Dynamic client registration is a protocol pattern that allows a software client to register itself with an authorization system automatically. For AI agents, it can reduce manual setup, but it also creates new identities at speed, which makes ownership, policy checks, and revocation essential.
Expanded Definition
Dynamic client registration is a protocol pattern where a software client can register itself with an authorization server at runtime instead of relying on a manual onboarding step. In NHI environments, that means an AI agent, service, or MCP-connected tool can obtain identity metadata quickly, but only if ownership, trust policy, and revocation are defined first.
Definitions vary across vendors because the term is used both for standards-based OAuth onboarding and for broader automation around identity creation. In practice, the important distinction is whether registration merely creates a record or also assigns an authentication method, scopes, expiry, and lifecycle controls. The IETF's OAuth ecosystem treats client registration as part of the protocol surface, while NHI governance treats it as an identity lifecycle event that should be governed like any other non-human identity. That is why practitioners often pair it with the control discipline described in the NIST Cybersecurity Framework 2.0 and with NHI lifecycle guidance from the Ultimate Guide to NHIs.
The most common misapplication is treating self-registration as a permission model, which occurs when teams allow clients to onboard without preapproved policy, ownership, or revocation rules.
Examples and Use Cases
Implementing dynamic client registration rigorously adds policy overhead: organisations must balance onboarding speed against identity sprawl and the post-registration review burden.
- An AI agent requests a client ID during deployment, then receives short-lived credentials only after the platform verifies its owner, purpose, and allowed scopes.
- A partner integration registers through an API gateway, but the registration workflow enforces tenant-specific RBAC and JIT approval before any secrets are issued.
- A CI/CD tool spins up ephemeral clients for each pipeline run, which reduces manual setup but creates a need for automatic offboarding when the job ends.
- An enterprise that adopts OAuth-based onboarding references the registration workflow alongside NIST Cybersecurity Framework 2.0 to align access, logging, and recovery expectations.
- A security team reviews Ultimate Guide to NHIs guidance to decide whether each registered client should be treated as a durable identity or a disposable runtime artifact.
In standards discussions, the surrounding controls may differ depending on whether the client is human-operated, agentic, or machine-to-machine, so implementation details should not be assumed to be universal.
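The distinction drawn above, between registration that merely creates a record and registration that assigns an authentication method, scopes, expiry, and lifecycle controls, is easiest to see in code. The following is an added illustration, not code from the original page or from any vendor; it models a policy-gated registration endpoint using the RFC 7591 field names, with a constructed, hypothetical owner policy table (POLICY), an in-memory registry (CLIENTS), and explicit revocation and validity checks so that a client cannot outlive its owner's policy or its expiry.

```python
import secrets
import time
# Constructed, hypothetical preapproved policy: owner -> allowed scopes, auth method, secret lifetime.
POLICY = {
    "team-data-platform": {"scopes": {"read:reports", "write:reports"}, "auth": "client_secret_basic", "ttl": 3600},
    "ci-pipeline": {"scopes": {"read:artifacts"}, "auth": "client_secret_basic", "ttl": 900},
}
CLIENTS = {}  # client_id -> record; stands in for the authorization server's registry

class RegistrationError(ValueError):
    """Registration request failed a policy check."""

def register_client(request: dict, owner: str, purpose: str) -> dict:
    """Policy-gated registration using RFC 7591 request/response field names."""
    policy = POLICY.get(owner)
    if policy is None:
        raise RegistrationError("no preapproved policy for owner")
    if not purpose.strip():
        raise RegistrationError("purpose is required")
    requested = set(request.get("scope", "").split())
    if not requested or not requested <= policy["scopes"]:
        raise RegistrationError(f"scopes outside policy: {sorted(requested - policy['scopes'])}")
    now = int(time.time())
    record = {
        "client_id": secrets.token_urlsafe(16),
        "client_secret": secrets.token_urlsafe(32),
        "client_id_issued_at": now,
        "client_secret_expires_at": now + policy["ttl"],  # never 0, which would mean non-expiring
        "token_endpoint_auth_method": policy["auth"],  # assigned by policy, not chosen by the client
        "scope": " ".join(sorted(requested)),
        "owner": owner,  # lifecycle metadata stored beside the OAuth fields
        "purpose": purpose,
        "revoked": False,
    }
    CLIENTS[record["client_id"]] = record
    return record

def revoke_client(client_id: str) -> bool:
    """Offboarding: a revoked client fails validation immediately."""
    record = CLIENTS.get(client_id)
    if record is not None:
        record["revoked"] = True
    return record is not None

def is_client_valid(client_id: str, now=None) -> bool:
    """Usable only if registered, not revoked, and the secret has not expired."""
    record = CLIENTS.get(client_id)
    if record is None or record["revoked"]:
        return False
    return (int(time.time()) if now is None else now) < record["client_secret_expires_at"]
```

A CI/CD integration would call revoke_client at the end of each pipeline run, and an audit job can walk CLIENTS for records whose owner no longer appears in POLICY.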
Why It Matters in NHI Security
Dynamic client registration matters because it turns identity creation into a scalable process, and any scalable identity process can also scale risk. If registration is not tied to ownership, expiry, and revocation, organisations can accumulate orphaned clients, excessive scopes, and forgotten integrations that are difficult to audit. That problem is especially acute for AI agents and other autonomous software entities, where a single deployment pipeline can produce many identities across environments.
NHIMG research shows that only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them. That gap becomes more dangerous when registration is automated, because newly created clients can remain valid long after the system or business process that created them has changed. This is why governance practices described in the Ultimate Guide to NHIs are so important when organisations expand agentic workflows, and why identity assurance and access control must stay aligned with NIST Cybersecurity Framework 2.0 principles.
Organisations typically discover failures caused by revoked access, unexpected privilege accumulation, or untracked service exposure only during an incident review or an integration outage, at which point governing dynamic client registration can no longer be deferred.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Covers lifecycle and ownership risks for machine identities created without governance. |
| NIST CSF 2.0 | PR.AC-1 | Access management applies to automated client onboarding and entitlement issuance. |
| NIST Zero Trust (SP 800-207) | AC-3 | Zero Trust requires each client identity to be individually authorized after registration. |
Require ownership, expiry, and revocation for every dynamically registered client.