The National Institute of Standards and Technology’s National Cybersecurity Center of Excellence is seeking public input on a new concept paper focused on how identity standards and access control practices should apply to software and artificial intelligence agents.
NIST’s National Cybersecurity Center of Excellence said Thursday the concept paper, titled “Accelerating the Adoption of Software and Artificial Intelligence Agent Identity and Authorization,” outlines a potential NCCoE project aimed at demonstrating how organizations can securely identify and authorize AI agents used to automate tasks across systems and data environments. Public comments will be accepted through April 2.
The Potomac Officers Club’s 2026 Artificial Intelligence Summit on March 18 convenes government and industry practitioners to explore how AI, machine learning and automation are reshaping federal operations. Discussions will focus on real-world implementation, mission-driven use cases and the challenges of deploying AI at scale across complex, security-focused environments. Register now.
Table of Contents
Why Is NIST Looking at Identity and Authorization for AI Agents?
NIST said AI agents can autonomously perform tasks using data, algorithms and access to enterprise tools, creating opportunities for improved productivity and decision-making. However, the agency warned that expanding agent access to datasets and applications introduces risks that require stronger identification and authorization controls.
The concept paper emphasizes that organizations will need to apply identity standards and best practices to mitigate threats tied to AI agents operating with broad system privileges.
What Would the NCCoE Project Cover?
NIST said the potential project would focus on applying existing identity and access management standards to agentic architectures that use tools and context dynamically to take actions.
The agency noted the effort would not address all AI system architectures. The concept paper states that retrieval-augmented generation and large-language-model-only implementations are out of scope.
NIST said it is seeking input on use cases, technical challenges and existing standards that could guide secure agent identity and access management. Other areas of interest include AI agent auditing, non-repudiation and controls to mitigate prompt injection attacks.
What Standards Could Shape AI Agent Identity Controls?
The concept paper highlights multiple existing standards and frameworks that could inform the project, including OAuth, OpenID Connect, System for Cross-domain Identity Management, Secure Production Identity Framework for Everyone and SPIFFE Runtime Environment, and Next Generation Access Control.
NIST cited existing guidance, such as Special Publication 800-207, Zero Trust Architecture, and SP 800-63-4, Digital Identity Guidelines, as potential reference points.
Related Articles
Milan “Mitch” Nikolich and James Gosler, national security experts from the Johns Hopkins Applied Physics Laboratory, have joined the Department of War’s Science, Technology and Innovation Board, or STIB. APL said Thursday Nikolich will serve as the STIB’s inaugural chair and Gosler will sit on the board as a member. APL Director Dave Van Wie said Nikolich and Gosler’s expertise will support the new board’s mission to connect technical researchers and industry partners and help national leaders maintain U.S. leadership in critical technologies. What Is the DOW STIB? The STIB is a new advisory panel established by Emil Michael, under
The Cybersecurity and Infrastructure Security Agency has introduced a new directive requiring federal civilian executive branch, or FCEB, agencies to strengthen security controls for edge devices by removing unsupported hardware and software from federal networks. CISA’s new directive highlights the continued focus on strengthening cybersecurity across government networks. As agencies and industry stakeholders track evolving requirements and threat-driven priorities, the Potomac Officers Club’s 2026 Cyber Summit will bring together leaders from across the federal cyber community. Register now to save your seat at this May 21 event! CISA said Thursday the directive—Binding Operational Directive 26-02, Mitigating Risk From End-of-Support Edge
The Department of War has issued new guidance establishing procedures for identifying, assessing and mitigating threats posed by vendors supporting U.S. military operations. According to DOW, Under Secretary of War for Acquisition and Sustainment Michael Duffey, a 2026 Wash100 awardee, approved the guidance on vendor threat mitigation, or VTM, which took effect Monday. What Is the Purpose of the Vendor Threat Mitigation Guidance? The VTM guidance establishes standardized procedures across the department to vet commercial suppliers and manage risks linked to foreign adversaries, criminal networks and extremist organizations that may exploit vendor relationships with DOW. The guidance directs DOW officials