Published May 27, 2026
Last updated May 27, 2026

Our comments to NIST: AI agent security starts with human identity verification

A summary of Persona's comments to the National Institute of Standards and Technology (NIST) about agentic standards and safety.
Will Wilkinson

AI agents have developed advanced capabilities faster than most would have imagined. In enterprise contexts, workforces are delegating more and more tasks to them. While the promise of increased productivity is enticing, the shift from deterministic automated tools to agentic autonomous systems introduces security risks that most enterprises haven’t prepared for.

The National Institute of Standards and Technology (NIST) helps establish standards, guidelines, and frameworks for the public and private sectors. Its decisions can have a direct impact on national security, trade agreements, and contract requirements. 

NIST’s focus on agentic standards

NIST often drafts ideas and asks for comments from individuals and organizations to help guide its decisions.

Earlier this year, the Center for AI Standards and Innovation (CAISI), which is part of NIST, issued a Request for Information on security considerations for AI agents. It announced the launch of the AI Agent Standards Initiative a month later. 

In February, the National Cybersecurity Center of Excellence (NCCoE), a collaborative hub within NIST, asked for feedback on its new concept paper, Accelerating the Adoption of Software and Artificial Intelligence Agent Identity and Authorization.

A summary of Persona’s comments on security considerations for AI agents

Persona has been building and deploying internal enterprise agents since 2024. We also issue and verify high-assurance identity signals, and we have a direct interest in how agents will be identified, authenticated, and authorized. We publicly responded to the RFI and concept paper (those links are to PDFs of our comments). Below, we share a condensed summary of our thoughts. 

AI agents break traditional enterprise security assumptions

Today's enterprise security practices are built on a premise that is quickly becoming outdated: a human actor is fully present and in the loop whenever a tool acts on their behalf.

In that world, automated, non-human activity is treated with suspicion by default. Access requests happen at human speed and are reviewable and interruptible within a window humans can manage. Relying on API keys and multi-factor authentication (MFA) works because the three traditional factors (something you have, something you know, and something you are) are anchors to a specific person at a specific moment. 

AI agents break all these assumptions because they:

  • Legitimize automated activity. When an agent makes hundreds of API calls on behalf of a user, how do you distinguish between legitimately delegated bot activity and automated abuse? Automated behavior, which used to indicate compromise, is increasingly normalized.

  • Operate much faster than humans. Incident response workflows designed to catch anomalous access aren’t calibrated for the speed at which agents can move through a system. IT teams also aren't prepared for the volume of access requests generated by agents.

  • Circumvent traditional MFA. An agent can satisfy all three classic authentication factors through legitimate delegation, and then expand its scope autonomously. Once the credential handoff happens, the human who authorized it may have no visibility into what the agent does next.

The implication isn't that agents are inherently dangerous, but that the security foundations we built were designed for a world without agents. Applying them to an agentic world can open enterprises up to significant risk.

The role of verified human identity

If the assumptions need rethinking, so do the frameworks built on top of them. While verified human identity won't address all of the gaps, enterprise security frameworks ultimately trace back to humans. The strength of the chain depends on how reliably humans are identified at critical moments. 

We suggest several areas where this becomes acute, including:

  1. Delegation: The verification chain must start with a human or organization sponsoring the agent. Without high-assurance identity verification at the moment of delegation, everything downstream rests on an assumption that may be wrong.

  2. Authorization: The agent should have limited authorization to take specific actions within specific contexts. Preexisting enterprise security practices often assume that the entity requesting authorization is capable of exercising human judgment regarding the scope of authorization, but that’s not the case with agents.

  3. Auditability: Every action should be traceable to the verified human or organization that authorized it. Otherwise, audit trails tell you what happened, but you won’t know who is actually accountable.

All of these have to be grounded in modern, configurable identity verification. Organizations must assume attackers will use high-quality deepfakes (images, videos, and audio) and sophisticated injection attack techniques. Enterprises also need verification flows that can easily adapt to risk and friction considerations based on the business’s goals, new regulations, and evolving attack vectors.

Across our comments to NIST, our primary recommendations are:

  • Require sponsorship by a verified human or organization wherever agents are being deployed.

  • Accelerate adoption by publishing reference architectures and patterns for secure delegation and agent identity.

  • Convene industry, government, and standards bodies to drive agreement on shared evaluation scenarios and documentation templates before rallying behind specific protocols.  

  • Address consumer use cases in parallel with or shortly after the enterprise focus.

These standards conversations are in their early stages, and enterprises are standing up agents without necessarily having the security infrastructure to match. NIST has a narrow window to set expectations before patterns harden and before incidents occur that make the risks impossible to ignore.

Please join us in the conversation. And get in touch if you have questions about identity verification or are ready to incorporate it for secure agentic use cases.

The information provided is not intended to constitute legal advice; all information provided is for general informational purposes only and may not constitute the most up-to-date information. Any links to other third-party websites are only for the convenience of the reader.
Will Wilkinson is director of government affairs at Persona. Will was previously head of policy at TBD (a division of Block), vice president for policy at the Niskanen Center, contributing opinion writer for The New York Times, and US politics correspondent for The Economist. He has published on a wide array of subjects in The Economist, The Atlantic, The New York Times, The Washington Post, Bloomberg, Forbes, Politico and many other publications.