Software and AI Agent Identity and Authorization

The NCCoE is interested in exploring standards-based approaches to identify, manage, and authorize access and actions taken by software agents, including AI agents, and in providing practical guidelines for organizations to securely implement AI agents and benefit from their improved productivity, efficiency, and decision-making.

Applying identity standards and best practices to AI agents

As artificial intelligence evolves, enterprises are seeking to transition AI capabilities from basic generative outputs (e.g., text and graphics) to taking actions (e.g., deploying code to production). Agents offer enterprises the potential to scale autonomous decision-making with limited human supervision to achieve complex goals. This increased scale and autonomy brings new opportunities as well as new risks.

For well over a decade, code-based systems have been used to enable automation, cloud workloads, and the deployment of APIs. However, with the advancement of software and AI agents—systems that have the capability for autonomous decision-making and taking action to operate with limited human supervision to achieve complex goals—the scale and range of actions taken by these systems have the potential to increase exponentially.

The concept paper Accelerating the Adoption of Software and AI Agent Identity and Authorization outlines considerations for a potential NCCoE project focused on applying identity standards and best practices to AI agents. The NCCoE is seeking feedback to help determine the scope, feasibility, and potential value of the project and inform whether a demonstration effort or other NCCoE outputs would best address the challenge. Community input will inform subsequent project planning activities, including the development of a draft project description.
