Policy February 2026

What NIST Gets Right About AI Agent Authorization
(And What the Industry Needs to Build)

On February 18, 2026, NIST launched the AI Agent Standards Initiative and issued a Request for Information with a March 9 deadline. The initiative's goal, in NIST's own words:

Read that again. Authorize access and actions taken by software agents.

That is exactly the problem Permission Protocol was built to solve. And NIST is right to prioritize it — because right now, the industry has no answer.

1. NIST Named the Right Problem

The AI security conversation has focused mostly on model safety: jailbreaks, prompt injection, hallucinations, bias. Important problems. But they're not the most urgent one for organizations deploying AI agents in production today.

The most urgent problem is authorization.

AI agents are taking real-world actions — deploying code, modifying infrastructure, sending communications, moving money. And in the vast majority of production deployments, there is no external system that asks and enforces: "Was this action actually approved?"

The AWS Kiro incident made it concrete in a different way. Amazon's AI coding agent decided to delete and recreate an entire production environment. It had the permissions to do so. It had no authorization — no external system requiring sign-off before a destructive action executed. The result was a 13-hour outage.

NIST is asking the right question. Now here's the answer.

2. Why Authorization Must Live Outside the Agent

The instinct is to build authorization into the agent — train the model to ask permission, write system prompts that restrict behavior, implement instruction hierarchies that prioritize safety over task completion.

These approaches are necessary. They are not sufficient.

A model is a probabilistic system. Under adversarial pressure — a carefully crafted prompt, an injection attack via tool output, a sufficiently compelling sequence of context — a model that "knows" it shouldn't do something can be made to do it anyway. More capable models are better at task completion, and better at circumventing internal constraints when task and constraint conflict.

There is a fundamental architectural principle here, and Permission Protocol's master plan states it as a non-negotiable:

This isn't just philosophy. It's the same principle behind payment authorization (the card network is separate from the merchant), certificate authorities (the signer is separate from the code), and hardware security modules (the key store is separate from the application).

The agent is the application. Authorization infrastructure is the key store. They must be architecturally separate, or the security boundary doesn't exist.

3. The Receipt Model: Cryptographic Proof, Not Logs

Once you accept that authorization must live outside the agent, the question becomes: what does that authorization look like?

The wrong answer is logs. Logs record what happened. They don't authorize it. A malicious or compromised agent can act and produce a log entry indistinguishable from a legitimate action. Post-hoc logging is forensics, not enforcement.

The right answer is receipts. A cryptographic receipt is issued before the action executes, by an external system, and is required for the action to proceed at all.

What a receipt looks like:

{
  "receipt_id": "rcpt_01HV3K9...",
  "action": {
    "type": "code_deployment",
    "artifact": "commit:abc123",
    "target": "production",
    "repository": "acme/backend"
  },
  "authorization": {
    "approver": "alice@acme.com",
    "approved_at": "2026-02-26T14:30:00Z",
    "expires_at": "2026-02-26T16:30:00Z",
    "scope": "single-use"
  },
  "cryptography": {
    "algorithm": "Ed25519",
    "signature": "7f3a...",
    "timestamp_token": "rfc3161-token"
  }
}

The receipt is signed by the authorization service. The action executor validates the receipt independently of the agent. No valid receipt means the action is blocked — not logged, not warned about. Blocked.

This architecture satisfies NIST's three pillars directly:

• Identify: The receipt records who authorized this agent, for what action, with what scope.
• Manage: The authorization service enforces policy before issuing receipts — scope constraints, approval requirements, rate limits, time bounds.
• Authorize: The receipt is the authorization. Cryptographic, timestamped, immutable, externally held.

The critical property: receipts cannot be forged by the agent. The agent requests authorization; the authorization service decides; the receipt is issued externally. A compromised agent cannot issue itself a receipt.

4. Deploy Gate: The Architecture in Production Today

Permission Protocol's reference implementation of this model is Deploy Gate.

Code deployment is the highest-stakes autonomous action most AI-assisted teams take every day. Every company has a CI/CD pipeline. Deploy Gate inserts the receipt model into that pipeline as a GitHub required status check:

1. AI agent opens a pull request
2. Deploy Gate triggers as a required check
3. Deploy Gate calls the PP authorization API with the commit SHA, repo, and deployment target
4. PP evaluates policy — is this deployment pre-approved? Does it need human sign-off?
5. If approved, PP issues a cryptographic receipt bound to that specific commit and target
6. Deploy Gate validates the receipt and marks the check as passing
7. The merge is permitted — and the receipt is in the immutable ledger

If no receipt is present or validation fails: merge blocked. Not a warning. Not a soft gate. A hard stop.

The elegance of this approach: the agent can never bypass it. Required status checks are enforced by GitHub, not by the agent. The agent can't merge without the check passing. The check can't pass without a valid receipt. The receipt can't exist without authorization from PP. The authorization can't come from the agent itself.

5. What the Industry Needs to Build (With NIST's Help)

Deploy Gate is one implementation of the receipt model. What the industry needs is a standard — so that receipts are interoperable across authorization providers, and so that compliance teams have something concrete to point at.

We'd ask NIST to prioritize three things:

A standard receipt schema. The equivalent of JWT for authorization tokens — an open, interoperable format for AI agent authorization receipts. What fields are required? What signature schemes are valid? What does a receipt ledger look like? These questions have good answers; they need standardization.

External authorization as a threshold requirement. NIST's guidelines should distinguish between probabilistic controls (model-level constraints) and deterministic controls (external enforcement). For high-consequence deployments — production code, financial transactions, infrastructure — external authorization should be a requirement, not an enhancement.

Fail-closed as the default. The default stance for AI agent actions with external state effects should be: blocked until authorized. Not warned. Not logged. Blocked. Standards that describe "soft" authorization gates for production systems are describing a gap, not a solution.

The industry is months away from AI agents being the primary authors of production code at most software companies. The authorization infrastructure has to be ready before that becomes the default, not after the first catastrophic incident at scale.

NIST asked the right question. The architecture to answer it exists today.