NIST AI Risk Management Framework
AI agent authorization and the NIST AI RMF.
NIST's AI Risk Management Framework and the CAISI Request for Information (Docket NIST-2025-0035) both point at the same unaddressed gap: AI agents taking consequential actions without a verifiable, external authorization check. This page maps Permission Protocol's authority receipt model to NIST AI RMF functions and documents the authorization gap in detail.
NIST CAISI RFI Response
Permission Protocol submitted a response to the NIST Cybersecurity and Artificial Intelligence Security Initiative RFI (Docket NIST-2025-0035) on AI agent security. The response identified the authorization gap as the primary unaddressed threat and proposed the fail-closed, receipt-based authorization model as the standard for AI agent governance.
NIST AI RMF function mapping.
GOVERN
Establish the organizational practices, policies, and accountability structures for AI risk management.
GV.OC Organizational Context
Define the purpose, scope, and accountability of AI systems in the organization
Authority receipts enforce a clear boundary: AI agents can request actions, humans authorize them. The signer identity on every receipt makes accountability explicit and auditable.
GV.PO Policies, Processes
Establish policies that govern AI system behavior and consequences
Permission Protocol policies define which actions are cleared, require approval, or are denied. Named policy versions are recorded on every receipt — creating a traceable link between policy and outcome.
GV.RR Roles & Responsibilities
Assign AI risk management responsibilities to specific individuals
The approved_by field on every receipt names the specific human who took responsibility for the action. Not a team. Not a role. A named individual, at a specific time, for a specific action.
MANAGE
Implement risk response plans and human oversight mechanisms for AI systems in production.
MG.AN Risk Analysis
Analyze AI risks before deployment and during operation
The Consequence Engine evaluates each action as cleared, approval_required, or denied before it executes — applying consequence-aware policy at runtime, not just at deployment time.
MG.RR Risk Response
Implement responses to identified AI risks including human override
Human-in-the-loop approval is enforced by the authorization gate — not advisory. Denial is fail-closed. The agent cannot proceed without an affirmative human decision or policy clearance.
MG.MT Monitoring
Monitor AI system behavior and performance in production
Every receipt creates a timestamped, immutable record of what was authorized. When behavior deviates from receipted actions, the gap is immediately visible in the audit trail.
MEASURE
Develop metrics and evidence to assess AI risks, inform decisions, and support accountability.
MS.AN AI Risk Analysis
Collect and analyze information about AI system behavior and harms
Receipt audit trails provide per-action data: actor, action type, resource, policy, approver, timestamp. Query the API to analyze authorization patterns across all agent actions.
MS.EV Evaluation
Evaluate AI system outputs and behaviors against intended design
Authorization coverage metrics (what percentage of consequential actions have a receipt) give a quantifiable measure of governance completeness — a concrete answer to 'how much of our AI activity is governed?'
MS.TR Trustworthiness
Assess and document AI system trustworthiness properties
Ed25519 signatures on every receipt are independently verifiable. Receipt IDs are stable and resolvable. The verification API provides a cryptographic trustworthiness check any external auditor can run.
From the RFI response
The five gaps NIST's framework doesn't yet close.
These gaps were identified in our CAISI RFI submission. They represent structural limitations of existing security approaches when applied to AI agent systems.
Permissions ≠ Authorization
IAM and RBAC systems answer: what is this identity allowed to do? They do not answer: was this specific action, right now, explicitly authorized? The AWS Kiro incident illustrates the gap — Kiro had the IAM permissions to delete the environment. No system required explicit authorization for that specific destructive action. It proceeded.
Agent identity is conflated with operator identity
AI agents typically inherit their operator's credentials. When the operator has broad access, the agent does too — regardless of whether the specific action was reviewed. Permission Protocol treats agents as distinct actors requiring per-action authorization, not inherited permissions.
No standard for agent action receipts
There is no interoperable format for proof that an AI agent action was authorized. Every organization invents its own audit trail — or doesn't. Permission Protocol's receipt format is open and documented at permissionprotocol.com/spec.
Monitoring is reactive, not preventive
Current approaches detect unauthorized actions after they occur. For irreversible actions — production deployments, data deletions, infrastructure changes — detection is insufficient. Prevention, enforced before execution, is required. That is what the authorization gate provides.
No fail-closed default
Most CI/CD systems default to allow. If a security check fails to run (misconfiguration, timeout, outage), the action proceeds. For AI agent actions, the default must be deny. Permission Protocol is fail-closed: absence of a receipt blocks the action.
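The pieces described on this page (a policy that returns cleared, approval_required or denied per action; a receipt naming actor, action, resource, policy version and approved_by; an Ed25519 signature an outside auditor can verify; and a gate that blocks when no valid receipt is present) fit together in a small program. The Go code below is an added illustration written for this page. It is not Permission Protocol's code and does not implement the receipt format published at permissionprotocol.com/spec; the Receipt and Policy structures, the JSON-encoded signing input, names such as Gate and SignerPK, and the sample policy and receipt values are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Decision is the verdict a hypothetical Consequence Engine returns for an action type.
type Decision string

const (
	Cleared          Decision = "cleared"
	ApprovalRequired Decision = "approval_required"
	Denied           Decision = "denied"
)

// Policy is a versioned rule set (an assumed shape, not Permission Protocol's own schema).
type Policy struct {
	Version string
	Rules   map[string]Decision // action type -> decision
	Default Decision            // applied to action types the policy does not name
}

// Receipt is a hypothetical authority receipt with the fields the page lists; layout assumed.
type Receipt struct {
	ID            string    `json:"id"`
	Actor         string    `json:"actor"` // the agent that requested the action
	Action        string    `json:"action"`
	Resource      string    `json:"resource"`
	PolicyVersion string    `json:"policy_version"`
	ApprovedBy    string    `json:"approved_by"` // a named human, not a team or role
	Timestamp     time.Time `json:"timestamp"`
	Signature     []byte    `json:"signature,omitempty"`
}

// signingBytes is what the signature covers: the receipt as JSON with the signature cleared.
// Struct field order is fixed, so the encoding is stable for a given receipt.
func (r Receipt) signingBytes() []byte {
	r.Signature = nil
	b, _ := json.Marshal(r) // these field types cannot fail to marshal
	return b
}

// Sign returns a copy of r signed with the approval service's Ed25519 key.
func Sign(r Receipt, priv ed25519.PrivateKey) Receipt {
	r.Signature = ed25519.Sign(priv, r.signingBytes())
	return r
}

// Verify is the check any auditor holding the service's public key can run independently.
func Verify(r Receipt, pub ed25519.PublicKey) bool {
	return len(r.Signature) == ed25519.SignatureSize && ed25519.Verify(pub, r.signingBytes(), r.Signature)
}

// Gate is a fail-closed authorization gate placed in front of an agent's actions.
type Gate struct {
	Policy   Policy
	SignerPK ed25519.PublicKey // public key of the service that issues receipts
}

// Authorize returns (allowed, reason). Only two paths allow: the policy clears the action type
// outright, or a receipt that verifies and matches this exact action approves it.
func (g Gate) Authorize(actor, action, resource string, r *Receipt) (bool, string) {
	d, ok := g.Policy.Rules[action]
	if !ok {
		d = g.Policy.Default
	}
	switch d {
	case Cleared:
		return true, "cleared by policy " + g.Policy.Version
	case Denied:
		return false, "denied by policy " + g.Policy.Version
	case ApprovalRequired:
		switch {
		case r == nil:
			return false, "approval required, no receipt presented"
		case !Verify(*r, g.SignerPK):
			return false, "receipt signature invalid"
		case r.Actor != actor || r.Action != action || r.Resource != resource:
			return false, "receipt does not match the requested action"
		case r.PolicyVersion != g.Policy.Version || r.ApprovedBy == "":
			return false, "receipt is for another policy version or names no approver"
		}
		return true, "approved by " + r.ApprovedBy
	}
	return false, "unknown decision, failing closed"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample policy: reads cleared, environment deletion never, everything else needs a human.
	gate := Gate{SignerPK: pub, Policy: Policy{Version: "v3", Default: ApprovalRequired,
		Rules: map[string]Decision{"read_logs": Cleared, "delete_environment": Denied}}}
	r := Sign(Receipt{ID: "rcp-0001", Actor: "agent-ci", Action: "deploy", Resource: "svc/payments",
		PolicyVersion: "v3", ApprovedBy: "jane.doe@example.com", Timestamp: time.Now().UTC()}, priv)
	fmt.Println(gate.Authorize("agent-ci", "deploy", "svc/payments", &r))  // true, approved by jane.doe
	fmt.Println(gate.Authorize("agent-ci", "deploy", "svc/billing", &r))   // false, receipt mismatch
	fmt.Println(gate.Authorize("agent-ci", "deploy", "svc/payments", nil)) // false, fail-closed
}
```

Two properties make this gate fail-closed rather than fail-open: every branch that cannot positively establish authorization returns false, a nil receipt included, and the receipt is bound to the exact actor, action and resource it was issued for, so a receipt approving one deployment does not authorize a different one. A production gate would additionally want a receipt expiry and a one-time-use check keyed on the receipt ID; both are left out of the example.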
Proposed metric
Authorization coverage: a NIST-measurable metric.
We proposed this metric in the RFI response: authorization coverage — the percentage of an AI agent's production-impacting actions that have a discrete, verifiable authorization receipt. A score of 100% means every consequential action was explicitly authorized before execution. This is a concrete, auditable answer to “how much of our AI activity is governed?”
Permission Protocol's API supports pulling authorization coverage metrics for any organization — receipt counts by action type, approver, policy, and time window.
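Computed against a constructed action log, the authorization coverage metric looks like the Go program below. It is an added example for this page, not Permission Protocol's API or reporting code; the ActionRecord shape, the SampleLog entries, the time-window and per-action-type breakdown, and the rule that only a verified receipt counts toward the numerator are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"time"
)

// ActionRecord is one entry in a constructed agent action log. The shape is an assumption
// for this example, not the Permission Protocol API's own schema.
type ActionRecord struct {
	Agent         string
	ActionType    string
	Consequential bool   // production-impacting: counts toward coverage
	ReceiptID     string // empty when the action ran without a receipt
	ReceiptValid  bool   // whether the receipt's signature verified
	At            time.Time
}

// Coverage holds the two counts behind an authorization-coverage percentage.
type Coverage struct {
	Consequential int // denominator: consequential actions in the window
	Receipted     int // numerator: those backed by a verified receipt
}

// Percent returns the coverage percentage. With no consequential actions the metric is
// undefined and reported as (0, false), never as a flattering 100%.
func (c Coverage) Percent() (float64, bool) {
	if c.Consequential == 0 {
		return 0, false
	}
	return 100 * float64(c.Receipted) / float64(c.Consequential), true
}

// inScope reports whether a record is a consequential action inside the half-open window [from, to).
func inScope(rec ActionRecord, from, to time.Time) bool {
	return rec.Consequential && !rec.At.Before(from) && rec.At.Before(to)
}

// receipted reports whether a record carries a receipt that actually verified; an
// unverifiable receipt is no proof of authorization and does not count.
func receipted(rec ActionRecord) bool {
	return rec.ReceiptID != "" && rec.ReceiptValid
}

// AuthorizationCoverage computes coverage over [from, to), overall and per action type.
func AuthorizationCoverage(log []ActionRecord, from, to time.Time) (Coverage, map[string]Coverage) {
	var total Coverage
	byType := map[string]Coverage{}
	for _, rec := range log {
		if !inScope(rec, from, to) {
			continue
		}
		c := byType[rec.ActionType]
		c.Consequential++
		total.Consequential++
		if receipted(rec) {
			c.Receipted++
			total.Receipted++
		}
		byType[rec.ActionType] = c
	}
	return total, byType
}

// Unreceipted lists the consequential actions in the window that ran without a verified
// receipt: the concrete gap behind the percentage, which is what an auditor asks for next.
func Unreceipted(log []ActionRecord, from, to time.Time) []ActionRecord {
	var gaps []ActionRecord
	for _, rec := range log {
		if inScope(rec, from, to) && !receipted(rec) {
			gaps = append(gaps, rec)
		}
	}
	return gaps
}

// SampleLog is a constructed log: four consequential actions on 15 Jan, two of them
// properly receipted, one non-consequential read, and one deploy on the following day.
func SampleLog() []ActionRecord {
	day := time.Date(2025, 1, 15, 0, 0, 0, 0, time.UTC)
	return []ActionRecord{
		{"agent-ci", "deploy", true, "rcp-001", true, day.Add(1 * time.Hour)},
		{"agent-ci", "deploy", true, "rcp-002", true, day.Add(2 * time.Hour)},
		{"agent-ops", "delete_environment", true, "", false, day.Add(3 * time.Hour)},  // no receipt at all
		{"agent-ops", "db_migration", true, "rcp-003", false, day.Add(4 * time.Hour)}, // receipt failed verification
		{"agent-ci", "read_logs", false, "", false, day.Add(5 * time.Hour)},           // not consequential
		{"agent-ci", "deploy", true, "rcp-004", true, day.Add(26 * time.Hour)},        // next day
	}
}

func main() {
	from := time.Date(2025, 1, 15, 0, 0, 0, 0, time.UTC)
	to := from.Add(24 * time.Hour)
	total, byType := AuthorizationCoverage(SampleLog(), from, to)
	pct, _ := total.Percent()
	fmt.Printf("authorization coverage for %s: %.1f%% (%d/%d)\n", from.Format("2006-01-02"), pct, total.Receipted, total.Consequential)
	for actionType, c := range byType {
		p, _ := c.Percent()
		fmt.Printf("  %-20s %.1f%% (%d/%d)\n", actionType, p, c.Receipted, c.Consequential)
	}
	for _, g := range Unreceipted(SampleLog(), from, to) {
		fmt.Printf("  GAP %s by %s at %s (receipt %q)\n", g.ActionType, g.Agent, g.At.Format(time.RFC3339), g.ReceiptID)
	}
}
```

For the sample day the program reports 50% coverage (2 of 4 consequential actions): the two deploys are fully receipted, the environment deletion ran with no receipt, and the migration's receipt failed verification, so it is treated as unreceipted. Treating an unverifiable receipt as absent is deliberate; a metric that counted any receipt-shaped record would let a forged or tampered receipt raise the score.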
Map this to your compliance program.
We can provide a detailed mapping of Permission Protocol controls to your specific NIST, SOC 2, ISO 27001, or EU AI Act requirements. Most enterprise implementations run a scoped pilot in two weeks.