What happened
The House Appropriations Committee released the FY2027 Homeland Security Appropriations Bill on June 9, 2026, including a provision directing CISA, in consultation with NIST, to publish guidance for Federal Civilian Executive Branch agencies on secure implementation of identity security and access management for agentic AI systems. The requested best practices cover continuous discovery for all agent identities, privileged-access governance across the agent lifecycle, zero-trust least-privilege controls, and minimum acquisition and supply-chain security standards for agentic AI. The full House committee markup began June 9.
Why it matters
This is the first time a US congressional appropriations vehicle has specifically named agentic AI identity governance as a federal cybersecurity control requirement. While not yet law, it signals strong bipartisan consensus that agent identity is an unsolved federal security problem and puts CISA on notice that a deliverable is expected — making it likely that CISA will issue guidance in 2026 that commercial practitioners should anticipate and align to.
Action needed
Begin mapping your clients' agentic AI deployments to the four capability areas named in the bill (agent discovery, privileged-access governance, zero-trust least-privilege, and supply-chain standards) so they are positioned to align when CISA guidance drops, likely H2 2026.