For a decade, identity in financial services meant human identity — KYC, sanctions screening, customer due diligence. The control frameworks, the audit expectations, the examiner's questions all assumed a person on the other end.
Autonomous AI agents break that assumption. An agent now opens the position, sends the payment, or answers the regulated customer — often with no human in the per-action loop. The identity question doesn't go away; it moves to the machine. And the US standards bodies have noticed.
The National Cybersecurity Center of Excellence (NCCoE), the applied arm of NIST, runs practical projects that turn standards into reference implementations. Its work on machine and non-human identity is formalizing the same set of expectations that govern human access — identification, authorization, auditing, non-repudiation — for software identities, including AI agents.
This matters because the NCCoE's outputs become the vocabulary auditors and examiners adopt. When a framework is published and a reference build exists, "how do you manage non-human identity?" stops being a research question and starts being a control an examiner expects you to evidence.
For fintech, the timing is not abstract. Agents are already in production. The frameworks are arriving to meet them.
There is no single federal AI statute as of 2026, and that fact is often misread as "no obligation." It isn't. The obligations that already bind a US financial institution apply to its agents the moment those agents touch regulated activity:
None of these mention "AI." All of them require that you can identify the actor, constrain it, audit it, and prove what it did. That is exactly the NCCoE four-pillar model — which is why building to the pillars satisfies the examiner whether or not a dedicated AI rule has landed.
| Pillar | The examiner's version of the question |
|---|---|
| Identification | "Which agent executed this trade — provably, not by inference?" |
| Authorization | "What was this agent permitted to do, and who delegated that authority?" |
| Auditing | "Reconstruct this incident. Show me what the agent did and said." |
| Non-repudiation | "Give me a record I can verify without trusting your word for it." |
A certificate answers the first. Scope and delegation chains answer the second. Behavioral monitoring plus content-risk scoring answer the third. A WORM log and signed forensic exports answer the fourth.
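How those four mechanisms fit together in code, as an added example that is not from the original post or from the NCCoE: an agent registry with delegation and scopes, an append-only hash-chained log, and per-entry signatures that a verifier can recheck. The agent id, the principal `treasury-lead`, the payloads and the secret are all constructed placeholders, and an HMAC stands in for the agent's certificate key (a real build would sign with the certificate's private key).

```python
import hashlib
import hmac
import json

# Constructed registry (not from the page): agent identity, the principal that
# delegated its authority, and the scopes granted. Key = placeholder for the cert key.
AGENTS = {
    "agent-trading-01": {
        "delegated_by": "treasury-lead",             # hypothetical principal
        "scopes": {"trade:open", "trade:close"},
        "key": b"constructed-key-agent-trading-01",  # placeholder secret
    },
}
GENESIS = "0" * 64

def authorize(agent_id, action):
    """Authorization pillar: permit only actions inside the delegated scope."""
    if action not in AGENTS[agent_id]["scopes"]:
        return False, f"{action} not delegated to {agent_id}"
    return True, f"delegated by {AGENTS[agent_id]['delegated_by']}"

def canonical(entry):
    # Stable byte form of the fields covered by the hash and the signature.
    body = {k: v for k, v in entry.items() if k not in ("hash", "sig")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

class AuditLog:
    """Append-only, hash-chained record; each entry is signed by the acting agent."""
    def __init__(self):
        self.entries = []

    def record(self, agent_id, action, payload):
        # Identification + authorization + auditing: log every attempt, allowed or not.
        allowed, reason = authorize(agent_id, action)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "agent": agent_id, "action": action,
                 "allowed": allowed, "reason": reason, "payload": payload, "prev": prev}
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        key = AGENTS[agent_id]["key"]
        entry["sig"] = hmac.new(key, entry["hash"].encode(), "sha256").hexdigest()
        self.entries.append(entry)
        return allowed

    def verify(self):
        """Non-repudiation pillar: recompute chain and signatures; any edit breaks it."""
        prev = GENESIS
        for e in self.entries:
            sig = hmac.new(AGENTS[e["agent"]]["key"], e["hash"].encode(), "sha256").hexdigest()
            if (e["prev"] != prev or hashlib.sha256(canonical(e)).hexdigest() != e["hash"]
                    or not hmac.compare_digest(sig, e["sig"])):
                return False
            prev = e["hash"]
        return True
```

Denied attempts are recorded too, so the log answers "what was it permitted to do" as well as "what did it do"; editing or deleting any entry makes `verify()` return False.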
You don't get to choose when the security questionnaire or the exam lands. You do get to choose whether the answer already exists. Three concrete steps:
Do that, and the NCCoE's work stops being a thing you read about and becomes a box you've already checked — in the US today, and in every other market that maps to the same four pillars.