TL;DR: AI agents, MCP servers, and short-lived delegated access are now central to enterprise identity design, according to Descope’s FY25 review, alongside 300% growth in monthly active users and 1655% growth in total identities under management. The governance problem is no longer theoretical: identity controls built for stable users do not fit actors that acquire, use, and revoke access on demand.
At a glance
What this is: Descope’s FY25 review argues that AI agent identity, customer SSO, and developer flexibility are now converging into a single control plane problem for modern identity teams.
Why it matters: IAM, NHI, and human identity programmes all have to account for ephemeral delegated access, shared admin workflows, and auditability when AI agents and MCP servers enter production.
By the numbers:
- A 300% increase in monthly active users logging in to customer apps using Descope.
- A 1655% increase in total identities under management.
👉 Read Descope’s FY25 year in review for identity, SSO, and AI agent governance
Context
AI agent identity is no longer a niche extension of IAM. The problem now spans customer SSO, delegated access, MCP server connectivity, and the governance of non-human identities that can act with their own runtime choices. That shift matters because the controls most organisations use were built for human users or static machine accounts, not for agents that operate in short-lived, policy-bound sessions.
Descope’s FY25 review is best read as a snapshot of where identity platforms are moving under pressure from AI adoption. The central issue is not only whether an agent can authenticate, but whether its access can be scoped, audited, and revoked in ways that preserve enterprise accountability across the human, NHI, and agentic layers.
For practitioners, this is a lifecycle problem as much as an access problem. Provisioning, federation, token scope, and revocation now have to work across people, workloads, and AI agents without relying on assumptions that every identity behaves on a predictable human cadence.
Key questions
Q: How should security teams govern AI agents that use delegated access?
A: They should define agent access as task-scoped, time-bounded, and policy-enforced at every boundary where the agent can reach data or tools. The key is to prevent inherited privilege from expanding during execution. Governance should include explicit ownership, auditable scope, and revocation paths that work even when the agent session is short-lived.
Q: Why do AI agents complicate existing IAM and NHI models?
A: AI agents complicate IAM and NHI models because they sit between human intent and machine execution. They are not stable like a service account, and they are not reviewable like a person on a fixed lifecycle. That makes access scope, auditability, and revocation harder to reason about unless the identity model treats the agent as its own governed class.
Q: What breaks when MCP connections are granted too much trust?
A: What breaks is the policy boundary between the agent and the services it can reach. If an MCP connection can move from one tool to another without a fresh authorisation decision, the platform has effectively widened the original grant. That increases blast radius and makes it much harder to prove what access was actually intended.
Q: Who should own lifecycle controls for agent identity and federation?
A: Ownership should sit with the identity team, but it must include the platform and application teams that expose or consume agent access. The practical rule is that every agent identity needs an owner, a revocation route, and an audit trail. If those three things are unclear, accountability will fail when the agent’s access changes.
Technical breakdown
Ephemeral delegated access for AI agents
AI agents need access patterns that differ from human login flows and from long-lived service accounts. In practice, that means short-lived tokens, scoped delegation, and session-level enforcement rather than persistent credentials that can be reused outside the original task. The technical challenge is not just authentication. It is ensuring that the agent’s downstream calls remain bounded by the original grant while still supporting machine-to-machine interoperability through protocols such as MCP.
Practical implication: define agent access as task-scoped and time-bounded, then verify that token scope cannot expand silently during execution.
MCP server identity and trust boundaries
MCP changes the way agents connect to tools and data, but it also creates a new identity boundary that has to be governed. The server, the client, and the downstream service all need explicit trust relationships, and those relationships must survive multi-tenant, partner, and internal use cases. If the identity layer is not designed for this, teams end up with brittle allowlists, confused delegation paths, or overbroad credentials that bypass the intended access model.
Practical implication: treat MCP endpoints as privileged integration surfaces and require explicit policy enforcement at each trust boundary.
Customer SSO, SCIM, and admin lifecycle control
The review’s SSO and SCIM details show that identity work is still dominated by onboarding, migration, and tenant administration. Multi-IdP support, self-service setup, and zero-downtime migration reduce friction, but they also increase the number of lifecycle states that must be tracked cleanly. Every extra admin path is a governance path, because a broken migration or unclear ownership model can leave orphaned connections and unmanaged access behind.
Practical implication: map every SSO and SCIM flow to an owner, a revocation path, and a recertification point before scaling adoption.
Threat narrative
Attacker objective: The attacker’s objective is to abuse delegated machine access to reach tools, data, or actions that should have remained outside the original agent session.
- Entry occurs when an AI agent or connected workload receives delegated access to an MCP server, downstream API, or integrated service through short-lived credentials.
- Escalation occurs if the granted scope is broader than the immediate task or if the trust boundary between client, server, and service is not enforced consistently across calls.
- Impact follows when the agent can access sensitive resources, perform unauthorised actions, or trigger audit gaps that make it difficult to reconstruct what was touched and why.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AI agent identity is becoming a control plane problem, not a point solution problem. The review shows identity, SSO, SCIM, MCP, and agent governance converging in the same operational layer. That means teams can no longer evaluate human IAM, workload identity, and agentic access separately if the same platform is mediating all three. Practitioners should treat agent identity as part of the broader identity architecture, not as a sidecar feature.
Ephemeral delegated access is the right model for AI agents, but it also exposes where classic lifecycle thinking breaks down. Provisioning and revocation were designed for identities that persist long enough to be reviewed, recertified, and offboarded. That assumption weakens when agents are granted short-lived access in repeated bursts and can re-enter the system on demand. The implication is that lifecycle governance must be rethought around session logic, not just account records.
MCP trust boundaries are now a governance issue, not just an integration issue. The vendor’s framing around secure connections to MCP servers reflects a broader market shift: tool connectivity has become an access-control surface. Once an agent can cross from one service to another through a protocol layer, policy enforcement has to follow the chain rather than stop at the initial authentication event. Practitioners should audit where policy ends and delegation begins.
Customer SSO complexity and agent identity complexity are starting to look like the same operational problem. Multi-IdP tenants, self-service admin setup, and migration of existing connections all increase the number of identities and relationships that must remain coherent under change. The field should expect more pressure on identity platforms to unify tenant admin, federation, and agent governance in one model instead of treating them as separate products. Practitioners should plan for consolidation in their own control design.
Short-lived credentials only work when revocation, scope, and audit are first-class, not implied. The post’s emphasis on short-lived, scoped tokens is a reminder that credential expiry alone does not equal governance. If the surrounding policy layer cannot describe what the token may do, where it may go, and how its activity will be reconstructed later, the organisation has simply moved risk into a narrower window. Practitioners should measure controls by enforceability, not by token duration.
From our research:
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
- In the same research, 80% of organisations say their AI agents have already performed actions beyond their intended scope, including access to unauthorised systems, inappropriate data sharing, and revealed credentials.
- For a broader view of how those blind spots map to governance, see OWASP Agentic AI Top 10 for the current risk model practitioners should apply.
What this signals
Ephemeral identity is now the practical test of programme maturity. With 98% of companies planning to deploy even more AI agents within the next 12 months, governance teams need to assume agent populations will expand faster than policy coverage. The question is no longer whether agents will enter the environment, but whether the identity layer can classify, scope, and audit them before they become invisible operational debt.
Delegation chains are becoming the new source of hidden privilege. A human user, tenant admin, workload, and agent can all sit inside one access path, but the failure often appears only when the chain is reconstructed after an incident. That is why practitioners should align their control model with the chain itself and use resources such as the Ultimate Guide to NHIs to compare lifecycle, visibility, and revocation expectations across actor types.
Short-lived tokens do not remove governance pressure. They move it into the policy engine, the audit log, and the revocation path. The teams that will cope best are the ones that treat agent identity as part of zero trust architecture, using the NIST AI Risk Management Framework and the OWASP Top 10 for Agentic Applications 2026 as the baseline for control design.
For practitioners
- Map AI agent access as a distinct identity class Document which agent flows use short-lived tokens, which systems they may call, and which approvals or policy checks must exist before delegated execution begins. Do not let agent access inherit human or workload assumptions by default.
- Audit MCP trust boundaries end to end Review the full chain from agent client to MCP server to downstream service, and identify where policy enforcement actually occurs. If the same entitlement can cross multiple systems without a new decision point, the boundary is too loose.
- Tie every SSO and SCIM flow to lifecycle ownership Assign an owner, a revocation path, and a recertification checkpoint for each tenant admin and federation path. This reduces the chance that migration convenience creates orphaned access or hidden dependencies.
- Separate audit evidence for people, workloads, and agents Make sure logs can distinguish human authentication, service-account activity, and agent actions. Without that separation, incident response will struggle to reconstruct which identity class performed a given action.
Key takeaways
- Descope’s review confirms that AI agent identity, MCP connectivity, and delegated access are now part of the same governance surface.
- The scale signal is clear: identity growth is accelerating faster than most organisations can keep audit and revocation controls aligned.
- Practitioners should redesign lifecycle and policy controls so agent access remains bounded, attributable, and revocable across the full delegation chain.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Agentic identity and MCP risk map directly to agent tool-use and delegation exposure. | |
| OWASP Non-Human Identity Top 10 | NHI-03 | Short-lived tokens and revocation are central to the post’s identity governance theme. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero Trust access decisions fit the post’s emphasis on scoped, policy-enforced delegation. |
Apply continuous verification to agent and workload access before allowing downstream calls.
Key terms
- Agentic Identity: An identity model for AI agents that can request and use access on behalf of a task rather than a person. It requires explicit scope, short-lived credentials, and auditable delegation so the organisation can control what the agent may do and reconstruct its actions later.
- Delegated Access: A permission pattern where one identity acts with authority derived from another identity or approved workflow. For AI agents, delegated access needs tighter scoping than human delegation because the actor can execute quickly, chain actions, and interact with multiple systems in one session.
- MCP: Model Context Protocol, an open protocol that connects AI agents to tools and data sources. In identity terms, it creates a new trust boundary because the protocol can carry authority across services, which means authentication alone is not enough without policy enforcement and logging.
- Session-Level Governance: A control approach that evaluates access during the active execution window rather than only at provisioning time. It matters for AI agents because their risk is often expressed in what they can do within a single session, making static review cycles too slow to catch misuse.
What's in the full article
Descope's full review covers the operational detail this post intentionally leaves for the source:
- The complete FY25 product timeline, including which identity capabilities shipped in each phase of the year.
- Customer examples showing how different teams used customer SSO, SCIM, and agentic identity in production.
- The analyst recognition details behind the Frost Radar placement and the criteria used for the NHI category.
- The specific 2026 product directions the vendor says it is prioritising next.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-02-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org