Public Comment on NCCoE Concept Paper
Execution-Boundary Governance for AI Agents
On March 26, 2026, ZLAR founder Vincent Nijjar submitted a public comment to the NIST National Cybersecurity Center of Excellence (NCCoE) in response to its concept paper on accelerating the adoption of software and AI agent identity and authorization.
The comment argues that while current standards address agent identity, authentication, and delegated authority, they leave an architectural gap at the point that matters most: the moment of action. Authenticated is not authorized. Delegated is not governed. Reasoning is not execution.
The comment proposes that NCCoE demonstration architectures include per-action authorization at the moment of execution, non-bypassable enforcement outside the agent process, bounded human-to-agent delegation, verifiable governance receipts, tamper-evident auditability, and prompt-injection containment through external policy enforcement.
Documents
Source Document
This comment responds to the NCCoE concept paper:
Accelerating the Adoption of Software and AI Agent Identity and Authorization — Concept Paper
NIST NCCoE · February 2026