



Internet Engineering Task Force                                  M. Chen
Internet-Draft                                                     L. Su
Intended status: Standards Track                            China Mobile
Expires: 10 July 2026                                     6 January 2026


 New requirements for Authentication and Authorization in the AI Agents
                                  era
              draft-chen-ai-agent-auth-new-requirements-00

Abstract

   AI Agents are rapidly evolving from academic concepts into the core
   engines driving next-generation applications.  However, their
   autonomy, dynamic nature, and complex delegation relationships pose a
   fundamental challenge to our existing authentication and
   authorization frameworks, which were designed for human users and
   traditional software.  This document dissects the novel
   characteristics of AI Agents and outlines the new requirements for
   authentication and authorization which can manage dynamic behavior
   rather than verifying static identity.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 10 July 2026.

Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights



Chen & Su                 Expires 10 July 2026                  [Page 1]

Internet-Draft  AI Agent Authentication and Authorizatio    January 2026


   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  New Authentication Requirements:From "Who Are You?" to "Are You
           Still Trustworthy?" . . . . . . . . . . . . . . . . . . .   3
     3.1.  New Requirement 1: Traceable Identity and Provenance  . .   3
     3.2.  New Requirement 2: Continuous Behavioral Attestation  . .   4
     3.3.  New Requirement 3: Ultra-Low-Overhead Identity
           Management  . . . . . . . . . . . . . . . . . . . . . . .   4
   4.  New Authorization Requirements: From "What Permissions Do You
           Have?" to "What Are You Allowed to Do, Right Here, Right
           Now?" . . . . . . . . . . . . . . . . . . . . . . . . . .   4
     4.1.  New Requirement 1: Intent-Driven, Just-in-Time (JIT)
           Permissions . . . . . . . . . . . . . . . . . . . . . . .   4
     4.2.  New Requirement 2: Rich Context and Risk-Awareness  . . .   4
     4.3.  New Requirement 3: Explainable and Auditable
           Authorization . . . . . . . . . . . . . . . . . . . . . .   5
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   5

1.  Introduction

   Traditional security models are built on a core assumption: the
   behavior of a protected entity, be it a human or a service, is
   relatively predictable.  We authenticate an "identity" and then grant
   it a set of fixed "permissions."  AI Agents shatter this foundation.

   An AI Agent is not a simple instruction executor; it is a goal
   achiever.  We provide it with a high-level objective (e.g., "optimize
   supply chain costs"), and it autonomously deconstructs the task,
   learns from its environment, invokes tools, and may discover
   innovative operational paths we never anticipated.  This shift
   introduces four disruptive characteristics:

   High Autonomy and Emergent Behavior: An Agent's actions are not pre-
   coded but are dynamically generated to achieve a goal.  Static
   permission rules can neither foresee nor cover all its possible
   operations.






Chen & Su                 Expires 10 July 2026                  [Page 2]

Internet-Draft  AI Agent Authentication and Authorizatio    January 2026


   Dynamic, Ephemeral, and Replicable Nature: For efficiency, a primary
   Agent may spawn thousands of ephemeral sub-agents in an instant to
   handle parallel tasks.  Their identities are transient, massive in
   scale, and may exist for only milliseconds.

   Complex Delegation and Chains of Responsibility: Agents can form
   deep, networked call chains.  A travel Agent might call a flight
   Agent, which in turn calls a payment Agent.  When an unauthorized
   action occurs, attributing responsibility and tracing the flow of
   permissions becomes incredibly complex.

   Continuous Learning and Adaptation: An Agent's decision-making model
   evolves over time.  This means an Agent's "normal behavior" today may
   differ from yesterday's, making it vulnerable to model drift or
   malicious manipulation that traditional static credentials cannot
   detect.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174].

3.  New Authentication Requirements:From "Who Are You?" to "Are You
    Still Trustworthy?"

   In the face of these characteristics, one-time authentication becomes
   woefully inadequate.  We need a new authentication framework capable
   of continuously assessing an Agent's trustworthiness.

3.1.  New Requirement 1: Traceable Identity and Provenance

   Authentication protocols must support a new identity format that is
   more than just an ID; it's a cryptographic "provenance record."  This
   certificate must contain:

   Genesis Information: The root user or task that initiated the Agent's
   creation.  Delegation Chain: A cryptographically signed, non-
   forgeable call path that clearly records every delegation from the
   genesis to the current instance.










Chen & Su                 Expires 10 July 2026                  [Page 3]

Internet-Draft  AI Agent Authentication and Authorizatio    January 2026


3.2.  New Requirement 2: Continuous Behavioral Attestation

   Authentication cannot be a single event.  Protocols must support a
   lightweight "behavioral heartbeat" mechanism, allowing an Agent to
   periodically submit a cryptographic digest of its recent actions to a
   monitoring system.  By comparing this digest against an expected
   behavioral baseline, the system can continuously verify that the
   Agent is "acting normally," thus detecting hijacking or unexpected
   drift even if its identity credential remains valid.

3.3.  New Requirement 3: Ultra-Low-Overhead Identity Management

   To support massive-scale, ephemeral Agents, protocols must enable
   near-zero overhead for identity creation and verification.  Expensive
   public-key operations and complex handshakes should be replaced with
   efficient symmetric-key mechanisms to meet the demands of high-
   frequency creation, destruction, and continuous attestation.

4.  New Authorization Requirements: From "What Permissions Do You Have?"
    to "What Are You Allowed to Do, Right Here, Right Now?"

   Static, Role-Based Access Control (RBAC) is obsolete in the face of
   autonomous Agents.  Authorization decisions must become dynamic,
   precise, and risk-aware.

4.1.  New Requirement 1: Intent-Driven, Just-in-Time (JIT) Permissions

   Authorization is no longer about pre-assigning a broad role.
   Instead, it must be about granting the principle of least privilege
   required to complete a specific task, at the moment of execution.
   For example, the system should grant an Agent permission to "execute
   a payment of amount <= $100 for the purpose of booking a flight"
   rather than a generic "payment" permission.  This permission must
   expire immediately upon task completion.

4.2.  New Requirement 2: Rich Context and Risk-Awareness

   Authorization decisions must be based on a rich set of contextual
   factors, including but not limited to:

   *  The Agent's intent and objective.

   *  A risk assessment of the requested operation.

   *  Whether its current behavioral patterns are normal.

   *  The sensitivity and provenance of the data being accessed.




Chen & Su                 Expires 10 July 2026                  [Page 4]

Internet-Draft  AI Agent Authentication and Authorizatio    January 2026


   Protocols must be able to efficiently carry this structured context
   to the policy engine for real-time evaluation.

4.3.  New Requirement 3: Explainable and Auditable Authorization

   Given the autonomy of Agents, when something goes wrong, we must be
   able to answer, "Why was the system authorized to do that?"
   Therefore, the response from an authorization protocol must be
   explainable.  It should return not just an "Allow" or "Deny" verdict
   but also the rationale behind the decision, such as the policy IDs
   that were matched and a snapshot of the critical context evaluated.
   This is essential for post-mortem audits, accountability, and the
   iterative refinement of security guardrails.

5.  IANA Considerations

6.  Security Considerations

Authors' Addresses

   Meiling Chen
   China Mobile
   BeiJing
   China
   Email: chenmeiling@chinamobile.com


   Li Su
   China Mobile
   BeiJing
   China
   Email: suli@chinamobile.com



















Chen & Su                 Expires 10 July 2026                  [Page 5]
