NIST 800-171 and Agentic AI: What Autonomous Systems Mean for CUI Protection

About the author: Matthew Smith is a vCISO and management consultant specializing in cybersecurity risk management and AI. Over the last 15 years, he has authored standards, guidance and best practices with ISO, NIST, and other governing bodies. Smith strives to create actionable resources for organizations seeking to minimize technological risk and increase value to customers. His expertise encompasses ISO 27110, the NICE Workforce Framework, the NIST Cybersecurity Framework, security framework analysis, process creation, process improvement, and data analysis.

AI and agentic systems are changing what 800-171 requires in practice

NIST Special Publication 800-171 defines a precise set of security requirements for organizations that handle Controlled Unclassified Information (CUI) outside of federal systems.

For defense contractors, subcontractors, and their engineering teams, these controls are non-negotiable with the advent of the Cybersecurity Maturity Model Certification (CMMC) program, which dictates how CUI must be accessed, logged, transmitted, and protected across every system in scope.

That scope is shifting. Agentic AI systems (autonomous software agents capable of reasoning, making decisions, and executing multi-step workflows without human oversight) are now embedded in infrastructure that processes and stores CUI.

According to Teleport’s 2026 Infrastructure Identity Survey: State of AI Adoption, 79% of organizations are already exploring or deploying agentic AI. Gartner also predicts that by 2026, 40 percent of enterprise applications will feature embedded task-specific agents, up from less than five percent in early 2025. For organizations subject to 800-171, this is not a future concern. It is an operational reality.

The controls themselves have not changed. What has changed is the complexity of applying them. An autonomous agent queries a database, triggers a workflow, or passes data to an external service. It exercises the same kinds of access that 800-171 was designed to govern. But traditional assumptions about human-driven sessions, static role assignments, and predictable audit trails no longer hold.

The question facing SREs, DevOps engineers, and security architects is direct: how do you meet the same requirements when the actor is not a person, and its behavior may not be fully predictable?

Where AI and agentic systems meet specific 800-171 controls

Access Control and Authentication

The Access Control family in 800-171 requires organizations to limit system access to authorized users. It mandates enforcement of least privilege, separation of duties, and session controls. These requirements assume an identity model built around human actors whose roles and access needs are defined in advance.

Agentic AI systems break that model. An autonomous agent operating within a CI/CD pipeline, an incident response workflow, or a data processing chain may need access to different resources at different stages. Its access requirements shift dynamically based on the task, the data it encounters, and the decisions it makes at runtime.

Traditional role-based access control (RBAC) struggles to accommodate this pattern. A static set of permissions is assigned to a role and that role is assigned to an identity. An agent given broad permissions to ensure task completion violates least privilege. An agent given narrow permissions may fail unpredictably when it encounters a task that exceeds its authorization.

The practical path forward involves attribute-based access control (ABAC). These models evaluate contextual factors (data sensitivity, time of day, current risk posture, the specific operation being attempted) before granting access. This lets organizations enforce least privilege dynamically rather than statically. It aligns with the intent of 800-171 while accommodating autonomous systems.

Equally important is to treat each agent as a distinct, auditable identity. Agents should not inherit the permissions of the human who deployed them. They need their own credentials, their own authorization boundaries, and their own session management. All of this is subject to the same rigor 800-171 demands for human users.

Audit and Accountability

The Audit and Accountability family requires organizations to create, protect, and retain system audit logs. These logs must enable monitoring, analysis, investigation, and reporting of unauthorized activity. Actions must be traceable to individual users so they can be held accountable.

When the actor is an autonomous agent, the volume and structure of audit data change fundamentally. A single agentic workflow can generate hundreds of discrete actions in seconds: API calls, database queries, file operations, inter-service communications. Standard application logging captures which endpoint was called and which record was modified. It often misses the why.

Without capturing the agent's planning steps, its chain-of-thought reasoning, and its tool-selection logic, an audit trail cannot explain how a given action occurred. Without that context, the 800-171 requirement for traceability becomes difficult to satisfy.

The challenge grows in multi-agent architectures, where one agent delegates tasks to others. A compliant audit trail must capture the full chain of delegation: which agent initiated the action, which agent executed it, and what data passed between them.

The same Teleport survey found that while 43% of organizations report AI systems making infrastructure changes without human oversight at least monthly, 7% of organizations report this figure as “unknown.” This indicates that many organizations do not yet have visibility into how AI systems are interacting with their infrastructure. For organizations protecting CUI, those blind spots represent direct compliance risk.

Building audit infrastructure that captures agentic decision-making (not just agentic actions) is essential to meeting the standard.

Third-party and supply chain considerations

800-171 addresses external system connections and the use of external service providers. Organizations must control the flow of CUI across system boundaries. They must ensure that third parties who handle CUI meet equivalent security requirements. These controls become more complex when agentic systems are involved.

Consider a common pattern: An autonomous agent invokes an external API, passes CUI-adjacent data to a third-party model for processing, and ingests the results back into an internal system. Each step creates a potential boundary crossing governed by 800-171.

This raises concrete compliance questions. The external model may be hosted by a cloud provider whose security posture has not been validated against the standard. The agent may transmit CUI to a third-party service for enrichment without the required agreements in place. The agent's decisions may depend on an external model whose training data and behavior the organization does not control.

As agentic systems increasingly integrate with external tools, APIs, and model providers, the supply chain surface area for CUI exposure grows. Organizations need to map every external dependency in their agentic workflows, classify the data flowing through each connection, and verify that each third-party participant meets the security requirements 800-171 demands.

This mapping must be continuous, because agentic architectures evolve as agents learn, adapt, and integrate new tools.

NIST 800-171 draws from 800-53 and connects to CMMC

Understanding 800-171's place in the broader NIST ecosystem matters for compliance planning.

The controls in 800-171 are derived directly from NIST SP 800-53, the comprehensive security and privacy control catalog used by federal agencies. While 800-53 is broad and general-purpose. 800-171 extracts the specific subset relevant to protecting CUI in nonfederal environments.

Revision 3 of 800-171, published in May 2024, refined this mapping by reducing the control count from 110 to 97 and adding new control families, including Planning, System and Services Acquisition, and Supply Chain Risk Management.

For defense contractors, 800-171 compliance is verified through the CMMC program. CMMC Level 2 maps directly to the 800-171 control set but adds a critical dimension: third-party assessment. While 800-171 compliance was historically self-attested, CMMC requires independent verification by certified assessors.

Discover how CMMC assessors are evaluating AI systems.

The 48 CFR CMMC Acquisition Rule

The 48 CFR CMMC Acquisition Rule took effect on November 10, 2025, and the DoD began including CMMC requirements in select new contracts. By October 2026, all new DoD contracts will require CMMC certification.

For organizations with agentic AI in their infrastructure, this means not just implementing controls. It means being prepared to demonstrate to an external assessor how those controls apply to autonomous systems.

The AI Agent Standards Initiative

NIST has also signaled future guidance. In February 2026, NIST's Center for AI Standards and Innovation (CAISI) launched the AI Agent Standards Initiative. This includes the development of SP 800-53 control overlays addressing both single-agent and multi-agent AI systems.

While this guidance remains in development, it confirms that compliance frameworks will increasingly require organizations to account for how autonomous systems interact with controlled data.

Practical takeaways for meeting 800-171 requirements as AI scales

The requirements in NIST 800-171 are not changing to accommodate agentic AI.

Organizations must meet the same controls whether their systems are operated by humans, automated scripts, or autonomous agents. What changes is the engineering effort required to satisfy those controls in practice.

AI interacting with CUI needs identity and access control

Start with identity and access management. Every agentic system interacting with CUI should operate under its own identity with dynamically scoped permissions.

Attribute-based access control provides the flexibility to enforce least privilege without creating brittle permission sets that break as agent behavior evolves. Session management for agents should include automatic expiration and re-authentication, not persistent credentials.

Expand audit logging to include reasoning

On the audit side, invest in observability infrastructure that captures agentic reasoning, not just agentic actions. This includes logging the planning steps, tool selections, and decision points that lead to each action on CUI.

For multi-agent systems, capture delegation chains and inter-agent data flows. Without this depth, demonstrating compliance to a CMMC assessor becomes harder. Map supply chain dependencies across AI systems

For supply chain governance, map every external dependency in your agentic workflows. To do this:

• Classify the data flowing through each integration point.
• Verify that third-party services meet equivalent security requirements before allowing agents to transmit CUI-adjacent data across those boundaries.
• Treat this mapping as a living document that evolves alongside your architecture.

Be prepared to demonstrate agentic controls

Finally, prepare for the assessment.

CMMC's third-party verification model means your compliance posture must be demonstrable, not just implemented. Document how your controls apply to agentic systems, and build the evidence artifacts (including access control policies, audit log samples, and supply chain mappings) that an assessor will need.

The organizations that treat agentic AI as a first-class consideration in their 800-171 compliance program will be best positioned as both the technology and the regulatory landscape continue to evolve.

How Teleport helps organizations meet NIST 800-171 requirements

Teleport simplifies NIST 800-171 and CMMC compliance by unifying humans, machines, workloads, and AI systems into a single identity, access, and audit layer.

Learn more about how Teleport increases infrastructure resilience and accelerates audits for FedRAMP, NIST 800-53, SOC 2, and more.

Related articles

→ CMMC Requirements for AI Systems: What Assessors Actually Look For
→ How to Apply NIST 800-53 to AI Systems
→ How AI Agents Impact SOC 2 Trust Services Criteria
→ Streamlining NIST 800-171 Compliance
→ FedRAMP. AI. Player 3 Has Entered the Game.

Frequently asked questions (FAQs)

How do agentic AI systems fit into NIST 800-171 access control requirements?

Under the Access Control (AC) family in NIST 800-171, organizations must limit system access to authorized users and enforce least privilege. For agentic AI, this means treating each agent as a distinct identity with its own credentials and authorization boundaries. Because agents require different levels of access across multi-step workflows, access decisions should be evaluated dynamically based on context such as data sensitivity, task, and risk, rather than static roles.

What audit and logging changes are needed to stay compliant when using AI agents?

The Audit and Accountability (AU) family requires organizations to create audit records that trace actions to specific identities. With agentic AI, this extends beyond logging actions to capturing decision context, including task execution steps and delegation between agents. Consistent audit trails across systems help organizations demonstrate how CUI was accessed, modified, or transmitted.

Can agentic AI systems handle CUI without violating NIST 800-171 or CMMC requirements?

Agentic AI systems can handle CUI if organizations control how data moves across systems and external services. This includes mapping third-party dependencies, classifying the data flowing through each integration, and validating that external providers meet required security standards. All interactions with CUI should be traceable to a specific system identity as agent behavior evolves.