Somewhere inside your agency, an AI system is making a decision right now. The question is not whether that system is working. The question is whether you actually know what it is doing and whether you can stop it if it does something wrong.
That was the central challenge during our latest GIST 360 webinar, moderated by Sean Applegate, CTO of Swish. The session featured Jennifer Franks, Director of Information Technology and Cybersecurity at the Government Accountability Office, whose team conducts oversight across federal civilian and defense agencies, and Elad Shulman, CEO and Co-Founder of Lasso Security, who works at the bleeding edge of AI adversarial research. Together they delivered a frank, technically grounded assessment of what federal agencies must do before their AI deployments outpace their ability to govern them.
The Zero Trust Framework Was Not Built for This
Federal Zero Trust architecture is a hard-won achievement. Years of investment, policy pressure from CISA, NSA, and OMB, and Executive Orders have produced real progress. Then AI arrived and changed every assumption underneath it.
Zero Trust works when behavior is predictable. AI systems are not. They ingest dynamic prompts, spawn autonomous agents, and produce outputs no developer explicitly programmed. OMB Memorandum M-25-21 and the Federal AI Strategy and Action Plan are pushing agencies to scale these capabilities fast, but the security infrastructure agencies built was designed for a deterministic world. The gap between those two realities is where the risk lives.
Three Shifts Every Federal Security Leader Must Make
Securing AI is not an extension of what agencies already do. It demands three fundamental shifts.
From content security to behavioral security. The threat is no longer a leaked document. It is a system that takes an action it was never authorized to take, at a speed no human can intercept. The boundary has moved from content to conduct.
From identity verification to intent verification. Valid credentials tell you almost nothing about whether what an agent is about to do aligns with your mission. Every AI action must be evaluated against what the developer intended, what the user requested, what the agent understood, and what external inputs it incorporated. When those four things diverge, that divergence is the threat signal.
From access control to action control. An agent that can reach a database is not the same as an agent that should modify it. Federal security teams must define permissible actions upfront, enforce approval gates for sensitive operations, and maintain a complete, auditable record of every decision an AI system makes. If you cannot audit it, you cannot govern it.
These are not theoretical positions. They are operational requirements agencies must build into their AI programs before the next deployment goes live.
The Attack Surface You Have Not Mapped
Most federal agencies have not applied the same security rigor to their AI stack that they apply to traditional infrastructure. The AI attack surface spans the model, its training data, retrieval data queried at runtime, prompt interfaces, orchestration layers, and every external tool agents call. Prompt injection alone is an attack vector most agencies are dangerously unprepared for. An adversary who injects malicious instructions into an agent's context window does not need to breach your network. The agent does the damage for them. GAO's cross-agency oversight work surfaces this blind spot consistently: agencies have not yet mapped how their AI systems could be turned against their own mission.
Fight Fire with Fire - Agents vs. Agents
Traditional penetration testing is no longer a clean fit for the AI era. Models update. Prompts change. Data shifts. A red team exercise from last quarter tells you nothing about the system running today.
The answer is autonomous purple teaming: AI agents trained to continuously attack your AI systems, discover vulnerabilities, and push patches in near real time. This is not a future capability. It exists now. For CIOs and CISOs facing workforce shortages and flat budgets, it is also the most scalable investment available. You cannot hire enough cybersecurity professionals to keep pace with machine speed. But you can deploy agents that do it around the clock, at a fraction of the cost, and discover your vulnerabilities before your adversaries do.
The Mission Does Not Wait
Success in the agentic AI era is not a capability milestone. It is a trust milestone. Strong identity management, human oversight, transparent governance, and behavioral monitoring are not compliance checkboxes. They are how you earn the right to operate AI at scale inside a federal mission.
Watch It. Share It. Then Act on It.
Watch the webinar on demand on our GIST 360 Platform and bring your CISO, enterprise architect, and AI program leads into the discussion. Join the GIST 360 community to stay connected with the practitioners and federal leaders actively solving these problems. Our upcoming events are where policy meets execution and where the real conversations happen. Ready to talk about your agency’s data readiness? Reach out to our team and let’s map the gap between where your data environment is today and where your AI mission requires it to be. The window for early mover advantage is open. It will not stay open forever.
