
Q&A About Governing Agentic AI: Rock Lambros Discusses the Janus System, OpenClaw, and Security Takeaways

Carol Anderson, President of Imagent Inc., interviewed Rock Lambros.

Agentic AI requires new thinking about governance

Richmond Advisory Group recently interviewed Rock Lambros, Director of AI Standards and Governance at Zenity and Founder of RockCyber. The conversation explored the inevitability and necessity of using AI to govern AI, with insights into humans in the loop, non-human identities, and OpenClaw.

Why this matters

Traditional governance thinking and processes can’t keep up with the agentic AI world, which is moving at blazing speeds. In the past couple of months, the Model Context Protocol (MCP) accumulated 30+ CVEs, NIST launched the AI Agent Standards Initiative, and major vendors shipped agent governance tooling at RSA 2026. The gap between agent capability and governance maturity is widening, not closing.

When organizations deploy agents and rely on current governance methods, the risks may outweigh the rewards. A NIST-aligned, novel platform offers organizations an alternative way to govern AI using AI.

What Is the Janus System?

It’s a concept based on Janus, the two-faced Roman deity, that I’ve been thinking about for a while. Janus seems like a useful model for governing dual-component AI. The second you break out a single-agent pattern into a multi-agent pattern, the challenges explode exponentially.

Janus splits AI into two components: one is the agents that face forward and ruthlessly pursue their objectives. The other component is a governance orchestrating agent that looks backward to check the agents at machine speed. An agent checking the agents. We need this duality. Only AI can govern AI.

How Does Janus Improve AI Governance?

The agentic world is moving at blistering speeds. Two months ago, I would have said we don't have agent standards. That's changed. NIST launched the AI Agent Standards Initiative in February. AIUC-1 gives us an objective framework for classifying agent use cases. CoSAI published its Principles for Secure-by-Design Agentic Systems and an MCP security taxonomy. Zenity joined CoSAI's Project Governing Board because the open specifications that enterprises will operationalize are being written inside those workstreams right now. If you're not at the table contributing practitioner evidence, you're deploying agents on a governance framework you had no role in shaping.


The standards are arriving. The deployments aren't waiting. Most organizations still govern AI the way they govern traditional software. Deploy, audit, check a box, come back in 90 days. That fails catastrophically when an AI agent can write its own instructions, rewrite its guardrails, and pursue goals you never named, all at machine speed.

Some colleagues and I wrote a paper that describes an open-source governance platform called AAGATE, which stands for Agentic AI Governance Assurance & Trust Engine. It aligns with NIST’s AI Risk Management Framework and bridges policy, security, and AI development. The platform is a way to operationalize Janus with Kubernetes-native deployment and governance as code. It’s designed to enforce policies dynamically.

The shadow-monitor pattern, an agent watching agents, has become a product category. Multiple vendors shipped versions of it at RSA 2026. The Janus concept anticipated this. Where AAGATE goes further is the integrated stack: MAESTRO threat mapping across seven layers, AIVSS risk scoring, SSVC response prioritization, ANS-based cryptographic identity, UEBA behavioral profiling, and ZK compliance proofs. No one ships this full architecture. The governance stack must be as sophisticated as the agent architecture it monitors. A shadow agent with a kill switch is one component. The integrated platform is the contribution.

In the past few weeks, multiple major vendors launched agent governance tooling at RSA 2026, including open-source policy enforcement engines, agent red-teaming platforms, and zero trust extensions covering the full AI lifecycle. These are runtime containment and policy enforcement tools. They validate the pattern. They don't replicate the full governance architecture.

The Kubernetes-native AAGATE architecture with service mesh, observability, and governance orchestration. Source: arXiv, Cornell University. https://arxiv.org/pdf/2510.25863

How Do We Keep Humans in the Loop?

Keeping humans in the loop is an intentional architectural decision. Some human triggers need to be configurable and some will be based on a behavioral analytics engine like the UEBA in the traditional cyber world. An agent going beyond a risk threshold triggers a human. There’s never going to be a hard line on this because the triggers will change as agent behaviors change.

Whatever the interface looks like, and it could be email, WhatsApp, or Slack, agent X stops due to a rule-based policy or risk threshold. It explains why it stopped and asks how to proceed. The analyst can recommend yes, no, or other action. Or kill the agent, which should trigger an investigation before re-enabling it.

The most dangerous moment in AI governance isn’t when the system fails. It’s when it works so well that nobody bothers checking anymore. You deploy an agent, and it delivers results. The ROI is great. But humans get used to rubber stamping things. After 10 corrective actions in a row, we use the stamp. Then humans are loop-adjacent. 


In addition to policy guardrails, we need mandatory incident reviews and a dedicated incident broker that evaluates what an agent is about to do.

What Is Your Take on OpenClaw?

It’s an open-source AI agent that really took off. But in about a nanosecond, researchers found hundreds of vulnerabilities and thousands of instances where people’s secrets and API credentials were exposed to the internet.

OpenClaw was developed to be a consumer personal assistant, not an enterprise solution. But people immediately tried to slam it into their corporate environments as a magic way to solve problems. But that’s wrong. You wouldn’t expect your washing machine and dryer at home to survive in a laundromat, right?

Is OpenClaw disruptive? Is it transformational? Was it meant to be experimental in pushing the limits of what we can do with agents? Absolutely. But at the end of the day, it’s software, and there are implications for operations, security, and privacy. For example, OpenClaw self-codes by design. Without good context engineering and context management, meaning clearer context, an agent can write code and potentially drift. Old permissions can linger. I'm not trying to anthropomorphize it, but agents remember. Just like ChatGPT or Claude or Gemini remembers past interactions.

I think we’ve forgotten basic software development and lifecycle principles when it comes to rolling out AI agents. And I’m seeing a general lack of security-first thinking. Hopefully, each iteration of OpenClaw gets better.

I'm waiting to hear a story about someone who asks OpenClaw to invest $10,000 in the most tax-friendly way. And then, three months later you get a knock on the door because you're being accused of money laundering. This goes back to how you use an agent, understanding its capabilities and its limitations.

Will You Comment on Agentic AI Security?

From a security perspective, we're focused on some of the wrong things. We're obsessed about prompt injection, for example, but we really need to start obsessing over what the agent can reach once it's compromised. We need to focus on authorization boundaries and policy gates and the governance and orchestration mechanisms around them. The permissions that you give an agent are the payload.

I worry most about over-permissiveness and the lack of a good identity framework around agents. We treat agents like they’re kind of human or non-human identity hybrids, but agents are a new class of non-human identities. In a typical MCP interaction, the human user's identity disappears entirely. The MCP server sees an authenticated agent using a static API key. It has no idea who authorized the action or the scope of that authority.

Organizations give permissions to agents they would never give a human employee. We need to treat AI agents as dumb interns. An intern will likely be smart enough to escalate if something's ambiguous or fishy. An agent can't do that. An agent is going to try to complete its task, no matter what.
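
The identity gap described in this answer (the tool server sees only an agent holding a static key, never the human who authorized the action or the scope of that authority) is easier to see in code. The following is an editor-added example, not code from the interview, from AAGATE, or from any MCP implementation. It contrasts a tool server that authenticates with a shared static key against one that requires a short-lived, HMAC-signed delegation token naming the human principal, the scopes that principal granted, and the single tool the token was minted for. The tool catalogue, scope names, key material and token format are all assumptions made for the illustration.

```python
"""Editor-added example: static agent key vs. user-bound delegation token.
Assumptions: the tool catalogue, scope names, the HMAC secret and the token
encoding below are constructed for this illustration, not from any real
MCP server or authorization server."""
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed tool catalogue: the permission each tool requires.
TOOLS = {
    "read_ticket": "tickets:read",
    "close_ticket": "tickets:write",
    "export_customers": "crm:export",
}

# --- Weak pattern: one static key the agent presents on every call ---------
AGENT_STATIC_KEY = "agent-key-0001"  # constructed; sits in the agent's environment


def call_tool_static(api_key: str, tool: str) -> str:
    """The server only learns 'some holder of the key asked'. Every tool the
    key can reach is in scope, so the key *is* the payload once stolen."""
    if not hmac.compare_digest(api_key, AGENT_STATIC_KEY):
        return "denied: bad key"
    if tool not in TOOLS:
        return "denied: unknown tool"
    return f"ok: {tool} executed on behalf of <unknown user>"


# --- Hardened pattern: token bound to user, scopes, tool and expiry ----------
SERVER_SECRET = b"constructed-hmac-secret"  # assumption: shared with the issuer


def issue_delegation(user: str, scopes, tool: str, ttl_s: int = 60) -> str:
    """Issuer (e.g. an authorization server the user consented at) mints a
    short-lived token stating who delegated, which scopes, and for which tool."""
    body = {"sub": user, "scp": list(scopes), "tool": tool,
            "exp": int(time.time()) + ttl_s}
    payload = json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + mac


def verify_delegation(token: str) -> Optional[dict]:
    """Return the claims if the MAC checks out and the token is unexpired."""
    try:
        payload_hex, mac = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(payload)
    if claims["exp"] < time.time():
        return None
    return claims


def call_tool_delegated(token: str, tool: str) -> str:
    """The server now enforces that a named human granted the scope this tool
    needs and that the token was minted for this tool only."""
    claims = verify_delegation(token)
    if claims is None:
        return "denied: invalid or expired token"
    if claims["tool"] != tool:
        return f"denied: token bound to {claims['tool']}, not {tool}"
    needed = TOOLS.get(tool)
    if needed is None:
        return "denied: unknown tool"
    if needed not in claims["scp"]:
        return f"denied: {claims['sub']} never granted {needed}"
    return f"ok: {tool} executed on behalf of {claims['sub']} (scope {needed})"


def demo() -> dict:
    """Simulate a compromised agent reaching beyond the task it was given."""
    stolen = issue_delegation("alice", ["tickets:read"], "read_ticket")
    return {
        "static_export": call_tool_static(AGENT_STATIC_KEY, "export_customers"),
        "delegated_read": call_tool_delegated(stolen, "read_ticket"),
        "delegated_export": call_tool_delegated(stolen, "export_customers"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

With the static key, the stolen credential exports the whole customer base; with the delegation token, the same theft yields one read of one ticket on Alice's behalf, and the audit record names Alice and the scope. The HMAC token stands in for whatever delegated-authorization format the emerging standards settle on; the point is the binding of user, scope, tool and lifetime, not the encoding.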


What Are Your Top Takeaways for Governing Agentic AI?
  1. Inventory all agents used in your organization. Inventory what they can access, not what you think they’re allowed to access or do. Then, understand your use cases.

  2. Implement dual-layer oversight, like the Janus system, to separate capability from governance. The actor and the monitor need to have an independent incentive structure. In other words, ethical circuit breakers and governance as code. An orchestrator can quarantine a particular pod or revoke OAuth tokens in milliseconds. Governance must be decentralized, executable, and enforceable at runtime, combined with continuous red teaming. A distributed ledger allows for the immutability of agent decisions and logs, and it provides a complete audit trail.

  3. Agent identity management moved from research to active standards work in the past two months. NIST's AI Agent Standards Initiative issued a formal concept paper on AI Agent Identity and Authorization in February, with listening sessions underway now. I submitted 33 formal comments on NIST GCR 26-069 covering agentic AI gaps. The agent naming system concept, like DNS for agents, is gaining traction. OWASP has released some research about an agent naming service. OAuth has to evolve, and one of the original authors of OAuth has published an AAuth draft. The standards are coming, but the deployments aren't waiting.

  4. Shadow AI is growing exponentially. Employees will deploy powerful agents on corporate machines without security reviews because they can. It’s important to have the detection capabilities to find unauthorized AI.

  5. I think we’ll make progress with machine-readable governance policies and regulations this year. The EU AI Act has some logging and oversight mandates. And watch the Open Policy Agent ecosystem. It can translate regulatory text into executable rules. Additionally, we’ll hear more about multi-agent coordination. People are still trying to wrap their heads around LLMs, generative AI, and single agents. With agentic AI, we’ll see collusions or cross-agent privilege escalation or cascading failures and attack patterns that current frameworks don’t address.
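
Takeaway 2 (an executable governance layer that can stop an agent at runtime and keep a tamper-evident record of its decisions) and the earlier answer on keeping humans in the loop (a rule-based policy or a risk threshold stops the agent and hands the decision to a person, with re-enabling as an explicit human act) describe the same mechanism from two sides. The following is an editor-added example, not code from the interview, from AAGATE, or from any vendor product. It is a minimal governance gate in Python: the policy is data the gate executes; each decision is appended to a hash chain so silent edits to the history are detectable (a hash chain is a stand-in for the distributed ledger the takeaway mentions, not a replacement for it); and a simple behavioural score that exceeds a threshold halts the agent until a named human resumes it. Action names, risk weights, thresholds and the sample action stream are constructed for the illustration.

```python
"""Editor-added example: a runtime governance gate between an agent and its tools.
Assumptions: POLICY, RISK, the action names and the sample stream are constructed
for this illustration; the hash chain approximates a tamper-evident ledger."""
import hashlib
import json
from collections import Counter

# Governance as code: rules the gate executes, reviewed like any other code.
POLICY = {
    "deny_actions": {"delete_repo", "transfer_funds"},        # never allowed
    "human_required": {"send_external_email", "grant_role"},  # always needs a human
    "allowed": {"read_file", "run_query", "send_external_email", "grant_role"},
    "risk_threshold": 5.0,     # cumulative score that trips the circuit breaker
    "baseline_per_window": 3,  # expected repeats of one action per window (UEBA-style)
}
# Constructed risk weight per action.
RISK = {"read_file": 0.5, "run_query": 1.0, "send_external_email": 2.0, "grant_role": 3.0}


class AuditChain:
    """Append-only log; each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "record": record, "hash": digest})
        return digest

    def verify(self) -> bool:
        """False if any entry was altered or re-ordered after being written."""
        prev = "0" * 64
        for entry in self.entries:
            body = json.dumps(entry["record"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


class GovernanceGate:
    """The backward-facing component: checks every forward-facing agent action."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.score = 0.0
        self.counts = Counter()
        self.halted = False
        self.log = AuditChain()

    def decide(self, agent: str, action: str, target: str) -> dict:
        reason = None
        if self.halted:
            decision, reason = "blocked", "agent quarantined pending human review"
        elif action in self.policy["deny_actions"]:
            decision, reason = "deny", "action on deny list"
        elif action not in self.policy["allowed"]:
            decision, reason = "deny", "action not in allow list"
        else:
            self.counts[action] += 1
            self.score += RISK.get(action, 1.0)
            if self.counts[action] > self.policy["baseline_per_window"]:
                self.score += 1.0  # behavioural anomaly: repeating above baseline
            if action in self.policy["human_required"]:
                decision, reason = "human_review", "policy requires human approval"
            elif self.score >= self.policy["risk_threshold"]:
                decision = "halt"
                reason = f"risk score {self.score:.1f} crossed threshold"
                self.halted = True  # circuit breaker: nothing passes until a human acts
            else:
                decision = "allow"
        record = {"agent": agent, "action": action, "target": target,
                  "decision": decision, "reason": reason, "score": round(self.score, 2)}
        self.log.append(record)
        return record

    def human_resume(self, approver: str) -> None:
        """Quarantine is cleared only by an explicit, logged human act."""
        self.halted, self.score = False, 0.0
        self.counts.clear()
        self.log.append({"agent": None, "action": "resume", "target": None,
                         "decision": "allow", "reason": f"re-enabled by {approver}",
                         "score": 0.0})


def run_sample():
    """Constructed stream of actions from one agent; returns (decisions, gate)."""
    gate = GovernanceGate()
    stream = [("read_file", "/etc/app.yaml"), ("run_query", "SELECT * FROM users"),
              ("run_query", "SELECT * FROM orders"), ("run_query", "SELECT * FROM payments"),
              ("run_query", "SELECT * FROM secrets"), ("delete_repo", "prod-infra"),
              ("read_file", "/var/log/app.log")]
    decisions = [gate.decide("agent-7", a, t)["decision"] for a, t in stream]
    return decisions, gate


if __name__ == "__main__":
    outcomes, g = run_sample()
    print(outcomes, "chain intact:", g.log.verify())
```

In the sample stream the fourth repeated query pushes the score over the threshold, so the agent is halted before it ever reaches the deny-listed `delete_repo`; every later call is blocked and logged as such until `human_resume` is called, and that resumption is itself a chain entry. Swapping the Python dict for policy written in Open Policy Agent, and the hash chain for a real append-only store, changes the plumbing but not the control points.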

Forward Thinking About AI Governance

Slowing agentic AI rollouts to consider agent identity management, security, governance, risk, and regulations is advisable but not likely to happen. Thoughtful assessment, clear use cases, governance-as-code and a framework for governing AI will help organizations use AI more securely. The idea of AI governing AI may not be an easy-to-digest concept, but it looks like the only way forward.  

 

Readers might also be interested in the OWASP GenAI Security Project Agentic Security Initiative and the Top 10 Vulnerabilities for Agentic Applications as well as a podcast featuring Rock Lambros.
