Human-Anchored Intent-Bound Delegation for AI Agents

April 2, 2026

Today, I submitted comments to NIST's National Cybersecurity Center of Excellence on its concept paper on AI agent identity and authorization. The response proposes a framework for binding agent permissions to human-declared intent, preventing prompt injection, and enabling accountability across multi-agent and multi-domain deployments.

-----

Introduction

This response to the National Cybersecurity Center of Excellence (NCCoE) Concept Paper “Accelerating Adoption of Software and AI Agent Identity and Authorization” proposes Human-Anchored Intent-Bound Delegation (HAID), a framework for managing AI agent identity and delegation that also addresses concerns about prompt injection by binding authorization to purpose. Rather than attempt comprehensive coverage of all questions posed in the concept paper, this response focuses on the areas where I believe the most significant unsolved problems lie and where HAID offers concrete architectural answers. Specifically, this response addresses:

  • Identification (Question 2). The concept paper asks how agents should be identified and what metadata is essential for agent identity. HAID requires that every agent is tied to a verifiably real and unique human individual—without disclosing any of the principal’s attributes. Although the agent’s identity may be persistent and stable across workloads and domains, an agent’s authority is ephemeral and task-scoped under HAID. The framework also addresses whether agent identity should be tied to hardware, software, or organizational boundaries through its use of personhood credentials and service-scoped pseudonyms.
  • Authorization and Delegation (Questions 4 and 6). The concept paper asks how zero-trust principles, least privilege, delegation of authority, and human-agent identity binding can work in agentic architectures. HAID addresses this through intent-bound authorization, which also offers a structural defense to prevent and mitigate prompt injection. This approach has demonstrated near-perfect injection resistance on standardized benchmarks not by detecting injections, but by making them irrelevant to authorization outcomes.
  • Auditing and Non-Repudiation (Question 5). The concept paper asks how agent actions can be logged in a tamper-proof manner and how non-repudiation can be ensured. HAID's delegation chain, where each attestation is signed, scope-attenuating, and traceable to a human pseudonym, provides the cryptographic infrastructure for both.
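
To make the delegation-chain and intent-binding bullets concrete, here is an added sketch (not code from the submission or from any HAID implementation) that verifies a signed, scope-attenuating chain anchored to a human pseudonym. The link fields, agent names, and keys are assumptions, and HMAC stands in for the public-key signatures a real deployment would use.

```python
import hashlib, hmac, json

# Constructed demo keys. HMAC stands in for the public-key signatures a real
# deployment would need for non-repudiation (assumption of this example).
KEYS = {"pseudonym:7f3a": b"human-demo-key", "agent:planner": b"planner-demo-key"}

def _sign(issuer, body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEYS[issuer], msg, hashlib.sha256).hexdigest()

def attest(issuer, subject, intent, scope, parent=None):
    """Issue one delegation link; parent is the signature of the previous link."""
    body = {"issuer": issuer, "subject": subject, "intent": intent,
            "scope": sorted(scope), "parent": parent}
    return {**body, "sig": _sign(issuer, body)}

def authorize(chain, agent, action):
    """Decide from the signed chain alone; prompt or tool text is never an input."""
    if not chain or not chain[0]["issuer"].startswith("pseudonym:"):
        return False, "not anchored to a human pseudonym"
    prev = None
    for link in chain:
        body = {k: v for k, v in link.items() if k != "sig"}
        if link["issuer"] not in KEYS or not hmac.compare_digest(
                link["sig"], _sign(link["issuer"], body)):
            return False, "bad signature"
        if prev is None:
            if link["parent"] is not None:
                return False, "broken chain"
        elif link["parent"] != prev["sig"] or link["issuer"] != prev["subject"]:
            return False, "broken chain"
        elif link["intent"] != prev["intent"]:
            return False, "intent changed"
        elif not set(link["scope"]) <= set(prev["scope"]):
            return False, "scope widened"
        prev = link
    if prev["subject"] != agent:
        return False, "agent is not the delegate"
    if action not in prev["scope"]:
        return False, "outside declared intent"
    return True, "ok"

# Constructed scenario: a human declares an intent, the planner narrows it.
root = attest("pseudonym:7f3a", "agent:planner", "book a flight to Denver",
              {"flights.search", "flights.book"})
leaf = attest("agent:planner", "agent:booker", root["intent"],
              {"flights.book"}, parent=root["sig"])
wide = attest("agent:planner", "agent:booker", root["intent"],
              {"flights.book", "email.send"}, parent=root["sig"])
```

Because `authorize` takes only the chain, the agent, and the requested action, an instruction injected into the agent's context cannot change the outcome: `email.send` is refused whether the agent asks for it directly or an intermediate agent tries to add it to a child attestation.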

This response builds on a growing body of work identifying the authorization challenges unique to agentic AI systems. The OpenID Foundation’s “Identity Management for Agentic AI” whitepaper provides a comprehensive survey of these challenges, including the need for scope attenuation in delegation chains. Similarly, work on personhood credentials and intent-based access controls has established individual building blocks that HAID draws on. What this response contributes is not new methods, but a blueprint for how intent-binding, human-anchored delegation, and scope attenuation can be unified into a single framework. The sections that follow present HAID's architecture organized around these question categories, followed by a discussion of standards-setting opportunities for NIST to operationalize the framework.
