What happened
On June 11, 2026, the House Appropriations Committee approved (34–27) the FY2027 DHS Homeland Security Appropriations Act. The accompanying bill report (docs.house.gov/meetings/AP/AP00/20260609/119380/HMKP-119-AP00-20260609-SD004.pdf) contains directed report language requiring CISA, in coordination with NIST, to publish guidance for civilian agencies on the 'secure implementation of identity security and access management for agentic AI systems.' This is the first congressional spending-bill direction specifically targeting agentic AI security at the infrastructure layer. The bill now proceeds to the House floor.
Why it matters
Directed report language in appropriations bills reliably triggers agency deliverables: CISA and NIST will be expected to produce a formal agentic-AI IAM guidance document within the fiscal year. This signals that agentic AI identity management — non-human identities, least-privilege scoping, session governance — will become a CISA/NIST normative output, following the same pipeline that produced BOD 26-04 and the SP 800 series. Practitioners should begin mapping current IAM programmes against agentic AI agent identity requirements now.
Action needed
Monitor: track the bill's floor progress and any CISA/NIST RFI or draft publication. Begin internal gap analysis against agentic AI identity and access management (non-human identities, tool-level authorisation, audit trails) ahead of the formal guidance.