The framing of AI agent 'security' in most regulatory discussions conflates two distinct problems: (1) agent action authorization — does the agent have permission to take this action on behalf of this user, and (2) agent context integrity — is the information the agent is acting on accurate and untampered.

Most current frameworks focus on (1) and miss (2). An agent that has perfect permission controls but draws from a poisoned or incomplete context window is still dangerous. For operations use cases, context integrity is arguably the harder problem — agents pulling from CRM, email, and ticketing systems simultaneously have large attack surfaces through injected data.

The NIST RFI would benefit from a clearer taxonomy here. Authorization and context integrity require different mitigations.