The Credential That Was Modeled
On June 11, NIST released working drafts for a dual-stack post-quantum PIV. A federal identity standard for human credential holders now has a published gap analysis for the quantum transition. The equivalent gap analysis for the credential the agentic system will present has not been written.
On June 11, 2026, the National Institute of Standards and Technology released initial working drafts of proposed updates to the Personal Identity Verification standards to support post-quantum cryptography. The announcement appears in the CSRC working drafts notice for PIV PQC. The drafts identify the changes expected to be needed to use the ML-DSA digital signature algorithm and the ML-KEM key-encapsulation mechanism with PIV. The current draft set comprises SP 800-73 Part 1 on the PIV Card Application Namespace, Data Model, and Representation, SP 800-73 Part 2 on the PIV Card Application Card Command Interface, and SP 800-78 on Cryptographic Algorithms and Key Sizes for PIV. A supporting PQC Overview accompanies the drafts and presents a working gap analysis of the specification changes needed across the PIV algorithm profile, command interface, and data model.
The drafts are preliminary working materials, not formal public drafts. NIST is engaging implementers and users through the piv-standards repository on GitHub and through a public mailing list. The substance of the work is visible. Reading it produces one institutional observation that does not depend on the technical depth of the cryptography. NIST has published, for the federal human credential, the kind of artifact that does not yet exist for the federal machine credential.
What the gap analysis says about PIV
The PIV gap analysis is the substantive part of the release. It frames the transition not as a substitution of one signature algorithm for another but as a dual-stack model. The approach, as the CSRC announcement records, centers on a dual-stack model that preserves existing classical PIV keys and data objects, adds new key references, certificate containers, and data objects for PQC credentials, and supports backward compatibility and incremental deployment during the transition. The classical PIV card does not disappear on a single date. The classical key references remain in the card application. New PQC-specific key references, certificate containers, and data objects are layered into the existing data model.
This is a non-trivial institutional commitment. PIV credentials are issued under Federal Information Processing Standard 201-3 to federal employees and contractors. They drive physical access, logical access, federation, and derived credential issuance. Changing the cryptographic envelope of the credential touches issuance, validation, card readers, certificate authorities, federation relying parties, derived credential issuers, and every system that has ever made an authentication decision based on the certificate chain rooted in the federal PKI. The dual-stack model is the answer to a question that has been asked for several years across multiple agencies, and the answer is not that the migration will be fast. The answer is that the migration will be staged, that classical and PQC keys will live side by side in the card application for an extended period, and that the data model will be expanded to carry both.
The release also identifies what is not yet decided. The drafts are explicit that they are exploring the changes expected to be needed, not specifying the final set. The PIV community is being invited to file issues, open pull requests, and join the mailing list during the development process. NIST is treating PQC PIV as a long-running specification effort with public iteration on the substantive design questions.
What the gap analysis does not cover
The PIV standard governs the credential a human presents to a federal facility or system. It governs the issuance, the data model on the card, the cryptographic algorithms, the command interface, and the trust framework that ties an individual to a federally validated identity. It does not govern the credential an autonomous agent presents to a federal facility, a federal information system, or a federal partner. The credential the agent presents has no equivalent FIPS standard, no equivalent SP 800-73 family, no equivalent SP 800-78 algorithm catalog, no equivalent published dual-stack model, and no equivalent gap analysis.
The federal human credential, in other words, is being deliberately and visibly retooled for the post-quantum transition. The federal agent credential has not yet been defined to a level of specificity that would let a gap analysis be written.
This is not a critique of NIST. NIST has been working through agentic AI risk through other publications, including the AI Risk Management Framework Generative AI Profile (NIST AI 600-1) and the Cybersecurity Insights post on combating AI-enhanced threats and risks. The Cybersecurity Center of Excellence has a draft project on Generative AI Cybersecurity Profile uses. What does not yet appear, in any of those venues, is the equivalent of SP 800-73 for a non-human credential holder. There is no published namespace specification for the agent credential. There is no command interface for the agent credential. There is no algorithm catalog. There is no dual-stack model that would, by analogy with the PIV draft, preserve a classical agent credential and layer a PQC agent credential alongside it during a transition.
The PIV release makes the asymmetry visible in a way that prior work did not. A federal human, in any agency, will receive a credential whose cryptographic envelope has been deliberately designed for the next thirty years. A federal agent, in any agency, will present a credential whose specification, scope, and governance are determined by the deployment vendor, the agency mission owner, the procurement contract, and the system integrator.
What the credential gap surfaces for governance
The PIV PQC working drafts surface three institutional questions that previously sat beneath the surface.
First, the dual-stack model in PIV presumes a credential that has a stable issuer, a stable data model, a stable command interface, and a stable trust anchor. If the analogous design problem is to be solved for agent credentials, the analogous prerequisites must exist or must be specified. Who is the issuer of an agent credential? What is the data model? What is the command interface for presentation and validation? What is the trust anchor?
Second, the PIV PQC drafts identify the gap between the current standard and the post-quantum target. They name the data objects that must be added, the algorithm references that must be created, and the key reference slots that must be allocated. The analogous gap analysis for the agent credential cannot yet be written because the current state is not standardized. The transition target cannot be specified until the current target is specified.
Third, the PIV community is being convened in the open. GitHub. Mailing list. Public draft iteration. The PIV transition is being conducted as a public-institution process. The analogous process for the agent credential is being conducted, when it is being conducted at all, inside individual vendor stacks, inside individual agency pilots, and inside individual deployment contracts. The governance artifact for the federal human credential is a NIST special publication with a public comment period. The governance artifact for the federal agent credential is, in most deployments, a procurement clause.
What remains on the table:
- If the federal human credential is being explicitly retooled with a dual-stack PQC model, what is the institutional venue and calendar on which the equivalent dual-stack model for the federal agent credential is specified?
- If the dual-stack PIV model presumes a stable issuer, data model, command interface, and trust anchor, which institution is responsible for naming those four elements for the agent credential, and on what timeline?
- If the PIV community is iterating on PQC in public on GitHub and through a public mailing list, what is the analogous public-iteration venue for the agent credential, and which agency convenes it?
- If the federal recall instrument and the federal patch instrument have both been retrofitted in the past week because no purpose-built instrument existed for the new operational tempo, what is the calendar on which the federal agent credential becomes a purpose-built instrument rather than a procurement clause?
The governance artifact retained, the governance function not. The federal human credential has its quantum-transition gap analysis. The federal agent credential does not yet have the specification that would let one be written.