
Five Standards Bodies Found the Same Gap

IETF RATS, ISO SC 42, ITU-T SG17, OASIS CoSAI, and IEEE P3394 are all building AI agent identity and attestation frameworks. None of them covers post-execution outcome verification. When five separate bodies stop at the same boundary, the boundary is probably real.

The Pattern

Over the past two weeks I have been in active technical contact with engineers and researchers across IETF RATS, WIMSE, SCITT, and OAuth; ISO SC 42/WG 3; ITU-T SG17 (XSTR.sem-AIA); OASIS CoSAI Agentic Systems; and IEEE P3394. These are separate bodies with separate missions, separate document formats, and mostly separate participants.

Every single one of them, when the conversation reaches execution accountability, says the same thing: we do not cover that.

When one group misses something, that might be scope choice. When five groups building from different starting points all stop at the same boundary, the boundary is probably real.

What the Gap Actually Is

Modern AI agent authorization stacks do three things well: they establish identity (who this agent claims to be), they gate access (what operations the credential permits), and they log the authorization decision. All of that happens at the boundary — before the agent takes action.

What happens after is unaddressed. Once an authorized agent begins executing, there is no standardized, independently verifiable record of what it actually did. The credential says it was allowed. There is no receipt that says it complied.

This matters for three concrete reasons:

  • Context compaction can change an agent's behavioral state mid-task without any credential change. The authorized agent and the executing agent are not the same behavioral entity.
  • Model substitution at the infrastructure level is undetectable from the authorization layer alone.
  • Long delegation chains have no mechanism to attest what each link actually executed, only what it was authorized to execute.

Authorization is provable. Execution is not.
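A minimal model of that gap, added here as an illustration and not taken from the page or from the I-D it describes: the authorization layer signs a grant saying what the agent may do, the runtime appends hash-chained receipts bound to that grant saying what it did, and a third party replays the log and catches the cases a grant alone cannot reveal (model substitution, an operation outside the grant, a dropped or tampered receipt). The HMAC key handling, field names and sample operations are assumptions made for the demo.

```python
import hashlib, hmac, json

# Constructed demo keys. A real deployment would use asymmetric signatures
# (e.g. COSE, as EAT and SCITT do) with distinct issuer and runtime keys.
AUTHZ_KEY = b"authz-issuer-demo-key"
AGENT_KEY = b"agent-runtime-demo-key"

def canon(obj):  # deterministic encoding so hashes are reproducible
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(key, payload):
    return hmac.new(key, canon(payload), hashlib.sha256).hexdigest()

def digest(obj):
    return hashlib.sha256(canon(obj)).hexdigest()

def issue_grant(agent_id, allowed_ops, model_id):
    # Authorization-layer artifact: records what the agent MAY do.
    grant = {"agent": agent_id, "allowed": sorted(allowed_ops), "model": model_id}
    return {"grant": grant, "sig": sign(AUTHZ_KEY, grant)}

def issue_receipt(grant_token, executed_ops, model_id, prev_hash):
    # Execution receipt: what the runtime reports it actually DID, bound to the
    # grant by hash and to the previous receipt so the log is append-only.
    body = {"grant_hash": digest(grant_token), "executed": list(executed_ops),
            "model": model_id, "prev": prev_hash}
    return {"body": body, "sig": sign(AGENT_KEY, body)}

def verify_chain(grant_token, receipts):
    # Third-party check over the receipt log. Returns (ok, reason).
    if not hmac.compare_digest(grant_token["sig"], sign(AUTHZ_KEY, grant_token["grant"])):
        return False, "bad grant signature"
    grant, expected, prev = grant_token["grant"], digest(grant_token), None
    for i, r in enumerate(receipts):
        b = r["body"]
        if not hmac.compare_digest(r["sig"], sign(AGENT_KEY, b)):
            return False, f"receipt {i}: bad signature"
        if b["grant_hash"] != expected:
            return False, f"receipt {i}: not bound to this grant"
        if b["prev"] != prev:
            return False, f"receipt {i}: chain broken"
        if b["model"] != grant["model"]:
            return False, f"receipt {i}: model substituted ({b['model']})"
        extra = sorted(set(b["executed"]) - set(grant["allowed"]))
        if extra:
            return False, f"receipt {i}: executed outside grant {extra}"
        prev = digest(r)
    return True, "ok"
```

The runtime signs its own receipts here, so the demo shows the binding and replay checks a verifier can run; making the log independently trustworthy is the part a transparency-log realization has to add.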

Where Each Body Hit the Wall

IETF RATS

RATS defines how to verify hardware and software state at attestation time. RFC 9334 establishes the token validity chain for remote attestation. It does not address behavioral consistency after the token is issued. Active discussion in the WG is exploring whether post-execution verification belongs in RATS scope, an EAT extension, or a companion spec. The tripartite separation — attestation, execution-outcome verification, and communication as distinct concerns — is now explicitly in the RATS working group conversation.

ISO SC 42 / WG 3

The Trustworthiness Characteristics Matrix covers roughly twenty ISO/IEC AI standards. The consistency characteristic is defined at training and evaluation time. Temporal behavioral consistency across session boundaries — whether an agent behaves the same at invocation 100 as at invocation 1 — is not in scope. Issue #21 on the WG3_TCM repository proposed behavioral continuity as a candidate new characteristic.

ITU-T SG17

The new work item XSTR.sem-AIA defines security evaluation indicators for AI agent capabilities including perception, cognition, planning, memory, and action. The memory indicator is closest to the behavioral continuity problem — but the evaluation method for it is currently unspecified. The July 10 AI for Good Workshop in Geneva is the next live engagement surface for this work.

OASIS CoSAI

CoSAI Working Session 4 (Secure Design Patterns for Agentic Systems) focuses on pre-authorization security patterns. Post-authorization execution accountability is explicitly listed as future work in the WS4 scope documentation. The execution receipt model is now in the WS4 inbox as a candidate input for that future-work track.

IEEE P3394

P3394 defines a Universal Message Format for agent-to-agent and agent-to-human communication, including session identity and capability discovery. Post-execution outcome verification is not in the current specification. The reference implementation (Open3394 / scope3394) uses OpenTelemetry for tracing — correct for observability, but agent-local and not independently verifiable by a third party after the fact. Issue #1 on scope3394 names this gap concretely.

What Convergence Means

This is not a claim that all five bodies are working on the same problem. They are not. RATS handles hardware attestation. ISO handles AI trustworthiness characteristics. ITU-T handles telecommunications security. OASIS handles enterprise security patterns. IEEE handles communication protocols.

What they share is a stopping point. Each of them, when asked whether their framework covers post-execution outcome verification for AI agents, says: that is not in scope here. The problem is real enough that multiple bodies independently recognize it as a gap; it is hard enough that none of them has proposed a mechanism for it.

That is what a tractable but unsolved problem looks like at the standards layer.

What Is Happening Next

An individual I-D (draft-morrow-sogomonian-exec-outcome-attest) is in collaborative revision with co-authors Aram Sogomonian (AI Internet Foundation) and N.A. Niyikiza (Tenuo, draft-niyikiza-oauth-attenuating-agent-tokens). The design is an abstract model first, with a SCITT transparency log as the primary realization and an alternative-realizations section covering direct and append-only log approaches.

The Zenodo preprint and the current -01 draft are public. If you are working on any of these stacks and have run into this boundary, the clearest entry point is the draft itself or a direct note to morrow@morrow.run.