Jun 04, 2026

Make the AI Agent a Reportable Asset

Paul Loeffler

The June 2, 2026 executive order makes CISA the lead for defending civilian federal systems as agencies adopt advanced AI. Section 2 tells agencies to upgrade for AI, but upgrading without governance widens the attack surface rather than narrowing it. This brief sets out the four capabilities a Binding Operational Directive should require, why an AI agent belongs in CDM as a reportable asset, and how JetStream maps to named provisions of the order.

The Executive Order of June 2, 2026, Promoting Advanced Artificial Intelligence Innovation and Security, makes CISA the lead for protecting civilian Federal systems as agencies adopt advanced AI. Section 2(c) directs the Secretary of Homeland Security, through the Director of CISA, to issue Binding Operational Directives and other guidance that expedite the cyber defense of civilian Federal information systems, expand programs delivering AI-enabled defensive tools, and facilitate agency access to cybersecurity tools and covered frontier models.

CISA positioning

Section 2 directs agencies to upgrade their systems for advanced AI. Upgrading without governance makes the attack surface harder to defend, not easier. An agency that fields agentic systems before it can inventory and observe them gains capability it cannot supervise and cannot report to CISA.

Federal agencies already find system-to-system communication hard to account for, and that is in the comparatively controlled world of networked IT, where an Authorizing Official approves connections and changes move through formal change control. Agentic AI removes that friction but creates an entirely new level of risk, because an agent can be deployed without the awareness of any IT Security team, Privacy team, CIO, CISO, or CAIO. A team can stand up an agent that talks to other systems, invokes tools, and moves data in an afternoon, with no Authorizing Official in the loop and no change record. The technical barrier that change control used to rely on has effectively collapsed.

That is the gap a directive must close. Adding advanced AI multiplies the number of autonomous actors operating inside and across agency boundaries. If an agency cannot inventory those actors, tie each to an accountable owner, and observe what they do at runtime, the upgrade leaves agencies, CISA, and the federal enterprise with less visibility into the attack surface, not more.

Binding Operational Directive recommendations

A directive scoped to this gap should require four capabilities from FCEB agencies. Each tracks the NIST guidance Accelerating the Adoption of Software and AI Agent Identity and Authorization (February 6, 2026), which extends Federal identity and access management into the agentic domain.

  1. AI visibility. A continuous, authoritative inventory of AI agents, models, tools, datasets, and the human, agentic, and non-human identities that use them.
  2. AI governance. Approved operating designs for agentic workflows, defined before deployment, so behavior is reviewable before an incident rather than reconstructed after one.
  3. AI runtime awareness. Continuous comparison of live agent behavior against the approved design, with variance surfaced as it happens.
  4. Agent authorization. Every agent action bound to an accountable identity and scoped to least privilege, with immediate revocation of a compromised agent.

These four are the difference between deploying AI and governing it. They are also the minimum an agency needs before it can report its AI footprint to CISA with any accuracy.

Continuous Diagnostics and Mitigation (CDM): the AI agent as a reportable asset

CISA already operates the Continuous Diagnostics and Mitigation program, where agency dashboards feed a federal dashboard providing a federal-wide operational view of hardware and software assets. An AI agent that holds credentials, reaches data, and acts on systems is a cybersecurity asset by any practical definition. There is no principled reason for it to sit outside the inventory that every server and application is held to.

The direct step under this order is to require AI agents, and the models, tools, and data they touch, as reportable assets in CDM. That gives CISA the same government-wide view of the AI attack surface it already has for traditional assets. The prerequisite is an inventory continuous and accurate enough to report, which is the capability most agencies do not have today.

JetStream Security capability mapping

The JetStream SAIG Platform™ (Security-first AI Governance) is an AI governance control plane an agency or critical-infrastructure operator deploys inside its own authorization boundary and integrates with its existing identity providers, clouds, and models. Its capabilities line up against named provisions of the Order, not against the order in the abstract.

Section 2(c)(ii), expand AI-enabled defensive tools. JetStream’s proprietary semantic scanning detects credential leakage, Unicode smuggling, and obfuscated malware in AI components, classifies MCP server tools as read-only or destructive, and re-scans new versions within hours on an always-on pipeline. This is an AI-enabled defensive tool an agency can field now, not a program to be built.

Section 2(c)(iii), facilitate access to cybersecurity tools and covered frontier models. The JetStream AI Hub™ deploys in the consumer’s own VPC and governs access to commercial and on-prem frontier models (OpenAI, Anthropic, Google, AWS Bedrock, Azure OpenAI). Virtual Keys scope and isolate access per agent and per user, and inline model control blocks use of unsanctioned models. JetStream is available on the AWS, Microsoft Azure, and Google Cloud marketplaces, which puts it within reach of the agencies, State and local authorities, and operators named in the clause, including rural hospitals, community banks, and local utilities.

Section 2(d), the AI cybersecurity clearinghouse. JetStream’s Verified MCP™ Catalog validates MCP servers before use, its scanning surfaces risks and vulnerabilities in MCP server code and the AI supply chain, and it discovers locally installed MCP servers, AI applications, and exposed API tokens and license keys. Cryptographic attestations on the OCI open standard produce a portable, verifiable record an agency or the clearinghouse can act on.

Section 2(e), advanced AI vulnerability detection. The same semantic scanning and supply-chain verification is advanced AI vulnerability detection, which grant-funded programs identified by OMB could deploy directly.

Section 3(b)(ii), access to covered frontier models under defined protections. This clause names a control set, and JetStream supplies it: confidentiality and IP protection through in-VPC deployment and per-agent Virtual Keys; cybersecurity through scanning and cryptographic attestations; insider-risk through identity binding, least-privilege scoping, drift detection, and immediate revocation; use and nondisclosure enforcement through JetStream AI Blueprints™ that constrain what a model or agent is permitted to do and record every action as audit-ready evidence. When the Federal Government takes early access to a covered frontier model, this is the layer that holds that access to the Order’s own conditions.

Section 4, enforcement against employing AI agents to unlawfully access data. JetStream both prevents and proves. Every agent action is bound to an accountable identity, human, agentic, or non-human, through Virtual Keys; Blueprints set the approved behavioral baseline; JetStream AI Drift Detection™ flags an agent operating outside its scope as it happens; and immediate revocation stops a compromised agent. Request and response logging, cryptographic attestations, and SIEM forwarding via Cribl produce the attributable evidence an investigation under 18 U.S.C. 1030 would rely on.

Gateway proxies or endpoint tools are not enough

Two common approaches fall short of what the four requirements demand. LLM gateway proxies govern only the traffic routed through them; their guardrails, logging, and cost controls stop at the proxy boundary, so direct model calls, agent-to-agent traffic, and shadow AI go unseen. They generally lack a governance graph of agents, models, data, and identities, per-agent identity binding, runtime drift detection, and supply-chain scanning, so they cannot produce a complete inventory or prove what an agent did. Endpoint and EDR tools see processes on managed devices but not the agentic context: they do not govern AI traffic inline, bind per-agent keys, or hold an approved behavioral baseline to measure against.

JetStream is a control plane, not a proxy or an endpoint agent. It deploys in the agency’s own VPC and covers endpoints across Windows, macOS, and Linux, API integrations, web traffic, and MCP. It binds every agent to a virtual key, maps each workflow in a Blueprint, scans for credential leakage and tampering with cryptographic attestations on the OCI open standard, detects drift against the baseline, and forwards evidence to the agency SIEM. That breadth of coverage is what a reportable inventory and genuine runtime awareness require, and it is the gap proxy-only and endpoint-only tools leave open.

FedRAMP readiness

JetStream expects its FedRAMP High authorization in June 2026, which means agencies no longer have to choose between speed and trust. They can deploy AI at production scale knowing every agent is known, every workflow is authorized, and every action is traceable back to an identity.

In addition, JetStream’s controls map to NIST SP 800-53 account management (AC-2), audit events (AU-2), and information retention (SI-12), and to the February 2026 NIST guidance on AI agent identity and authorization.

Engagement

JetStream can support CISA and FCEB agencies on the operational side of Section 2: building a reportable AI inventory, defining approved agent designs, and enforcing agent authorization and runtime awareness inside an existing boundary. JetStream can also stand up a reference deployment for evaluation.
