
The NIST NCCoE Concept Paper: An Evaluation

Five focus areas, a missing lifecycle stage, and what a security architect must add to make NIST's direction operational

A. The NCCoE concept paper identifies five focus areas for AI agent IAM — Identification, Authorization, Access Delegation, Logging and Transparency, and Tracking Data Flows — applied without the governance sequence (the Actor Identity Lifecycle) that makes them operational.

B. Revocation is the missing lifecycle stage: without explicit deprovisioning at Actor lifecycle end, just-in-time access is an intent, not a property of the deployment.

C. The topology-first architectural design pattern constrains the AIgentic Actor's reachable action space at the network layer — a structural control the concept paper's authorization-focused areas do not address.

This article is part of a series examining how the field’s leading governance frameworks address identity, trust, and control for AIgentic systems. The central thesis, established in Governing AIgentic Actors: Identity, Trust and Control, is that the governance problem in AIgentic systems is not solved by verifying Actors more carefully; it is dissolved by building environments where the scope of what an Actor can do is constrained before any verification occurs. Each article in this series evaluates one framework against that thesis: what it contributes, where its verification posture reaches a structural limit, and what a security leader must add to close it.

NIST’s National Cybersecurity Center of Excellence has published the most operationally specific pre-guidance from any US government body on AI agent IAM. The concept paper, “Accelerating the Adoption of Software and Artificial Intelligence Agent Identity and Authorization,” published February 5, 2026, identifies five focus areas and proposes a laboratory demonstration using commercially available technologies. It is not a standard and carries no compliance force. The evaluation question it raises is precise: do the five focus areas, applied as independent IAM controls without a lifecycle governance discipline, close the governance gap or describe it?

The answer is partial. The five focus areas identify correct problem domains. Applying them without the lifecycle governance sequence that ties them together addresses five distinct technical problems but not the governance discipline. Revocation is the explicit missing lifecycle stage.


Identification. Distinguishing AI agents from human users and managing the metadata required to scope and bound permissible agent actions.

Authorization. Extending OAuth 2.0 and policy-based access control mechanisms to apply to agents as a new class of digital principal.

Access Delegation. Linking user identities to AI agents in ways that maintain accountability and prevent privilege escalation through delegation chains.

Logging and Transparency. Attributing specific AI agent actions to their non-human source for audit and forensic purposes.

Tracking Data Flows. Maintaining provenance of user prompts and data input sources to support risk determinations and policy decisions regarding actions taken by an AIgentic Actor.

Four of the five areas compose a partial identity governance sequence: Identification establishes how an AIgentic Actor receives its credentials; Authorization defines what it is permitted to do with them; Access Delegation encodes the delegation relationship to a Human Actor; Logging and Transparency ensures every action is attributed afterward. The fifth area, Tracking Data Flows, addresses a complementary governance dimension: the provenance of the prompts and data inputs that shaped the Actor’s decisions. The lifecycle governance stage absent from all five is revocation.


[Diagram: the five NCCoE focus areas. Four map to Actor Identity Lifecycle stages (Identification → provisioning, Authorization → scoping, Access Delegation → delegation, Logging and Transparency → audit). Tracking Data Flows is shown as a complementary data provenance dimension outside the identity lifecycle. Revocation is shown as the governance stage present in the Actor Identity Lifecycle but absent from all five concept paper areas.]

What does the NCCoE concept paper establish for agent IAM?

The concept paper is a proposal for a demonstration. NIST’s NCCoE plans to implement and test agent identity and authorization mechanisms using commercially available technologies in a laboratory setting. The result will be implementation guidance, not normative guidance, a special publication, or a mandatory control set. This is the earliest-stage signal from a US federal body about what governed agent IAM must look like.

Existing IAM frameworks were designed for human users and static software services. Neither behaves as AI agents do. An AI agent may access tools, query databases, execute code, and operate across multiple systems in a single task. Per-action human authorization does not scale to that operational pattern.

The institutional context matters for how security architects should weight this signal. NIST’s Center for AI Standards and Innovation launched the AI Agent Standards Initiative on February 17, 2026, organized around three pillars: industry-led standards development, open-source protocol work for agents, and research in AI agent security. That research has produced evidence about the attack surface. NIST and UK AI Security Institute researchers found that optimized attack strategies against AI agents achieved an 81% success rate in structured exercises, compared to 11% for baseline defenses.[1] Optimizing the attack prompt alone produced a sevenfold improvement in attacker success.

The concept paper names OAuth 2.0 extensions as the Authorization mechanism for agents. The operative specification is the IETF’s OAuth On-Behalf-Of draft, which introduces the act claim and requested_actor parameter to carry delegation semantics inside the token, making the authorization chain attributable at every hop.[2] The concept paper’s Access Delegation focus area points toward this draft as the encoding mechanism for bounded, scoped delegation from Human Actor to AIgentic Actor.

NIST’s Computer Security Division is separately developing Control Overlays for Securing AI Systems (COSAiS): SP 800-53 control overlays tailored to single-agent and multi-agent AI system deployments. As of publication, no overlays for agent use cases have been published.[3] When finalized, COSAiS will be the first systematic federal control catalog built for the agent threat model.

Why do five focus areas without a lifecycle discipline reach a structural limit?

The structural limit appears when the five areas are deployed as independent governance controls, each solved in isolation, without a governance sequence that applies them to every AIgentic Actor in the environment and closes the Actor’s identity lifecycle when it ends.

The default enterprise deployment pattern is the Identity Inheritance Model. Most AIgentic Actors run under credentials inherited from the Human Actor who initiated them, with no independent identity, no scoped authorization, and no explicit delegation record. The Identity Crisis at the Heart of AIgentic Systems documents this failure mode at enterprise scale. The NCCoE’s Identification focus area directly addresses this: AIgentic Actors should authenticate as distinct non-human principals, not under user credentials. NIST’s direction is toward least privilege (access scoped to the specific task), just-in-time access (access that expires at task completion), and delegation chains bounded in scope and duration.

A security architect who solves the five problems independently, however, has not governed the AIgentic Actor population. The Identification focus area provides a provisioning mechanism. The Authorization focus area provides a scoping mechanism. The Access Delegation focus area provides a delegation chain encoding mechanism. The Logging and Transparency focus area provides an audit mechanism. The Tracking Data Flows focus area provides a data provenance mechanism. None of the five answers what happens when the Actor’s task completes, when its authorization window expires, or when it is decommissioned. Credentials persist. Delegation records persist.

The problem scales with Agentlets. An orchestrator executing a complex task may spawn dozens of short-lived Agentlets, each inheriting the orchestrator’s scope, with none individually provisioned with per-Actor credentials under the concept paper’s framework. Governing the AIgentic Actor population at production scale requires governance at the Actor class level: what class of Agentlet is permitted to spawn, what scope it inherits, what its maximum lifetime is, and what revocation trigger applies at lifetime end.

What does a security architect need to add to make NIST’s direction operational?

Three gaps remain after the five focus areas are applied. Each requires an explicit operational decision.

The first is revocation. At provisioning time, each AIgentic Actor receives a distinct identity credential with explicit scope and a TTL. That credential must expire at Actor lifecycle end. Revocation requires three operational components: a credential store with a revocation mechanism, enforcement points that validate credential status at each request, and an operational process that triggers deprovisioning when tasks complete or Actors are terminated. Without an explicit revocation mechanism, just-in-time access is an intent, not a property of the deployment. The Governing AIgentic Actors whitepaper presents the full Actor Identity Lifecycle as the governance sequence that makes NIST’s direction operational.
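The three revocation components above, together with the class-level Agentlet rules from the earlier section (permitted spawn, inherited scope, maximum lifetime, revocation trigger), can be sketched as follows. This is an added example, not code from the concept paper or the whitepaper; the class names, scopes, TTL values and the in-memory store are assumptions chosen for illustration.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical Actor-class policy: which classes each may spawn, and maximum lifetime in seconds.
CLASS_POLICY = {
    "orchestrator": {"may_spawn": {"agentlet"}, "max_ttl": 3600},
    "agentlet": {"may_spawn": set(), "max_ttl": 300},
}

@dataclass
class Credential:
    actor_class: str
    scope: frozenset
    expires_at: float
    parent: Optional[str] = None
    revoked: bool = False

class CredentialStore:
    def __init__(self, clock=time.time):
        self.clock = clock   # injectable so expiry can be tested
        self.creds = {}

    def provision(self, actor_id, actor_class, scope, ttl, parent=None):
        scope = frozenset(scope)
        expires = self.clock() + min(ttl, CLASS_POLICY[actor_class]["max_ttl"])
        if parent is not None:
            p = self.creds.get(parent)
            ok = self.is_active(parent) and actor_class in CLASS_POLICY[p.actor_class]["may_spawn"]
            if not ok:
                raise PermissionError("spawn not permitted")
            scope &= p.scope                      # child scope never exceeds the parent's
            expires = min(expires, p.expires_at)  # and never outlives it
        self.creds[actor_id] = Credential(actor_class, scope, expires, parent)

    def is_active(self, actor_id):
        c = self.creds.get(actor_id)
        return c is not None and not c.revoked and self.clock() < c.expires_at

    def deprovision(self, actor_id):
        """Revocation trigger (task complete or Actor terminated); cascades to spawned Actors."""
        self.creds[actor_id].revoked = True
        for child_id, c in self.creds.items():
            if c.parent == actor_id and not c.revoked:
                self.deprovision(child_id)

def enforce(store, actor_id, action):
    """Enforcement point: ask the store on every request instead of caching validity."""
    return store.is_active(actor_id) and action in store.creds[actor_id].scope
```

Calling `deprovision` on an orchestrator at task completion makes every later `enforce` call for it and its Agentlets return False, which is the difference between TTL as an intent and revocation as a property of the deployment.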

The second is topological enforcement. The concept paper’s five focus areas operate within the AIgentic Actor’s permitted action space and data provenance. They do not address structural impossibility at the network layer. The Semantic Proxy Pattern describes the out-of-band enforcement substrate that constrains an AIgentic Actor’s reachable action space before any authorization evaluation occurs. A prompt-injected AIgentic Actor that presents a valid credential and passes authorization checks can still be constrained by network topology from reaching systems it is attempting to misuse. The topology-first architectural design pattern and NIST’s authorization record answer different structural questions; neither substitutes for the other.

The third is enforcement infrastructure. The IETF AIGA draft, which the NCCoE concept paper does not address, specifies tiered hardware isolation requirements, an Immutable Kernel Architecture with Constitutional Constraints enforced at the hardware level, and liveness tokens providing ongoing governance attestation. The IETF AIGA Draft: An Evaluation describes those requirements in full. NIST specifies the authorization record. AIGA specifies the enforcement substrate that makes that record meaningful. COSAiS, when finalized, will provide the SP 800-53 control overlays that map between the two.


Frequently asked questions

What is the difference between the NCCoE concept paper and a NIST standard?

The concept paper is a proposal for a laboratory demonstration, classified as an initial public draft. It is not a NIST Special Publication (SP) or Internal Report (IR), and it has no compliance force in any jurisdiction or sector. A NIST SP carries normative weight in federal procurement contexts and may be incorporated by reference in sector-specific regulations. The concept paper’s value is directional and institutional: it is the most specific statement any US federal body has made about what governed agent IAM should look like.

How does the Actor Identity Lifecycle address the revocation gap?

The Actor Identity Lifecycle sequences five stages: provisioning, scoping, delegation, audit, and revocation. The NCCoE concept paper addresses the first four through its focus areas. Revocation closes the loop. Operationally, this requires a credential store with a revocation mechanism, enforcement points that check revocation status rather than caching credential validity, and an operational process triggered at task completion or Actor decommission. Without this fifth stage, the authorization discipline the concept paper specifies operates only on the way in.

How do the NCCoE focus areas relate to the OAuth On-Behalf-Of draft?

The OAuth On-Behalf-Of draft, draft-oauth-ai-agents-on-behalf-of-user-01, is the operative specification for the concept paper’s Access Delegation focus area. The act claim encodes the acting agent’s identity; the sub claim preserves the delegating principal’s identity; the requested_actor parameter explicitly names the agent being delegated to. Together, these claims make the authorization chain auditable at every hop in a multi-Actor architecture. Without this encoding, audit logs record what happened without recording who authorized it.
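As an added example (not taken from the draft or the concept paper), the sketch below shows how an agent-facing enforcement point could turn the sub and act claims into an attribution record. It assumes the token's signature has already been verified and its claims decoded, and that act is a JSON object with a sub member, nested for multi-hop chains as in RFC 8693; the identifiers and the MAX_HOPS limit are constructed.

```python
MAX_HOPS = 8  # assumed local policy limit on delegation depth

def delegation_chain(claims):
    """Return [delegating principal, first actor, ..., current actor]."""
    principal = claims.get("sub")
    if not principal:
        raise ValueError("missing sub: no delegating principal to attribute to")
    actors, act = [], claims.get("act")
    while act is not None:
        if not isinstance(act, dict) or not act.get("sub"):
            raise ValueError("malformed act claim")
        actors.append(act["sub"])
        if len(actors) > MAX_HOPS:
            raise ValueError("delegation chain too deep")
        act = act.get("act")
    # Outermost act is the current actor; nested act claims are earlier hops.
    return [principal] + actors[::-1]

def agent_audit_record(claims, presenting_client, action):
    """Build the attribution record, or refuse if the caller is not the named actor."""
    chain = delegation_chain(claims)
    if len(chain) == 1:
        # Identity Inheritance Model: an agent presenting the user's token as-is.
        raise PermissionError("no act claim: action cannot be attributed to an agent")
    if chain[-1] != presenting_client:
        raise PermissionError("presenting client is not the current actor")
    return {
        "action": action,
        "authorized_by": chain[0],   # who delegated (sub)
        "performed_by": chain[-1],   # who acted (outermost act)
        "via": chain[1:-1],          # intermediate Actors, in delegation order
    }
```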

What is COSAiS and when will it be available?

COSAiS is NIST’s Computer Security Division project to develop SP 800-53 control overlays for five AI use cases, including single-agent and multi-agent AI systems. It was announced in August 2025. As of publication, no overlays for agent use cases have been published and no specific publication timeline has been announced. When finalized, COSAiS will provide the first systematic federal control catalog tailored to the agent threat model.

Footnotes

  1. NIST / UK AI Security Institute joint research, January 2025. Enhanced AgentDojo evaluation framework, Claude 3.5 Sonnet deployment. 81% attack success rate for optimized strategies vs. 11% for baseline defenses. https://www.nist.gov/news-events/news/2025/01/technical-blog-strengthening-ai-agent-hijacking-evaluations

  2. IETF. “OAuth 2.0 Extension: On-Behalf-Of User Authorization for AI Agents, draft-oauth-ai-agents-on-behalf-of-user-01.” Individual Internet-Draft. https://www.ietf.org/archive/id/draft-oauth-ai-agents-on-behalf-of-user-01.html

  3. NIST Computer Security Division, SP 800-53 Control Overlays for Securing AI Systems (COSAiS). https://csrc.nist.gov/projects/cosais

Written by Charles Carrington, Founder, Attribit-ID