Subscribe to the Non-Human & AI Identity Journal

How should security teams govern token exchange in federated identity flows?

Security teams should treat token exchange as a trust decision, not a protocol convenience. They need explicit validation of issuer, audience, and delegation lineage before minting a new token. Without those checks, a valid inbound token can become an overbroad local credential with weaker provenance than the original assertion.

Why This Matters for Security Teams

Token exchange sits at the seam between identity systems, so it deserves the same scrutiny as a privileged access decision. In federated environments, a token is often accepted as proof of trust and then transformed into a new local credential with a different audience, scope, and lifetime. That makes issuer validation, audience restriction, and delegation lineage essential, not optional. NIST Cybersecurity Framework 2.0 frames this as an access governance problem, not a transport detail.

The practical risk is credential inflation. A narrowly scoped upstream assertion can become a broader downstream token if the exchange service does not enforce context. That pattern appears repeatedly in real incidents, especially when teams rely on “it came from the IdP” as the only check. NHIMG’s Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, which is exactly the condition token exchange can amplify if governance is weak. In practice, many security teams discover token misuse only after a federated credential has already been replayed or exchanged into a more powerful local identity.

How It Works in Practice

Security teams should govern token exchange as a runtime trust check. The exchange service needs to confirm three things before minting a new token: the inbound issuer is trusted, the requested audience is legitimate, and the delegation path matches policy. That means verifying the original token, the actor requesting exchange, and the target resource together, rather than validating a signature in isolation.

Current best practice is to combine policy-as-code with short-lived credentials. An exchange should produce the smallest viable token for the shortest viable time, ideally tied to a single workload or transaction. This is especially important for federated NHI and agent workflows, where a token may be passed across services, tools, and clouds. The Top 10 NHI Issues and the NIST Cybersecurity Framework 2.0 both support this shift toward explicit governance, least privilege, and continuous validation.

  • Validate issuer, audience, and token type at exchange time, not just at initial authentication.
  • Require delegation lineage or actor claims so the downstream token reflects who or what requested the exchange.
  • Limit the exchanged token to a single audience and narrow scope, with a short TTL.
  • Log exchange decisions with enough context to reconstruct the trust chain during incident response.
  • Revoke or deny exchanges when upstream trust signals change, such as offboarding, compromise, or policy drift.

This becomes even more important when tokens are exposed in tickets, code, or chat systems. NHIMG’s 2025 State of NHIs and Secrets in Cybersecurity reports that 44% of NHI tokens are exposed in the wild, which means exchange controls must assume inbound material may already be at risk. These controls tend to break down when legacy applications require broad audiences and cannot support per-request policy evaluation.

Common Variations and Edge Cases

Tighter token exchange controls often increase integration overhead, requiring organisations to balance interoperability against assurance. That tradeoff matters most in hybrid estates, partner federations, and older applications that were never designed for audience-bound or context-aware tokens.

There is no universal standard for every exchange pattern yet, so teams should treat vendor defaults cautiously. Some environments use RFC 8693-style token exchange for service delegation, while others implement custom broker logic. The governance requirement is the same: the exchange point must enforce policy, not simply relay trust. For high-risk paths, it is reasonable to require step-up conditions, stronger attestation, or additional approval before minting a new credential.

Edge cases also include machine-to-machine hops, third-party SaaS connectors, and agentic workflows where one workload acts on behalf of another. In those cases, the exchanged token should remain traceable to the originating workload and should not outlive the specific task. The Salesloft OAuth token breach is a reminder that trust boundaries collapse quickly when token provenance is unclear. Best practice is evolving, but the operational rule is stable: if a downstream service cannot explain why a token was minted, it should not accept it.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-04 Token exchange can widen privilege if provenance and scope are not enforced.
OWASP Agentic AI Top 10 AGENT-05 Autonomous workloads need runtime authorization for delegated token use.
NIST AI RMF AI risk governance applies when agents use exchanged tokens across tools.

Govern agent token exchange with documented accountability, monitoring, and escalation paths.