OAuth can show that a token was issued and exchanged correctly, but it cannot prove that downstream actions still matched the original authorization intent. In multi-hop workflows, that leaves policy, accountability, and semantic enforcement outside the token itself.
Why OAuth Alone Breaks the Delegation Chain
For autonomous agents, the failure is not token issuance but control loss after issuance. OAuth proves that an access token exists and that a handoff occurred, yet it does not preserve the original task intent through every downstream call, tool invocation, or sub-agent handoff. That is why agent-to-agent delegation needs more than authentication and consent. It needs runtime authorisation, workload identity, and policy checks that can follow the action, not just the token. The OWASP Agentic AI Top 10 and NIST AI Risk Management Framework both point toward governance that evaluates behaviour in context, which OAuth alone was never designed to do.
This gap matters because non-human identity (NHI) risk is already widespread. NHI Mgmt Group research shows that only 5.7% of organisations have full visibility into their service accounts, so delegation chains often run through identities that are poorly observed and weakly governed. In practice, many security teams discover misuse only after an agent has already chained permissions across systems, rather than catching it through intentional policy enforcement.
How to Replace Static Delegation with Runtime Control
The practical fix is to treat the agent as a workload with constrained, ephemeral authority. That means issuing JIT credentials for a single task, binding them to a workload identity, and revoking them automatically when the task completes. Current guidance suggests that static RBAC is a poor fit for goal-driven software, because an agent’s next action is not always predictable at design time. Instead, authorisation should be intent-based and evaluated at request time using policy-as-code, such as OPA or Cedar, so the decision can account for the task, resource, time, and trust context.
In mature designs, OAuth may still play a role as a transport or federation layer, but it should not be the only control. A stronger pattern is:
- prove the agent’s identity with cryptographic workload identity, not just a bearer token;
- issue short-lived secrets per task rather than long-lived static credentials;
- check whether the requested action matches the declared intent;
- limit each hop to the minimum privileges required for that hop;
- log the delegation chain so accountability survives multi-agent handoffs.
This is consistent with the CSA MAESTRO agentic AI threat modeling framework, which emphasises mapping agent behaviour, tool access, and control boundaries, and with NHIMG analysis in the OWASP NHI Top 10. These controls tend to break down when agents can spawn sub-agents, chain tools across domains, or operate inside loosely monitored SaaS integrations because the original OAuth grant no longer reflects the real security decision.
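The pattern listed above, shown as an added example (not code from the original page or from any framework it names): a per-task grant bound to a workload identity, attenuated at each hop, checked at request time, and logged with its full delegation chain. The `Grant`, `delegate`, `chain` and `authorize` names, the SPIFFE-style IDs and the action/resource pairs are all assumptions made for illustration; a production design would express the decision in a policy engine such as OPA or Cedar.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    """Per-task, short-lived authority bound to one workload identity."""
    task_id: str
    workload_id: str              # SPIFFE-style ID (constructed values below)
    allowed: frozenset            # (action, resource) pairs declared as task intent
    expires_at: float             # epoch seconds; short TTL
    parent: "Grant | None" = None

def delegate(parent, workload_id, allowed, expires_at):
    """Mint a child grant for the next hop; authority and lifetime may only shrink."""
    allowed = frozenset(allowed)
    if not allowed <= parent.allowed:
        raise PermissionError("child grant exceeds parent intent")
    return Grant(parent.task_id, workload_id, allowed,
                 min(expires_at, parent.expires_at), parent)

def chain(grant):
    """Workload IDs from the original grantee down to this hop."""
    ids = []
    while grant:
        ids.append(grant.workload_id)
        grant = grant.parent
    return ids[::-1]

def authorize(grant, caller_id, action, resource, now, audit, revoked=()):
    """Request-time decision: identity binding, TTL, revocation, then intent."""
    if caller_id != grant.workload_id:
        decision = "deny: grant not bound to caller"
    elif now >= grant.expires_at:
        decision = "deny: grant expired"
    elif grant.task_id in revoked:
        decision = "deny: task revoked"
    elif (action, resource) not in grant.allowed:
        decision = "deny: action outside declared intent"
    else:
        decision = "allow"
    audit.append({"task": grant.task_id, "chain": chain(grant), "action": action,
                  "resource": resource, "decision": decision})
    return decision == "allow"

# Constructed sample: a planner agent hands one narrowed capability to a mailer.
ROOT = Grant("task-42", "spiffe://example.org/agent/planner",
             frozenset({("read", "crm:contacts"), ("send", "mail:digest")}), 1000.0)
CHILD = delegate(ROOT, "spiffe://example.org/agent/mailer",
                 {("send", "mail:digest")}, 5000.0)  # TTL clamped to the parent's
```

Every decision, including denials, lands in the audit list with the chain attached, so a denied request from a sub-agent can still be traced back to the grant that started the task.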
Where the Edge Cases Create Real Operational Risk
Tighter delegation control often increases latency, integration complexity, and policy maintenance overhead, so organisations must balance automation speed against containment. There is no universal standard for this yet, but the direction of travel is clear: autonomous systems need zero standing privilege, short TTLs, and continuous policy evaluation instead of broad standing grants. The tradeoff becomes more acute in high-throughput environments, where teams are tempted to keep OAuth scopes broad so agents do not “break” workflows.
That convenience is where abuse begins. The same pattern shows up in token-theft and third-party visibility failures, including the Salesloft OAuth token breach and NHIMG’s AI LLM hijack breach coverage, where the issue was not token presence but what the actor could do once inside. If an agent must act across tenants, delegate to other agents, or touch regulated data, current best practice is to combine intent checks, JIT provisioning, and Zero Trust Architecture rather than rely on OAuth scopes as a proxy for authorisation. The model is strongest when every hop is separately justified; it is weakest in long-lived integrations where the same token can outlive the task it was meant to authorise.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Agentic workflows need runtime controls beyond static OAuth scopes. |
| CSA MAESTRO | | MAESTRO models tool use, delegation paths, and control boundaries for agents. |
| NIST AI RMF | | AI RMF covers governance and accountability for autonomous agent behaviour. |
Evaluate each agent action at request time against declared task intent and current context.