Every AI Agent Needs a Proofed Human at the Root. Most Don’t Have One.

IAL3 and the Identity Assurance Problem in Agentic AI

The federal government’s approach to AI agents shifted from exploration to urgent in early 2026. In January, the Federal Register opened a formal request for information on security considerations for artificial intelligence agents. In February, NIST launched its AI Agent Standards Initiative. In April, CISA and NSA, joined by cybersecurity agencies from Australia, Canada, the UK, and New Zealand, published joint guidance on the secure adoption of agentic AI systems.

When Five Eyes nations coordinate a joint advisory, the risk is not theoretical. Agentic AI, systems that take autonomous, sequential actions across tools, data, and networks, are already inside federal infrastructure, and the governance frameworks meant to control it are still being assembled.

The industry has been asking the wrong question. The recurring framing, what is the identity assurance level of the agent, does not apply, because identity assurance levels do not apply to software. Identity Assurance Level (IAL) is a human-proofing construct. The right question is the one underneath: who proofed and authenticated the human controlling this agent, and how is that authority cryptographically delegated to the agent’s actions? That is the authorization chain. In most current deployments, it is either missing layers or has no defensible record at any layer.

Agents Are Bounded Extensions of Human Authority

The dominant mental model for AI agents is still tool-centric: an agent is software that uses tools. That framing obscures the security-critical reality. An agent does not hold independent authority. It executes a scoped, time-bound delegation from an authenticated human principal, accessing systems, querying data, triggering transactions, and making decisions inside guardrails the human established. Every action it takes is, in governance terms, an action the human authorized.

NIST’s National Cybersecurity Center of Excellence addressed this directly in its February 2026 concept paper, proposing that AI agents be treated as distinct non-human identities requiring enterprise-grade lifecycle management. The paper recommends adapting existing identity standards, OAuth 2.0, OpenID Connect, and SPIFFE/SPIRE, to govern agent authentication and access. What those mechanisms produce is not agent identity in the IAL sense. They produce cryptographic records of human authorization that the agent presents when acting downstream.

Layer One: Proofing the Human to IAL3

NIST SP 800-63-4, finalized in July 2025 after nearly four years of development, defines IAL3 as the highest identity assurance level: in-person or supervised remote proofing, biometric collection, and verification by a trained representative from a credential service provider owned and controlled secure endpoint. IAL3 does not rely on self-asserted attributes. It does not depend on probabilistic scoring or document uploads. It establishes verified, biometrically bound identity that survives adversarial challenges.

IAL2, which most commercial identity providers deliver, and which is frequently marketed as sufficient for federal use cases, is a meaningfully lower bar. The difference matters at human scale. At agent scale, where one human authorization can fan out into thousands of downstream agent actions, it is amplified by orders of magnitude.

When agent actions culminate in a federal benefits determination, a defense network query, or a law enforcement database transaction, the human authorization at the root must be traceable to an identity verified to the highest available standard. A chain rooted in IAL2 is rooted in an unverified claim, and every downstream agent action inherits that uncertainty.

Layer Two: Authenticating the Human to AAL3

Identity proofing and authentication are distinct functions and conflating them is one of the most common errors in current agentic deployments. IAL governs how confident the system is in who the person is. AAL, authentication assurance level, governs how confident the system is, in any given session, that the person currently authenticating is that same proofed individual. NIST SP 800-63B defines AAL3 as the highest authenticator assurance level: multi-factor authentication using a hardware-based, phishing-resistant authenticator, with cryptographic proof of possession.

In federal practice, AAL3 means PIV, PIV-I, or FIDO2 hardware tokens. It means the authenticator cannot be phished, cannot be replayed, cannot be exfiltrated by malware on the endpoint, and cannot be used by anyone who does not physically possess it and pass its activation factor.

When a human delegates authority to an AI agent, the authentication event that opens that delegation session is the highest-leverage moment in the entire chain. A single AAL3-authenticated session can authorize an agent to operate for hours, across systems, at machine speed. If that authentication is weaker than AAL3, a password, a push notification, an SMS code, the entire chain inherits the weakness. An attacker who phishes the credential does not phish one transaction. They phish an agent.

Layer Three: Delegating Bounded Authority to the Agent

The third layer is where the human’s authenticated authority becomes the agent’s operational scope, and where most current deployments have no defensible architecture at all.

A properly constructed delegation has four properties. It is bounded: the human specifies what tasks the agent may perform, against what systems, using what data, for what duration. It is cryptographically attested: the agent receives credentials, OAuth 2.0 scoped access tokens, OIDC delegation claims, SPIFFE/SPIRE workload identities, mTLS certificates, that downstream systems can verify, and that trace back to the human’s AAL3-authenticated session. It is enforced at the resource: each system the agent contacts validates the delegation before honoring the request, rather than trusting the agent’s self-description. And it is revocable in real time: the human, or the agent management platform acting on standing policy, can withdraw the delegation and immediately invalidate every credential the agent holds.

Scope expansion requires a fresh authorization. If the agent encounters a task outside its bounded delegation, the correct behavior is not to attempt the task, not to request elevated privileges from the system it is acting against, and not to fall back to an alternate credential. The correct behavior is to halt and return to the human for a new AAL3-authenticated grant under the same guardrail framework. Anything else breaks the chain.

Where the Chain Breaks in the Field

The production deployment numbers tell the story of how rare a complete chain currently is. Research published in 2026 found that 85% of enterprises are running agentic AI pilots, but only 5% have moved those systems to production at scale. The 80-point gap is not a capability problem. It is a chain problem, and at each layer the breaks are documented.

Only 18% of security leaders report high confidence that their current identity systems can handle agent identities. Just 23% of organizations have a formal, enterprise-wide strategy. In the absence of proper delegation infrastructure, organizations have resorted to a dangerous workaround: sharing human credentials and access tokens directly with agents. This is the diagnostic example of a broken chain. No AAL3 layer, the agent uses a static credential, not a hardware-attested authentication event. No bounded delegation, the agent inherits the full permission surface of the human whose credential it holds. No audit-defensible link, every action is logged as if the human performed it, in real time, possibly while the human is asleep. No revocation surface short of invalidating the human’s entire account.

What Agencies and Enterprises Must Demand

NIST’s AI Agent Standards Initiative identified three pillars for secure agentic deployment: interoperability, security, and identity infrastructure. The identity pillar is the one the market has been slowest to address, and the one every other control depends on. Federal agencies and enterprise security leaders should ask five direct questions of every identity and orchestration provider in their stack:

• At what assurance level do you proof the human principal, and is it IAL3 under NIST SP 800-63A, with in-person or supervised remote verification by a trained CSP representative?
• What authenticator does the human use to authorize agent delegations, and is it AAL3, hardware-bound, phishing-resistant, multi-factor?
• How does an agent acquire credentials to act downstream, and how do those credentials cryptographically chain back to the human’s AAL3-authenticated session?
• How are scope, guardrails, and revocation enforced, at agent velocity, across every system the agent touches, with a real-time kill switch?
• Can your system produce an audit-defensible record linking each agent action through delegation, authentication, and proofing back to a verified human identity, one that would hold up under federal review?

If the answers are vague at any layer, the chain is broken at that layer.

The Infrastructure Must Come First

AI agents will become the default operating mode for large portions of commercial and government workflows, benefits adjudication, document processing, access decisions, and consumer and citizen-facing interactions. That trajectory is set. The question is not whether agents will be present in commercial and government systems, but whether each is acting under a complete, inspectable chain of authority: a proofed human at the root, a hardware-authenticated session at the moment of delegation, and a bounded cryptographic grant carried into every downstream action. The chain is the operational floor for any commercial or government deployment where the consequence of an unauthorized action is a fraud event, a security incident, or an accountability failure no log can retroactively resolve.

That work starts with the identity layer. It always does.

NextgenID is a high-assurance identity infrastructure company serving federal agencies and enterprise organizations requiring IAL3-compliant identity verification. NextgenID provides the compliance-grade identity infrastructure that powers mission-critical identity programs across the U.S. government. Learn more at nextgenid.com.

Sources

• CISA/NSA/Five Eyes — Careful Adoption of Agentic AI Services (April 2026) — www.cisa.gov/resources-tools/resources/careful-adoption-agentic-ai-services
• NIST AI Agent Standards Initiative (February 2026) — www.nist.gov/caisi/ai-agent-standards-initiative
• NIST NCCoE Concept Paper — Accelerating AI Agent Identity & Authorization (February 2026) — csrc.nist.gov/pubs/other/2026/02/05/accelerating-the-adoption-of-software-and-ai-agent/ipd
• Federal Register RFI — Security Considerations for AI Agents (January 2026) — www.federalregister.gov/documents/2026/01/08/2026-00206/request-for-information-regarding-security-considerations-for-artificial-intelligence-agents
• NIST SP 800-63-4 — Digital Identity Guidelines Final (July 2025) — pages.nist.gov/800-63-4/
• ISACA — The Looming Authorization Crisis (2025) — www.isaca.org/resources/news-and-trends/industry-news/2025/the-looming-authorization-crisis-why-traditional-iam-fails-agentic-ai
• Strata — The AI Agent Identity Crisis: A 2026 Guide — www.strata.io/blog/agentic-identity/the-ai-agent-identity-crisis-new-research-reveals-a-governance-gap/
• VentureBeat — AI Agent IAM: Why Enterprise Identity Governance Is Broken (RSAC 2026) — venturebeat.com/security/cisco-dickman-agentic-ai-trust-identity-governance-microsegmentation
• Federal News Network — Mitigating Risk from Emerging Agentic AI in Federal Environments (May 2026) —federalnewsnetwork.com/commentary/2026/05/mitigating-risk-from-emerging-agentic-ai-in-federal-environments/