permissions and on-behalf-of delegation to the highest-risk agent class first.
- Extend DSPM/DLP coverage to agent traffic; build the unified sensitive-data taxonomy.
- Stand up purpose-bounded access for top-3 agent workflows.
- Output: zero orphaned NHIs in scope, top-3 agent classes on JIT/OBO, agent traffic visible to DLP.
Months 6-12 — Lifecycle and Threat Engineering (Domains 4, 5)
- AI-specific threat modeling baked into the SDLC; AIBOM produced for every production agent.
- Automated validation gates on agent-generated code.
- Detection engineering for prompt injection, behavioral drift, and tool misuse; quarterly purple-team exercises.
- Automated response playbooks for the top-5 agent threat patterns.
- Output: agent lifecycle observability live, MTTD under 1 hour for known agent threat patterns.
Months 12+ — Zero Trust and Least Agency (Domain 6)
- Continuous authentication and micro-segmentation for all agent classes.
- Decision-scope constraints (least agency) rolled out class by class, starting with financially material workflows.
- Decision-graph telemetry fed back into Domain 1 policy refinement.
- External audit against NIST AI RMF / ISO 42001 / EU AI Act mapping.
- Output: org-wide least agency, third-party-attested AEGIS conformance, ready for board-level risk reporting.
The pattern matters: each phase produces an auditable artifact (policy, inventory, AIBOM, MTTD metric, attestation) that the CFO can underwrite, the CRO can report, and the CISO can defend.
Case Study: EchoLeak as the AEGIS Template
EchoLeak — disclosed publicly in June 2025 against Microsoft 365 Copilot — is the cleanest available reference for why AEGIS reads the way it does. A zero-click prompt injection delivered through an inbound email caused the production Copilot deployment to exfiltrate confidential tenant data without a single user click or visible action. Map the incident to AEGIS and the failure modes are explicit, in order:
- Domain 1 (GRC): No real-time compliance enforcement on outbound data flows from the agent context — the policy existed in writing, not in code.
- Domain 2 (IAM): The agent inherited the user's broad mailbox and tenant scope by default — no purpose-bounded scoping, no OBO scope limiting.
- Domain 3 (Data Security): No DLP coverage on agent-generated traffic; sensitive-data taxonomy not applied to agent outputs.
- Domain 4 (AppSec): Prompt-injection vectors not modeled in the threat catalog; no input sanitization between untrusted email content and trusted agent context.
- Domain 5 (Threat Ops): No detection rule for "agent exfiltrates data after consuming untrusted external content" — a pattern now standardized by MITRE ATLAS.
- Domain 6 (Zero Trust): Access controls (the email account had legitimate access) passed; decision controls (should the agent act on instructions found inside untrusted email content?) did not exist. Least agency was absent.
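The Domain 5 pattern above ("agent exfiltrates data after consuming untrusted external content") can be expressed as a session-correlation rule over agent action logs. The following is an added example, not part of AEGIS or any product; the log schema, labels and domains are hypothetical, the sample events are constructed, and events are assumed to arrive oldest first.

```python
import json

# Constructed agent action log (JSON lines, oldest first); the schema is hypothetical.
SAMPLE_LOG = """
{"ts": 1, "session": "s1", "action": "ingest", "trust": "external", "ref": "email:1001"}
{"ts": 2, "session": "s1", "action": "read", "label": "confidential", "ref": "doc:q3-forecast"}
{"ts": 3, "session": "s1", "action": "egress", "dest": "img.partner.example", "bytes": 4096}
{"ts": 4, "session": "s2", "action": "read", "label": "confidential", "ref": "doc:payroll"}
{"ts": 5, "session": "s2", "action": "egress", "dest": "api.vendor.example", "bytes": 512}
{"ts": 6, "session": "s3", "action": "ingest", "trust": "external", "ref": "email:1002"}
{"ts": 7, "session": "s3", "action": "read", "label": "confidential", "ref": "doc:roadmap"}
{"ts": 8, "session": "s3", "action": "egress", "dest": "wiki.corp.example", "bytes": 2048}
"""

SENSITIVE_LABELS = {"confidential", "restricted"}   # assumed taxonomy labels
INTERNAL_DOMAINS = ("corp.example",)                # assumed tenant-owned domains

def is_internal(host, domains=INTERNAL_DOMAINS):
    """Exact or dot-bounded suffix match, so notcorp.example is not internal."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def detect_untrusted_then_egress(log_text):
    """Alert when a session ingests untrusted content, holds sensitive data,
    and then sends data to a destination outside the internal domains."""
    sessions, alerts = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        st = sessions.setdefault(ev["session"], {"untrusted": [], "sensitive": []})
        if ev["action"] == "ingest" and ev.get("trust") == "external":
            st["untrusted"].append(ev["ref"])
        elif ev["action"] == "read" and ev.get("label") in SENSITIVE_LABELS:
            st["sensitive"].append(ev["ref"])
        elif ev["action"] == "egress" and not is_internal(ev["dest"]):
            # Sensitive reads count wherever they occur in the session (context
            # persists); the egress itself must follow the untrusted ingest.
            if st["untrusted"] and st["sensitive"]:
                alerts.append({"session": ev["session"], "ts": ev["ts"],
                               "dest": ev["dest"],
                               "untrusted": list(st["untrusted"]),
                               "sensitive": list(st["sensitive"])})
    return alerts

if __name__ == "__main__":
    for alert in detect_untrusted_then_egress(SAMPLE_LOG):
        print(json.dumps(alert))
```

Only session s1 alerts: s2 never ingested untrusted content (a plain DLP case, not this rule), and s3 sent its output to an internal destination.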
The composite Forrester argument is that every one of these failure modes is detectable and preventable at maturity level 3 on the AEGIS readiness assessment — and that the cost of getting there in 12 months is materially lower than the cost of being the next public case study. The Moltbook breach (1.5M autonomous agents on a single platform hijackable via an unsecured database; researchers cataloged 506 prompt injections spreading through the network before patching) is the same template at scale.
What to Do About It
For CIOs: Commission the AEGIS readiness assessment this quarter. Pick a single policy-as-code engine and a single critical agent class for the 0-3 month sprint. Do not let "platform selection" delay Domain 1 work — every existing agent vendor (Microsoft, ServiceNow, Salesforce, Kore.ai, Sierra) has to land on AEGIS-shaped controls regardless. Get the audit-committee briefing on the calendar now, with a real score.
For CISOs: Treat agents as a new identity class, not a new application class. The 100:1 NHI-to-human ratio means your existing IAM toolchain is mathematically the wrong shape. Budget identity governance for agents on the same scale as identity governance for humans — Domain 2 is where the EchoLeak template gets disarmed. Add prompt-injection and behavioral-drift detection rules to the SOC backlog this quarter.
For CFOs: Move AI security funding out of the AI build budget and into a distinct line. The 17x spending gap Gartner flagged is the symptom of running both lines through the same approval gate. Underwrite each AEGIS phase against a specific risk-reduction artifact — policy-as-code (Phase 1), zero orphaned NHIs (Phase 2), AIBOM (Phase 3), least-agency attestation (Phase 4). Forrester's $4.88M-$5.72M breach-cost data is your discount-rate input.
For General Counsel and CRO: Pre-bake AEGIS's cross-mapping into the existing NIST AI RMF and EU AI Act response programs. One framework, five regulators is the highest-leverage move available in the current compliance cycle. Use it to steer your company clear of the 2,000-claim spike Gartner is forecasting before it lands.
