You Can’t Integrate Agentic AI into Your ISMS
You Have to Redesign What Your ISMS Actually Governs
By Eckhart Mehler for CISOsCISO — a perspective on cybersecurity leadership, governance and the decisions that determine whether organizations retain control.
I’ve reviewed a few internal papers lately where teams tried to “integrate AI into the ISMS.”
They all looked reasonable. A short section in the policy. A few controls extended. Maybe a new risk category. Nothing wrong with any of that.
But it misses the point.
Not because it’s incorrect — but because it assumes that Agentic AI behaves like everything else we’ve integrated before.
It doesn’t.
Most ISMS setups — even good ones aligned with ISO/IEC 27001:2022 — are built around a fairly stable picture of the world:
There are systems. There are processes. There are people responsible for both.
Controls are designed accordingly.
You assign ownership. You define access. You assess risk based on expected behavior.
That model has worked surprisingly well.
But it depends on one thing we rarely question:
That decisions are made by actors we can clearly identify.
Agentic systems start to blur that line.
Not in an obvious way.
They don’t announce: “I am now making decisions.”
They just… start doing it.
They prioritize. They interpret. They take actions that used to require a person in the loop.
And in many cases, they do it well enough that nobody intervenes.
That’s where things get interesting.
Because your ISMS still describes a world where:
- humans decide
- systems execute
But your operations increasingly look like:
- systems decide
- humans review (if at all)
That gap is not visible in your documentation.
But it’s very real in practice.
What I see in many organizations is an attempt to fit this into existing structures.
Agents become “assets.” Someone gets assigned as “owner.” Risks are described in familiar terms.
That creates order on paper.
But it doesn’t answer the question that actually matters:
Who decided that this system is allowed to make that decision?
Take a simple example.
An agent in your environment:
- triages incidents
- prioritizes alerts
- maybe even triggers containment actions
Technically, that’s just automation.
From a governance perspective, it’s something else.
You’ve delegated a piece of operational decision-making.
Was that explicit? Was it discussed? Was it limited?
Or did it just evolve because the tool made it possible?
That’s where I would start if I were to “integrate” Agentic AI into an ISMS.
Not with controls.
With a conversation most ISMS never forced us to have:
Which decisions are we actually willing to hand over?
Once you ask that question seriously, a few things become visible very quickly.
First, responsibility becomes fuzzy.
Your current model probably distinguishes between:
- asset owners
- process owners
- risk owners
Now introduce an agent that acts across all three.
Who is accountable for what it does?
In theory, you can assign that.
In practice, many organizations end up with something like:
Everyone is responsible — which means nobody really is.
Second, identity starts to feel inadequate.
We are used to thinking in terms of users and services.
Agentic systems don’t fit neatly into either category.
They don’t just execute predefined tasks.
They derive actions from goals and context.
So the question shifts.
It’s no longer just: “Who is allowed to access this system?”
It becomes:
“Who is allowed to decide to use this access — under which conditions?”
If your access model doesn’t reflect that, it will look correct in an audit — and still fail you in practice.
Third, you will notice that your logs don’t tell the full story anymore.
You can log every interaction:
- every API call
- every data access
- every output
And still be unable to answer a simple question:
Why did the system take that path?
Not in technical terms.
In decision terms.
What was the goal? How was it interpreted? Why was one option chosen over another?
If you can’t reconstruct that, your evidence is incomplete.
And in an incident, that matters.
Then there is risk.
Most ISMS-driven risk models are quite structured.
They rely on:
- known scenarios
- identifiable weaknesses
- defined impacts
Agentic systems introduce behavior that doesn’t always fit that mold.
They don’t just fail because something is broken.
They fail because:
- something was misunderstood
- context was incomplete
- small deviations accumulated
It’s less about a single point of failure and more about a chain of “reasonable” decisions that leads to a problematic outcome.
That’s harder to capture.
But it’s exactly where your exposure is.
At some point, this all leads back to leadership.
ISO/IEC 27001:2022 emphasizes leadership responsibility.
In many organizations, that translates into:
- approving policies
- reviewing reports
- accepting risks
With Agentic AI, the nature of those decisions changes.
You’re no longer just deciding: “Is this control sufficient?”
You’re deciding:
“Are we comfortable with not being the direct decision-maker in this situation?”
That’s a different level of responsibility.
And it’s not something you can delegate back to the system.
So what does “integration into the ISMS” actually look like?
In my experience, it starts with making implicit things explicit.
- Explicitly define which types of decisions can be delegated
- Explicitly define boundaries and conditions
- Explicitly assign responsibility for those decisions
- Explicitly document where you are not willing to delegate
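As an added illustration of what those four "explicitly" items look like once they leave the policy document, and of the decision-level evidence the logging section above says most logs lack, here is a small delegation register with an authorization gate and a decision trace. This is example code written for this edit, not the author's or any product's; the decision-type names, role names, severity scale and the observed action log are all constructed assumptions.

```python
# Added example (not from the article): a delegation register, an authorization
# gate that checks an agent's proposed action against it, and a decision trace that
# records the "why" (goal, interpretation, options, choice) next to the "what".
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Optional
import json


@dataclass(frozen=True)
class DelegationRule:
    """One explicit statement: this decision type is delegated, up to this boundary,
    and this human role stays accountable for it."""
    decision_type: str           # hypothetical naming, e.g. "alert.prioritize"
    owner: str                   # accountable role (assumed role names)
    max_severity: int            # boundary: agent may act on its own only up to this severity
    requires_human_review: bool  # condition: act, but a human must review afterwards


# Constructed register. Anything absent from it is explicitly NOT delegated.
DELEGATION_REGISTER = {
    r.decision_type: r for r in (
        DelegationRule("alert.prioritize", "SOC lead", max_severity=4, requires_human_review=False),
        DelegationRule("incident.triage", "IR manager", max_severity=3, requires_human_review=False),
        DelegationRule("containment.isolate_host", "IR manager", max_severity=2, requires_human_review=True),
    )
}


@dataclass
class DecisionTrace:
    """Evidence in decision terms, plus the register entry (or its absence)
    that allowed or blocked the action."""
    decision_type: str
    goal: str
    interpretation: str
    options: list
    chosen: str
    severity: int
    allowed: bool
    reason: str
    owner: Optional[str]
    human_review_required: bool
    recorded_at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


def authorize_decision(decision_type, goal, interpretation, options, chosen, severity):
    """Gate an agent's proposed action against the register and return the trace."""
    base = dict(decision_type=decision_type, goal=goal, interpretation=interpretation,
                options=list(options), chosen=chosen, severity=severity)
    rule = DELEGATION_REGISTER.get(decision_type)
    if rule is None:
        return DecisionTrace(**base, allowed=False, owner=None, human_review_required=True,
                             reason="decision type is not in the delegation register")
    if severity > rule.max_severity:
        return DecisionTrace(**base, allowed=False, owner=rule.owner, human_review_required=True,
                             reason=f"severity {severity} exceeds delegated boundary {rule.max_severity}")
    return DecisionTrace(**base, allowed=True, owner=rule.owner,
                         human_review_required=rule.requires_human_review,
                         reason="within delegated boundary")


def trace_to_json(trace):
    """Serialize a trace as one audit record."""
    return json.dumps(asdict(trace), sort_keys=True)


def find_unacknowledged_delegation(observed_actions):
    """Answer 'where have decisions already moved without acknowledgment?':
    given (decision_type, severity) pairs seen in an agent's action log, return
    those no register entry covers."""
    gaps = []
    for decision_type, severity in observed_actions:
        rule = DELEGATION_REGISTER.get(decision_type)
        if rule is None or severity > rule.max_severity:
            gaps.append((decision_type, severity))
    return gaps


# Constructed observed actions, as an agent's action log might show them.
OBSERVED_ACTIONS = [
    ("alert.prioritize", 3),
    ("incident.triage", 2),
    ("containment.isolate_host", 4),     # beyond the boundary that was accepted
    ("containment.disable_account", 1),  # never delegated at all
]

if __name__ == "__main__":
    t = authorize_decision("containment.isolate_host", goal="stop lateral movement",
                           interpretation="host beaconing to a blocklisted address",
                           options=["isolate host", "block egress only", "escalate"],
                           chosen="isolate host", severity=2)
    print(trace_to_json(t))
    print(find_unacknowledged_delegation(OBSERVED_ACTIONS))
```

The register is the artefact an auditor can be pointed at: for every trace, `owner` and `reason` name the entry that allowed the action, and `find_unacknowledged_delegation` run over real action logs surfaces the decisions that have already moved to the agent without anyone writing them down.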
Only then do controls make sense again.
Because they are anchored in something real.
Otherwise, you end up with a well-structured ISMS that still passes audits.
But describes a world that no longer matches your operations.
And that’s the real risk.
Not that your controls are wrong.
But that they are applied to the wrong model of reality.
So if you’re currently working on “integrating Agentic AI into your ISMS,” I would suggest a small shift in perspective.
Don’t start with the question: “How do we control this technology?”
Start with:
“Where have we already allowed decisions to move — without formally acknowledging it?”
Everything else follows from there.
Because in the end, your ISMS is not just about protecting systems.
It’s about ensuring that:
- decisions are made consciously
- responsibilities are clear
- risks are understood
Agentic AI doesn’t remove that requirement.
It just makes it much harder to pretend we’ve fulfilled it.
And one final thought.
If an autonomous system in your environment makes a decision tomorrow that leads to a serious issue:
Can you point to the place in your ISMS where that type of decision was explicitly allowed?
Not technically enabled.
Explicitly allowed.
If you can’t, you don’t have an AI problem.
You have a visibility problem in your governance.
And that’s much harder to fix after the fact.
Publication Note & Disclaimer
This article was originally published on LinkedIn on May 14, 2026 and may have been edited or updated for publication on this site.
It reflects my personal professional perspective and does not represent the official policy or position of my employer. Drafting and editorial refinement may have been supported by commercially available AI-assisted tools. The analysis, conclusions and final curation are entirely my own.
For information regarding image credits, copyrights, trademarks and other intellectual property rights, please refer to the Imprint.