
NIST and AI agents: 1Password’s approach to agent identity

by Jacob DePriest, Nancy Wang, Jeff Malnick

April 8, 2026 - 6 min


At 1Password, we approach security through simplicity. We are developing an agent identity architecture to simplify and enhance the security of AI agents, ensuring interoperability with existing systems. Our approach is built in collaboration with customers, partners, and the standards community. 

As part of this work, we recently responded to NIST’s AI agent authorization paper. Our view is that agent identity is not a single problem. It is a set of challenges spanning identification, attestation, enrollment, authentication, and authorization for machine workloads with reasoning capabilities. The ability to reason is what sets AI agents apart from traditional machine workloads. 

This post is the first in a multi-part series on why agent-driven systems require us to rethink identity to enable continuous authentication and authorization for reasoning agents, and how that shapes both our response to NIST and our own approach to agent identity. 

The agent identity problem

Where traditional machine workloads have a “set and forget” policy, the nature of reasoning workloads means a static policy can become out of date as the agent interprets its situation and takes its next action. Agents that automatically deploy software are a clear example of this kind of access escalation. A deployment agent begins with access to QA resources, but its access needs evolve when tests pass and may then require access to production services. 

The principle of Zero Trust maintains that you should provide only the minimum access needed, but infinitely evolving logic makes it difficult to apply the correct access for the lifetime of an agent process. This paradox is what sets agent workloads apart and makes them more challenging than traditional machine actors. An identity and access management architecture for agents more closely matches the needs of a human than those of a traditional machine workload, but that architecture needs to engage machines instead of human actors. At the same time, an agent identity architecture must apply Zero Trust principles in real time. 

Existing identity and access management (IAM) protocols address some agentic requirements, and they are a practical starting point for maintaining interoperability. At the same time, approaches built on federation or on cryptographic trust anchored to a central authority can introduce performance overhead and added complexity as autonomy increases. These tradeoffs are reasonable in the near term, particularly as the ecosystem continues to mature. Over time, the direction should move toward identity standards that reduce coordination costs and provide a more direct path to fully autonomous identity verification.

What’s an identity?

Digital identity has taken many forms over the years, but it is easier to understand through its issuer. Operating systems, directories, and federation all tie an identifier back to an authoritative source. An issuer provides a cryptographic guarantee that an identifier is a trusted identity, and any system that trusts the issuer can trust the identities tied to it. Digital identity is cryptographically bound to the issuer, meaning there is no (trusted) identity without a trusted issuer. 

How do issuers come to trust an identity? 

At its core, an identity is a collection of attributes about an entity that others can verify. In the same way a web browser validates a domain by verifying a certificate’s signature against a trusted public key, a relying party validates a digital identity by checking its signature against the issuer’s public key. This verification process creates confidence that the entity is who it claims to be and is authorized to act within a fixed scope. 

Enabling autonomous systems

Non-cryptographic signals, such as where a process is running, who initiated it, and other provenance data, provide context that can be evaluated alongside, or in some cases independently of, a trusted issuer. This is the basis of attestation, where verifiable evidence about a workload is used to establish trust and, in many systems, to bootstrap enrollment into an issuing authority. 

Attestation is a key part of the agent identity challenge because it enables issuers to automatically, in real time, bind an AI agent workload to an identity without human intervention. Automatic identity generation is critical for enabling and preserving autonomous systems and, therefore, allowing agents to operate more securely without humans in the loop.

Real-time Zero Trust

Automatic identity issuance also enables continuous enforcement of Zero Trust policies. Each attestation produces fresh, verifiable evidence of the workload, which can be used to dynamically adjust access. Instead of granting standing permissions, access is derived from the most recent attestation and constrained to what is justified at that moment. This is a real-time application of the Zero Trust principle, and is a first-order requirement for any agent identity framework.
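The issuance-and-enforcement loop described here and under “Enabling autonomous systems” above, as an added example (not 1Password’s code): attestation evidence is mapped to a short-lived, scoped identity, and a relying party re-checks signature, freshness and scope before every action, so the deployment agent from earlier gains production scope only after a fresh attestation. The policy table, the workload and stage names, the key, and the HMAC stand-in for the issuer’s public-key signature are all assumptions made for the example.

```python
import hashlib
import hmac
import json
from typing import Optional
# Constructed stand-in for the issuer's signing key. The post describes issuer
# signatures checked against a public key; HMAC keeps this example stdlib-only.
ISSUER_KEY = b"constructed-issuer-key"
TOKEN_TTL = 60  # seconds before a token is stale and fresh attestation is required
# Assumed enrollment policy: attestation evidence (runtime, initiator, pipeline
# stage) maps to the scope justified at that moment, nothing more.
POLICY = {
    ("ci-runner", "pipeline", "tests-pending"): {"qa:read", "qa:deploy"},
    ("ci-runner", "pipeline", "tests-passed"): {"qa:read", "prod:deploy"},
}

def sign(payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()

def issue_from_attestation(evidence: dict, now: float) -> Optional[dict]:  # issuer
    key = (evidence.get("runtime"), evidence.get("initiator"), evidence.get("stage"))
    scopes = POLICY.get(key)
    if scopes is None:
        return None  # unrecognised provenance: no identity is issued
    payload = {"sub": evidence["workload_id"], "scopes": sorted(scopes),
               "iat": now, "exp": now + TOKEN_TTL}
    return {"payload": payload, "sig": sign(payload)}

def authorize(token: Optional[dict], action: str, now: float) -> bool:  # relying party
    if token is None:
        return False
    payload = token["payload"]
    if not hmac.compare_digest(token["sig"], sign(payload)):
        return False  # not issued by the trusted issuer, or altered afterwards
    if not payload["iat"] <= now < payload["exp"]:
        return False  # stale: access must derive from the most recent attestation
    return action in payload["scopes"]

def deployment_agent_walkthrough() -> list:  # the post's deployment-agent escalation
    now = 1_700_000_000.0
    base = {"workload_id": "deploy-agent-1", "runtime": "ci-runner", "initiator": "pipeline"}
    qa_token = issue_from_attestation({**base, "stage": "tests-pending"}, now)
    prod_token = issue_from_attestation({**base, "stage": "tests-passed"}, now + 30)
    return [
        authorize(qa_token, "qa:deploy", now + 5),        # True
        authorize(qa_token, "prod:deploy", now + 5),      # False: not yet justified
        authorize(prod_token, "prod:deploy", now + 35),   # True: fresh attestation
        authorize(prod_token, "prod:deploy", now + 200),  # False: expired, re-attest
    ]
```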

In our feedback to NIST, we “recommend that Zero Trust Architecture (line 144) be a hard requirement for any solution NIST designs and accepts.” Prompt injection attacks are increasingly common, and we must accept that any framework securing a system susceptible to this broad threat must be treated as compromised by default. Zero Trust policy must be applied in real time, as close as possible to each agent action, with as little human intervention as possible. It must set the default path to the secure path, and the secure path must be the automated path. 

The Zero Trust requirement is relevant to NIST’s framing of agent use cases. In our feedback, we recommend “splitting the use case on line 169, Enterprise AI Agents for Software Development and Deployment, into two separate use cases. The threat model for using an agent to develop software is very different from deploying software in production systems.” Generating code and taking action on production systems are two different trust domains. When an agent has access to customer data, infrastructure, or sensitive configurations, including API keys, a real-time Zero Trust system becomes even more relevant. 

Securing agents starts with identity 

Agent identity requires a model of authorization and authentication that can adapt in real time as agent behavior changes. 1Password is one of many organizations working to address the challenges of agent identity and access management, and meaningful progress depends on collaboration across the ecosystem. We are working with partners across foundation model providers, standards bodies, and emerging startups to shape an approach that is comprehensive, practical, and interoperable.

We encourage readers to review NIST’s work on AI agent authorization and to follow emerging drafts from the IETF and W3C. These efforts offer early visibility into evolving protocols and help clarify where the industry is converging.

From our perspective, advancing identity in this space will come through shared development rather than a single defining solution. Progress will depend on contributors aligning around architectures that support a range of enterprise, government, and consumer use cases. We welcome engagement from others working in this area, as well as perspectives that challenge or refine this approach.

Govern access at runtime

See how 1Password® Unified Access helps secure the next layer of AI security by governing how access is used at runtime.