InAC Security (NIST RFI)
Nicholls, B. (2026). Intrinsic Access Control: The Unnamed Sixth Model. Response to NIST-2025-0035 / CAISI RFI on AI Agent Security.
Abstract
Intrinsic Access Control (InAC) is the unnamed sixth access control model present in every AI agent system. The agent is simultaneously the subject and the enforcement mechanism. InAC is probabilistic, intrinsically enforced, and fails open — not closed.
Key Contributions
- InAC taxonomy — Identifies the sixth access control model alongside MAC, DAC, RBAC, ABAC, and ReBAC
- Enforcement Location Principle (ELP) — Specifies where each enforcement type belongs
- 47-vector threat taxonomy — Comprehensive threat model for AI agent platforms
- Governance maturity model — L0–L5 scoring across six dimensions; industry ceiling at L2
Interactive Dashboard
See the Security Dashboard for interactive exploration.