
Mapping a Zero-Trust AI Gateway to NIST's Upcoming COSAiS Single-Agent and Multi-Agent Overlays

NIST is teeing up the Concept of Operations for Securing AI Systems (COSAiS) overlays in two forms: a Single-Agent overlay and a Multi-Agent overlay, plus an AI RMF Profile for Critical Infrastructure. Federal contractors and critical infrastructure operators will be measured against these. The pre-map advantage is real: federal procurement reviews already reference the work in progress. This article walks the overlay structure, where a zero-trust AI gateway maps to each control family, and the evidence artifact each control consumes.

By Parminder Singh · Founder & CEO, DeepInspect Inc.

Federal News Network reported in May 2026 on the structure of NIST's Concept of Operations for Securing AI Systems (COSAiS) work. The agency is preparing two overlay documents: a Single-Agent overlay covering individual AI deployments, and a Multi-Agent overlay covering systems where multiple agents interact across organizational boundaries. A separate AI RMF Profile for Critical Infrastructure is in parallel development. Federal contractors and critical infrastructure operators will be measured against the overlays once they finalize.

The early-mover advantage is real. Federal procurement reviews already reference the draft work in their security questionnaires. A vendor that can pre-map its controls to the overlay structure shortens the review cycle.

I want to walk through the overlay structure as it currently stands, then map a zero-trust AI gateway to each control family. The gateway evidence artifact per control is the practical part of the mapping: it is what an auditor or assessor will ask for.

What COSAiS is

The COSAiS work treats AI deployment as an operational system that has to be secured with the same rigor as any other piece of federal infrastructure. The overlays are written to extend NIST SP 800-53 and SP 800-37 with AI-specific controls. A federal contractor running an AI system in production has to demonstrate control implementation against the overlay applicable to its deployment pattern.

The Single-Agent overlay covers the case where a single AI system handles requests from a population of users. The Multi-Agent overlay covers the case where multiple AI systems interact, with delegation of authority and intermediate state. The Critical Infrastructure profile applies the overlays to sectors covered under Presidential Policy Directive 21.

Cloud Security Alliance is publishing companion work through CSA Labs that maps the overlays to commercial cloud reference architectures.

Single-Agent overlay structure

The Single-Agent overlay reuses the SP 800-53 control families and adds AI-specific augmentations. The families that an inline gateway maps to are:

  • AC (Access Control): identity-aware policy at the AI request layer
  • AU (Audit and Accountability): per-decision audit record with tamper-evident write
  • IA (Identification and Authentication): identity assertion verification on agent-to-model traffic
  • SC (System and Communications Protection): fail-closed behavior, encryption in transit
  • SI (System and Information Integrity): prompt and response classification

For each family below, I list the AI-specific augmentation as it currently appears in the draft work and the gateway control that satisfies it.

AC family

AC-3 (Access Enforcement) augmentation: enforce identity-bound policy on AI request traffic.

Gateway control: every request is evaluated against identity, prompt content, and policy version. Decisions are made in tens of milliseconds. The enforcement layer is independent of the model and the application.

Evidence artifact: a sample of audit records showing decisions per identity per policy version, plus the policy decision logic available for review.

AU family

AU-2 (Audit Events) and AU-12 (Audit Generation) augmentation: AI request and response are auditable events.

Gateway control: per-request record including identity, prompt classification, tool invocations, policy version, decision, response classification, and signature. Records are written before the response returns to the application.

Evidence artifact: schema of the audit record, sample records with sensitive fields redacted, and demonstration that the application cannot modify the records after write.
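As an added illustration of the AU control above (example code written for this article, not DeepInspect's implementation; the signing key, field names and sample requests are constructed), a gateway-side audit record carrying the listed fields, HMAC-signed and hash-chained so that an edit, deletion or reordering after write is detectable by the verifier:

```python
import hashlib
import hmac
import json

SIGNING_KEY = b"example-audit-signing-key"  # constructed; held by the gateway only, never by the application
AUDIT_FIELDS = ("identity", "prompt_classification", "tool_invocations",
                "policy_version", "decision", "response_classification", "prev_hash")

def canonical(record):
    """Canonical JSON over the schema fields only, so the signature covers exactly them."""
    return json.dumps({k: record[k] for k in AUDIT_FIELDS}, sort_keys=True, separators=(",", ":")).encode()

def write_record(log, identity, prompt_cls, tools, policy_version, decision, response_cls):
    """Append a signed, hash-chained record; each record commits to the previous record's signature."""
    prev = log[-1]["signature"] if log else "GENESIS"
    record = {
        "identity": identity,
        "prompt_classification": prompt_cls,
        "tool_invocations": list(tools),
        "policy_version": policy_version,
        "decision": decision,
        "response_classification": response_cls,
        "prev_hash": hashlib.sha256(prev.encode()).hexdigest(),
    }
    record["signature"] = hmac.new(SIGNING_KEY, canonical(record), hashlib.sha256).hexdigest()
    log.append(record)   # in the gateway this write completes before the response is released
    return record

def verify_log(log):
    """Return (ok, index of first bad record). Catches edited, deleted or reordered records."""
    prev = "GENESIS"
    for i, rec in enumerate(log):
        expected_prev = hashlib.sha256(prev.encode()).hexdigest()
        expected_sig = hmac.new(SIGNING_KEY, canonical(rec), hashlib.sha256).hexdigest()
        if rec["prev_hash"] != expected_prev or not hmac.compare_digest(rec["signature"], expected_sig):
            return False, i
        prev = rec["signature"]
    return True, None

def demo():
    """Two constructed requests, then an after-the-fact edit of a denied decision."""
    log = []
    write_record(log, "svc:chatbot/user:alice", "benign", [], "policy-v7", "allow", "public")
    write_record(log, "svc:chatbot/user:bob", "injection-suspected", ["db.query"], "policy-v7", "deny", "n/a")
    ok_before = verify_log(log)[0]
    log[1]["decision"] = "allow"     # the application tries to rewrite the denied decision
    return ok_before, verify_log(log)
```

The assessor demonstration for "the application cannot modify the records after write" is the second half of `demo()`: the rewrite is caught at index 1 because the application holds no signing key.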

IA family

IA-5 (Authenticator Management) augmentation: agent identities are authenticated and their assertions are verifiable.

Gateway control: each agent-to-model request must carry a verifiable identity assertion. Requests without identity context are blocked at the boundary. Service-account credentials are accepted but the upstream principal must be propagated via header.

Evidence artifact: the identity propagation specification, the verification logic, and a sample of records showing dual identity (agent and upstream principal).

SC family

SC-7 (Boundary Protection) augmentation: AI traffic boundaries are enforced.

Gateway control: the gateway terminates TLS, evaluates the request, and re-establishes the connection to the model. The traffic boundary between the application and the model is enforced at the gateway, not at the network layer.

Evidence artifact: the network diagram showing the gateway in the request path, the TLS configuration for both legs, and the fail-closed behavior specification.

SI family

SI-4 (System Monitoring) augmentation: prompt and response are continuously monitored for adversarial patterns and data classification.

Gateway control: every prompt and every response is classified. Classifications drive policy decisions. The classification engine is independent of the model.

Evidence artifact: the classification taxonomy, the engine specification, and a sample of records showing classification outcomes.

Multi-Agent overlay augmentations

The Multi-Agent overlay adds control families that cover delegation and cross-agent state.

Delegated authority enforcement

Augmentation: when agent A acts on behalf of user U and calls agent B, the request to agent B must carry the full delegation chain.

Gateway control: identity propagation across agent boundaries. Each request carries the lineage of every actor in the chain. Policy at agent B is evaluated against the chain, not just the immediate caller.

Evidence artifact: lineage records showing the full chain per request, plus the policy logic that evaluates against the chain.

Action lineage

Augmentation: each action taken by an agent must be traceable back to the originating user session.

Gateway control: per-request audit records carry the originating session identifier. Cross-agent state transfers record the source and the destination identifier.

Evidence artifact: a sample of audit records reconstructing a complete multi-agent transaction back to the originating user session.

Multi-agent containment

Augmentation: compromise of one agent must not propagate to others without explicit policy authorization.

Gateway control: each agent has an independent policy. Cross-agent state transfer requires an explicit allow rule. Default behavior is isolation.

Evidence artifact: the policy that governs cross-agent transfers, plus the audit records showing transfers and their authorization decisions.
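One way to implement the three Multi-Agent augmentations above (delegated authority, action lineage and containment) in a single policy evaluation, as an added example that is not DeepInspect's code; the policy format, agent names, roles and user directory are constructed assumptions. The target agent's policy is applied to every actor in the chain, the chain must originate from a user session, and any agent without an explicit allow rule is isolated by default:

```python
# Assumed per-agent policy format (constructed for this example): each agent names the roles every
# human principal in the chain must hold and the agents allowed to appear in a chain reaching it.
AGENT_POLICIES = {
    "agent-b": {"allowed_roles": {"analyst"}, "allowed_agents": {"agent-a"}},
    "agent-c": {"allowed_roles": {"admin"}, "allowed_agents": set()},   # no allow rule: fully isolated
}
USER_ROLES = {"user:alice": {"analyst"}, "user:mallory": {"guest"}}    # constructed directory lookup

def evaluate(target_agent, chain, session_id):
    """Evaluate a request against the whole delegation chain, not just the immediate caller.

    chain: actors in order from the originating user to the immediate caller,
           e.g. ["user:alice", "agent-a"] for "agent A acts on behalf of user U and calls agent B".
    Returns an audit-style record carrying the lineage and the originating session identifier.
    """
    policy = AGENT_POLICIES.get(target_agent)
    reasons = []
    if policy is None:
        reasons.append("no policy for target agent")                     # unknown agent: fail closed
    elif not chain or not chain[0].startswith("user:"):
        reasons.append("chain does not originate from a user session")   # action lineage requirement
    else:
        for actor in chain:
            if actor.startswith("user:"):
                if not USER_ROLES.get(actor, set()) & policy["allowed_roles"]:
                    reasons.append(f"{actor} holds no role permitted at {target_agent}")
            elif actor not in policy["allowed_agents"]:
                reasons.append(f"{actor} has no allow rule for transfer into {target_agent}")
    return {
        "session_id": session_id,
        "target": target_agent,
        "lineage": list(chain),
        "decision": "deny" if reasons else "allow",
        "reasons": reasons,
    }
```

The returned record is the lineage evidence artifact: the chain, the originating session and the reasons for the decision are all present, so a complete multi-agent transaction can be reconstructed from the records alone.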

Critical Infrastructure profile

The Critical Infrastructure profile layers on additional requirements for sectors covered under PPD-21. The notable additions:

  • Sub-second decision latency on enforcement (the operational tempo of critical infrastructure does not tolerate slow controls)
  • Air-gapped or partially-disconnected operation support
  • Sector-specific data classification overlays (energy, water, healthcare, financial services)

A gateway evaluated under the Critical Infrastructure profile has to demonstrate sub-50 ms decision latency under load and graceful behavior when downstream model endpoints are unreachable. Fail-closed is the default for this profile.

What a procurement review looks like under COSAiS

Federal procurement reviews under the overlays will run a control-by-control map. The vendor is asked to demonstrate each control's implementation, the evidence artifact, and the operational testing that validates the control under realistic load. A vendor with a pre-built map shortens the review from weeks to days.

The map above is a starting position. The actual overlay text will refine the augmentations once NIST publishes the draft. CISOs preparing for federal opportunities should monitor the COSAiS workstream and update their control inventory as draft text becomes available.

Compliance posture

The COSAiS overlays will interlock with the AI RMF GOVERN, MAP, MEASURE, MANAGE functions. They will also reference back to SP 800-53 control families that most federal contractors already implement. The new work is the AI-specific augmentation, not a wholesale new control catalog. For a contractor with a mature SP 800-53 program, the gateway controls above slot into existing families. For a contractor that has not yet implemented AI-specific controls, the gap is the request-layer enforcement and the per-decision audit.

DeepInspect

This is exactly what DeepInspect does. DeepInspect is an inline policy enforcement layer at the AI request boundary. The control inventory above is the literal evidence map the product produces. Each family is supported by audit records, configuration artifacts, and policy logic that can be handed to an assessor as part of an SP 800-53-aligned package.

If you are preparing for a federal procurement review and want to see the COSAiS pre-map applied to your deployment, book a demo today.

Frequently asked questions

When will COSAiS be finalized?

NIST has not published a final date. The current public statements indicate draft publication in the second half of 2026 with a public comment window. Final overlays typically follow comment-window close by six to twelve months.

Does an existing NIST AI RMF implementation cover COSAiS?

Partially. The AI RMF GOVERN and MAP functions overlap with COSAiS at the program level. The COSAiS overlays add technical augmentations that the AI RMF does not specify in implementation detail. The gateway controls above are the augmentation layer.

Are federal contractors already being measured against COSAiS draft work?

Procurement reviews vary by agency. Several agencies are referencing draft COSAiS work in security questionnaires already. A vendor with a pre-map is in a stronger position than one without.

How does the Critical Infrastructure profile affect commercial deployments?

The profile applies to PPD-21 sectors. Commercial deployments outside those sectors are not directly affected but may use the profile as a reference. For sectors that may become covered (financial services, healthcare), pre-mapping is a hedge.

What is the relationship between COSAiS and the EU AI Act Article 12 logging requirement?

Both regimes require per-decision recording of AI system activity. The audit record produced for Article 12 also satisfies the AU family augmentation in COSAiS. A single audit primitive can feed multiple regimes.