Anthropic's CISO Playbook for Agentic AI Names Four Questions Every Security Team Must Answer Before Deployment
Source
Zero risk isn't the job: a CISO's guide to agentic AI
Anthropic
Via Anthropic
What happened
Anthropic published 'Zero risk isn't the job: a CISO's guide to agentic AI', a security-focused operational guide directed at CISOs and compliance teams managing agentic AI deployments. The guide is structured around four concrete questions practitioners should answer before authorizing any agent: what content sources the agent ingests and how trustworthy they are, what actions the agent is permitted to take, what the blast radius of a misconfiguration or failure would be, and whether the agent's behavior is sufficiently observable after deployment. Rather than positioning risk elimination as the goal, the guide argues that calibrated, documented risk acceptance is the realistic standard for responsible deployment. The publication arrives as agentic systems move from experimental to production environments across industries, and as regulators in the EU, Singapore, and the United States begin incorporating agentic AI into formal guidance. Anthropic frames the guide as a practical complement to the structural governance questions that security teams are beginning to face from auditors and regulators.
Why it matters
- ·The four-question framework maps directly onto controls that auditors and regulators are beginning to test in agentic deployments, particularly around permission scope, action reversibility, and audit log completeness; compliance teams that cannot answer these questions in writing face increasing documentation gaps as frameworks like the IMDA Model AI Governance Framework for Agentic AI and EU oversight requirements mature.
- ·The blast radius concept formalizes a risk boundary that most organizations have not yet defined for AI agents, meaning that any agent with write access to systems, data, or external services represents an unmapped operational risk until explicit containment controls are documented and tested.
- ·Observability requirements for agents are distinct from standard application monitoring: agents executing multi-step tasks across systems can cause harm through sequences of individually benign actions, so compliance teams that rely on output-level monitoring alone will miss the behavioral anomalies that precede incidents.
Governance controls affected
What to do now
- ☐Map every deployed or approved AI agent against the four Anthropic questions and document answers in your AI model registry, flagging any agent where blast radius or observability cannot be fully characterized.
- ☐Define explicit blast radius boundaries for each agent by identifying the maximum set of systems, data stores, and external services the agent can modify, and enforce those limits through permission controls rather than policy alone.
- ☐Review agent audit log configurations against AGT-006 standards to confirm that multi-step behavioral sequences are captured, not only final outputs, so that incident investigations can reconstruct the full action chain.
- ☐Establish a pre-deployment readiness checklist that requires documented answers to all four questions as a gate condition before any agent moves from testing to production, and assign a named reviewer responsible for sign-off.
- ☐Schedule a tabletop exercise simulating agent misconfiguration or prompt injection to test whether observability controls surface the failure in time for human intervention before irreversible actions occur.
What to watch next
Compliance teams should monitor whether Anthropic expands this guide into a formal assessment methodology or integrates it with third-party audit standards, as practitioner frameworks from frontier labs increasingly influence what regulators and auditors treat as baseline expectations. The IMDA Model AI Governance Framework for Agentic AI from Singapore and pending EU-level agentic AI guidance are likely to reference similar operational criteria, making early internal alignment with this four-question structure a hedge against future conformity requirements. Organizations in regulated sectors should also watch for enforcement actions or supervisory letters that cite inadequate agent observability or undefined blast radius as control failures, as these are the dimensions most likely to surface in examinations before formal rulemaking catches up.
AI Governance Weekly
Weekly intelligence on AI regulation, enforcement, and governance. Every Thursday.
