Sebastian Anetey Shamo has posted Non-Human Identity for AI Agents, Bots, and Robots: A Complete Architectural Framework for Governance, Trust, and Accountability in Autonomous Systems on SSRN. Here is the abstract:
The proliferation of autonomous AI agents, conversational bots, robotic process automation (RPA) workers, and embodied robots has created an identity population that now exceeds human users in most enterprise environments by factors ranging from 17 to 45 to one. Traditional Identity and Access Management (IAM) frameworks, designed around human authentication paradigms, are structurally incapable of governing entities that act, decide, and transact at machine speed. This paper introduces a comprehensive Non-Human Identity (NHI) framework purpose-built for AI agents, bots, and robots. We define a formal taxonomy of non-human actors, propose a layered architectural model spanning identity issuance, authentication, authorization, behavioral attestation, and lifecycle governance, and present a reference implementation aligned with emerging standards including SPIFFE, OAuth 2.1, IETF Workload Identity, and the NIST AI Risk Management Framework. We argue that NHI governance requires a fundamental departure from human-centric IAM: identities must be cryptographically rooted, ephemeral by default, behaviorally observable, and auditable through tamper-evident provenance chains. The framework addresses agentic AI threats including prompt-injected privilege escalation, tool-call abuse, identity sprawl, and cross-agent collusion. We conclude with a maturity model and adoption roadmap to guide enterprises through the transition from credential-centric to capability-and-context governance.
Lawrence Solum
