Boards should expect agentic AI scrutiny

Panels and governance briefings this week flagged rising expectations for boards to oversee agentic AI security, open‑source governance, and kernel‑level safeguards rather than just surface‑level policies. Practical frameworks for AI lifecycle risk—data sourcing, model drift, and third‑party audits—are being pushed onto the agendas of audit and nominating/governance committees. (hubsite365.com)

Deloitte’s State of AI survey found nearly three‑in‑four companies plan to deploy agentic AI within two years, shifting timelines boards must account for in committee charters and skills matrices. (ciodive.com) The OWASP GenAI Security Project’s Agentic Security Initiative published a Version 1.0 report in July 2025 that codifies threat scenarios and control objectives specifically for autonomous, goal‑directed agents. (mediate.com)

Cloud and infrastructure teams are now treating kernel‑level isolation as a minimum control for agentic workloads, with Google Cloud documentation calling kernel isolation “non‑negotiable” for agents that execute code and commands. (cloud.google.com) Vendors and open‑source projects are packaging Landlock/seccomp, eBPF enforcement, microVMs and gVisor‑style runtimes into agent sandboxes—examples include GuardianShell, the nono kernel‑enforced sandbox project on GitHub, and recent engineering guides comparing microVMs and gVisor for agent containment. (guardianshell.com)

Audit‑committee guidance from PwC and Harvard’s Forum on Corporate Governance urges a move away from point‑in‑time validation toward continuous monitoring, model inventorying and evidence‑preserving MLOps practices that internal audit can test. (auditupdate.com) Big‑four and model‑risk teams (KPMG, EY) are updating third‑party risk playbooks to require vendor attestations, contractual audit rights, and continuous capability monitoring for providers of foundation models and RAG services. (kpmg.com) Academic and civil‑society initiatives are formalizing “frontier AI” third‑party auditing standards—Averi is advocating rigorous external verification while Stanford and partner workshops have pushed for standard evaluation law and protections for independent auditors. (averi.org)

Nominating/governance chairs are being asked to prioritize technology proficiency in board composition, and leading search firms and governance advisors (Russell Reynolds, Heidrick & Spencer Stuart) report rising demand for directors with AI, cybersecurity and model‑risk experience; UC Berkeley’s Center for Long‑Term Cybersecurity has also published agentic risk frameworks used by Bay Area boards. (diligent.com)
