Comment on “Accelerating the Adoption of Software and AI Agent Identity and Authorization”
Abstract
This report constitutes a public comment submitted to the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) in response to the draft concept paper “Accelerating the Adoption of Software and AI Agent Identity and Authorization” (February 2026). The submission supports the application of established identity and access management (IAM) standards—including OAuth 2.x, OpenID Connect, SPIFFE/SPIRE, NGAC, and Zero Trust principles—to software and AI agents deployed in enterprise environments. It argues, however, that identity, authentication, and authorization controls are necessary but not sufficient to manage the scaling and compositional risks introduced by dynamically context-acquiring agents. The report proposes complementing identity controls with explicit mandate specification, policy-envelope binding, and delegation-chain modeling to ensure that non-human principals operate within structurally bounded authority. It further recommends extending Zero Trust principles to continuous validation of discretionary scope, strengthening non-repudiation by binding agent actions to upstream delegating authorities, and incorporating mandate-integrity considerations into prompt-injection mitigation strategies. The objective is to enhance the governance coherence and auditability of agentic enterprise architectures without expanding beyond implementable IAM and cybersecurity standards.
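An added illustrative model of the mandate specification, policy-envelope binding and delegation-chain modeling the comment proposes (not code from the report or from NIST); the SPIFFE-style identities, scopes and expiry values are constructed. Each delegation may only attenuate its delegator's mandate, an action is checked against the intersection of the whole chain rather than against identity alone, and every decision record names the upstream delegating authorities.

```python
# Added illustrative model (not the report's or NIST's code); names and values are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Mandate:
    principal: str        # SPIFFE-style identity (constructed in demo())
    scopes: frozenset     # 'verb:resource' strings the principal may exercise
    expires_at: int       # epoch seconds

@dataclass
class DelegationChain:
    """Ordered mandates, root authority (human or system) first."""
    links: list = field(default_factory=list)
    def delegate(self, child: Mandate) -> "DelegationChain":
        """Append a link; a delegate may narrow, never widen or outlive, its delegator."""
        if self.links:
            parent = self.links[-1]
            if not child.scopes <= parent.scopes:
                raise PermissionError(f"{child.principal} exceeds {parent.principal}: "
                                      f"{sorted(child.scopes - parent.scopes)}")
            if child.expires_at > parent.expires_at:
                raise PermissionError("delegate may not outlive its delegator")
        return DelegationChain(self.links + [child])

    def envelope(self, now: int) -> frozenset:
        """Effective policy envelope: intersection of all links; empty once any link expires."""
        if not self.links or any(now >= m.expires_at for m in self.links):
            return frozenset()
        return frozenset.intersection(*(m.scopes for m in self.links))

    def authorize(self, actor: str, scope: str, now: int) -> dict:
        """Decide one action; the record names every upstream delegator (non-repudiation)."""
        allowed = (bool(self.links) and actor == self.links[-1].principal
                   and scope in self.envelope(now))
        return {"actor": actor, "scope": scope, "allowed": allowed,
                "on_behalf_of": [m.principal for m in self.links]}

def demo(now: int = 1_000) -> tuple:
    """Constructed scenario: user -> orchestrator agent; a wider mailer delegation is refused."""
    user = Mandate("spiffe://example.org/user/alice", frozenset({"read:crm", "write:ticket", "send:email"}), 2_000)
    agent = Mandate("spiffe://example.org/agent/orchestrator", frozenset({"read:crm", "write:ticket"}), 1_800)
    chain = DelegationChain().delegate(user).delegate(agent)
    in_scope = chain.authorize(agent.principal, "write:ticket", now)
    out_of_scope = chain.authorize(agent.principal, "send:email", now)  # valid identity, no mandate
    try:  # sub-agent asking for a scope its delegator never held
        chain.delegate(Mandate("spiffe://example.org/agent/mailer", frozenset({"send:email"}), 1_700))
        refused = None
    except PermissionError as e:
        refused = str(e)
    return in_scope, out_of_scope, refused
```

The `out_of_scope` record shows the gap the comment describes: the orchestrator's identity is valid, yet the action is denied because it lies outside the bound mandate.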
Keywords
- AI governance
- infrastructure