Submitted to: National Cybersecurity Center of Excellence (NCCoE), AI Agent Identity & Authorization programme
Submission date: 2026-03-22
Status: Submitted — formal response on file
License: CC-BY-SA-4.0
What it is
A formal response to the NCCoE’s call for input on AI agent identity and authorization, arguing that the existing IAM stack — designed for humans and service accounts — does not extend cleanly to autonomous AI agents, and that a third actor class (aIAM) with its own authorization model (IBAC) is needed to govern them.
The submission distills the AIAM-1 specification suite into a public-policy artifact addressed to NCCoE’s working programme.
Position summary
- AI agents are a third actor class distinct from humans and service accounts. They have durable identity but transient intent, broad capability scope, and accountability that rests on their delegating principal rather than on the agent itself.
- Existing IAM primitives over-scope or under-scope agents. RBAC and ABAC as currently practised force a choice between giving agents broad credentials (over-scoped, dangerous) or constraining them to non-functional narrowness (under-scoped, useless).
- Intent-Bound Access Control (IBAC) adds an explicit intent dimension to the authorization predicate: f(identity, action, intent context). This makes the authorization decision sensitive to the purpose at the moment of action, not just the static role-or-attribute set.
- AEGIS provides a working reference for IBAC and the surrounding aIAM primitives in the AIAM-1 v0.1 suite.
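The over-scoping problem and the f(identity, action, intent context) predicate from the summary above, as an added sketch that is not code from the submission, AEGIS or the AIAM-1 suite. The role table, the Intent fields and all function names are hypothetical, and the sample values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed RBAC table: the agent's role must be broad to be useful at all.
ROLE_ACTIONS = {"finance-agent": {"invoice:read", "invoice:pay", "vendor:update"}}

@dataclass(frozen=True)
class Intent:
    """Hypothetical intent context issued by the delegating principal."""
    principal: str            # who is accountable for the delegation
    purpose: str              # why the agent is acting right now
    allowed_actions: frozenset
    resource_prefix: str      # resources the purpose covers
    expires: datetime         # intent is transient, identity is not

def rbac_allows(role: str, action: str) -> bool:
    """Static decision: f(identity, action)."""
    return action in ROLE_ACTIONS.get(role, set())

def ibac_decide(role: str, action: str, resource: str,
                intent: Optional[Intent], now: datetime):
    """Intent-bound decision: f(identity, action, intent context)."""
    if not rbac_allows(role, action):
        return False, "role lacks action"
    if intent is None:
        return False, "no intent context"          # fail closed
    if now >= intent.expires:
        return False, "intent expired"
    if action not in intent.allowed_actions:
        return False, "action outside declared intent"
    if not resource.startswith(intent.resource_prefix):
        return False, "resource outside declared intent"
    return True, f"delegated by {intent.principal}: {intent.purpose}"

# Constructed sample: a human delegates one narrow task for 15 minutes.
NOW = datetime(2026, 3, 22, 12, 0, tzinfo=timezone.utc)
INTENT = Intent("alice@example.org", "pay March invoices",
                frozenset({"invoice:read", "invoice:pay"}),
                "invoices/2026-03/", NOW + timedelta(minutes=15))

if __name__ == "__main__":
    for action, res in [("invoice:pay", "invoices/2026-03/117"),
                        ("vendor:update", "vendors/42"),
                        ("invoice:pay", "invoices/2025-11/009")]:
        print(action, res, rbac_allows("finance-agent", action),
              ibac_decide("finance-agent", action, res, INTENT, NOW))
```

All three requests pass the role check, but only the first passes once the intent context is part of the predicate; the allow reason names the delegating principal so the decision log carries the accountability chain.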
Canonical text
The authoritative submission lives at aegis-governance/docs/position-papers/nccoe/ in Markdown and PDF. PDF is the version-of-record.
Relationship to other AEGIS work
- The full technical specification this submission summarizes: AIAM-1 — Identity & Access Management for AI Agents, 12 chapters, 5 schemas, RFC-0019.
- The architectural argument for runtime-evaluated identity and intent is developed in the Cross-Cutting Runtime Enforcement paper.
- The companion submission to NIST under the AI RMF: NIST AI RMF Position Statement.