NIST-2025-0035
Security Dashboard
Interactive companion to Nicholls (2026) — NIST/CAISI Request for Information response. Explore Intrinsic Access Control, the Enforcement Location Principle, governance maturity, and the 47-vector threat taxonomy.
What is InAC?
Intrinsic Access Control is the unnamed sixth access control model present in every AI agent system. The agent is simultaneously the subject and the enforcement mechanism. Enforcement under InAC is probabilistic and intrinsic to the agent, and it fails open, not closed.
The ELP Framework
The Enforcement Location Principle specifies where each enforcement type belongs: E_d (deterministic) at trust boundaries, E_n (normative) in the interior, E_o (observational) spanning all domains. All nine surveyed platforms violate at least one placement requirement.
Governance Maturity
Seven major platforms scored across six governance dimensions using an L0–L5 maturity model. Industry ceiling: L2. No system achieves L3 enforcement. Weakest dimension across all platforms: audit and accountability.