1. Executive Summary

This submission offers four technical contributions to inform NIST guidance on AI agent system security, based on systematic analysis of deployed multi-agent systems and published adversarial ML research.

The core finding: Every AI agent system — from research deployments to enterprise platforms including AWS AgentCore, Microsoft Agent 365, Google A2A, and Anthropic MCP — relies on a class of access control that has not yet been formally named, defined, or studied in the standards literature. This submission proposes the term Intrinsic Access Control (InAC) for this mechanism. It governs agent behavior between deterministic enforcement points. It is probabilistic, intrinsically enforced, and vulnerable to adversarial manipulation in ways that no existing standard addresses.

The four contributions:

1. InAC as the Unnamed Security Substrate. A formal mathematical definition of Intrinsic Access Control — proven independent of the five existing canonical models (DAC, MAC, RBAC, ABAC, PBAC) — demonstrating that InAC is a structural feature of all systems containing autonomous LLM agents. Every guardrails system implicitly depends on InAC between its explicit enforcement points. Naming and formally specifying this model is prerequisite to governing it.
2. The Enforcement Location Principle (ELP). A formal framework specifying where different enforcement mechanisms belong in multi-agent architectures: deterministic enforcement (E_d) at trust domain boundaries; normative enforcement (E_n) in the interior; observational enforcement (E_o) spanning both. All nine major agent platforms surveyed violate at least one ELP placement requirement.
3. Governance Maturity Model. A six-level (L0–L5) governance maturity model spanning six dimensions for assessing multi-agent system governance. Industry assessment reveals a ceiling at L2.0 overall (with some platforms reaching L2.5 on individual dimensions) — no system achieves L3 overall. The model provides federal agencies with a practical self-assessment tool and roadmap. Key finding: audit capability is the prerequisite gateway; without observable enforcement, no other governance dimension is verifiable.
4. Threat Model. Adversarial analysis produced a taxonomy of 47 attack vectors across 6 categories. Overall InAC resistance under adversarial conditions is 40–65%. The fastest full-compromise path requires 3 steps and under 5 seconds. These findings validate the InAC Adversarial Incompleteness Theorem: InAC cannot achieve completeness under adversarial conditions and must be supplemented with deterministic boundary enforcement and observational monitoring.

Primary recommendation: NIST guidance should explicitly recognize InAC as a class of control mechanism distinct from deterministic access control, establish monitoring requirements proportional to InAC reliance, and adopt the ELP as a reference framework for control placement in agent systems.

2. Priority Actions

The following five actions represent the highest-priority, highest-impact recommendations from this submission. They are sequenced to build upon each other and can be initiated in parallel across NIST program offices.

Priority Action 1 — Recognize Intrinsic Access Control in Federal Guidance. NIST may wish to consider whether the Govern function of the AI RMF would benefit from explicit treatment of probabilistic, intrinsically-enforced controls as a distinct class requiring distinct assessment methods. Without a name and definition in federal vocabulary, agencies cannot assess, document, or improve this control class. This submission proposes the term "Intrinsic Access Control" (InAC) as a candidate framework element. Suggested phasing: Evaluate for inclusion in next AI RMF update cycle.

Priority Action 2 — Establish Monitoring Proportional to InAC Reliance. Any AI agent system deployed under a federal ATO would benefit from observational enforcement (action logging, behavioral baselines, anomaly detection) commensurate with the fraction of security work performed by intrinsic controls. A system with extensive InAC reliance and no monitoring provides false assurance. Suggested phasing: Incorporate into AI-specific ATO guidance as part of the next SP 800-37 update process.

Priority Action 3 — Address Agent Identity Assurance. Self-asserted agent identity — an agent declaring its own name via environment variable or self-declaration — is insufficient for any federal system beyond isolated development. NIST may wish to evaluate per-session token-bound identity for FIPS 199 Moderate impact systems and certificate-based identity for FIPS 199 High impact systems, analogous to SP 800-63-3's identity assurance levels. Suggested phasing: Develop alongside AI-specific extensions to SP 800-63-3.

Priority Action 4 — Develop Governance Maturity Self-Assessment. The six-level, six-dimension governance maturity model proposed in Section 6 offers a starting point for agency self-assessment of AI agent governance. NIST could evaluate mapping L1 to FIPS 199 Low, L2 to Moderate, and L3 to High as minimum governance expectations. Suggested phasing: Pilot with volunteer agencies; refine through the standard workshop process.

Priority Action 5 — Develop a Federal AI Agent Threat Catalog. A threat catalog specific to AI agent architectures, analogous to MITRE ATT&CK for Enterprise and building on MITRE ATLAS, would address a gap in the current federal threat modeling landscape. The 47-vector taxonomy in Section 7 provides a starting point. Coordination with CISA advisories and the AAIF (Agentic AI Infrastructure Foundation) would strengthen industry alignment. Suggested phasing: Initiate as an interagency working group following this RFI's comment period.

Question Mapping

This submission addresses each of the five question areas identified in the NIST/CAISI RFI (NIST-2025-0035).

3. Introduction: The Access Control Gap in AI Agent Systems

3.1 Background

The Federal Register Notice of January 8, 2026 invites public comment on security considerations for AI agent systems, including novel risks such as indirect prompt injection, data poisoning, specification gaming, and misaligned agent objectives. This submission directly addresses these areas while contributing a theoretical framework that, if adopted into NIST guidance, would improve the analytical rigor of AI agent security assessment across the federal government.

3.2 The Central Problem

When a federal agency deploys an AI agent system — whether using AWS Bedrock Agents, Azure AI Services, or a custom multi-agent framework — that system relies on deterministic security controls at its boundaries: authentication gates, policy enforcement points, content filters, and API authorization checks. These controls are well-understood, align with existing NIST guidance (SP 800-53, SP 800-162, FIPS 140-3), and can be formally verified.

However, between those deterministic enforcement points, the agent's behavior is governed by something fundamentally different: natural language instructions that the agent is expected to interpret and follow. When an agent receives a system prompt stating "never exfiltrate user data," and that instruction causes the agent to decline a data exfiltration request, this is not deterministic enforcement. No kernel enforced a rule. No policy engine evaluated a predicate. The agent interpreted a natural language norm and chose to comply.

This mechanism — proposed here as Intrinsic Access Control (InAC) — governs the majority of an LLM agent's behavioral space between deterministic enforcement points.

3.3 Why This Matters for Standards

InAC is not inherently weak as a control mechanism. Under non-adversarial conditions, frontier models comply with clear instructions at rates exceeding 99%. The problem is that InAC is invisible in current security standards. Security assessments, authorization documentation, and governance frameworks assume deterministic access control. When they evaluate an AI agent system, they can assess the outer guardrails (which are deterministic) but not the interior (which is normative).

This invisibility creates several failure modes:

1. Incomplete threat models: Standard STRIDE/DREAD analysis does not capture prompt injection, social engineering of agents, or InAC degradation under adversarial conditions.
2. False assurance: A system that passes an authorization review of its deterministic controls may have critical InAC vulnerabilities that go undetected.
3. No monitoring mandate: Because InAC is unnamed, there is no standard requirement to monitor it. Observational enforcement (E_o) is absent from most deployed systems.
4. No compliance pathway: Federal agencies cannot demonstrate compliance with a governance requirement that does not exist.

3.4 Research Basis and Methodology

The findings in this submission derive from systematic analysis of deployed multi-agent systems, published adversarial ML research, and structural security assessment of nine major agent platforms' public documentation. The research was conducted through multiple rounds of structured analysis in February 2026.

Methodology categories and their epistemic status:

• Theoretical contributions (InAC formalization, ELP framework, governance maturity model): Derived from analysis of real deployed systems and prior access control literature. Independently reviewable against cited references.
• Platform assessments (governance scores, ELP gap analysis): Based on publicly available platform documentation as of February 2026. Assessment methodology is disclosed in Appendix B. No platform vendor was contacted for review; scores reflect public documentation completeness and may not capture unpublished governance mechanisms.
• Threat taxonomy and resistance estimates (47 attack vectors, 40–65% resistance range): Derived from structural analysis of multi-agent communication architectures, grounded in published prompt injection research (Perez & Ribeiro 2022; Greshake et al. 2023) and Constitutional AI evaluation benchmarks. These are analyst-estimated figures representing informed hypotheses, not measured experimental results.

Research limitations: The quantitative figures cited in this submission — including attack success rates, InAC compliance probabilities, and governance scores — are analyst estimates derived from structural analysis and published literature. The InAC-Bench benchmark suite has been designed and specified (methodology details available upon request) but has not been executed against live models. Empirical validation through controlled API testing is planned for Q2 2026. All resistance rates should be understood as structured hypotheses awaiting experimental confirmation, not measured results.

This methodology has an inherent limitation: the analytical framework was developed by researchers working within a multi-agent system of the type being analyzed. All findings have been reviewed against published external literature cited in Section 10. Findings that could not be validated against external sources are identified as preliminary throughout this document.

4. Response Area 1: Intrinsic Access Control (InAC)

4.1 The Core Claim

Claim: Intrinsic Access Control is a distinct sixth access control model, alongside and independent of DAC, MAC, RBAC, ABAC, and PBAC. It is not reducible to any combination of existing models. It is structurally present in every system containing autonomous LLM agents.

4.2 Formal Definition

D_InAC(s, o, action, t) = s.interpret(N_applicable(s, o, action, t))

Pr[D_InAC = ALLOW] = ∏_{n ∈ N_prohibiting} (1 - C(s, n))
                   × ∏_{n ∈ N_permitting} C(s, n)

4.3 Axioms and Properties

lim_{A(s)→1} C(s, n) = 1 - ε(clarity(n))   (approaches 1 for clear norms)
lim_{A(s)→0} C(s, n) = p_random             (approaches random compliance)

4.4 Four Theorems

Updated taxonomy:

Access Control Models
├── Deterministic (extrinsic enforcement, formal verification possible)
│   ├── DAC (owner-discretionary, ACL-based)
│   ├── MAC (system-mandatory, label-based)
│   ├── RBAC (role-mediated, permission-mapped)
│   ├── ABAC (attribute-evaluated, policy-engine-based)
│   ├── PBAC (externally-defined, PDP/PEP-separated)
│   └── Capability-based (token-mediated, unforgeable)
└── Probabilistic (intrinsic enforcement, empirically testable)
    └── InAC (norm-based, alignment-dependent, self-enforced)

4.5 Comparison with Existing Models

4.6 Analytical Validation

The following findings are analyst-estimated based on structural analysis and published literature. Empirical validation through controlled benchmark execution (InAC-Bench) is planned for Q2 2026.

• InAC compliance rate (non-adversarial, estimated): Frontier models demonstrate >95% compliance with clear norms in non-adversarial conditions, consistent with published Constitutional AI benchmarks and model system card evaluations. The specific rate depends on the benchmark and model; published rates range from 95% to >99%.
• InAC resistance (adversarial, estimated): Structural analysis grounded in prompt injection literature (Perez & Ribeiro 2022; Greshake et al. 2023) estimates overall InAC resistance under adversarial conditions at 40–65%, consistent with Theorem 4.
• Universal InAC reliance (structural observation): Survey of nine major agent platforms' public documentation (Microsoft Agent 365, AWS AgentCore, Google A2A, Docker cagent, Anthropic MCP, OpenAI Agents SDK, LangGraph, CrewAI Enterprise, Letta) confirmed that every platform relies on InAC between its deterministic enforcement points, consistent with Theorem 2.

4.7 Monitoring Requirements for InAC

Since InAC is probabilistic and fail-open, monitoring (observational enforcement, E_o) is required at all points where InAC is the primary control mechanism.

4.8 How to Analyze Systems That Rely on InAC

Systems relying on InAC require a three-layer analytical framework:

Layer 1: Deterministic Analysis. Identify all deterministic enforcement points. Verify their correctness using classical tools (model checking, formal verification). Document all trust domain boundaries and confirm that E_d enforcement is present at each.

Layer 2: InAC Analysis. For the interior (between deterministic enforcement points):

1. Enumerate applicable norms: For each agent, list all norms applicable to its behavior (system prompt, governance documentation, in-context instructions).
2. Assess compliance probability: Estimate C(s, n) based on model alignment benchmarks, norm clarity, adversarial pressure, and historical audit data.
3. Identify low-C norms: Norms with C < 0.90 non-adversarial, or C < 0.60 under adversarial conditions, are high-risk requiring additional compensating controls.
4. Compute compound compliance: For a behavior requiring compliance with norms {n₁, …, n_k}:

C_compound = ∏_{i=1}^{k} C(s, n_i)

Ten norms with 90% individual compliance yield 35% compound compliance — demonstrating that multiplicative degradation requires careful governance.

Layer 3: Observational Analysis. Assess monitoring and detection: What actions can be detected post-hoc? What is detection latency? What corrective actions are available? What is the residual risk after detection?

Combined security profile:

Security(system) = Deterministic_coverage × InAC_compliance × Detection_capability

This product reveals why E_o is critical: a system with 95% boundary coverage and 95% InAC compliance but no detection capability has the same residual risk as one with 0% InAC compliance — violations go undetected indefinitely.

4.9 Recommendations for NIST

Recommendation 1: Formally recognize InAC as a distinct class of control mechanism in NIST guidance (AI RMF, SP 800-53, and future AI agent security guidance). Existing control families assume deterministic enforcement; an InAC control family would address AI-specific needs.

Recommendation 2: Mandate E_o proportional to InAC reliance. Any system deploying LLM agents must have observational enforcement commensurate with the fraction of security work performed by InAC.

Recommendation 3: Require InAC threat modeling as part of AI agent security assessment. Security documentation should identify: (a) which behaviors are governed by InAC; (b) estimated compliance probability for critical norms; (c) the adversarial attack surface against InAC; (d) the monitoring mechanisms that detect InAC violations.

Recommendation 4: Establish alignment as a security property. Agent model alignment — the structural property A(s) — directly determines InAC compliance probability. Model cards, system cards, and ATO documentation for AI agent systems should include alignment benchmarks for the deployed model, stated as compliance probability under adversarial conditions.

5. Response Area 2: Enforcement Location Principle (ELP)

5.1 Formal Definition

The Enforcement Location Principle answers the question: where should different types of security controls be placed in a multi-agent architecture?

E_d at L_b ↔ Deterministic enforcement at boundaries. No exceptions.
E_n at L_i ↔ Normative enforcement in the interior. Do not over-constrain.
E_o at L_s ↔ Observational enforcement spanning all trust domains.

5.2 Trust Domain Boundary Taxonomy

Four types of trust boundaries are relevant to AI agent systems, ordered by criticality:

Type 1: Trust Domain Boundary (Highest Criticality). A point where the fundamental basis of trust changes — from normative to code-enforced, or from one authentication domain to another.

Type 2: Process Boundary (Medium Criticality). A point where control passes between OS-level processes. The OS kernel provides isolation, but same-UID processes may share access.

Type 3: Network Boundary (Medium-High Criticality). A point where data traverses a network interface. TLS encryption is the baseline; mutual TLS is required for high-sensitivity agent-to-service communication.

Type 4: Privilege Boundary (Variable Criticality). A point where permitted actions change within the same trust domain. Privilege escalation requests cross privilege boundaries and require commensurately stronger controls.

5.3 Protocol Comparison: Where InAC Is Already in Use

Survey of nine major agent platforms confirms that every platform relies on InAC between its deterministic enforcement points.

Finding: No platform currently provides monitoring requirements specific to its InAC reliance. The E_o component for the interior is absent across the industry.

5.4 Correct vs. Incorrect ELP Placement

Correctly placed enforcement (examples from observed systems):

Misplaced enforcement (high-risk examples found in practice):

5.5 ELP Gap Analysis: Current Industry State

AWS AgentCore. Correctly placed: IAM authentication at network boundary (E_d) ✓; Cedar policy evaluation before tool execution (E_d) ✓; CloudTrail audit spanning all operations (E_o) ✓; agent alignment following Bedrock instructions (E_n) ✓. Misplaced: No explicit InAC analysis for inter-tool-call reasoning; CloudWatch behavioral anomaly detection not standard. ELP Score: 3.5/5.

Microsoft Agent 365. Correctly placed: Entra Agent ID authentication (E_d) ✓; Conditional Access policy evaluation (E_d) ✓; DLP policies at communication boundary (E_d) ✓; Application Insights usage analytics (E_o) ✓. Misplaced: Behavioral baseline monitoring for agent workflows not specified; inter-agent governance relies entirely on E_n with no documented E_o. ELP Score: 3.5/5.

Google A2A. Correctly placed: OAuth 2.0 authentication at agent-to-agent connection (E_d) ✓; task lifecycle state machine (E_d for state boundary) ✓; Agent Cards capability declaration (E_n advisory) ✓. Misplaced: Agent Cards are self-declared and unverified; no standardized E_o. ELP Score: 2.0/5.

Anthropic MCP. Correctly placed: OAuth 2.0 transport authentication (E_d) ✓; tool annotations advisory nature explicitly documented (correctly labeled as E_n, not E_d) ✓. Misplaced: Tool annotations create a gap: E_n at a privilege transition boundary (tool invocation) without E_o; no standardized audit trail. ELP Score: 1.5/5.

Implications for Federal Adoption. Federal agencies adopting any of these platforms inherit the platform's ELP compliance profile. Before deploying an AI agent system, agencies should assess: (1) boundary coverage; (2) interior InAC reliance; (3) observational coverage; (4) custom E_o supplement needed. The minimum federal supplement required across all platforms surveyed: structured audit logging of agent actions with behavioral baseline analysis.

5.6 Recommendations for NIST

Recommendation 5: Adopt ELP as a reference framework for AI agent security control placement. Future SP 800-series documents should reference E_d, E_n, and E_o as control modalities with defined placement requirements.

Recommendation 6: Require E_d at all trust domain boundaries in AI agent system authorization documentation. Any trust domain boundary with E_n-only enforcement should be documented as a known risk requiring compensating controls.

Recommendation 7: Define a minimum E_o requirement for InAC-governed spaces. Systems that rely on InAC for interior behavioral governance must implement continuous action logging, behavioral baselines, and anomaly detection.

Recommendation 8: Mandate fail-closed semantics for boundary enforcement. Any authorization decision made at a trust domain boundary must fail closed when the enforcement mechanism encounters an error or unrecognized input. InAC fails open by nature; boundary enforcement must compensate.

6. Response Area 3: Governance Maturity Model

6.1 The L0–L5 Framework

This submission proposes a six-level governance maturity model for multi-agent systems, analogous to the CMMI for software process maturity. Each level subsumes all capabilities of lower levels.

L0: Ungoverned. No governance mechanisms. Agents operate with no constraints, monitoring, or accountability. This is the default state of any multi-agent system before governance is added. Risk profile: Acceptable only in isolated development environments with no external-facing interfaces.

L1: Accountable. Agent identity exists and actions are recorded. A retrospective account of "who did what, when" is possible. Minimum requirements: every agent action recorded with identity, timestamp, and action type; audit records are tamper-resistant (append-only at minimum); records are queryable (structured search). Key insight: L1 is the minimum viable governance. It does not control what agents do, but it enables retrospective accountability.

L2: Policy-Defined. Formal governance policies exist and are documented. Roles and permissions are defined. Minimum requirements: written policy document defining agent permissions (NIST SP 800-162 compliant); at least two distinct permission levels enforced normatively or deterministically; agent access scoped to specific resources or domains; policy violations detectable through audit comparison.

L3: Enforced. Policies are code-enforced at system boundaries. Violations are blocked, not merely detected. This level requires full ELP compliance: E_d at L_b, E_n at L_i, E_o at L_s. Minimum requirements: all trust domain boundaries have deterministic enforcement; agent identity is cryptographically bound; policy enforcement is automated; enforcement failures are fail-closed; audit trail has integrity guarantees.

L4: Adaptive. Governance adapts to agent behavior in real-time. The system detects anomalies, adjusts policies dynamically, and provides risk-proportionate escalation to human oversight. Minimum requirements: automated anomaly detection with compound scoring; at least one dynamic policy adjustment mechanism; risk-proportionate escalation to human oversight; continuous compliance monitoring with <1 minute detection latency; historical behavioral baselines per agent.

L5: Self-Governing. Agents participate in their own governance. Policy evolution is partially delegated to agent populations within constitutional constraints. Human oversight shifts from operational to constitutional. This level represents the theoretical end-state and is not achieved by any current system.

6.2 Six Governance Dimensions

Overall governance maturity is assessed across six dimensions. The weakest-link model applies: the overall maturity score equals the minimum across all dimensions.

Dimension 1: Access Control. Controls who can do what to which resources. Scored L0 (no control) through L5 (agent-negotiated access within constitutional constraints).

Dimension 2: Audit and Accountability. Records and preserves evidence of agent actions. Scored L0 (no audit) through L5 (cross-system audit federation with agents auditing each other).

Dimension 3: Transparency. Makes agent behavior understandable to stakeholders. Scored L0 (black-box agents) through L5 (agents explain their own governance compliance on demand).

Dimension 4: Compliance. Demonstrates conformance with policies and regulations. Scored L0 (no compliance tracking) through L5 (agents self-verify and report compliance with constitutional constraints).

Dimension 5: Human Oversight. Ensures humans maintain appropriate control. Scored L0 (no oversight mechanisms) through L5 (constitutional oversight, not operational).

Dimension 6: Agent Lifecycle. Manages agents from creation to retirement. Scored L0 (no lifecycle awareness) through L5 (agents propose and negotiate their own lifecycle transitions).

6.3 Industry Assessment: Current Ceiling at L2.0

Assessment of seven current agent systems against the six-dimension, six-level model. These assessments are preliminary estimates based on publicly available documentation reviewed in February 2026. No platform vendor was contacted for review.

Key findings: Industry ceiling is L2.0 overall — no system achieves L3. The weakest-link problem means a system may be L3 on access control and L0 on audit, yielding an effective governance of L0 because unmonitored access control provides no assurance. Universal blind spot: inter-agent governance. No platform governs how agents interact with each other at a systemic level.

6.4 The Governance-Coordination Matrix

An important finding is the relationship between governance maturity and coordination capability.

• Governance-Coordination Gap: G_gap = Coordination_maturity - Governance_maturity
• VIABLE zone: G_gap ≤ 1 (governance tracks coordination)
• RISKY zone: G_gap = 2 (governance significantly lags coordination)
• DANGER zone: G_gap ≥ 3 (critical governance deficit)

Implication: As agent systems become more capable, governance must scale proportionally. Governance debt — where agents can do more than they can be held accountable for — is the dominant anti-pattern in the current industry.

6.5 Dimension-Specific Industry Assessment

Access Control (Dimension 1). Enterprise platforms (AWS, Microsoft) achieve L2–L3 through mature IAM and RBAC implementations. Protocol-focused platforms (MCP, A2A) achieve L1 through transport-level authentication but rely on advisory annotations for interior access. Key finding: all platforms achieve some access control at the boundary; no platform provides systematic access control for inter-agent authorization.

Audit and Accountability (Dimension 2) — the weakest dimension. Most platforms were built with observability (useful for debugging) rather than governance audit (required for accountability) as the primary design goal.

Transparency (Dimension 3). Decision traces — recording why an agent made a decision, not just what it did — are absent from most platforms. For FISMA High systems, L3 transparency (explainable agent behavior for non-technical stakeholders) should be required.

Human Oversight (Dimension 5). ELP-based human oversight model: L1 oversight = humans can see what happened (audit review, corresponds to E_o); L2 = humans approve high-risk operations before execution (corresponds to E_d at privilege boundaries); L3 = humans configure which operations require approval (configurable E_d); L4 = oversight intensity scales with detected risk (dynamic E_d/E_n based on E_o signals); L5 = humans set constitutional bounds, agents operate within them (constitutional E_d). The EU AI Act requires L2 oversight minimum for High-Risk systems.

6.6 Audit First, Access Control Second

The counterintuitive but empirically supported finding from this research: audit capability is the prerequisite gateway for all other governance. The standard intuition is to implement access control first and add monitoring later. This is backwards for AI agent systems because:

1. InAC is already the primary interior control. Agents already follow instructions. Adding more instructions (without enforcement) does not improve security.
2. Without audit, access control is unverifiable. Normative interior controls (InAC) can only be verified through behavioral monitoring.
3. Audit enables calibration. Observational enforcement reveals which norms are actually being followed versus which are violated.
4. Detection latency determines damage. The faster violations are detected (E_o), the smaller the window for adversarial exploitation.

Recommended progression for agencies deploying AI agents:

1. Phase 1 (Weeks 1–4): Implement structured audit logging → achieves L1. This is the gateway capability.
2. Phase 2 (Weeks 4–8): Define formal roles and permissions in policy document → achieves L2.
3. Phase 3 (Weeks 8–16): Implement cryptographic identity binding and code-enforced boundary controls → approaches L3.
4. Phase 4 (Weeks 16–30): Add behavioral monitoring and anomaly detection → approaches L4.

6.7 Recommendations for Federal Agencies

Recommendation 9: Require L1 governance as the minimum for any production AI agent deployment. Specifically: structured audit logging with agent identity, timestamp, action type, and outcome. No production AI agent system should operate without retrospective accountability.

Recommendation 10: Require L2 governance for any AI agent system with access to sensitive federal data. This includes: formal policy document defining agent permissions, at least two distinct permission levels, and scope-limited agent access.

Recommendation 11: Require L3 governance for high-risk AI agent systems (per EU AI Act High-Risk classification or equivalent NIST criteria). Full ELP compliance: E_d at trust domain boundaries, E_n + E_o in the interior.

Recommendation 12: Adopt the L0–L5 framework as a self-assessment tool. Federal agencies should self-assess their AI agent deployments against the six-dimension model annually and document a progression plan.

Recommendation 13: Mandate inter-agent governance requirements. Current federal guidance focuses on individual agent behavior; multi-agent systems require additional governance of agent-to-agent interactions covering: agent identity verification in multi-agent contexts, delegation protocol between agents, and governance of multi-agent consensus and decision-making.

7. Response Area 4: Threat Model for AI Agent Systems

7.1 Taxonomy of Approximately 47 Attack Vectors

Structural analysis of a deployed multi-agent architecture produced a taxonomy of approximately 47 distinct attack vectors across 6 categories. All attacks target the InAC substrate — the instruction-following behavior of agents between deterministic enforcement points. Success rate estimates are analyst projections grounded in published prompt injection research, requiring experimental validation.

Category 1: Prompt Injection Attacks (10 vectors)

Attacks that exploit the verbatim delivery of messages into agent context windows without sanitization.

• Authority Spoofing (PI-AS): Injecting messages that claim to originate from high-authority sources. Success rates: 15–45%.
• Mode Upgrade Injection (PI-MU): Messages claiming to grant elevated permissions through a documented escalation channel. Success rates: 20–55%.
• Instruction Override (PI-IO): Direct attempts to replace existing governance norms. Success rates: 3–15% (the least effective category).
• Subtle Manipulation (PI-SM): Long-running campaigns that gradually shift agent norms through apparently independent messages. Success rates: 30–50% — the most effective prompt injection category.

Highest-impact attack — Gradual Norm Shifting: A multi-message campaign exploits social proof. Early messages establish that "other agents" have already adopted a relaxed norm. A subsequent message provides apparent authority confirmation. The final message delivers the malicious request. Each individual message is indistinguishable from legitimate coordination traffic. Combined success rate: 35–50%.

Category 2: Inter-Agent Social Engineering (9 vectors)

Attacks that exploit legitimate delegation patterns to launder malicious requests.

• Confused Deputy (SE-CD): Low-privilege agent manipulates high-privilege agent into performing actions beyond the attacker's direct capability. Success rates: 25–50%. Structurally difficult to prevent because legitimate collaboration and malicious request look identical in natural language.
• Chained Delegation (SE-CD-2): Attack launders through an unwitting intermediate agent, increasing trust in the final request. Success rate: 35–50%.
• Authority Chain Attack (SE-AC): Fabricates or amplifies authority through relay claims. Success rates: 10–30%.
• Consensus Manufacturing (SE-CM): Creates apparent consensus through mass identity registration. Success rates: 15–35%.

Category 3: Identity Attacks (8 vectors)

Attacks that exploit the absence of cryptographic identity binding.

• Direct Impersonation (ID-IMP): Setting an environment variable or self-declaring to claim any agent identity. Difficulty: trivial. Impact: complete.
• Ghost Agent (ID-GA): After a legitimate trusted agent goes offline, register under its name to inherit residual trust. Success rate: 70–85%.
• Mass Identity (ID-MI): Register numerous agent identities rapidly to manufacture apparent consensus. Cost: zero.

Category 4: Privilege Escalation (8 vectors)

Attacks that achieve higher permissions than the attacker's legitimate authorization. Sub-categories include: self-promotion via instruction manipulation (5–10%); mode upgrade via forged relay (30–45%). Fastest full-compromise path: 3 steps, under 5 seconds.

Category 5: Information Exfiltration (6 vectors)

Attacks targeting data leakage from agent systems, including context window contents, message history, and credential inference through behavioral side-channels. Critical finding: in systems without content sanitization before storage, prompt injection payloads persist in message history indefinitely.

Category 6: Denial of Service (6 vectors)

Attacks that impair availability. Fastest path: message flooding via mass agent registration creates unbounded message volume in systems with no rate limiting — estimated time to service degradation: 10 seconds. Highest-impact attack: database locking via concurrent writes with no transaction management. Success rate: 85%.

7.2 Overall InAC Resistance Under Adversarial Conditions

Analyst-estimated overall InAC resistance under adversarial conditions: 40–65%. This range reflects uncertainty across model types and attack sophistication. It is consistent with the Adversarial Incompleteness Theorem: InAC cannot be made complete under adversarial pressure.

7.3 Fastest Full-Compromise Path

Theoretical attack path — estimated three steps, under 5 seconds:

1. Claim a privileged agent identity using a self-assertion mechanism (environment variable or equivalent) — 0 seconds.
2. Send a mode-upgrade instruction via the agent communication channel — <1 second.
3. Issue commands as the trusted agent — executes within the agent's next poll cycle (typically 5–10 seconds).

This attack requires no technical sophistication, no privileged access, and no prior knowledge of the system beyond the documented agent naming convention. Mitigating the 3-step path requires three targeted controls: (1) per-session message authentication codes (~100 lines of code); (2) cryptographic agent identity binding; (3) monitoring and alerting on unexpected mode escalation events.

7.4 Relationship to OWASP Top 10 for Agentic Applications (2026)

7.5 Adversarial Detection Evasion

A critical finding from adversarial analysis: behavioral monitoring heuristics commonly proposed for AI agent systems can be individually evaded with moderate effort. While individual heuristics can be evaded (60–90% evasion rate), compound scoring (requiring 3+ independent signals) reduces evasion to 25–45% at higher attack cost and duration.

Remaining irreducible risk: even with compound scoring, the fastest attack paths (3-step, <5 seconds) remain viable because they operate within a single message and session — too fast for pattern-based detection. Cryptographic controls are required to close these paths; behavioral monitoring cannot.

7.6 Recommendations for NIST

Recommendation 14: Require threat modeling of InAC attack vectors as part of AI agent security documentation. Agencies should document their specific exposure to the six attack categories, estimated success rates, and compensating controls.

Recommendation 15: Mandate rate limiting and input sanitization on all AI agent message channels. These controls address denial of service and prompt injection at the deterministic layer.

Recommendation 16: Establish minimum E_o requirements for InAC-governed interior spaces: (a) action logging with agent identity; (b) anomaly detection triggered on behavioral baseline deviation; (c) detection latency <5 minutes for high-severity violations; (d) escalation path to human review.

Recommendation 17: Require cryptographic agent identity binding for any AI agent system accessing sensitive federal data. Self-asserted identity is insufficient for federal security requirements.

Recommendation 18: Create a federal AI agent threat catalog analogous to ATT&CK for Enterprise but specific to AI agent architectures. The 47-vector taxonomy provided in this submission could serve as a starting point.

8. Cross-Cutting Recommendations for NIST Consideration

8.1 Summary of All Numbered Recommendations

For clarity, all numbered recommendations from this submission are consolidated here.

Regarding InAC (Section 4): 1. Formally recognize InAC as a distinct class of control mechanism. 2. Mandate E_o proportional to InAC reliance. 3. Require InAC threat modeling as part of AI agent security assessment. 4. Establish alignment as a security property — include alignment benchmarks in ATO documentation.

Regarding ELP (Section 5): 5. Adopt ELP as a reference framework for AI agent security control placement. 6. Require E_d at all trust domain boundaries. 7. Define a minimum E_o requirement for InAC-governed spaces. 8. Mandate fail-closed semantics for boundary enforcement.

Regarding Governance Maturity (Section 6): 9. Require L1 governance as the minimum for any production AI agent deployment. 10. Require L2 governance for any AI agent system with access to sensitive federal data. 11. Require L3 governance for high-risk AI agent systems. 12. Adopt the L0–L5 framework as a federal AI agent governance self-assessment tool. 13. Mandate inter-agent governance requirements in multi-agent system deployments.

Regarding Threat Model (Section 7): 14. Require threat modeling of InAC attack vectors. 15. Mandate rate limiting and input sanitization on all AI agent message channels. 16. Establish minimum E_o requirements for InAC-governed interior spaces. 17. Require cryptographic agent identity binding for AI agent systems accessing sensitive federal data. 18. Create a federal AI agent threat catalog.

Cross-cutting recommendations (this section): 19. Add a Normative Control (NC) family to NIST SP 800-53 for AI agent systems. 20. Develop an AI Agent Identity Assurance framework (AAIAL-1 through AAIAL-3). 21. Integrate the L0–L5 governance maturity model with FISMA requirements. 22. Lead a cross-agency AI Agent Security Working Group.

8.2 An InAC Control Family for NIST SP 800-53

NIST SP 800-53 Rev. 5 defines control families for Access Control (AC), Audit and Accountability (AU), and others. We recommend the addition of a Normative Control (NC) family specifically for AI agent systems:

NC-1: InAC Policy Documentation. Low: Identify which agent behaviors are governed by natural language norms. Moderate: Document all norms with authority hierarchy and intended compliance probability. High: Provide formal InAC specification for all norms, with norm clarity assessment and conflict resolution rules.

NC-2: InAC Threat Assessment. Low: Document the attack surface against InAC. Moderate: Quantify estimated adversarial success rates for each attack category against the deployed model. High: Conduct quarterly red-team adversarial testing of InAC compliance; document C(s,n) for all critical norms.

NC-3: InAC Monitoring. Low: Implement action logging with agent identity and timestamp. Moderate: Implement behavioral baselines per agent; automated anomaly alerts. High: Implement compound anomaly scoring; <5-minute detection latency; automated escalation.

NC-4: Agent Alignment Verification. Low: Document the model alignment assessment methodology for the deployed model. Moderate: Conduct pre-deployment red-team testing; document alignment score for critical norms. High: Conduct monthly alignment re-assessment; track compliance probability over time.

NC-5: InAC Incident Response. Low: Document response procedures for prompt injection detection. Moderate: Define containment, eradication, and recovery for identity forgery and escalation attacks. High: Implement automated response (agent quarantine, session termination) for high-confidence InAC violation detection.

8.3 AI Agent Identity Assurance Framework

NIST SP 800-63-3 defines Identity Assurance Levels (IAL) for human authentication but does not address AI agent identity assurance. This submission proposes three AI Agent Identity Assurance Levels (AAIAL):

• AAIAL-1: Self-asserted identity (InAC-based). Acceptable for low-risk interior coordination. Not acceptable at trust domain boundaries.
• AAIAL-2: Per-session token-bound identity. Session token issued by a trusted authority, cryptographically bound to the agent instance. Acceptable for standard federal systems.
• AAIAL-3: Certificate-based cryptographic identity. X.509 or equivalent; agent possesses private key. Required for high-risk systems and trust domain boundary crossings.

Why AAIAL-1 is insufficient for anything beyond development: the fastest full-compromise attack (Section 7.3) requires only AAIAL-1. AAIAL-2 raises the cost from "free" to "requires cryptographic session establishment." AAIAL-3 raises it to "requires compromise of a certificate authority or private key." Federal agencies already operate PKI infrastructure (FPKI, PIV); extending this to AI agents is a solvable problem with existing PKI tooling.

8.4 Governance Maturity Integration with FISMA

We recommend integrating the L0–L5 governance maturity model with FISMA requirements:

• FISMA Low → L1 governance required: Audit logging, agent identity
• FISMA Moderate → L2 governance required: Formal policies, role-based access
• FISMA High → L3 governance required: Code enforcement, cryptographic identity, ELP compliance — all trust domain boundaries have deterministic enforcement (E_d at L_b); agent identity cryptographically bound (AAIAL-2 minimum, AAIAL-3 preferred); policy enforcement automated; enforcement failures fail-closed; audit trail with cryptographic integrity guarantees.

Transition planning: agencies currently deploying AI agents under existing FISMA authorizations should treat AI agent governance as an ATO factor. The System Security Plan (SSP) should document InAC-governed spaces, compliance probability assessments, and monitoring mechanisms. Penetration testing should include InAC attack vectors.

8.5 Technical Coordination with AAIF

The Agentic AI Infrastructure Foundation (AAIF, Linux Foundation, December 2025) houses MCP, A2A, and related agent protocols under open governance. Platinum members include Anthropic, OpenAI, Google, Microsoft, and AWS. NIST coordination with AAIF would enable: standards alignment (NIST requirements for InAC monitoring incorporated into AAIF protocol specifications); reference implementation (ELP-compliant agent architectures); vocabulary harmonization (if AAIF adopts "InAC" and "ELP," federal agencies using AAIF protocols will have a shared vocabulary); joint working groups.

8.6 Relationship to EU AI Act High-Risk Classification

The EU AI Act (core provisions effective August 2, 2026) classifies autonomous multi-step AI agents as "High-Risk" systems under Annex III. The InAC/ELP framework maps directly onto EU requirements:

8.7 Relationship to CISA Principles for Secure AI Integration

CISA's principles for secure AI integration in operational technology emphasize: secure design from the outset, transparency in AI system operation, and human oversight of high-consequence decisions. The InAC/ELP framework provides the technical substrate for operationalizing these principles: ELP compliance ensures deterministic controls are placed at trust boundaries from the architecture stage; E_o provides the audit record needed for transparency; the governance maturity model's human oversight dimension maps directly to CISA's oversight principles.

8.8 AI RMF Function Mapping

The following table maps the 22 recommendations to specific subcategories of the NIST AI Risk Management Framework (AI RMF 1.0).

Distribution: GOVERN receives the most recommendations, reflecting the submission's emphasis on establishing foundational governance vocabulary. MEASURE and MAP reflect assessment and risk characterization. MANAGE covers operational controls and response. CSF 2.0 alignment: Recommendations 1, 5, 9–13, and 19–22 map to both AI RMF Govern and CSF 2.0 Govern.

8.9 Related Work

The InAC formalization builds upon and extends several research traditions in multi-agent systems, normative computing, and institutional governance.

Normative Multi-Agent Systems. Shoham and Tennenholtz (1995) introduced social laws for artificial agent societies. Boella and van der Torre (2004) formalized the distinction between regulative and constitutive norms. InAC differs in three fundamental ways: (1) norm interpretation is emergent, not programmed; (2) norms resist formalization (Axiom 3: Natural Language Norms); (3) Subject-Enforcement Identity — all prior normative MAS frameworks assume extrinsic enforcement. InAC's defining property E(M) = S(M) is unique to this model.

Social Commitments and Coordination. Singh (1999, 2021) developed commitments-based coordination where social commitments are first-class objects. InAC's authority hierarchy parallels this, but with a crucial difference: Singh's commitments are explicit, tracked, and enforceable. InAC norms are implicit in system prompts, interpreted probabilistically, and enforceable only through the agent's own alignment. The confused deputy attack exploits precisely this gap — natural language carries no machine-verifiable commitment metadata.

Trust Theory. Castelfranchi and Falcone (2010) developed a socio-cognitive model of trust in multi-agent systems. InAC's alignment function A(s) is structurally analogous, but A(s) is a property of the agent's training and architecture — empirically measurable (through benchmarks) rather than subjectively assessed, positioning it as a security property suitable for ATO documentation.

Institutional Governance and Commons. Ostrom's IAD framework (2005) provides the theoretical foundation for L5 (Self-Governing). The L0–L5 model maps directly: L1–L2 establish monitoring and policy (Ostrom's prerequisites), L3 adds enforcement (Ostrom's graduated sanctions), L5 represents Ostrom's self-governance. The anti-pattern "Premature Self-Governance" (Appendix C) is the multi-agent analog of Ostrom's finding that self-governance fails without institutional prerequisites.

Electronic Institutions. Artikis, Sergot, and Pitt (2005) developed computational models for electronic institutions with runtime norm monitoring. This is the closest prior work to InAC's E_o concept. The key distinction: electronic institutions assume formally specified norms evaluated by an external monitor, while InAC systems have natural language norms with no external monitor — making E_o not just useful but essential, because InAC compliance cannot be verified by formal means.

InAC's contribution is to formalize the specific case where these assumptions break down: when agents are LLMs interpreting natural language norms through emergent alignment, when enforcement is intrinsic rather than extrinsic, and when compliance is probabilistic rather than binary. This is the actual operating model of every deployed AI agent system — and the gap that current standards do not address.

9. Conclusion

9.1 Timeliness

The NIST/CAISI RFI represents a timely opportunity to establish foundational concepts for AI agent security guidance before patterns of deployment become entrenched in federal IT infrastructure. Current standards — NIST AI RMF, ISO/IEC 42001, OWASP Top 10 for Agentic Applications — address the deterministic outer shell of AI agent security (authentication, authorization, content filtering) but do not yet address the intrinsic enforcement interior. Guidance development now can establish assessment requirements before they must be retrofitted to operational systems.

9.2 Four Contributions for NIST Consideration

1. InAC formal specification (Section 4) as a candidate theoretical foundation for AI agent interior security. The four axioms, one empirical property, four theorems, and formal comparison table provide a basis for standards language about probabilistic, intrinsically-enforced controls. Empirical validation is planned for Q2 2026.
2. Enforcement Location Principle (Section 5) as a candidate reference framework for AI agent security architecture. The E_d/E_n/E_o taxonomy and placement decision matrix, consistent with the trust zone concepts in NIST SP 800-207 (Zero Trust Architecture), provide actionable guidance for architects and assessors.
3. Governance Maturity Model (Section 6) as a candidate federal self-assessment framework. The L0–L5 model with six dimensions and scoring rubrics could complement the NIST Cybersecurity Framework 2.0's Govern function for AI agent systems specifically.
4. Threat taxonomy (Section 7) as a candidate adversarial analysis framework. The 47-vector taxonomy across 6 categories, with estimated InAC resistance rates, provides a structured basis for AI agent threat modeling requirements.

9.3 Risks of Omission

Absent formal guidance addressing intrinsic access control, federal system security plans and ATO documentation will assess only deterministic boundary controls in AI agent systems, leaving interior behavioral governance without a compliance pathway. The threat taxonomy in Section 7 identifies attack categories — including prompt injection, confused deputy exploitation, and identity forgery — that are not captured by current FISMA documentation requirements.

9.4 Proposed Vocabulary

Beyond specific technical recommendations, this submission proposes vocabulary that NIST may wish to evaluate for adoption in AI agent security guidance:

• InAC + ELP as a more precise alternative to "guardrails" (which implies only boundary enforcement without naming the interior enforcement model).
• Compliance probability C(s, n) as a measurable alternative to "trust in the AI system."
• E_o (observational enforcement) as a required architectural component rather than optional "monitoring."
• Alignment as a security property A(s) as a bridge between AI safety vocabulary and security risk assessment.

Adoption of this vocabulary in NIST guidance would provide assessors across the federal enterprise with conceptual tools to evaluate the most important and least addressed dimension of AI agent security: the behavior governed by intrinsic access control between deterministic enforcement points.

10. Formal References

Access Control Foundations

• Anderson, J.P. (1972). "Computer Security Technology Planning Study." ESD-TR-73-51. (Defines the reference monitor concept that InAC's Axiom 5 contrasts with.)
• Bell, D.E. and LaPadula, L.J. (1973). "Secure Computer Systems: Mathematical Foundations." MITRE Technical Report. (Bell-LaPadula MAC model.)
• Biba, K.J. (1977). "Integrity Considerations for Secure Computer Systems." MITRE Technical Report.
• Clark, D.D. and Wilson, D.R. (1987). "A Comparison of Commercial and Military Computer Security Policies." IEEE Symposium on Security and Privacy.
• Sandhu, R. et al. (2000). "The NIST Model for Role-Based Access Control." NIST.
• Ferraiolo, D.F. et al. (2001). "Proposed NIST Standard for Role-Based Access Control." ACM Transactions on Information and System Security.
• Hu, V.C. et al. (2014). "Guide to Attribute Based Access Control (ABAC) Definition and Considerations." NIST Special Publication 800-162.

AI Security and Prompt Injection

• Perez, F. and Ribeiro, I. (2022). "Ignore Previous Prompt: Attack Techniques for Language Models." NeurIPS ML Safety Workshop. arXiv:2211.09527.
• Greshake, K. et al. (2023). "Not What You've Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection."
• OWASP (2025/2026). "Top 10 for Agentic Applications." Security risk framework for agentic AI applications.

Formal Methods

• Rice, H.G. (1953). "Classes of Recursively Enumerable Sets and Their Decision Problems." Transactions of the American Mathematical Society. (Rice's Theorem, used in Theorem 4 proof.)
• Waismann, F. (1945). "Verifiability." Proceedings of the Aristotelian Society. (Open-texture of natural language, basis for Axiom 3.)

NIST Standards Referenced

• NIST AI Risk Management Framework (AI RMF) 1.0, January 2023.
• NIST Cybersecurity Framework (CSF) 2.0, February 2024. (Added Govern function directly relevant to AI agent governance.)
• NIST Special Publication 800-53 Rev. 5, "Security and Privacy Controls for Federal Information Systems."
• NIST Special Publication 800-63-3, "Digital Identity Guidelines."
• NIST Special Publication 800-162, "Guide to ABAC Definition and Considerations."
• NIST Special Publication 800-207, "Zero Trust Architecture." (ELP trust domain boundaries are consistent with ZTA trust zone concepts.)
• FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems."

Adversarial ML Frameworks

• MITRE ATLAS (Adversarial Threat Landscape for AI Systems). (Catalogs adversarial ML tactics and techniques; the attack taxonomy in Section 7 maps to and extends ATLAS categories.)

Industry Standards and Frameworks

• EU AI Act (Regulation (EU) 2024/1689). Full application: August 2, 2026.
• Agentic AI Infrastructure Foundation (AAIF), Linux Foundation, December 2025. (Governance of MCP, A2A, and related protocols; platinum members: AWS, Google, Microsoft, OpenAI, Anthropic, Block, Bloomberg, Cloudflare.)
• CISA (2026). "Principles for Secure AI Integration in Operational Technology." (Joint with Australian ASD/ACSC.)

Normative Multi-Agent Systems and Institutional Governance

• Shoham, Y. and Tennenholtz, M. (1995). "On Social Laws for Artificial Agent Societies: Off-Line Design." Artificial Intelligence, 73(1-2), 231–252.
• Boella, G. and van der Torre, L. (2004). "Regulative and Constitutive Norms in Normative Multiagent Systems." Proceedings of KR-2004, AAAI Press.
• Dignum, V. (2004). "A Model for Organizational Interaction: Based on Agents, Founded in Logic." PhD thesis, Utrecht University.
• Singh, M.P. (1999). "An Ontology for Commitments in Multiagent Systems." Artificial Intelligence and Law, 7(1), 97–113.
• Singh, M.P. (2021). "Maintenance of Social Commitments in Multiagent Systems." Proceedings of AAAI-2021.
• Artikis, A., Sergot, M., and Pitt, J. (2005). "Implementing Norms in Electronic Institutions." Proceedings of AAMAS-2005, ACM.
• Castelfranchi, C. and Falcone, R. (2010). Trust Theory: A Socio-Cognitive and Computational Model. Wiley.
• Ostrom, E. (2005). Understanding Institutional Diversity. Princeton University Press. (Nobel Prize 2009.)