Your agent can send an email, place an order, or merge a PR. If an auditor asks "prove it," what artifact do you hand them? Plaintext logs aren't an answer. They're editable, deletable, and reorderable by anyone who controls the runtime. NIST has been quiet about this gap until recently — but in early 2026 they started lining up the answer. On February 5, 2026 , NIST NCCoE published a concept paper on AI agent identity and authorization surfacing four control areas any production agent deployment must address. Twelve days later, February 17, 2026 , NIST CAISI launched the AI Agent Standards Initiative — more deliverables coming, exact timelines still emerging. The concept paper is scoping work, not a prescriptive standard yet. But the four control areas are settled, and if you're building AI agents today, they tell you what you'll need to have working before NIST's normative output lands. This post walks through each area, what it actually requires, and where the implementation gaps are today.…