AI agent identity and auth still depend on enterprise IAM

By NHI Mgmt Group Editorial TeamPublished 2025-10-27Domain: Agentic AI & NHIsSource: WorkOS

TL;DR: AI applications can already inherit enterprise authentication, authorization, token management, and audit logging patterns today, according to WorkOS, but the real challenge remains governance around identity context, scoped permissions, and accountability across agent-driven actions. Identity for AI is not a model problem, it is an IAM control problem that now shows up in production workflows.

At a glance

What this is: This is a demo-led analysis of enterprise identity for AI agents, showing that authentication, authorization, token handling, and audit logging are the real control points.

Why it matters: It matters because IAM teams now have to govern AI-powered workflows with the same discipline they apply to human and non-human identities, while accounting for agent-driven action and attribution.

By the numbers:

80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).
97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.

👉 Read WorkOS's MCP.shop demo on AI agent identity and enterprise auth

Context

AI agent identity is not a novelty layer on top of application design. Once a conversational interface can place orders, call tools, or move between systems, the enterprise still needs to know who the actor is, what it may do, and how to attribute every action back to an authorised principal.

The governance gap is that many AI programmes treat identity as plumbing instead of policy. That works for prototypes, but enterprise deployment depends on authentication, scoped authorization, token lifecycle control, and auditability that can survive multi-turn agent interactions and delegated actions.

Key questions

Q: How should security teams govern AI agents that act on behalf of users?

A: Security teams should govern AI agents as delegated application identities. That means every action must be tied to a verified user, limited by scoped authorization, tracked through durable audit logs, and constrained by token controls that can be revoked across connected systems. If any one of those pieces is missing, the agent becomes hard to attribute and harder to contain.

Q: Why do AI agents still need traditional IAM controls?

A: AI agents still need traditional IAM controls because the enterprise security problem has not changed, only the interface has. Authentication proves who is acting, authorization limits what they can do, and audit logging preserves evidence. Conversational systems add speed and complexity, but they do not remove the need for identity, session, and permission governance.

Q: What breaks when AI agent identity context is not preserved across sessions?

A: When identity context is not preserved across sessions, the enterprise loses attribution, policy enforcement becomes inconsistent, and investigations become incomplete. The user may have started the action, but without durable context the organisation cannot prove which principal authorised the tool call or whether later actions remained within scope.

Q: How do access reviews change for AI-powered workflows?

A: Access reviews need to shift from static entitlement lists to actual action evidence. For AI-powered workflows, the important question is not just who has access on paper, but whether the agent used that access within policy, across which tools, and with what logged outcome. Review processes should be able to reconstruct the full delegated action chain.

Technical breakdown

Authentication, authorization, and audit trail for AI agents

Enterprise AI applications still rely on the same identity primitives as conventional software. Authentication establishes the principal, authorization limits which actions the principal can take, and audit logging records what the system did on the principal’s behalf. The hard part in conversational systems is that these controls must persist across multiple turns, tool calls, and context changes without losing attribution. If the identity layer is weak, the model may appear to be the actor while the enterprise loses the ability to prove who approved what. That is an IAM design issue, not an LLM issue.

Practical implication: tie every agent action to an authenticated user session and a durable audit record before expanding conversational workflows.

Token lifecycle and scoped permissions in agent workflows

Agentic applications depend on short-lived credentials, refreshed tokens, and fine-grained permission boundaries because the agent may act repeatedly within a session. Token management is not just about preventing theft. It is also about limiting what the agent can do once authorised and ensuring revocation actually removes access from downstream tools and data sources. Scoped permissions matter because enterprise users rarely need full access for every conversational task. The identity layer therefore has to translate user intent into bounded privilege, not broad session trust.

Practical implication: review token issuance and revocation paths across all connected tools before allowing agents to transact or mutate data.

Why conversational AI still inherits traditional IAM patterns

The demo shows a useful truth: chat interfaces do not eliminate established IAM requirements. OAuth, SAML federation, RBAC, session tokens, and compliance logging remain the backbone of enterprise access control, even when the user experience changes from forms to prompts. The interface may be new, but the security obligations are not. What changes is the speed and opacity of action, which makes it easier for controls to be assumed rather than verified. That is why identity must be designed into the workflow, not bolted onto the model.

Practical implication: validate that existing IAM controls work inside conversational flows instead of assuming your current web app patterns will carry over unchanged.

Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

AI agent identity should be treated as application identity with delegated authority, not as a separate security exception. The demo reinforces that conversational interfaces still depend on authentication, authorization, token lifecycle management, and audit logging. What changes is the execution path, not the identity discipline. Practitioners should therefore govern agent behaviour through the same access lifecycle thinking used for other non-human identities, with tighter scrutiny on delegated actions and attribution.

Identity context, not model capability, is the real control plane for enterprise AI. The article makes clear that the model can be impressive while the surrounding security model remains fragile. If identity context is lost across exchanges, the enterprise can no longer prove who authorised the action, which tools were in scope, or whether the action stayed within policy. That is a governance failure, not a UX issue. Practitioners should evaluate AI deployments through the lens of durable identity context.

Scoped permissioning becomes the boundary between safe assistance and unsafe autonomy-like behaviour. The most consequential question is not whether the system can talk, but whether it can only do what the principal is entitled to do. Fine-grained authorization turns conversational intent into bounded capability, which is essential when agents can place orders, update records, or invoke connected services. Teams should treat permission boundaries as the primary containment layer for agent-driven workflows.

Named concept: identity context persistence. This post highlights the need for identity context to survive across multi-turn sessions, tool handoffs, and delayed actions without losing attribution. When context persistence is weak, auditability fragments and policy enforcement becomes inconsistent. Practitioners should define where identity state lives, how it is refreshed, and how it is proven at each step of the agent workflow.

AI application teams will be judged on governance quality, not demo quality. Enterprise buyers care less about whether an agent can complete a purchase and more about whether the organisation can control, log, and revoke that capability safely. That pushes identity engineering into the product core. Practitioners should expect security review to focus on session integrity, authorization granularity, and evidence quality.

From our research:
80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to the same SailPoint research.
For a broader control baseline, review Ultimate Guide to NHIs for governance, visibility, rotation, and offboarding patterns that still apply when AI workflows inherit non-human identity risk.

What this signals

Identity context persistence: if your AI workflow cannot preserve principal context across multiple turns, the control environment is already behind the behaviour. That gap will show up first in auditability, then in policy enforcement, and finally in incident response.

The practical signal for IAM teams is whether existing session, token, and authorization models can survive conversational latency and delegated tool use. If they cannot, the programme needs to treat AI workflows as a separate governance path, not a cosmetic interface change.

With 92% of organisations saying governing AI agents is critical to enterprise security, yet only 44% having implemented policies to do so, the market signal is clear: governance is lagging deployment, not leading it. Teams should use that gap to prioritise controls before agent use expands further.

For practitioners

Bind every agent action to a verified principal Require authentication before any tool use, persist the session identity across the full conversation, and ensure downstream systems receive the same principal context for attribution and audit.
Limit agent permissions to the smallest useful scope Map each conversational workflow to explicit RBAC or FGA rules so the agent can only browse, read, or transact within the exact boundaries the user is entitled to use.
Review token issuance and revocation paths end to end Check that access tokens, refresh tokens, and delegated credentials can be revoked across all connected systems, not just the primary application session.
Make audit logging usable for investigations Log who initiated the request, which tool the agent called, what data it touched, and what policy permitted the action so compliance teams can reconstruct the sequence later.

Key takeaways

AI agent identity is an IAM problem first, because the enterprise still needs authentication, authorization, auditability, and revocation even when actions happen through conversation.
When identity context is not preserved across turns and tools, enterprises lose attribution and policy enforcement, which turns agent behaviour into an accountability problem.
Practitioners should tighten scope, token lifecycle control, and audit evidence before expanding agent-driven workflows beyond pilot use.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework	Control / Reference	Relevance
OWASP Agentic AI Top 10	A1	Agentic workflows rely on bounded tool use and identity context.
OWASP Non-Human Identity Top 10	NHI-04	Token lifecycle and delegated access are central to this article.
NIST Zero Trust (SP 800-207)	PR.AC-4	Zero Trust requires continuous authorization for delegated AI actions.

Map AI agent actions to explicit tool and permission boundaries before allowing production access.

Key terms

Identity Context Persistence: Identity context persistence is the ability to carry a verified principal, its permissions, and its audit trail across a multi-step interaction. For AI agents, that context must survive tool calls, session pauses, and delegated actions so the enterprise can still prove who authorised what and when.
Scoped Permissioning: Scoped permissioning limits an identity to only the actions and data required for a specific task. In AI workflows, it prevents a conversational agent from inheriting broad application access simply because a user authenticated once, and it is most effective when tied to explicit policy and revocation.
Delegated Application Identity: A delegated application identity is an application or agent that acts on behalf of a user while inheriting a bounded set of permissions. The identity is not autonomous by default; it is authorised to perform specific actions, and every action must remain attributable to the original principal.

Deepen your knowledge

AI agent identity, authorization, and audit logging are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are extending IAM into conversational workflows, it is a practical place to pressure-test your governance model.

This post draws on content published by WorkOS: MCP.shop Demo on AI agent identity and enterprise auth. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-10-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org