Internet-Draft | AI Agent Authentication and Authorizatio | Chen & Su | January 2026 | Expires 10 July 2026
AI Agents are rapidly evolving from academic concepts into the core engines driving next-generation applications. However, their autonomy, dynamic nature, and complex delegation relationships pose a fundamental challenge to our existing authentication and authorization frameworks, which were designed for human users and traditional software. This document dissects the novel characteristics of AI Agents and outlines the new requirements for authentication and authorization that govern dynamic behavior rather than merely verifying static identity.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on 10 July 2026.
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
Traditional security models are built on a core assumption: the behavior of a protected entity, be it a human or a service, is relatively predictable. We authenticate an "identity" and then grant it a set of fixed "permissions." AI Agents shatter this foundation.
An AI Agent is not a simple instruction executor; it is a goal achiever. We provide it with a high-level objective (e.g., "optimize supply chain costs"), and it autonomously decomposes the task, learns from its environment, invokes tools, and may discover innovative operational paths we never anticipated. This shift introduces four disruptive characteristics:
High Autonomy and Emergent Behavior: An Agent's actions are not pre-coded but are dynamically generated to achieve a goal. Static permission rules can neither foresee nor cover all of its possible operations.
Dynamic, Ephemeral, and Replicable Nature: For efficiency, a primary Agent may spawn thousands of ephemeral sub-agents in an instant to handle parallel tasks. Their identities are transient, massive in scale, and may exist for only milliseconds.
Complex Delegation and Chains of Responsibility: Agents can form deep, networked call chains. A travel Agent might call a flight Agent, which in turn calls a payment Agent. When an unauthorized action occurs, attributing responsibility and tracing the flow of permissions becomes incredibly complex.
Continuous Learning and Adaptation: An Agent's decision-making model evolves over time. This means an Agent's "normal behavior" today may differ from yesterday's, leaving it exposed to model drift or malicious manipulation that traditional static credentials cannot detect.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174].
In the face of these characteristics, one-time authentication becomes woefully inadequate. We need a new authentication framework capable of continuously assessing an Agent's trustworthiness.
Authentication protocols must support a new identity format that is more than just an ID; it is a cryptographic "provenance record." This certificate must contain:
Genesis Information: The root user or task that initiated the Agent's creation.
Delegation Chain: A cryptographically signed, non-forgeable call path that clearly records every delegation from the genesis to the current instance.
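As an added illustration that is not part of this draft and not a proposed wire format, the following Python sketch shows one way a provenance record of the kind described above can be made tamper-evident and cheap to verify. It anticipates the symmetric-key approach this document favours later: each delegation derives the sub-agent's key from its parent's key with HMAC over the hop's identity and attenuated scope, so a verifier holding only the root agent's key (provisioned at genesis) re-derives the current agent's key by walking the recorded chain, and any rewritten hop, widened scope, or missing link yields a failed check. Every name here (ProvenanceRecord, delegate, verify_assertion, the agent ids, the nonce and the root key) is constructed for the example. It uses MACs rather than the digital signatures the text calls for, so it proves chain integrity to the verifier but not non-repudiation; with signatures the verifier would instead check each hop's signature against the delegator's public key.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed demo secret: in practice provisioned to the root agent and the
# verifier at genesis. All names below are hypothetical, not from the draft.
ROOT_KEY = hashlib.sha256(b"constructed root key for the example").digest()


def derive_child_key(parent_key: bytes, child_id: str, scope: list) -> bytes:
    """Bind a sub-agent's key to its identity and its (attenuated) scope.

    Changing either field of a recorded hop changes every key derived below it,
    so a tampered chain can no longer produce a valid tag.
    """
    hop = json.dumps({"id": child_id, "scope": sorted(scope)},
                     sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(parent_key, b"delegate|" + hop, hashlib.sha256).digest()


@dataclass
class ProvenanceRecord:
    genesis: dict                              # root user/task and root agent scope
    hops: list = field(default_factory=list)   # [{"id": ..., "scope": [...]}], oldest first


def canonical(record: ProvenanceRecord) -> bytes:
    return json.dumps({"genesis": record.genesis, "hops": record.hops},
                      sort_keys=True, separators=(",", ":")).encode()


def delegate(record, parent_key, child_id, child_scope):
    """Parent agent spawns a sub-agent: append a hop and hand over a derived key."""
    parent_scope = record.hops[-1]["scope"] if record.hops else record.genesis["scope"]
    if not set(child_scope) <= set(parent_scope):
        raise ValueError("delegation may only attenuate scope, never widen it")
    hop = {"id": child_id, "scope": sorted(child_scope)}
    return (ProvenanceRecord(record.genesis, record.hops + [hop]),
            derive_child_key(parent_key, child_id, child_scope))


def make_assertion(record, agent_key, action, nonce: bytes) -> str:
    """The current agent proves possession of its derived key over chain + action."""
    body = canonical(record) + b"|" + action.encode() + b"|" + nonce
    return hmac.new(agent_key, body, hashlib.sha256).hexdigest()


def verify_assertion(record, action, nonce, tag, root_key=ROOT_KEY):
    """Verifier walks the chain from genesis, re-deriving keys and checking scope."""
    key, scope = root_key, set(record.genesis["scope"])
    for hop in record.hops:
        hop_scope = set(hop["scope"])
        if not hop_scope <= scope:
            return False, "scope escalation in chain at " + hop["id"]
        key, scope = derive_child_key(key, hop["id"], hop["scope"]), hop_scope
    if action not in scope:
        return False, "action outside delegated scope"
    body = canonical(record) + b"|" + action.encode() + b"|" + nonce
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad tag: chain or key does not match"
    return True, "ok"


def demo():
    """Constructed travel -> flight -> payment chain, honest and tampered."""
    genesis = {"user": "alice", "task": "book-trip-42", "agent_id": "travel-agent",
               "scope": ["book_flight", "pay", "search_flights"]}
    root = ProvenanceRecord(genesis)
    flight_rec, flight_key = delegate(root, ROOT_KEY, "flight-agent-7",
                                      ["search_flights", "book_flight", "pay"])
    pay_rec, pay_key = delegate(flight_rec, flight_key, "payment-agent-3", ["pay"])
    nonce = b"constructed-nonce-0001"

    honest = verify_assertion(pay_rec, "pay", nonce,
                              make_assertion(pay_rec, pay_key, "pay", nonce))

    # The payment agent rewrites its own hop to claim booking rights. The
    # scope is still within its parent's, but the re-derived key no longer
    # matches the key it actually holds, so the tag fails.
    forged_hop = {"id": "payment-agent-3", "scope": ["book_flight", "pay"]}
    forged = ProvenanceRecord(genesis, pay_rec.hops[:-1] + [forged_hop])
    forged_tag = make_assertion(forged, pay_key, "book_flight", nonce)
    tampered = verify_assertion(forged, "book_flight", nonce, forged_tag)
    return honest, tampered


if __name__ == "__main__":
    print(demo())
```

Because the scope of each hop is folded into the key derivation, the verifier needs no per-agent key store and no public-key operation per sub-agent: one HMAC per hop reconstructs the current key, which is what makes the scheme viable for thousands of millisecond-lived sub-agents.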
Authentication cannot be a single event. Protocols must support a lightweight "behavioral heartbeat" mechanism, allowing an Agent to periodically submit a cryptographic digest of its recent actions to a monitoring system. By comparing this digest against an expected behavioral baseline, the system can continuously verify that the Agent is "acting normally," thus detecting hijacking or unexpected drift even if its identity credential remains valid.
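As an added example that is not part of this draft, the following Python sketch implements a simple form of the behavioral heartbeat. The agent summarises its recent window of tool invocations as a histogram and binds it to a sequence number under a key shared with the monitor (HMAC, the symmetric mechanism this document favours); the monitor verifies the tag, rejects replays, flags any tool absent from the baseline, and measures drift as the total variation distance between the observed and baseline invocation distributions. The agent id, tool names, baseline counts, threshold and key are constructed values, and the draft specifies neither a summary format nor a distance metric, so both are choices made for this illustration.

```python
import hashlib
import hmac
import json
from collections import Counter

# Constructed demo key shared between the agent and the monitor; every name
# below is hypothetical and not taken from the draft.
AGENT_KEY = hashlib.sha256(b"constructed heartbeat key").digest()


def _encode(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def build_heartbeat(agent_id: str, seq: int, recent_actions: list, key=AGENT_KEY) -> dict:
    """Agent side: summarise the recent window and bind it to a sequence number."""
    summary = dict(sorted(Counter(a["tool"] for a in recent_actions).items()))
    payload = {"agent": agent_id, "seq": seq, "summary": summary}
    return {"payload": payload,
            "tag": hmac.new(key, _encode(payload), hashlib.sha256).hexdigest()}


class HeartbeatMonitor:
    """Monitor side: authenticate each heartbeat, then compare it with a baseline."""

    def __init__(self, baseline: dict, threshold: float = 0.3, key=AGENT_KEY):
        total = sum(baseline.values())
        self.baseline = {tool: n / total for tool, n in baseline.items()}
        self.threshold = threshold      # max tolerated total variation distance
        self.key = key
        self.last_seq = {}              # per-agent replay window

    def check(self, hb: dict):
        payload, tag = hb["payload"], hb["tag"]
        expected = hmac.new(self.key, _encode(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "reject", "bad tag"
        if payload["seq"] <= self.last_seq.get(payload["agent"], -1):
            return "reject", "replayed or stale heartbeat"
        self.last_seq[payload["agent"]] = payload["seq"]

        summary = payload["summary"]
        total = sum(summary.values())
        if total == 0:
            return "ok", "idle window"
        observed = {tool: n / total for tool, n in summary.items()}

        # Any tool the baseline has never seen is reported before measuring drift.
        unknown = sorted(tool for tool in observed if tool not in self.baseline)
        if unknown:
            return "alert", "tools outside baseline: " + ",".join(unknown)

        # Total variation distance between the two invocation distributions.
        tools = set(observed) | set(self.baseline)
        tvd = 0.5 * sum(abs(observed.get(t, 0.0) - self.baseline.get(t, 0.0)) for t in tools)
        if tvd > self.threshold:
            return "alert", f"behavioural drift, tvd={tvd:.2f}"
        return "ok", f"tvd={tvd:.2f}"


def demo():
    """Constructed windows: a normal one, a replay, a hijack, a drift, and a tampered one."""
    monitor = HeartbeatMonitor({"search_flights": 60, "read_calendar": 30, "book_flight": 10})
    normal = ([{"tool": "search_flights"}] * 6 + [{"tool": "read_calendar"}] * 3
              + [{"tool": "book_flight"}])
    hijacked = [{"tool": "search_flights"}] * 2 + [{"tool": "export_contacts"}] * 5
    drifted = [{"tool": "book_flight"}] * 8 + [{"tool": "search_flights"}] * 2

    tampered = build_heartbeat("travel-agent", 4, hijacked)
    tampered["payload"]["summary"] = {"search_flights": 7}    # edited after tagging

    verdicts = [
        monitor.check(build_heartbeat("travel-agent", 1, normal))[0],
        monitor.check(build_heartbeat("travel-agent", 1, normal))[0],    # seq 1 again
        monitor.check(build_heartbeat("travel-agent", 2, hijacked))[0],
        monitor.check(build_heartbeat("travel-agent", 3, drifted))[0],
        monitor.check(tampered)[0],
    ]
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The ordering inside check matters: the tag and sequence number are validated before any behavioural comparison, so an attacker who has captured an old heartbeat cannot replay a "normal" window to mask a hijacked agent, and a heartbeat edited in transit is rejected before its contents are trusted. The baseline itself would need to be refreshed under controlled conditions as the agent's model adapts, otherwise legitimate learning shows up as drift.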
To support massive-scale, ephemeral Agents, protocols must enable near-zero overhead for identity creation and verification. Expensive public-key operations and complex handshakes should be replaced with efficient symmetric-key mechanisms to meet the demands of high-frequency creation, destruction, and continuous attestation.