Aethyr Research

We Submitted a Comment to NIST on AI Agent Identity. Here's Why You're Reading It First.

by R. Demetri Vallejos
nistagent-identitypost-quantumpqcstandardsopen-letter

Last week, NIST's National Cybersecurity Center of Excellence published a concept paper titled "Accelerating the Adoption of Software and AI Agent Identity and Authorization." They invited public comment. We submitted ours.

But before it went to NIST, we decided to publish it here — in full — because the problems it addresses are too important to leave inside a comment portal.

The Problem, Plainly Stated

AI agents are operating across enterprise systems right now. They're scheduling jobs, managing CRM pipelines, sending emails, modifying records, and executing transactions. They do this using shared API keys and OAuth bearer tokens that prove possession, not identity.

That means when an agent creates a record in your CRM, the audit log shows a service account — not which agent, operating under whose authority, with what scope of permissions. When something goes wrong, the forensic trail ends at a shared credential.

This is not a theoretical concern. This is the state of production agent infrastructure today.

What's Missing from the Conversation

The NCCoE concept paper references several important standards. But we identified three critical gaps:

No post-quantum cryptography. Every agent identity system deployed today uses RSA or ECDSA signatures. CNSA 2.0 mandates post-quantum cryptography for all new national security systems by January 2027. Agent credentials issued on classical crypto today will require complete re-issuance when those mandates take effect. The standards conversation needs to account for this now, not after the deadline.

No decentralized identifiers. The paper does not reference W3C Decentralized Identifiers (DIDs) or Verifiable Credentials (VCs) as agent identity mechanisms. These are mature, ratified standards that solve the exact problem the paper describes: globally unique, cryptographically verifiable identifiers that do not depend on a central registry and that work offline.

No architecture for denied or degraded connectivity. Defense and critical infrastructure environments operate under DDIL conditions — Denied, Degraded, Intermittent, Limited bandwidth. Agent identity that requires a network call to a central authority for every authentication event is not viable in these environments. The conversation must include offline verification from the start.

What We Built

At Aethyr Research, we didn't wait for the standards conversation to conclude. We built a production implementation.

Our agents receive W3C Decentralized Identifiers derived from ML-DSA-65 post-quantum signing keys (NIST FIPS 204). Each identifier is cryptographically bound to the agent's key material — not to a username, not to a service account, not to the hardware it runs on.

The key hierarchy uses a BIP32-inspired derivation scheme from a single master seed: identity keys, signing keys, DID keys, backup keys, and per-session ephemeral keys — all domain-separated via BLAKE3-KDF. Key rotation uses KERI-style pre-rotation, where a commitment to the next public key is made at creation time. When rotation occurs, the DID remains stable. No mass re-issuance of credentials.

Authorization is capability-based. Each agent holds a Verifiable Credential that enumerates exactly which tools it may invoke. Every invocation is checked at runtime against the credential. No implicit permissions. No inheritance. High-risk actions require human-in-the-loop approval through an explicit delegation consent flow, not a policy checkbox.

Every action can be signed with the agent's post-quantum key, creating a non-repudiable audit record that links action to agent to issuing organization. The chain is complete and cryptographically verifiable — even decades from now, even against a quantum adversary.

We benchmark ML-DSA-65 at 9,700 verifications per second and ML-KEM-768 at 36,940 key generations per second on commodity hardware (full benchmark report). This is not a research prototype. It runs in production across 440+ MCP tools spanning 14 enterprise integrations.

Why We're Publishing This Openly

Three reasons.

Transparency is a design principle, not a marketing strategy. If you're building identity infrastructure — the layer that determines who gets to do what in an AI-mediated world — you should be willing to describe your architecture in public. If your security depends on obscurity, it isn't security.

The timeline is compressed. CNSA 2.0 compliance deadlines are real. MCP adoption is accelerating. Enterprises are deploying agents now, not in three years. The standards bodies need input from teams that have already shipped production systems, not just teams that plan to. We want that input to be visible so others can build on it, challenge it, or improve it.

This is a public interest problem. Agent identity will determine the trust architecture of autonomous systems for the next decade. The decisions being made now — in NIST working groups, in protocol specifications, in early implementations — will have compounding consequences. That conversation should happen in the open.

What We Asked NIST to Consider

Our comment makes several specific recommendations:

  • Add W3C DIDs v1.0 and Verifiable Credentials Data Model 2.0 to the referenced standards
  • Add NIST FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA) to the cryptographic considerations
  • Address how MCP authorization can be extended with verifiable agent credentials bound to specific agent identities
  • Include DDIL/offline verification requirements in the architecture
  • Consider capability-based authorization with explicit delegation consent rather than role-based inheritance

We also offered to participate as a technology collaborator in the NCCoE demonstration project, bringing our production implementation, open-source verification libraries, and published benchmarks.

The Full Comment

The complete text of our submission is published here. We encourage other teams working on agent identity to submit their own comments and to engage with this problem publicly.

The comment period is open. The architecture decisions being made now will persist.

R. Demetri Vallejos is CEO and Chief AI Officer of Aethyr Research, a sovereign AI infrastructure company building distributed agent operating systems with post-quantum cryptographic identity. Based in Salt Lake City, Utah.

The full NIST NCCoE concept paper is available at nccoe.nist.gov. Comments can be submitted to AI-Identity@nist.gov.