NIST recently released a new AI security research making an argument rooted in one of the most fundamental theorems in mathematics: Gödel's incompleteness theorems, which prove that no finite, consistent rule system can be complete. Apply that to AI security, and the implication is striking - no absolute set of AI guardrails can defend against every AI adversarial input or unauthorized action. The problem space is mathematically larger than static rules can cover.
This is a logical proof applied to a security architecture question. And it has direct, practical consequences for how enterprises think about governing enterprise AI agents.
I think AI Security cannot stop at shifting from rules to behavior, but needs to extend from rules to identity and intent. And that distinction determines whether your AI agent governance program can keep pace with the problem it is trying to solve.
What NIST Is Actually Saying
The NIST AI Risk Management Framework has been the reference document for enterprise AI governance since its release. It is comprehensive, thoughtful, and built around a systematic approach to identifying, measuring, and managing AI risk.
You can define what an AI agent should not do, but you cannot enumerate every way it might do something you didn't anticipate. The attack surface - and the failure surface - is open-ended by nature.
This is the same insight that drove the shift from perimeter-based network security to Zero Trust. You cannot define a complete set of rules for what traffic should be allowed and what should be blocked, because the threat landscape evolves faster than the rule set. The answer was continuous verification: not trusting any traffic by default and validating every connection regardless of origin.
The AI agent governance equivalent of that shift is happening right now. And it points directly to intent-based identity as the architecture that survives what static rules cannot.
Why Rules Fail for Enterprise AI Agents Specifically
The incompleteness argument is general; it applies to any system governed by finite rules against an open-ended problem space. But enterprise AI agents make the failure modes concrete in ways that are immediately recognizable to any security leader.
Rules assume predictable behavior. A rule that says "this agent cannot access the HR system" is straightforward to enforce when the agent's actions are deterministic. When the agent reasons about a task, adapts to context, and chains tool calls in sequences that were never explicitly anticipated at provisioning time, the rule coverage problem multiplies with every degree of agent autonomy.
Rules are defined at provisioning time. An AI agent's rule set is configured when it is deployed. The environment the agent operates in - the workflows that invoke it, the systems it integrates with, the data it accesses - evolves continuously after provisioning. Rules that were complete on day one develop gaps over time, not because anyone made an error, but because the agent's operational context changes faster than any rule-maintenance process can keep up with.
Rules don't survive AI agent chains. In a multi-agent deployment, a supervisor agent delegates to a worker agent, which in turn invokes a sub-agent that accesses a sensitive system. Each agent in the chain may be operating within its individually defined rules. The chain as a whole may be producing an outcome that no single rule set was designed to prevent. Gödel's incompleteness theorem applies here with particular force; the emergent behavior of agent chains exceeds what can be captured in the rule sets of individual agents.
Rules can't detect intent drift. An AI agent that begins executing actions consistent with its rules but inconsistent with its organizational purpose - because a workflow changed, because a prompt was manipulated, because the agent's model was updated - is a governance failure that static rules cannot detect. The rules are satisfied. The intent has drifted.
Where It Needs to Go Further
Behavioral detection is more adaptive than rule enforcement because it does not depend on anticipating every failure mode in advance. It detects deviation from established patterns, regardless of whether the specific deviation was anticipated when the rules were written.
But behavioral detection alone has a limitation that matters for enterprise AI agent governance: it tells you when something looks different. It does not tell you whether what is different is wrong.
Enterprise AI agents are, by design, non-deterministic. The same agent executing legitimate tasks may exhibit meaningfully different behavioral patterns across sessions, different tool call sequences, different data access combinations, different execution paths, all within its authorized scope and all for legitimate reasons driven by the specific context of each task.
Behavioral anomaly detection applied to agents without an intent baseline produces one of two outcomes: false positives that create operational friction as legitimate agent variance triggers alerts, or tuned thresholds so loose that meaningful signals are suppressed.
The answer is not behavior alone. It is identity and intent as the reference layer against which behavior is evaluated.
Intent-Based Identity: The Architecture NIST Is Pointing Toward
If the rules are incomplete and behavior alone is insufficient, what governance architecture actually solves the problem?
Gartner's 2026 Hype Cycle for Digital Identity names it "Intent-Based Access Control." An authorization framework that replaces broad, standing permissions with access tied to the captured intent of the user and the agent, evaluated continuously against the agent's actual behavior at runtime.
This is the architecture that addresses what the NIST analysis reveals:
Organizational intent as the reference standard. Instead of a finite set of rules that cannot be complete, you capture the organizational intent for each agent - what it was built to do, what systems it should access, what data types it should handle, what actions it is authorized to take. This is not a rule set. It is a structured definition of purpose that becomes the baseline against which everything else is evaluated.
Runtime behavioral governance as continuous validation. Rather than checking rules at the gate and stepping back, intent-based governance continuously evaluates whether the agent's actual behavior - its reasoning chain, its tool call sequence, its data access pattern - is consistent with its organizational intent baseline. The evaluation is not "does this action violate a rule" but "is this action consistent with what this agent was built to do." That is a fundamentally different, and more complete, governing question.
Identity as the accountability layer. Rules tell you what is permitted. Intent-based identity tells you who authorized what, under what organizational intent, and whether the actions taken were consistent with that authorization, across every hop in a multi-agent chain. This is what makes governance auditable, accountable, and defensible when an incident occurs.
The combination is what survives the NIST incompleteness argument: not rules that try to enumerate every prohibited action, but an identity-and-intent layer that continuously validates whether every action is consistent with the organizational purpose that authorized it.
From Proof to Practice
The practical implication of the NIST analysis is not that AI governance is impossible. The architecture of AI governance has to match the nature of the problem.
Static rules are the wrong architecture for governing systems that reason, adapt, and operate in ways that were not fully anticipated at configuration time. They will always have gaps, and those gaps will be found - by attackers, by behavioral drift, by the emergent behavior of agent chains that exceed the coverage of any individual rule set.
The governance architecture that matches the problem is one built around identity and intent rather than rules and permissions. One that continuously evaluates whether agents are doing what they were built to do, rather than only checking whether their actions are technically permitted. One that maintains accountability across multi-agent chains rather than only at the individual agent level.
Gartner says Intent-Based Access Control is 5-10 years from mainstream adoption. NIST's research explains why this is the direction the industry needs to move in. The organizations that build this infrastructure now, before mainstream adoption, before the incidents that make it undeniable, will be the ones with governance programs that can actually keep pace with what enterprise AI agents are capable of.
Rules aren't enough when it comes to AI Agents. The proof is mathematical. The answer is AI Agent identity and AI Agent intent.
Amir Ofek is CEO and Co-Founder of aizome, an Enterprise AI Agent Identity Fabric Platform and a founding player in the ARISE - Agentic Runtime Identity Security Enforcement - category.
This post was inspired by Darktrace's analysis "NIST Just Proved It: AI Security Can't Be Solved With Rules," published July 2026.