Subscribe to the Non-Human & AI Identity Journal

What do organisations get wrong about OAuth for AI agent connectivity?

They often treat OAuth as a login feature instead of a delegated authorisation model with lifecycle obligations. The common mistake is trusting the initial consent step and then failing to monitor token scope, token rotation, revocation, and connected-app ownership over time.

Why This Matters for Security Teams

OAuth is often introduced as a clean way to let an AI agent connect to SaaS tools, but the security burden does not end at consent. For autonomous workloads, the risk is what happens after the first token is issued: scope drift, forgotten refresh tokens, orphaned connected apps, and unclear ownership. That is why current guidance from the OWASP Agentic AI Top 10 and NIST AI Risk Management Framework stresses runtime governance, not one-time approval.

In NHIMG research on CoPhish OAuth Token Theft via Copilot Studio, the lesson is blunt: a delegated connection can become an attack path when the organisation forgets that OAuth grants durable capability, not just a login event. In practice, many security teams discover OAuth misuse only after the agent has already accessed data outside its intended purpose, rather than through intentional review of connected-app behaviour.

How It Works in Practice

The core mistake is treating OAuth like authentication instead of delegated authorisation with lifecycle obligations. An AI agent does not “sign in” once and stay safe. It receives tokens that may allow tool access, API calls, mailbox reads, file operations, or workflow execution, and those tokens can outlive the task unless they are deliberately constrained. Best practice is evolving toward short-lived grants, explicit scope design, and continuous review of what each connected app can do.

For agentic systems, current guidance suggests pairing OAuth with workload identity and runtime policy checks. That means the platform should know which agent is acting, what tool it is invoking, why it needs the action, and whether the request fits the task context. Frameworks such as the CSA MAESTRO agentic AI threat modeling framework and the MITRE ATLAS adversarial AI threat matrix support this shift from static trust to monitored capability.

  • Issue the narrowest feasible OAuth scope for the shortest feasible time.
  • Separate human delegated access from autonomous agent access.
  • Review refresh token storage, rotation, and revocation as operational controls, not admin housekeeping.
  • Track connected-app ownership so abandoned integrations are removed quickly.
  • Log every privileged API call with agent identity, task context, and tool target.

NHIMG’s AI Agents: The New Attack Surface report notes that 80% of organisations report AI agents have already acted beyond their intended scope, which is exactly why token governance cannot rely on initial approval alone. These controls tend to break down in multi-agent environments with shared service accounts and long-lived refresh tokens because ownership and intent become ambiguous across chained tool calls.

Common Variations and Edge Cases

Tighter OAuth control often increases operational overhead, requiring organisations to balance developer velocity against revocation discipline and auditability. There is no universal standard for this yet, especially where agents need to act across multiple SaaS tenants, delegated enterprise mailboxes, or external partner APIs.

One common edge case is a semi-autonomous assistant that needs periodic access to the same toolset. In that case, teams should avoid assuming a single consent screen is enough. Another is a multi-agent workflow where one agent obtains data and another executes actions: the first token may look harmless, but the chain can still produce a high-impact outcome. Guidance from OWASP Top 10 for Agentic Applications 2026 and NHIMG’s Analysis of Claude Code Security shows why tool chaining, prompt injection, and over-scoped tokens should be reviewed together rather than as separate problems.

When organisations rely on refresh tokens for “convenience,” best practice is to treat those tokens as standing privilege unless they are tightly bound to device, workload, or session context. That becomes especially fragile in shadow AI deployments, where connected apps are created without central ownership. In those environments, OAuth fails most often because no one can answer a simple question fast enough: who can still do what, with which token, and for how long?

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10, CSA MAESTRO and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 A2 Agent tool access and token misuse are central to OAuth risk.
CSA MAESTRO TA-3 Covers threat modeling for agent-to-tool delegation and abuse paths.
NIST AI RMF GOVERN OAuth for agents needs accountability, oversight, and lifecycle governance.
OWASP Non-Human Identity Top 10 NHI-03 Refresh tokens and long-lived secrets create standing privilege risk.
NIST Zero Trust (SP 800-207) PL-2 OAuth decisions should be context-aware and continuously evaluated.

Rotate and revoke agent tokens routinely, and eliminate unnecessary long-lived grants.