By NHI Mgmt Group Editorial Team
Published 2026-06-18
Domain: Announcements
Source: ConductorOne

TL;DR: ConductorOne (C1) says enterprise-managed authorization gives AI agents short-lived, scoped tokens for MCP-connected tools, centralising session policy, re-authentication, and revocation across compatible and non-compatible systems. The security issue is not access speed but whether existing identity controls can govern agents without scattering credentials or weakening auditability.


At a glance

What this is: A product announcement about enterprise-managed authorization for AI agents, with a centralised control plane for scoped token issuance, session policy, and tool access governance.

Why it matters: IAM teams now have to decide whether agent access should sit inside existing identity governance, or be treated as a separate control problem spanning NHI, autonomous, and human workflows.



Context

Enterprise-managed authorization is an identity control pattern for AI agents and MCP-connected tools. Instead of letting each tool invent its own login, scope, and session logic, the control plane becomes the policy point that governs what an agent can reach, for how long, and under what re-authentication conditions.

That matters because AI agent identity is not just another service account problem. Once agents can initiate tool use across multiple systems, governance has to decide whether access is still a static entitlement issue or a runtime authorization issue that needs tighter lifecycle control, clearer audit trails, and explicit limits on delegated access.

For practitioners already managing service accounts and secrets, this looks familiar but is not the same. The control objective is to reduce credential sprawl while keeping agent sessions governable across MCP servers, legacy systems, and on-premises data paths, a pattern that aligns closely with the broader NHI governance challenge described in the [Ultimate Guide to NHIs](https://nhimg.org/the-ultimate-guide-to-non-human-identities).


Key questions

Q: How should security teams govern AI agent access to MCP-connected tools?

A: Security teams should centralise policy in a control plane that issues scoped, short-lived tokens and records every decision in one audit trail. The key is to govern the agent session, not just the tool login. If legacy systems sit outside that model, they need gateway enforcement or they become unmanaged exceptions.

Q: When does short-lived access still create too much risk for AI agents?

A: Short-lived access still creates too much risk when the scope is broader than the task, when downstream tools are not isolated, or when revocation does not cover every access path. Token lifetime is only one control. Scope precision and path coverage determine the real blast radius.

Q: What do teams get wrong about unified authorization for agents and people?

A: Teams often assume a shared policy layer automatically means shared governance. In practice, the same audit trail only helps if every app path, legacy exception, and gateway route is actually included. Otherwise, the organisation has a single view of only part of the problem.

Q: How do access reviews change when AI agents use enterprise-managed authorization?

A: Access reviews must cover the agent, the policy that issued the token, and the downstream systems the token can reach. Reviewing only the app entitlement misses the control plane decision that created it. For managed AI access, certification has to include runtime scope, ownership, and revocation coverage.


How it works in practice

How enterprise-managed authorization scopes MCP tool access

Enterprise-managed authorization inserts a policy layer between the AI agent and the tool provider. The agent authenticates once, then receives short-lived scoped tokens that define which MCP servers or apps it may reach and what actions are allowed. That changes the access model from repeated per-tool login to central entitlement issuance with a shared audit trail. Because the token is issued by the control plane, revocation and session length can be enforced independently of the downstream app, which is the key difference from simple SSO integration.

Practical implication: treat MCP-connected tools as governed resources, not standalone logins, and require central scope and revocation controls before rollout.

Why short-lived tokens reduce, but do not remove, authorization risk

Short-lived tokens limit how long a compromised session can be used, but they do not solve over-scoping, weak entitlement design, or poor downstream tool segregation. If the control plane grants broad scopes, the blast radius remains broad even when the token expires quickly. In practice, the risk shifts from long-lived secret theft to runtime misuse of correctly issued access. That means the security question becomes whether scope is precise enough to survive an agent that can chain tool calls across multiple systems.

Practical implication: validate scope granularity and downstream tool boundaries before relying on token lifetime as your main control.
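
The two subsections above describe central issuance, central revocation, and the limits of token lifetime. The sketch below is an added example, not ConductorOne's code or API: a toy control plane and gateway in Python, where the HMAC token format, the `server:action` scope strings, and every name are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

KEY = b"constructed-demo-key"  # constructed; a real control plane uses managed keys
REVOKED, AUDIT = set(), []     # central revocation list and single audit trail

def _sign(body: str) -> str:
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()

def _claims(token: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(token.partition(".")[0]))

def issue(agent, scopes, ttl, now):
    """Control plane: mint a short-lived token carrying 'server:action' scopes."""
    claims = {"jti": secrets.token_hex(8), "sub": agent,
              "scopes": sorted(scopes), "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    AUDIT.append(("issue", agent, claims["jti"], claims["scopes"]))
    return body + "." + _sign(body)

def authorize(token, server, action, now):
    """Gateway in front of a tool: signature, revocation, expiry, then scope."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        decision, claims = "deny:bad-signature", {}
    else:
        claims = _claims(token)
        if claims["jti"] in REVOKED:
            decision = "deny:revoked"
        elif now >= claims["exp"]:
            decision = "deny:expired"
        elif {f"{server}:{action}", f"{server}:*"} & set(claims["scopes"]):
            decision = "allow"
        else:
            decision = "deny:out-of-scope"
    AUDIT.append((decision, claims.get("sub"), claims.get("jti"), f"{server}:{action}"))
    return decision

def revoke(token):
    """Central revocation: applies at every gateway, independent of the downstream app."""
    REVOKED.add(_claims(token)["jti"])

def demo(t0=1_000_000.0):
    broad = issue("agent-a", ["crm:*", "payroll:*"], 300, t0)  # short TTL, over-scoped
    narrow = issue("agent-a", ["crm:read_contact"], 300, t0)   # short TTL, task-scoped
    out = [authorize(broad, "payroll", "export", t0 + 10),
           authorize(narrow, "payroll", "export", t0 + 10),
           authorize(narrow, "crm", "read_contact", t0 + 301)]
    revoke(broad)
    return out + [authorize(broad, "payroll", "export", t0 + 20)]
```

Both tokens share the same five-minute lifetime, yet only the task-scoped one is stopped at the payroll boundary; the over-scoped one is contained only once the control plane revokes it.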

How one control plane changes auditability across agents and people

The strongest architectural claim here is not token format, but unified governance. If people and agents share the same entitlement model, approval workflow, and audit trail, security teams can review access in one place instead of stitching together agent logs, app logs, and secret stores. That is especially important for mixed environments where some apps support EMA and others still require gateway enforcement. The architectural challenge is consistency: one control plane only helps if every path into a sensitive system is actually covered.

Practical implication: map every agent path into a single audit model and identify any uncatalogued routes that bypass it.


NHI Mgmt Group analysis

Enterprise-managed authorization is a control-plane answer to a control-plane problem. AI agents do not fail only at the tool layer. They fail when every downstream app invents its own authorisation boundary, which leaves identity teams with fragmented scope, inconsistent revocation, and no durable audit trail. The discipline here is not just better login flow. It is whether agent access can be made governable across every path that matters. Practitioners should treat this as an identity architecture decision, not a UI convenience.

Scoped tokens help with secret sprawl, but they do not fix entitlement sprawl. A short-lived credential is still dangerous if the scope is too broad or the policy model cannot distinguish one task from the next. That matters because agentic systems can move faster than human review cycles, which means the old assumption that access will be visible long enough to be certified starts to weaken. Practitioners should re-evaluate whether their current entitlement model can survive runtime tool chaining.

Enterprise-managed authorization makes MCP governance feel like NHI governance, but the operational failure modes are closer to delegated execution than static workload identity. The access path is dynamic, task-driven, and often multi-system, so the real control question is whether policy can follow the session rather than sit only at provisioning time. This aligns with the [OWASP Agentic AI Top 10](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026) and with zero-trust assumptions that require continuous verification. Practitioners should separate token issuance from true session governance.

One audit trail for humans and agents only works if the same entitlement model applies everywhere. C1's model points to a broader market direction where identity governance is expected to span people, workloads, and agents from a single policy layer. That consolidates reporting, but it also exposes every ungoverned app path and every legacy exception. Practitioners should assume the hardest part is not issuance, but coverage.

The named concept that should anchor this discussion of missing tool scoping is the runtime authorisation gap. The gap appears when an agent can reach tools at runtime without a policy model that precisely matches its task and delegation context. That is where enterprise-managed authorization has value as a category, because it surfaces the mismatch between static entitlement thinking and dynamic execution. Practitioners should measure whether authorisation is still being decided at provisioning time when execution has already become runtime-driven.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • Another finding from our research shows that 97% of NHIs carry excessive privileges, which broadens blast radius when access is not tightly scoped.
  • For the broader governance model behind this problem, see Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs for lifecycle, rotation, and offboarding controls.

What this signals

Runtime authorisation gap: AI agent governance will increasingly hinge on whether the organisation can decide at execution time, not provisioning time, what the actor may do. That shifts IAM teams toward policy continuity across agent sessions, tool calls, and legacy exceptions, with the [OWASP Agentic AI Top 10](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026) providing a useful threat lens for scope drift and tool misuse.

As enterprises extend agent access into more systems, the operational question becomes whether review cycles can keep pace with access that appears, acts, and disappears inside the same workflow. Our research shows that NHIs outnumber human identities by 25x to 50x in modern enterprises, so the control problem is already scale-bound before agents are added.

The practical signal for programmes is coverage, not novelty. If agents, service accounts, and humans do not share one entitlement inventory and one revocation path, then the organisation is managing policy by exception, not by design.


For practitioners

  • Map every AI agent to a governance owner: Require a named owner for each agent, its control plane policy, and the downstream tools it can reach. Without a clear owner, revocation, review, and exception handling will fail as soon as the first exception path appears.
  • Separate scope design from token lifetime: Review whether the scopes issued to MCP-connected agents are task-specific or merely short-lived. Short TTLs reduce exposure, but broad scopes still create unacceptable blast radius when an agent chains tool calls.
  • Inventory non-EMA access paths: List every app, legacy system, and on-premises data path that does not support enterprise-managed authorization and require gateway enforcement for those routes. The goal is one entitlement model, not two competing access systems.
  • Put agent access into the same certification cycle as people: Include agent entitlements in access reviews, recertification, and revocation workflows so the governance cadence does not diverge by identity type. If a control cannot be reviewed, it is not truly governed.

Key takeaways

  • Enterprise-managed authorization shifts AI agent governance toward a central policy plane, which is the right architectural direction for MCP-connected access.
  • Short-lived tokens reduce exposure, but they do not compensate for overly broad scopes or uncatalogued legacy paths.
  • IAM teams should treat agent access as lifecycle-governed identity work, with ownership, certification, and revocation enforced across every path.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | LLM-01 | Agent tool access and scope management are central to the announcement. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Scoped token issuance and revocation map directly to non-human identity governance. |
| NIST CSF 2.0 | PR.AC-4 | Centralised access control and revocation align with least-privilege governance. |

Map agent access decisions to PR.AC-4 and verify every entitlement is reviewable and revocable.


Key terms

  • Enterprise-managed authorization: Enterprise-managed authorization is a centralised policy model for AI agent access. It issues scoped access from one control point rather than letting each tool manage independent logins and permissions. For identity teams, the value is consistent governance across agent sessions, tools, and revocation workflows.
  • Runtime authorisation gap: A runtime authorisation gap exists when access decisions are still made as if the actor were static, even though the actor changes scope during execution. In agentic environments, that gap appears when policy cannot follow the session, the tool chain, or the task context in real time.
  • Scoped token: A scoped token is a temporary credential that carries only the permissions needed for a defined action or session. In agentic and non-human identity settings, its security depends less on duration alone and more on how precisely the scope limits tool reach, data access, and downstream action.
  • Entitlement model: An entitlement model is the structured view of what an identity is allowed to access and do. In modern identity governance, it must cover people, workloads, and agents with enough consistency to support review, certification, and revocation without creating parallel control systems.


This post draws on content published by ConductorOne: Enterprise-managed authorization support for secure AI transformation. Read the original.
