RBAC and ABAC — role-based and attribute-based access control for agents

Supports: The canonical NIST definition of ABAC as the four-attribute model (subject, object, action, environment) on which this control is built. The per-request policy-evaluation mechanic described here is precisely what the MDX page recommends.

Does not prove: Does not address agentic AI, LLMs, or non-human principals. The standard was authored for enterprise user-access scenarios; the extension to agent identities is Helmwart's application, not NIST's.

Supports: Verbatim establishment of "least privilege per-request access decisions" as the foundation of ZTA — the design principle that RBAC + ABAC together operationalise for agent calls. The MDX cites §3.4 as the relevant section; the per-request least-privilege principle is in fact stated definitionally in §1 and carried through the document.

Does not prove: Section 3.4 of SP 800-207 covers network and environment components, not ABAC specifically. The MDX reference to "SP 800-207 §3.4 makes per-request attribute-based decisions the foundation of the ZTA control plane" misattributes the specific claim to §3.4. The principle is real and verbatim, but it appears in §1 (the ZT definition) and §2 (tenets), not §3.4 (Network/Environment Components). Helmwart should cite §1–2 instead.

Supports: Names the exact threat that RBAC/ABAC is cited in the MDX to mitigate. The "mismanaged roles" and "dynamic permission inheritance" framing maps directly to what RBAC bounds and what ABAC narrows per-request.

Does not prove: T3's mitigation guidance says "implement granular permission controls, dynamic access validation" but does not name RBAC or ABAC by their NIST labels in the threat description. The RBAC/ABAC name-drop appears in Playbook 4, not the threat body itself.

Supports: The only verbatim RBAC+ABAC name-drop in the OWASP Threats & Mitigations document. Establishes that both models together — not either alone — are the recommended proactive control for agent privilege management.

Does not prove: Appears as a single bullet in a checklist; no elaboration on implementation mechanics, attribute sourcing, or the RBAC-for-coarse-scoping / ABAC-for-per-request-constraints layering the MDX recommends.

Supports: Establishes the "attribution gap" that RBAC/ABAC directly closes: agents without governed identities and role bindings cannot have least privilege enforced. The MDX maps T3/ASI03 as the primary threat this control addresses.

Does not prove: ASI03's prevention guidelines name "task-scoped, time-bound permissions" and "centralized policy engine" rather than RBAC/ABAC by name. The RBAC/ABAC label comes from SP 800-162 and Playbook 4, not from the ASI03 body.

Supports: Names least model privilege as a normative runtime control and lists permission/authorisation configuration as the primary mechanism, aligning with RBAC/ABAC as the implementation vehicle. Also explicitly warns against implementing authorisation inside GenAI instructions (prompt-level grants), reinforcing that policy-engine decisions — the RBAC/ABAC pattern — are required.

Does not prove: Does not name RBAC or ABAC by label. The AI Exchange control is a principle statement; NIST SP 800-162/178 provide the standards that operationalise it.

Supports: Provides the delegated-token-exchange mechanism (RFC 8693 on-behalf-of semantics) that the MDX recommends alongside RBAC/ABAC to preserve user authority into agent-initiated calls. The "scoped to the new audience and purpose" language directly supports the ABAC contextual constraint pattern.

Does not prove: The article does not use RBAC or ABAC terminology explicitly. The contextual enforcement it describes is delivered through token scoping and delegated exchange rather than traditional RBAC/ABAC labels — the MDX's framing of the article as describing "scoped identity + contextual authorisation" (i.e. the RBAC/ABAC pillars) is an interpretive mapping, not a verbatim claim.