Identity Before Capability: The Agent-Authorization Stack Quietly Restructuring Agentic AI by 2028

Beneath the agentic-AI capability narrative, NIST's February 2026 AI Agent Standards Initiative, the NCCoE identity-and-authorization concept paper, OpenID Foundation's NIST response, and Okta and Microsoft Entra agent-ID releases are converging into the rails that decide which agents act on whose behalf — a 2026-2028 inflection for IAM, vendor selection and liability.

The consensus on AI and automation is that 2026 is the year agentic AI moves from demo to deployment, with frontier capability, longer context windows and tool integrations the things that matter. Beneath this sits a less obvious shift: the rapid formation of an "agent identity and authorization" stack — NIST's Center for AI Standards and Innovation, an NCCoE concept paper, OpenID Foundation submissions to federal RFIs, IETF OAuth drafts, and the pivot of dominant IAM vendors to treat agents as first-class non-human identities. These rails will determine which agents are permitted to act on whose behalf, with what audit trail. The board question is no longer "can our agents do X?" but "will our agents be allowed to do X?"

Signal Identification

A regulatory and standards pivot in early formation: the emergence of a sovereign-and-industry-led identity and authorization layer for autonomous AI agents. The signal is the convergence of US federal standards, open identity bodies and IAM vendors around a common framing — agents as identities, with delegation chains, scope-limited tokens and revocable authority — in a six-month window.

Time horizon: 2-5 years (NCCoE practice guide drafting 2026-2027; IETF and OpenID specifications ratifying 2026-2027; enterprise IAM deployment 2027; compliance and procurement convergence 2027-2028) Plausibility band: Medium-High Geographic / Jurisdictional Scope: Primary: US (NIST CAISI, NCCoE, IETF OAuth). Spillover: EU (AI Act high-risk implementing acts, ENISA); UK, Japan, Korea. Secondary: Australia, Canada, Singapore. Sectors exposed: IAM and SaaS; agent platforms; financial services (delegated transactions, FAPI); healthcare; public-sector procurement; cybersecurity; legal and compliance; cyber and professional-liability insurance.

What's Changing

The architecture is being formalised faster than enterprises notice. The (NIST Center for AI Standards and Innovation, 17/02/2026) launched the AI Agent Standards Initiative around three pillars: industry-led standards, open-source protocols, and federal research on agent security and identity. Two weeks earlier, the (NIST NCCoE concept paper, 05/02/2026) invited input on applying identity standards to AI agents in enterprise settings; comments closed 02/04/2026, with a practice guide to follow. The (OpenID Foundation formally responded, 11/03/2026), framing the core problem as "not the technology, it's the trust" and calling for a trust fabric of verifiable credentials, constrained authority and traceable accountability.

Adoption signals confirm the gap. (Deloitte's State of AI in the Enterprise 2026, 24/04/2026), surveying 3,235 leaders across 24 countries, finds 74% expect at least "moderate" agent use by 2027 yet only 21% report a mature governance model; roughly 80% lack mature agentic-governance capabilities including bounded decision rights, real-time monitoring and audit trails. The (Cloud Security Alliance research note, 16/04/2026) documents that sector concerns from CAISI's April listening sessions in healthcare, finance and education are feeding proposed Cybersecurity Overlays for AI Systems (COSAiS).

The market is moving before the standards finish. (Okta's blueprint for the secure agentic enterprise, 16/03/2026), with Okta for AI Agents generally available 30/04/2026, treats AI agents as first-class identities; it cites data that 88% of organisations report suspected or confirmed AI agent security incidents while only 22% treat agents as identity-bearing entities. (CIO's analysis of Model Context Protocol, 24/02/2026) reports fewer than 4% of MCP-related RSA 2026 submissions frame the protocol as opportunity rather than exposure — over-permissioning, tool impersonation, authentication bypass — moving governance to the protocol layer.

Disruption Pathway

Stage one (2026-2027): NCCoE practice guides, IETF specifications (OAuth 2.1, WIMSE, Identity Assertion Authorization Grant) and OpenID for Agents mature into reference implementations; major IAM vendors operationalise agent registry, scope-token vaulting and universal logout. Stage two (2027-2028): enterprise procurement requires agent-identity attestation, agent-registry inventories and identity-bearing audit logs as compliance baseline; the EU AI Act high-risk implementing acts incorporate equivalent requirements via ENISA and the EU AI Office; finance and healthcare regulators cite the standards in supervisory guidance. Stage three (2028-2030): the agent-identity layer becomes the binding determinant of which AI agents can transact with which counterparties, restructuring vendor lock-in, agent-platform economics and liability allocation.

Stresses concentrate at three points: agent-platform vendors face a forced choice between adopting open identity standards (losing lock-in) or building closed walled gardens (losing enterprise procurement); enterprise IAM teams absorb an unbudgeted workload, registering shadow agents as identities and running a credential lifecycle for non-human actors that may outnumber human staff within 18 months; compliance teams need attestable audit trails tied to delegated-authority chains, where most agents today run on shared service accounts. Two adaptations follow: operational — IAM stacks add agent registry, scope-token gateways and kill-switch as standard features; regulatory — financial and healthcare supervisors import the NIST framing into rule-making.

Why This Matters

For CIOs and CISOs, agent identity is the binding constraint on agent deployment velocity, with procurement the leading edge. For boards, IAM modernisation tied to agentic AI is the unobvious capex line likely to outpace 2026-2027 forecasts. For legal and risk committees, liability allocation now depends on whether the organisation can attest to the identity, scope and authority of every agent acting on its behalf. For agent-platform vendors, the choice is to embrace the open stack or lose the enterprise market to IAM-anchored incumbents.

Decision-action posture for this signal: Prepare — standards are in active formation and IAM-vendor product is shipping, but the 2027-2028 procurement and compliance inflection is too close to monitor passively and too early to commit hard product or contract architecture.

Counter-Argument

The strongest objection is that this is a familiar standards race that will fragment rather than converge. The (CSA listening-session note, 16/04/2026) flags sector-specific divergence; AWS, Google and Microsoft are anchoring proprietary agent-identity surfaces inside their platforms; IETF OAuth, OpenID, FIDO and W3C have overlapping drafts. The layer could end up like the WS-* generation — a graveyard of competing standards enterprises route around with proprietary glue.

This understates two forcing functions. EU AI Act implementing acts and sector supervisor guidance need a citable identity-and-authorization baseline by 2027-2028, forcing convergence even where specifications differ at the margin. IAM-vendor economics point the same way: customers want to buy the layer once, not three times. Fragmentation slows the timeline by 12-18 months without changing the outcome.

Implications

The signal catalyses durable change in the enterprise AI stack. The (NCCoE concept paper, 05/02/2026) reframes agent governance from a model-quality problem into an identity-and-authorization problem — a reframing that carries across regulators, IAM vendors and procurement and does not reverse on a slowdown in model capability. The agent-identity layer becomes the addressable market for IAM incumbents (Okta, Microsoft Entra, CyberArk, Ping) and a disqualifying constraint for agent-platform vendors that resist it. The competitive geography of agentic AI is being set not by who has the best model, but by who controls the rails that decide whose model is allowed to act.

Early Indicators to Monitor

Disconfirming Signals

Strategic Questions

Keywords

AI agent identity; agent authorization; NIST AI Agent Standards Initiative; NCCoE; OpenID Foundation; Model Context Protocol; OAuth 2.1; WIMSE; agentic AI governance; non-human identity; IAM modernisation; agent registry

Bibliography