Zero Trust, Full Liability
The agentic security ecosystem and the EU AI Act describe the same failure from opposite sides of a wall.
Executive Summary
Anthropic published “Zero Trust for AI Agents” last month — thirty-six pages of security architecture for autonomous systems deployed inside enterprises. Cryptographic identity, least agency, behavioral baselines, anomaly detection, automated containment. Serious engineering. Disesdi Shoshana Cox, in her Angles of Attack intelligence brief, was among the very first to read the threat landscape correctly: the systems these controls are built to protect resist the protections by design.
Both readings are correct. Both are incomplete.
The Anthropic paper describes every architectural failure the EU AI Act penalizes — behavioral drift, privilege accumulation, supply chain opacity, the inability to document what a system will do before it runs — and prescribes controls that map, almost one-to-one, to the AI Act’s essential requirements. The paper never makes that connection. The security community’s coverage never makes that connection. The compliance community has not read the paper at all.
Two teams, staring at the same system failure, building the same engineering response, reading each other’s output as someone else’s problem. The organization that treats these as two separate programs will pay for the same infrastructure twice and still have a gap between them — because the gap is in the join that neither side makes.
That join is the convergence thesis: the vulnerability and the violation are the same event, viewed through different frameworks.
I stated it on the public record on March 8, 2026, in a formal response to NIST’s Request for Information on AI Agent Security — Docket NIST-2025-0035, publicly accessible on regulations.gov. The submission mapped three convergence points in detail: prompt injection as simultaneous cybersecurity breach and intended-purpose invalidation, tool misuse as simultaneous unauthorized access and deployer-to-provider conversion under the regulation, and privilege accumulation as simultaneous lateral movement and structural invisibility to the human oversight function. The conclusion: security guidelines that do not account for the regulatory obligations attached to the same vulnerabilities will leave organizations with a false sense of security.
Two months later, Anthropic published the security framework that proves it — without making the connection. Days after that, the OWASP GenAI Security Project published the convergence map as Section 2.8 of its State of Agentic AI Security and Governance report (v2.01) — “Towards Unified Governance: The Security-Compliance Convergence.” I wrote that section. It maps every OWASP Agentic Top 10 threat to the EU AI Act obligation it simultaneously triggers, introduces the N^D formulation for the compositional outcome space, and proposes the operational envelope as the governance response. The report is free and available now.
The Comfortable Lie
Here is what the market wants to believe: the security team handles the breach and the compliance team handles the regulator.
This belief persists because it matches the org chart. Security reports to the CISO. Compliance reports to Legal or Risk. They have separate budgets, separate reporting lines, separate vendors, and separate conferences. When an agent misbehaves, security opens an incident ticket. When a regulator asks questions, compliance opens a case file.
The comfortable part is the separation. The lie is that the separation describes two different problems.
For agentic AI, the security incident and the regulatory violation are the same event.
A prompt injection that hijacks an agent’s operational purpose is simultaneously a cybersecurity breach and an invalidation of the system’s documented intended purpose — the anchor point for every compliance obligation the provider filed. The security team sees a compromised execution path. The compliance team does not know the agent’s documentation no longer describes what the agent does. The incident report closes in one department. The violation sits open in the other, undiscovered, until the regulator discovers it for both of them.
The alternative is harder. It requires a single architectural response that serves two authorities simultaneously — the security function and the regulatory function reading the same telemetry, the same behavioral baselines, the same departure alerts, under two different names. That is what it costs to close the gap. Everything else is two teams patching one half of the same hole.
The Paper That Proved It Without Knowing It
Anthropic’s paper is the most detailed security framework for autonomous agents published by a frontier AI company. Its controls address the five threat categories that define the OWASP Agentic Top 10 — prompt injection, tool and resource misuse, identity and privilege abuse, supply chain compromise, and memory and context poisoning — through a three-tier maturity model ranging from cryptographic identity and least-agency enforcement to behavioral anomaly detection and automated containment. Every entry in that taxonomy simultaneously triggers an obligation under the EU AI Act. The Agentic Top 10 is the Rosetta Stone between the two frameworks — the shared language that makes the convergence visible. Anthropic’s paper reads one side. The AI Act reads the other. The taxonomy connects them.
The framework is technically sound. It is also, sentence by sentence, a compliance architecture wearing security clothing.
Start with behavioral monitoring. The paper instructs organizations to establish baseline agent behavior, detect deviations from that baseline, and respond automatically when behavior exceeds defined boundaries.
It specifies three tiers: manual definition of expected patterns, automated baseline learning, and continuous drift detection. That engineering — define the assessed boundary, monitor for departure, treat every crossing as an event requiring response — is the operational envelope. Anthropic built it as a security control. Under the EU AI Act, the identical mechanism is the only architecturally honest answer to risk management for systems whose runtime behavior cannot be pre-computed. Same mechanism. Two names. Two budgets. One problem.
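The three steps named above can be shown in a few dozen lines. The following is an added illustration, not code from the article or from Anthropic's paper: it learns a baseline from an assessed window of agent actions, flags a later window that departs from it (by distance between tool-call distributions, or by any tool the baseline never saw), and emits the crossing as one event that is routed to the SOC under its security name and to the conformity file under its compliance name. The agent name, tool names, action records and threshold are all constructed for the example.

```python
# Added illustration, not code from the article or from Anthropic's paper.
# Define the assessed boundary (a baseline learned from an assessed window),
# monitor for departure, and treat every crossing as one event carrying both
# the security name and the compliance name. Agent and tool names, the
# action records and the threshold are constructed for this example.
from collections import Counter
from dataclasses import dataclass


@dataclass
class DepartureEvent:
    agent: str
    distance: float
    new_tools: list
    security_label: str = "anomaly_detected"                   # the SOC's name
    compliance_label: str = "departure_from_assessed_boundary"  # the conformity file's name


def tool_distribution(actions):
    """Share of calls per tool over a window of action records."""
    counts = Counter(a["tool"] for a in actions)
    total = sum(counts.values())
    return {tool: n / total for tool, n in counts.items()}


def l1_distance(p, q):
    """L1 distance between two tool-call distributions (0 = identical, 2 = disjoint)."""
    return sum(abs(p.get(t, 0.0) - q.get(t, 0.0)) for t in set(p) | set(q))


def learn_baseline(assessed_actions):
    """The boundary the agent was assessed against, learned from its own actions."""
    return tool_distribution(assessed_actions)


def detect_departure(agent, baseline, window, threshold=0.5):
    """Return a DepartureEvent if the window crosses the boundary, else None."""
    observed = tool_distribution(window)
    distance = l1_distance(baseline, observed)
    new_tools = sorted(set(observed) - set(baseline))  # tools never assessed
    if distance > threshold or new_tools:
        return DepartureEvent(agent, distance, new_tools)
    return None


def route(event):
    """One event, two reporting chains: the same record under each name."""
    base = {"agent": event.agent, "distance": round(event.distance, 3),
            "new_tools": event.new_tools}
    return {
        "soc": {**base, "type": event.security_label,
                "next": "contain: revoke credentials, terminate session"},
        "conformity_file": {**base, "type": event.compliance_label,
                            "next": "decide whether reassessment is triggered"},
    }


def make_actions(agent, tool_counts):
    """Constructed action log; tool_counts maps tool name to call count."""
    return [{"agent": agent, "tool": t} for t, n in tool_counts.items() for _ in range(n)]


# Constructed windows: the assessed period, a runtime window that stays inside
# the boundary, and one where the agent starts calling tools it was never
# assessed for (outbound HTTP and environment reads).
AGENT = "screening-agent"
ASSESSED = make_actions(AGENT, {"read_resume": 8, "score_candidate": 2})
WITHIN = make_actions(AGENT, {"read_resume": 7, "score_candidate": 3})
DRIFTED = make_actions(AGENT, {"read_resume": 2, "score_candidate": 1,
                               "http_post": 5, "read_env": 2})

if __name__ == "__main__":
    baseline = learn_baseline(ASSESSED)
    print("within boundary:", detect_departure(AGENT, baseline, WITHIN))
    event = detect_departure(AGENT, baseline, DRIFTED)
    for audience, record in route(event).items():
        print(audience, record)
```

The point of `route` is that both records are built from the same event object; neither team gets a signal the other does not, and the "new_tools" list is what a reassessment decision and a containment decision both need first.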
Move to supply chain. The paper acknowledges what static security models were never designed to handle: agentic systems assemble their capabilities at runtime, pulling in external tools and agent configurations dynamically rather than from a fixed catalogue. That architectural property breaks both frameworks simultaneously. For security, runtime composition means the attack surface expands with every action the agent takes — the paper is right about this. For compliance, it means the conformity assessment filed before deployment describes a system that no longer exists by the time it runs in production. The behavioral documentation assumes a fixed operational boundary. The architecture is designed to exceed it.
The security exposure and the compliance failure share the same root cause.
Move to privilege management. The paper’s least-agency principle — restrict what each agent tool can do, how often, and where — is sound security engineering. It is also the operational specification for cybersecurity resilience under the AI Act, which requires high-risk systems to be resilient against unauthorized use and attempts to alter their use or performance by exploiting vulnerabilities. The paper’s privilege scoping tiers — static least-privilege, dynamic elevation, just-in-time provisioning with automatic expiration — are the same controls a provider would need to demonstrate conformity with that essential requirement. Anthropic built them for breach containment. The AI Act requires them for market access.
Move to logging. The paper requires comprehensive action logging, immutable audit trails, and full provenance chains linking every agent decision to the triggering event. The regulation requires logging sufficient to enable post-market monitoring and assessment of compliance with essential requirements. These are the same specification written in two vocabularies — one by a security architect, one by a legislator. An organization that builds the Anthropic logging stack has also built the regulatory logging infrastructure. An organization that builds them separately has built the same system twice.
Every section of the paper follows this pattern. The controls are dual-use by construction — they serve security containment and compliance demonstration simultaneously — and the paper only invoices one.
The Security Community’s Verdict
The security community’s response to the Anthropic paper landed where it deserved to land. Disesdi Shoshana Cox’s analysis in Angles of Attack — mapping the Anthropic paper against ASI04, Agentic Supply Chain Vulnerabilities from the OWASP Agentic Top 10 — delivered the security verdict the paper itself wouldn’t state plainly: the systems these controls are designed to protect are architecturally resistant to the protections. The threats are intrinsic to what makes agents agents — runtime composition, dynamic tool selection, autonomous goal pursuit. The defensive architecture cannot close what the system’s own design holds open. Cox is right. And that verdict is the security half of a two-sided failure.
The regulatory half is what this article delivers.
The same architectural properties that make agents unsecurable also make them non-compliant.
The agent that composes its behavior at runtime cannot be secured because the attack surface is unbounded. The same agent cannot be conformity-assessed because the behavioral documentation is structurally incomplete the moment it runs. The agent that resists privilege containment because autonomy requires latitude also resists the human oversight function the AI Act requires — because effective oversight demands visibility into what the agent is doing, and unbounded agents are designed to exceed the scope anyone anticipated.
The security community sees this as a containment failure. The regulation sees it as a documentation failure. The provider who cannot describe what the system does before it runs has a security problem and a compliance problem that share the same mathematical root: the compositional outcome space — N actions across D steps — grows too fast to enumerate, too fast to secure, and too fast to document. The Pre-Computation Fallacy hits both frameworks at the same structural joint.
The empirical picture confirms the structural one. An independent audit by Capsule Security — the broadest data-driven security assessment of the agentic ecosystem to date — measured the exposure at scale in April 2026. 402,599 hosts running AI agent infrastructure on the public internet. 76.4% of dangerous-tool files with no input validation. 9.5% of agent skill files installing the lethal trifecta — code execution, credential access, and external communication — in a single step. Fewer than 5% of prompt-building repositories showing any sanitization. The first CVE ever assigned to an agentic prompt injection.
Every one of those numbers has a convergence twin.
402,599 exposed hosts is 402,599 systems that cannot demonstrate the cybersecurity resilience the AI Act mandates for high-risk deployment. 76.4% with no input validation is 76.4% that cannot show an assessor the controls the essential requirements demand. 9.5% installing unsupervised code execution with credential access is 9.5% operating with capabilities no conformity assessment documented — because the capabilities were never in the scope.
The security exposure is measured. The regulatory exposure attached to the same numbers is not. Nobody is reading both columns.
What the security community’s coverage misses is the consequence that follows.
“Agents are unsecurable” is a security finding. Under the EU AI Act, it is also a regulatory finding — because the AI Act mandates cybersecurity resilience as an essential requirement for high-risk systems.
A system the provider cannot secure is a system the provider cannot lawfully place on the EU market. The security verdict is the compliance verdict. The community delivered one half and stopped.
The Convergence Map
Control by control, here is what the Anthropic framework builds and what the EU AI Act requires — stated side by side so the organization that reads both can build once instead of twice. The threat layer underneath is the OWASP Agentic Top 10 — the taxonomy that names the risks both frameworks are responding to.
Behavioral baselines and anomaly detection serve dual authority. In the Anthropic framework, they detect compromise — a hijacked agent deviating from established patterns triggers containment. Under the AI Act, the identical mechanism detects substantial modification — behavioral drift beyond the boundaries assessed during conformity assessment that triggers reassessment obligations. The engineering is one system. The triggers fire into two different reporting chains. An organization that builds behavioral monitoring for security and a separate drift-detection infrastructure for compliance has built the same telemetry pipeline twice, reading the same data, alerting different people, and leaving a gap between the alerts where neither team sees the other’s signal.
Least agency and privilege scoping serve dual authority. Anthropic’s framework restricts what agents can access, for how long, with automatic expiration — because overprivileged agents are breach amplifiers. The regulation requires resilience against attempts to alter the system’s use or performance through exploitation — because overprivileged agents operating in high-risk domains create liability the provider documented around, not against. The control is the same: scope the agent’s operational permissions to the minimum required. The security team builds it to contain blast radius. The compliance team needs it to demonstrate that the system operates within its assessed boundaries. Build it once, under both names.
Action logging and traceability serve dual authority. The Anthropic framework requires request IDs linking actions to triggering events, distributed tracing across multi-agent workflows, and full provenance chains from input to output with intermediate steps — because incident investigation requires reconstructing what the agent did and why. The regulation requires logging sufficient to assess compliance with essential requirements — because post-market monitoring requires the same reconstruction. The logs are the same logs. The provenance chains are the same chains. The only difference is who reads them and what they call the report.
Identity and authentication serve dual authority. Anthropic requires cryptographic agent identity because attribution without identity is impossible — you cannot audit what you cannot name. The regulation requires that persons assigned to human oversight understand the system’s capabilities and be able to correctly interpret its output — which presupposes knowing which agent performed which action under whose authority. An organization whose security team tracks agent identity through cryptographic certificates and whose compliance team independently tracks agent actions through a separate oversight dashboard has built two attribution systems for the same agents performing the same actions.
Input validation and output controls serve dual authority. The Anthropic framework filters manipulation attempts at the boundary — prompt injection detection, content filtering, output sandboxing. The regulation requires resilience against unauthorized third-party attempts to exploit vulnerabilities. The filter that blocks a prompt injection is simultaneously a security control and a compliance control. The organization that builds input validation for security and a separate robustness-testing regime for regulatory conformity has tested the same attack surface twice with different names on the report.
Automated response and containment serve dual authority. The Anthropic framework terminates suspicious sessions, revokes credentials, and orchestrates graduated escalation — because compromised agents cause damage at machine speed and manual response is too slow. The regulation requires human oversight with the authority and technical capability to intervene during operation — which, for systems operating at machine speed, requires exactly the automated detection-and-escalation pipeline the security team already built. The security team’s containment trigger is the compliance team’s intervention mechanism. Wire them to the same signal, or build two alert pipelines watching the same agent and routing to different teams who do not read each other’s tickets.
The convergence map is not a metaphor. It is an engineering specification.
Every control in the Anthropic framework has a regulatory twin under the EU AI Act.
Building them separately doubles the cost and leaves the join — the point where a security event becomes a regulatory event — unwired.
The implementation layer that wires the join is now emerging. The Agent Control Standard (ACS) — an open specification built in alignment with the OWASP ecosystem — defines standardized middleware hooks at every agent decision point: input, output, tool call, memory operation, code execution, sub-agent invocation.
A Guardian Agent intercepts the action, evaluates it against policy, and returns a verdict before the action reaches production. Each hook is simultaneously the point where a security control fires and where a compliance obligation attaches. ACS is built explicitly to serve both the EU AI Act’s requirement for demonstrable human oversight and the NIST AI Risk Management Framework’s requirement for continuous monitoring and disengagement capability — and it integrates with the OWASP Agentic Top 10 and OpenTelemetry, the same taxonomies and telemetry standards the convergence map depends on. The standard is open-source, Apache 2.0 licensed, and vendor-neutral. It is the shared control plane both teams can build against, once, under both authorities.
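To make the hook model concrete, here is an added illustration inspired by the decision points listed above. It is not the ACS specification, a reference implementation, or code from any project: one guardian sits at every decision point, checks the action against a static least-agency scope or an unexpired just-in-time grant, returns a verdict before the action proceeds, and appends one provenance record (request id linked to its triggering event) that the incident investigator and the post-market monitor both read. Scope tokens, agent and tool names, and the request ids are constructed for the example.

```python
# Added illustration inspired by the article's hook model; not the ACS
# specification or any project's code. One Guardian evaluates every decision
# point, returns a verdict before the action proceeds, and writes one
# provenance record that serves both the incident investigator and the
# post-market monitor. Scopes, names and request ids are constructed.
import time
from dataclasses import dataclass

# Decision points named in the article; every one passes through the same hook.
HOOKS = ("input", "output", "tool_call", "memory_op", "code_exec", "sub_agent")


@dataclass
class Grant:
    agent: str
    scope: str
    expires_at: float  # just-in-time elevation with automatic expiration


def required_scope(hook, action):
    """Which permission an action at this decision point needs, if any."""
    if hook == "tool_call":
        return f"tool:{action['target']}"
    if hook == "code_exec":
        return "exec"
    if hook == "sub_agent":
        return f"delegate:{action['target']}"
    return None  # input, output and memory ops are recorded, not scoped here


class Guardian:
    def __init__(self, static_scopes):
        self.static = static_scopes  # agent -> set of scope tokens (least agency)
        self.grants = []             # temporary elevations
        self.chain = {}              # request_id -> provenance record

    def grant(self, agent, scope, ttl_seconds, now=None):
        now = time.time() if now is None else now
        self.grants.append(Grant(agent, scope, now + ttl_seconds))

    def _permitted(self, agent, scope, now):
        if scope is None or scope in self.static.get(agent, set()):
            return True, "static scope"
        for g in self.grants:
            if g.agent == agent and g.scope == scope and g.expires_at > now:
                return True, "jit grant"
        return False, "outside assessed scope"

    def evaluate(self, hook, agent, action, request_id, parent_id=None, now=None):
        """Intercept, decide, record. Returns 'allow' or 'deny'."""
        if hook not in HOOKS:
            raise ValueError(f"unknown decision point: {hook}")
        now = time.time() if now is None else now
        scope = required_scope(hook, action)
        ok, reason = self._permitted(agent, scope, now)
        verdict = "allow" if ok else "deny"
        self.chain[request_id] = {
            "request_id": request_id, "parent_id": parent_id, "hook": hook,
            "agent": agent, "action": action, "scope": scope,
            "verdict": verdict, "reason": reason, "ts": now,
            # One record, two readers: a denial is both a security incident and
            # evidence that the agent attempted to leave its assessed boundary.
            "security_event": verdict == "deny",
            "compliance_event": verdict == "deny",
        }
        return verdict

    def provenance(self, request_id):
        """Walk parent links back to the triggering event, root first."""
        path = []
        while request_id is not None:
            rec = self.chain[request_id]
            path.append(rec["request_id"])
            request_id = rec["parent_id"]
        return list(reversed(path))


def demo():
    """Constructed workflow: returns the verdicts in order, one provenance chain, the guardian."""
    g = Guardian({"screening-agent": {"tool:read_resume", "tool:score_candidate"}})
    t0 = 1_000.0
    verdicts = [
        g.evaluate("input", "screening-agent", {"target": "resume-123"}, "r1", now=t0),
        g.evaluate("tool_call", "screening-agent", {"target": "read_resume"}, "r2", "r1", now=t0 + 1),
        g.evaluate("tool_call", "screening-agent", {"target": "http_post"}, "r3", "r2", now=t0 + 2),
    ]
    # A 60-second elevation: allowed while live, denied again once it expires.
    g.grant("screening-agent", "tool:http_post", ttl_seconds=60, now=t0 + 3)
    verdicts.append(g.evaluate("tool_call", "screening-agent", {"target": "http_post"}, "r4", "r2", now=t0 + 10))
    verdicts.append(g.evaluate("tool_call", "screening-agent", {"target": "http_post"}, "r5", "r2", now=t0 + 100))
    return verdicts, g.provenance("r5"), g


if __name__ == "__main__":
    verdicts, chain, guardian = demo()
    print(verdicts, chain)
```

Every record carries both flags because the same denial is what the SOC files as an attempted unauthorized action and what the conformity file needs as evidence that scoping is enforced at the infrastructure level rather than in a system prompt.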
One Problem, Two Invoices
The cost is not abstract.
An organization deploying agents in a high-risk domain — employment screening, credit assessment, insurance underwriting, any Annex III use case — needs behavioral monitoring, privilege management, logging, identity attribution, input validation, and automated response. The security team will scope, procure, and build these controls against the threat landscape. The compliance team will scope, procure, and build documentation, drift detection, logging, oversight mechanisms, and conformity evidence against the essential requirements.
They will hire different vendors. They will issue different RFPs. They will build on different infrastructure. They will produce different dashboards. They will report to different executives. And the behavioral monitoring stack the security team built will detect the same departure from baseline that the compliance team’s drift-detection infrastructure was designed to catch — except neither team’s alerting pipeline routes to the other, and when the agent drifts, two teams will discover it independently, investigate it separately, and file reports that describe the same event in two languages neither team reads.
This is the structural cost of the wall between the security framework and the AI Act. The wall is not in the technology. It is in the org chart, the budget, and the conference schedule.
The security team attends RSA. The compliance team attends IAPP. The Anthropic paper is discussed at one. The EU AI Act is discussed at the other. The agent sits in both rooms and answers to both authorities.
Tearing the wall down is an architectural decision, not a procurement decision.
It means a single telemetry pipeline feeding both authorities. A single behavioral baseline serving both as the security anomaly detector and the compliance drift monitor. A single privilege-scoping layer documented once and submitted to both the security audit and the conformity assessment. A single logging infrastructure that satisfies the incident investigation and the regulatory record simultaneously.
The organization that builds it once, under both names, saves the duplicate engineering and closes the gap. The organization that builds it twice pays double and keeps the gap open — because the gap was never in either framework. It was in the space between them where nobody was looking.
What Regulators Will Ask
Show us the behavioral baseline your agent was assessed against. Show us the mechanism that detects when the agent departs from it. Show us who receives the alert and what happens next.
The security team built it. It is called anomaly detection. The compliance team does not know it exists because it sits in the SOC, not in the conformity assessment file. The regulator will ask for it by its regulatory name — evidence that the system continues to operate within the boundaries established during the initial conformity assessment — and neither team will recognize the question as the other team’s answered problem.
Show us how the agent’s permissions are scoped to the minimum required for its documented function. Show us that the scoping is enforced at the infrastructure level, not through a system prompt.
The security team built it. It is called least agency with JIT provisioning. The compliance team documented something called “appropriate technical and organizational measures to ensure cybersecurity resilience.” They are describing the same control in two vocabularies, and neither team has read the other’s documentation.
Show us the audit trail that links every agent action to the triggering event, through every tool call, every sub-agent delegation, every intermediate step. Show us that the trail captures why the agent selected this action and not another.
The security team built it. It is called distributed tracing with full provenance chains. The compliance team needs it for post-market monitoring and assessment of compliance with essential requirements. The logs are the same logs. The chains are the same chains. The report goes to two authorities under two names.
The regulator does not care which team built the control. The regulator cares whether the control exists and whether the documentation describes it. An organization whose security controls and compliance documentation describe the same system in two vocabularies that do not cross-reference each other will spend the regulatory inquiry explaining what it already built — if it can find it.
What To Do Now
Four questions. Each one tests whether the wall between the security function and the compliance function is still standing.
Does your behavioral monitoring infrastructure — the baseline, the anomaly detection, the automated response — feed into the conformity assessment file as evidence of ongoing compliance, or does it sit in the SOC where the compliance team has never seen it?
Does your privilege-scoping architecture appear in both the security audit and the regulatory technical documentation under the same specification, or are two teams maintaining two descriptions of the same control?
Does your logging and traceability infrastructure serve both the incident investigation function and the post-market monitoring function, or are two separate pipelines capturing the same data under two different retention policies?
When your security team detects behavioral drift in an agent, does the alert route to the person responsible for determining whether that drift constitutes a change significant enough to trigger reassessment — or does the security team close the ticket and the compliance team never learns the agent left its assessed boundaries?
If the answer to any of these is “they’re separate,” you are building twice and paying twice for one problem.
The engineering is one system. The authority it serves is two. Wire them together or accept that the gap between your security posture and your compliance posture is the space where your exposure lives — unmonitored by either team, visible to the regulator who reads both reports.
Conclusion
The NIST submission is on the public record. Section 2.8 is published. The Anthropic paper is free to download. Every piece of the convergence — the security framework, the regulation, the map between them — is now publicly available, timestamped, and verifiable.
The security community delivered the security verdict: these systems resist the protections by design. The compliance community has not read the paper. Neither community holds the complete picture alone. The join between them is where the exposure lives — and where the architecture that closes it must be built.
Two teams. One hole.
Close it once, or answer for it twice.
Zero-Day Dawn publishes weekly enforcement intelligence on agentic AI governance, standards architecture, and the gap between what the market sells and what survives the regulator. Subscribe at zerodaydawn.com.
References
Anthropic, “Zero Trust for AI Agents: A Security Framework for Deploying Autonomous AI Agents in the Enterprise,” May 2026.
OWASP GenAI Security Project, “State of Agentic AI Security and Governance,” v2.01, June 2026. Section 2.8: “Towards Unified Governance: The Security-Compliance Convergence” (Violeta Klein).
Violeta Klein, “Security Considerations for Artificial Intelligence Agents,” Response to NIST Request for Information, Docket NIST-2025-0035, Document Number 2026-00206, March 8, 2026.
Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act), OJ L 2024/1689, 12.7.2024.
OWASP Top 10 for Agentic Applications for 2026 (Agentic Top 10). Available at genai.owasp.org.
Disesdi Shoshana Cox, “Attacking & Threat Modeling The Agentic Top Ten: ASI04 — Agentic Supply Chain Vulnerabilities,” Angles of Attack: The AI Security Intelligence Brief, Edition 53, June 2026.
Capsule Security, “The State of AI Agent Security,” April 2026.
Agent Control Standard (ACS), Open Specification, Apache 2.0.
Disclaimer: This article is educational analysis of regulatory architecture, enforcement dynamics, and standards development. It does not constitute legal advice. Organizations should consult qualified legal counsel for determinations specific to their AI systems and regulatory obligations.
Phew, a tour de force, Violeta. It'll take some time to absorb this. Right now, I'm just interested that the mantra for AI from within AI is "Zero Trust". This is exactly what AI has done in education, no one can trust anything any more. They've counted 140,000 fake references in three archives, I'm sure it's far more. This is supposed to be our validated, confirmed, secure knowledge. Now there's zero trust.
Thanks for this -- epic. How anyone is expected to keep track of AI governance is beyond me. It's archaeology of a future that no one can even really imagine.