ICACC
Identity-Centric Adaptive Control Core (ICACC) is a three-layer architecture that operationalizes NIST AI RMF through Agile DSRM cycles and Identity and Access Management (IAM) mediation. The architecture ensures that policy intent translates to technically bounded agent behavior in critical infrastructure environments.
IEEE Transactions on Dependable and Secure Computing
Impact Factor: 7.3 • Timeline: 4-6 months
DSRM Lifecycle Coverage
Artifact Overview
The NIST AI Risk Management Framework (AI RMF) establishes essential governance principles but lacks technical enforcement mechanisms for adversarial, agentic AI systems in critical infrastructure. Policy intent does not automatically translate to bounded agent behavior.
Cybersecurity researchers, AI safety engineers, critical infrastructure operators, and organizations deploying AI agents in high-consequence environments.
AdversarialTesting4 metrics
Key Contributions
First technical enforcement architecture for NIST AI RMF
Formal agent autonomy bounding theorems with IAM proofs
Large-scale cyber-physical validation with adaptive adversaries
Paper Structure
Section 1
Governance-to-Enforcement Gap
Section 2
Three-Layer Architecture
Section 3
Formal Model & Theorems
Section 4
ICACC Prototype
Section 5
Experimental Evaluation
Section 6
Policy Implications
1. Problem Statement & Operational Motivation
The NIST AI Risk Management Framework (AI RMF) establishes essential governance principles but lacks technical enforcement mechanisms for adversarial, agentic AI systems in critical infrastructure. Policy intent does not automatically translate to bounded agent behavior.
This problem arises in the context of cybersecurity researchers, ai safety engineers, critical infrastructure operators, and organizations deploying ai agents in high-consequence environments. and reflects constraints commonly encountered in production systems, including scale, adversarial behavior, regulatory requirements, and operational continuity.
2. Artifact Description
Identity-Centric Adaptive Control Core (ICACC) is a three-layer architecture that operationalizes NIST AI RMF through Agile DSRM cycles and Identity and Access Management (IAM) mediation. The architecture ensures that policy intent translates to technically bounded agent behavior in critical infrastructure environments.
The artifact is designed to be identity-first, treating authentication, authorization, federation, and policy enforcement as the primary control plane. It is intended to function under real operational conditions rather than idealized assumptions.
3. Design Science Research Methodology (DSRM) Mapping
ICACC follows DSRM with research contributions expressed as an operational artifact.
• Problem Identification & Motivation
The operational problem was defined based on observed risks and limitations in existing systems.
• Design & Development
ICACC is built on the following design principles:
- Three-layer model: Governance (NIST), Execution (A-DSRM), Enforcement (IAM)
- All AI agent actions mediated through ABAC policies
- Policy evolution via A-DSRM iterations
- Formal bounded autonomy guarantees
• Build
ICACC defines formal mapping between NIST AI RMF functions and A-DSRM phases with IAM policy transformations. The architecture includes theorem proving for bounded agentic autonomy under adversarial drift and integration patterns for cyber-physical systems.
• Demonstration
Experimental validation on a cyber-physical testbed simulating 5,000 agent-hours across power grid and transportation scenarios with adaptive adversaries.
• Evaluation
Results show 94.7% policy compliance under adaptive attacks compared to 62.3% for static governance baselines, with zero unauthorized privilege escalations across 5,000 agent-hours of testing.
• Communication
The artifact is documented as a citable protocol object and connected to research notes, simulation plans, and deployment guidance.
4. Evaluation & Evidence
Evaluation Method: AdversarialTesting
Evaluation Metrics:
- Policy compliance rate (94.7% vs 62.3% baseline)
- Unauthorized privilege escalation count (zero)
- Adaptive attack resilience
- Governance-to-enforcement latency
Evaluation Contexts:
- Cyber-physical testbed simulating 5,000 agent-hours
- Power grid scenario validation
- Transportation system adversarial testing
- Adaptive attack resilience evaluation
The evaluation approach treats the environment as adversarial and constrained. ICACC is not assessed on theoretical correctness alone; it is assessed on whether it can deliver trustworthy behavior under realistic deployment assumptions.
5. Key Citations & Foundations
- •NIST AI RMF (2023) - Core framework
- •Sandhu et al. (1996) - RBAC/ABAC foundations
- •Howard & Lipner (2006) - Security Development Lifecycle
6. Applicability & Use Cases
ICACC applies to:
Use cases include:
- Architecture design and review
- Security control implementation
- Research extension and replication
- Teaching and laboratory exercises
- Policy and governance analysis
7. Limitations & Scope
Requires mature IAM infrastructure. Theorem proofs assume specific adversary models. Production deployment requires environment-specific policy tuning.
8. Iteration & Evolution
Architecture evolves as NIST AI RMF updates and new adversarial patterns emerge. Integration with additional IAM frameworks (SPIFFE, OPA) in progress.
9. How to Cite This Artifact
J. Nsoh, "Identity-Centric AI Governance: A-DSRM Operationalization of NIST AI RMF for Critical Infrastructure," IEEE Transactions on Dependable and Secure Computing, 2026. Available: https://jovita.io/artifacts/icacc-governance
10. Related Research & Teaching
11. License & Availability
License: CC BY 4.0
Last Updated: 2026-01-20
Where applicable, reference implementations and simulation configurations will be published as linked materials under this artifact record.
ICACC represents an applied research contribution produced through Design Science Research Methodology. Its value lies not only in correctness, but in whether it can be implemented, evaluated, and trusted in real operational environments.