In our previous post, we looked at the risks of agentic AI and the discipline required for careful adoption. Seven days later, the White House and the Department of War have given us a vivid picture of how high the stakes have become. The policy conversation has caught up with the operational reality, and federal IT programs now face a near-term integration problem that cannot be answered by either side alone.
The Policy Pivot
The Trump administration is preparing an executive order that would require federal agencies to partner directly with frontier AI companies on network defense. As of this writing, the order has not been signed. Bloomberg reported on May 8 that a draft would revamp existing cybersecurity information-sharing programs to include AI companies, while stopping short of mandatory pre-release model testing. National Economic Council Director Kevin Hassett described the approach to Federal News Network on May 5 as an FDA-style roadmap for releasing AI capabilities that may themselves create vulnerabilities.
The proximate trigger appears to be Anthropic’s Mythos model, which has demonstrated the ability to surface buried software vulnerabilities that conventional tools and human auditors had missed. That capability is dual-use by definition. It is also the reason the White House has, in Hassett’s words, “scrambled an all of government effort” to coordinate testing before broader release.
This is a meaningful shift. The administration spent its first sixteen months actively reducing federal AI regulatory friction, from Executive Order 14179 in January 2025 through the December 11 order on state preemption. A draft order that brings AI labs into federal cyber defense is a different posture: not regulation in the traditional sense, but operational partnership. CAISI, the NIST-housed Center for AI Standards and Innovation, now holds pre-deployment evaluation agreements with Anthropic, OpenAI, Google DeepMind, Microsoft, and xAI.
Mission Reality at Scale
Whatever final form the executive order takes, the operational picture is already running ahead of the policy. On May 7, 2026, CDAO Cameron Stanley told the AI+ Expo that during Operation Epic Fury the department processed 894 million tokens per day in agentic workflows. Palantir’s Maven Smart System synchronized roughly 13,000 targets across 38 days. Network utilization quadrupled. “We’ve handed our warfighters a Ferrari,” Stanley said, “and my only sleepless nights come from making sure we never, ever run out of the high-octane fuel that they need, which is compute.”
This is not a pilot, and it is not coming soon. It happened. The same week, the Department of War announced agreements with SpaceX, OpenAI, Google, NVIDIA, Reflection, Microsoft, Amazon Web Services, and Oracle to deploy AI capabilities on classified networks. The GenAI.mil platform crossed 100,000 deployed agents in two weeks, according to an R&E directorate official. Secretary Hegseth’s January 9, 2026 AI Strategy memo had already directed every military department, combatant command, and defense agency to identify three priority AI projects within thirty days.
The implication for federal IT is direct. Agentic AI workloads are landing on NIPR, SIPR, and JWICS today. The privilege boundaries, behavioral envelopes, and audit chains for those workloads have to live inside the same accreditation structures that govern every other system on those networks.
The Compliance Path Forward
That is where the framework picture matters, and where two distinct NIST frameworks are routinely confused.
The NIST AI Risk Management Framework (AI RMF 1.0) organizes AI trustworthiness around four functions: govern, map, measure, manage. It is the de facto federal AI standard, increasingly referenced in contracts and state law. On April 7, 2026, NIST released a concept note for a sector-specific AI RMF Profile on Trustworthy AI in Critical Infrastructure, naming energy, water, healthcare, financial services, and transportation as target sectors. The profile is not finalized; the concept note opens a community of interest period and signals where the agency is heading. Even pre-finalization, it is the clearest indication of how the AI RMF will be operationalized against named operator obligations, and it sets the template that defense and other federal sector profiles will follow.
That is separate from the cybersecurity Risk Management Framework under NIST SP 800-37 and the controls in 800-53, which federal programs already use daily to obtain and maintain Authority to Operate. It is also separate from CMMC, which protects controlled unclassified information in the defense industrial base under DFARS 252.204-7021. Conflating these is a common error in current commentary and a real risk in proposal writing, but the distinction matters operationally. An AI workload that lands inside a system boundary still needs its 800-53 controls assessed, its POA&Ms tracked, and its ConMon strategy maintained. The AI RMF adds a parallel set of governance and trustworthiness obligations on top, not in place of, the existing cyber RMF.
Section 1513 of the FY26 NDAA anticipates this. It requires the Department of War to develop a risk-based framework for implementing cybersecurity and physical security standards for AI systems. Section 1533 mandates a cross-functional team to develop frameworks for ethical principles compliance in AI model development and procurement. Both will need to reconcile with the AI RMF, with the cyber RMF, and with whatever the new executive order eventually directs.
What This Means for Federal IT Programs
The integration burden is going to fall on the program offices and the contractors who support them. AI-enabled capabilities will not be standalone systems sitting outside the ATO boundary. They will be components of mission systems that already have an ATO, a System Security Plan, a Continuous Monitoring strategy, an ISSO, and a documented set of controls.
That argues for a specific kind of partner posture. Programs do not need vendors who treat AI security as a marketing layer on top of existing offerings. They need engineering teams who can document AI component risk in eMASS the same way they document any other component risk; who can extend ConMon to cover model drift, prompt injection surfaces, and agent privilege boundaries; who can write the addendums to the SSP that reflect AI-specific control selection; and who can do all of this without inventing parallel processes that auditors will reject.
S2i2 has built its practice on exactly that integration discipline. The novelty of agentic AI is not a reason to relax the controls. It is a reason to apply them more rigorously, because the failure modes are less obvious and the audit trail has to survive contact with an inspector who has never seen this technology before. The frameworks are converging. The execution gap is what the next eighteen months will test.
