Published 2026-04-12.
Why we're publishing this
On April 4, 2026, we submitted comments to the NIST NCCoE concept paper, Accelerating the Adoption of Software and AI Agent Identity and Authorization.
Our main point was straightforward: identity and authentication are necessary, but they are not enough for agentic systems. Enterprises also need runtime, intent-aware authorization that can evaluate actions continuously as agents change tools, context, and goals.
That is the security layer we focus on at Kontext: runtime authorization and credential control for AI agents acting across real enterprise systems.
Below is the submitted response. We preserved the substance and cleaned up only obvious formatting artifacts from the email export.
Submitted Response
Dear NIST NCCoE team,
Thank you for publishing the draft concept paper, Accelerating the Adoption of Software and AI Agent Identity and Authorization. We appreciate the opportunity to provide comments. Overall, we support the direction of the proposed project and its focus on practical, standards-based guidance for enterprise adoption of software and AI agents. Our comments below are focused on one area we believe deserves additional emphasis: the need for runtime, intent-aware authorization controls that can operate at the speed of agentic systems. For clarity, we have linked each comment to the specific line(s) in the concept paper that it addresses.
Runtime authorization should be central (lines 91–94)
We support NCCoE's focus on authorization for software and AI agents, and our main recommendation is that the project make real-time intent evaluation and runtime authorization a central design objective. For agentic systems, the core security problem is not only establishing identity, but determining whether each action remains authorized as context, tools, and goals evolve during execution.
Static permissions are not enough (lines 57–63)
The paper correctly notes that the scale and range of agent actions may increase significantly with autonomy. That point deserves even greater emphasis. Static scopes, pre-assigned entitlements, or valid tokens alone are not enough to establish that a specific action is in policy when agents can generate and execute novel action sequences at machine speed.
Centralized decisions with distributed enforcement are a useful model (lines 138–143)
A useful model for the project to examine is a centralized policy decision point combined with distributed enforcement at the tools, APIs, and resources an agent accesses. This would align well with the paper's discussion of event-driven policy updates, delegation, and least privilege, while providing consistent decision-making across systems.
Intent should be treated as a first-class input (lines 102–104)
We encourage NIST to treat intent as a first-class authorization input for agentic systems. Provenance and data-flow tracking are important, but the key decision at runtime is whether the requested action is still consistent with the approved task, delegated purpose, and current context.
Least privilege must be dynamic (lines 142–143)
The paper's reference to least privilege is important, and we suggest making clear that for agents, least privilege is a runtime problem rather than only a provisioning problem. Permissions often need to be narrowed dynamically to the minimum needed for the current action, then re-evaluated as context changes.
Delegation should stay tightly bound to purpose (lines 95–97)
We agree with the focus on access delegation, and recommend emphasizing that "on behalf of" authority should remain tightly bound to the approved task, not treated as a broad transfer of user privilege. This is important both for safety and for preserving accountability.
Logging should support real-time control, not only audit (lines 98–100)
We support the focus on logging and transparency, but suggest clarifying that these controls should support real-time authorization decisions, not only after-the-fact review. In agentic systems, recent actions and prior decisions can be directly relevant to whether the next action should be allowed.
Prompt injection is an authorization containment problem (line 25)
We agree that prompt injection belongs in scope. One useful framing is that prompt injection should be treated not only as an input-security problem, but also as an authorization containment problem. The surrounding architecture should assume some attacks will succeed in influencing model behavior and should focus on limiting the resulting actions.
Existing standards should be shown working together (lines 105–148)
The standards identified in the paper are a strong starting point. The project would be especially valuable if it shows how approaches such as OAuth, OIDC, MCP, SPIFFE/SPIRE, SCIM, NGAC, and Zero Trust guidance can work together in a coherent runtime control model, rather than discussing them only in isolation.
The demonstration should focus on machine-speed control (lines 174–179)
The proposed implementation-oriented guidance will be most useful if it demonstrates how a real enterprise system can govern agents at runtime. The most valuable outcome would be a concrete example showing how intent is evaluated continuously, misuse is contained quickly, and accountability is preserved as agents interact with multiple systems.
The main gap is runtime intent evaluation (lines 184–186)
Overall, we believe the paper identifies an important and timely challenge. Our main recommendation is that NCCoE emphasize that identity and authentication are necessary foundations, but not sufficient controls on their own. The missing capability is runtime, intent-aware authorization at machine speed.