The Standards Are Coming. Are You Ready?
Published June 15, 2026
Summary
The history of IAM standards has a familiar trajectory. The National Institute of Standards and Technology (NIST) publishes guidance. Industry frameworks adopt it. Regulators reference it. Auditors start asking about it. Litigation cites it as the standard of reasonable care. What begins as a voluntary best practice becomes, within a few years, a compliance obligation.
The standards are coming. The AI agent identity and authorization guidelines being developed right now are following exactly that pattern. 2026 is the point at which forward-looking organizations are engaging, not waiting.
This post maps the landscape: what's being developed, by whom, what it covers, and what it means for IAM programs that need to get ahead of the curve.
NIST: The Most Consequential Work Happening Right Now
NIST is the primary locus of agentic AI security standards at the federal level, and what it publishes will set the baseline for enterprise compliance programs across sectors.
The AI Agent Standards Initiative (February 2026)
On February 17, 2026, NIST's Center for AI Standards and Innovation formally launched the AI Agent Standards Initiative, the first US government program dedicated to the security and interoperability of agentic AI systems. The initiative is organized around three pillars: facilitating industry-led standards development with US leadership in international bodies, fostering open-source protocol development, and advancing research in agent authentication and identity infrastructure.
This is not a research project in search of a problem. NIST's own empirical research from January 2025 demonstrated that novel attack strategies against AI agents achieved an 81% success rate in red-team exercises. The urgency is grounded in tested evidence.
NCCoE Concept Paper: Agent Identity and Authorization
In February 2026, NIST's National Cybersecurity Center of Excellence published a concept paper specifically addressing how identity and authorization practices should apply to AI agents in enterprise settings. The paper's scope covers authentication (what constitutes strong authentication for an agent), authorization (how zero-trust principles apply to dynamic agent behavior), audit and non-repudiation (how organizations ensure agent actions are logged and attributable), and prompt injection prevention.
The standards and frameworks the paper identifies as relevant are a useful reading list for IAM architects: OAuth 2.0/2.1 and its extensions, OpenID Connect, SPIFFE/SPIRE, the System for Cross-domain Identity Management (SCIM), Next Generation Access Control (NGAC), NIST SP 800-207 Zero Trust Architecture, and SP 800-63-4 Digital Identity Guidelines.
The comment period closed April 2, 2026. The outcome will be one of the primary federal reference architectures for enterprise AI agent governance.
COSAiS: SP 800-53 Control Overlays for AI
Separately, NIST's Computer Security Division is developing SP 800-53 control overlays specifically for AI systems under the COSAiS project. Two of the five use cases directly address agentic deployments: single-agent and multi-agent systems.
For any organization operating under FISMA, FedRAMP, or SP 800-53-aligned frameworks, these overlays will translate directly into required controls. Full publication is expected in late 2026 to 2027, and the discussion drafts are already available for gap analysis.
SPIFFE/SPIRE: The Technical Foundation for Agent Identity
While NIST develops the policy framework, SPIFFE and SPIRE provide the technical infrastructure that makes cryptographically verifiable agent identity practical at scale.
SPIFFE (Secure Production Identity Framework For Everyone) is an open standard that defines a secure, workload-level identity framework. Rather than relying on long-lived secrets or passwords, SPIFFE issues cryptographically verifiable identities (SVIDs) tied to workloads rather than people. SPIRE (the SPIFFE Runtime Environment) is the reference implementation that issues, rotates, and manages those identities automatically.
For AI agents, the relevance is direct: each agent instance can receive a unique SPIFFE identity that proves its origin, is short-lived (rotating automatically), can be validated by any system it contacts, and is revoked the moment the agent's task completes. This is the architecture that makes "you can't attach a cryptographic key to an agent and call it done" solvable at scale.
HashiCorp's Vault Enterprise recently added native SPIFFE authentication support, extending this infrastructure into one of the most widely deployed secrets management platforms in enterprise environments. The signal is clear: SPIFFE-based agent identity is moving from architectural principle to production tooling.
OAuth 2.1 and the Evolving Authorization Stack
OAuth 2.0 was designed for human-centered authorization, specifically a user delegating access to an application on their behalf. The AI agent use case requires a different model: a non-human actor that must authenticate to multiple systems, carry least-privilege authorization for a specific task, and propagate that authorization across a chain of systems it interacts with.
The OAuth ecosystem is evolving to address this. Key developments include: RFC 8705 (mutual TLS for client authentication), RFC 8707 (resource indicators for scoping token authority), and emerging work on transaction tokens, which are short-lived, cryptographically bound tokens that carry the context of a specific operation and can be validated as they traverse a multi-agent workflow.
The integration of SPIFFE-based workload identity with OAuth authorization flows creates a complete picture: an agent that proves who it is cryptographically, carries authorization tokens scoped to its current task, and can be traced through every system it touches. This is the target architecture. Most enterprise environments are not there yet, but the technical building blocks exist.
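To make the target architecture concrete, here is an added example (not code from NIST, the SPIFFE project, or this post's author) of the checks a resource server could run on an agent's access token after its signature has been verified: the subject is a SPIFFE ID in a trusted domain, the audience is limited to this resource (RFC 8707), the lifetime is short, and the token is bound to the client certificate presented over mutual TLS (RFC 8705). The trust domain, lifetime ceiling, resource URL, and function names are assumptions chosen for illustration.

```python
import base64
import hashlib
import re

# Assumed policy values for this sketch; not taken from the page or a standard.
TRUST_DOMAIN = "agents.example.org"
MAX_LIFETIME_S = 300
SPIFFE_ID = re.compile(r"spiffe://([a-z0-9._-]+)((?:/[A-Za-z0-9._-]+)+)")

def cert_thumbprint(der: bytes) -> str:
    """RFC 8705 x5t#S256 value: unpadded base64url of SHA-256 over the DER cert."""
    return base64.urlsafe_b64encode(hashlib.sha256(der).digest()).rstrip(b"=").decode()

def check_agent_token(claims, resource, peer_cert_der, now):
    """Return policy violations for claims whose signature is already verified."""
    problems = []
    m = SPIFFE_ID.fullmatch(str(claims.get("sub", "")))
    if not m:
        problems.append("sub is not a SPIFFE ID")
    elif m.group(1) != TRUST_DOMAIN:
        problems.append("sub is outside the trusted domain")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if resource not in aud:
        problems.append("aud does not include this resource")
    elif len(aud) > 1:
        problems.append("aud is broader than this resource")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        problems.append("iat or exp missing")
    else:
        if exp <= now:
            problems.append("token expired")
        if exp - iat > MAX_LIFETIME_S:
            problems.append("lifetime exceeds policy")
    cnf = claims.get("cnf")
    bound = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if bound is None:
        problems.append("token is not certificate-bound")
    elif bound != cert_thumbprint(peer_cert_der):
        problems.append("presented certificate does not match cnf")
    return problems

# Constructed sample data: the "certificate" is stand-in bytes, not real DER.
NOW = 1_780_000_000
RESOURCE = "https://ledger.example.org/api"
AGENT_CERT = b"constructed stand-in for the agent's DER certificate"
GOOD = {"sub": "spiffe://agents.example.org/billing/reconciler", "aud": RESOURCE,
        "iat": NOW - 60, "exp": NOW + 120, "cnf": {"x5t#S256": cert_thumbprint(AGENT_CERT)}}
```

An empty list means the token satisfies the assumed policy; the same claims presented with a different client certificate fail only the `cnf` check, which is what makes a copied token useless without the matching private key.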
The Model Context Protocol: Infrastructure for Governed Agent Access
The Model Context Protocol (MCP) has emerged as the leading open standard for how AI agents connect to data sources and tools. It functions as the interface layer between an agent and the systems it needs to act on. Developed initially by Anthropic and rapidly adopted across the industry, MCP provides a consistent way for agents to authenticate to data sources, call tools, and receive results without proprietary integrations.
NIST has identified MCP as a candidate for integrating identity and security controls directly into the agent ecosystem, serving as the protocol layer where authentication and authorization decisions can be enforced at invocation time rather than retrofitted at the infrastructure level. As of early 2026, MCP compliance is beginning to appear in enterprise RFPs as organizations seek to prevent vendor lock-in in their AI infrastructure.
The practical implication for IAM teams: governance of MCP servers, covering what agents can connect to, under what authorization, and with what scope, is becoming a required capability in agentic identity programs.
What This Means for IAM Program Owners Today
The most actionable framing comes from the legal analysis of NIST's initiative: what begins as voluntary guidance becomes the standard of reasonable care. Organizations that build agent identity and audit capabilities in now will find it substantially easier to satisfy forthcoming compliance requirements than those that retrofit. The pattern has played out in every previous identity standards cycle.
Concretely, this is what IAM program owners should be doing in 2026:
- Conduct a gap analysis against the NCCoE concept paper framework. Even before the final guidance is published, the questions it asks (authentication, authorization, audit, least privilege, delegation) map to identifiable gaps in current programs.
- Evaluate whether SPIFFE/SPIRE-based workload identity is appropriate for your agent deployment architecture, particularly if you're running Kubernetes, cloud-native workloads, or multi-agent frameworks.
- Assess your OAuth integration posture: which tokens are long-lived, what scopes they carry, whether refresh tokens are indefinitely valid.
- Establish governance coverage for MCP servers by mapping which agents connect to which systems and under what authorization.
- Begin documenting your agent inventory. NIST's compliance frameworks will require it, and doing it reactively after mandate is considerably more expensive than building the practice proactively.
The Regulatory Timeline Is Compressing
Amazon filed suit against Perplexity in late 2025 over unauthorized agent activity that violated system identification headers. When organizations are litigating over agent identity, standardization has stopped being theoretical.
The Gravitee State of AI Agent Security 2026 Report found that only 14.4% of organizations report their AI agents go live with full security approval. When regulators and litigants begin citing NIST's agent security standards as the benchmark, and they will, that statistic is going to become a significant liability exposure.
The organizations that treat NIST's current initiative as a compliance requirement, even while it remains technically voluntary, will be better positioned when sector regulators, procurement authorities, and plaintiffs' attorneys begin citing agent security standards as evidence of reasonable care.