By NHI Mgmt Group Editorial TeamPublished 2026-07-08Domain: Agentic AI & NHIsSource: Hush Security

TL;DR: Identity Assertion JWT Authorization Grant, or ID-JAG, removes repeated per-app OAuth approvals by letting an identity provider vouch for an already authenticated user across MCP-connected tools, according to Hush Security. That solves connection friction, but it does not govern what an AI agent does after access is granted, so action-level controls still matter.


At a glance

What this is: This analysis explains how ID-JAG changes authorization for MCP-connected AI agents by shifting approval from repeated user prompts to IdP-issued, short-lived assertions.

Why it matters: It matters because IAM teams now have to separate connection trust from action governance when agents move across multiple enterprise apps during a single task.

👉 Read Hush Security's analysis of ID-JAG and MCP authorization for AI agents


Context

MCP-connected AI agents create a familiar IAM problem in a new form: one task can touch several applications, each expecting proof of identity and consent before it will release data. The friction is not the login itself, but the repeated reauthorization pattern that breaks once an agent has to move across many downstream tools in a single session.

ID-JAG addresses that narrow gap by letting the identity provider that already authenticated the user issue a short-lived assertion for a specific app relationship. That reduces repeated consent prompts inside an existing enterprise trust fabric, but it does not change the broader governance question of what the agent is allowed to do once access exists.


Key questions

Q: How should security teams govern AI agent access without repeated OAuth approvals?

A: Use a delegated authorization pattern that lets the identity provider vouch for an already authenticated user, but keep the downstream service responsible for enforcing scope and policy. That reduces prompt fatigue without turning the grant into a blank check. The key control is separation between connection authorization and action authorization.

Q: Why do MCP-connected agents create new IAM governance pressure?

A: Because one task can traverse multiple apps in a single session, each expecting proof that the caller is legitimate and bounded. Repeated human consent breaks down at scale, so teams need a way to broker identity across applications without losing least-privilege intent. The governance pressure is around delegation, not login experience.

Q: What breaks when delegated access is treated as full agent trust?

A: Teams lose the ability to distinguish between permission to reach a service and permission to execute a sensitive action inside it. That creates a control gap where the agent may still perform harmful or irreversible operations even though the initial grant was valid. The failure is assuming grant issuance equals safe execution.

Q: Who should own policy when an AI agent acts across multiple tools?

A: The identity provider should own the initial assertion of user context, while each application should own its own authorization decision and the organization should own the policy for sensitive actions. This distributed model only works if audit trails preserve the delegation chain end to end. Accountability has to follow the request across systems.


Technical breakdown

How ID-JAG brokers trust across MCP-connected applications

Identity Assertion JWT Authorization Grant is a way for an identity provider to assert that a user has already authenticated and that an app may accept a limited delegation for a specific purpose. The flow combines existing OAuth building blocks, notably token exchange and the JWT bearer grant, rather than creating a new trust architecture. In the enterprise pattern described by the source, the agent does not ask the user to approve every tool. Instead, it asks the IdP to mint a scoped, short-lived statement that the downstream app can evaluate under its own policy. This preserves existing SSO trust while reducing repeated human prompts.

Practical implication: Model ID-JAG as an authorization brokerage layer, not as a substitute for downstream app policy.

Why MCP and SSO make repeated consent a scaling problem

MCP makes tool access modular, which is useful for AI agents but creates a fan-out problem for authorization. A single task may need the wiki, chat, ticketing, calendar, and file systems, and each app normally expects its own OAuth consent step. That model scales poorly when there is no human present to click allow every time the agent reaches for a new tool. ID-JAG works only when those apps already trust the same identity provider for login, which is why it fits common enterprise SSO estates. The protocol is therefore a federation convenience mechanism, not a universal agent identity standard.

Practical implication: Use this pattern where app ecosystems already share a central IdP and avoid treating it as a cross-domain access cure-all.

Why action-level governance is still separate from authorization

The source draws a hard line between being allowed to reach an app and being trusted to perform a specific action inside that app. ID-JAG governs the first problem only. It tells the target service that a delegated request is tied to an authenticated user and a bounded scope, but it does not inspect the next five minutes of tool use, chained actions, or prompt-influenced behaviour. That means action-level controls, auditability, per-action approval for sensitive operations, and credential confinement remain separate requirements. Without them, authorization is clean but execution is still unconstrained.

Practical implication: Pair delegated access with action controls, because connection trust alone does not limit harmful agent behaviour.


NHI Mgmt Group analysis

ID-JAG solves consent friction, not delegated-action governance. The protocol makes enterprise SSO usable across multiple app calls in a single task, but it stops at grant issuance. That leaves a governance boundary many teams blur in practice: approval to connect is not approval for everything the agent may later do. Practitioners should treat the distinction as structural, not semantic.

The real change is that identity context now travels with the request instead of the human clicking each time. That improves traceability because the downstream app can receive a user-bound assertion rather than a shared service credential. It also means the enterprise is moving away from static secrets and toward short-lived, identity-backed delegation, which is the direction NHI governance has been pushing for years.

Connection-layer trust and action-layer trust are different control planes. ID-JAG belongs in the first plane, where identity providers broker limited access between trusted apps. Sensitive business logic, irreversible side effects, and privileged operations belong in the second plane, where the organization decides whether a specific action should proceed at all. The practitioner implication is simple: do not let a clean delegation flow create the illusion of complete agent control.

Runtime delegation gap: This pattern highlights the gap between granting a short-lived delegated token and governing what the agent does after it receives one. The protocol is precise about who vouches for whom, but it does not define action constraints, escalation thresholds, or post-grant monitoring. Teams should expect this gap to widen as agents chain more tools together inside the same enterprise trust boundary.

From our research:

  • 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and a further 47% reporting only partial visibility, according to The State of Non-Human Identity Security.
  • For the broader control gap behind delegated access, see Top 10 NHI Issues for the lifecycle and privilege patterns that keep showing up in enterprise programmes.

What this signals

Identity provenance will become more valuable than consent count. Once agents can reuse a trusted IdP relationship across multiple MCP-connected tools, the real governance question shifts to whether the enterprise can reconstruct who vouched for the request, which scope was granted, and where the action boundary sat. That is a lifecycle and audit problem as much as an authorization problem.

Runtime delegation gap: As enterprises move from repeated OAuth prompts to delegated assertions, the weakest programmes will mistake reduced friction for reduced risk. The control gap will sit in post-grant behaviour, especially where agents combine tools in ways no human reviewer anticipated. The operational test is whether your logs can explain the chain after the task completes.

This is a strong fit for the broader shift toward short-lived, identity-backed access in machine environments, but it also exposes how much NHI governance still depends on static assumptions about user-paced approval loops. Where an agent can chain tools quickly, governance has to move from one-time consent to continuous accountability.


For practitioners

  • Separate delegated access from action approval Map which app interactions can use an IdP-issued delegation grant and which require per-action review, especially for data export, admin changes, and irreversible workflow steps.
  • Constrain agent privileges to app-specific scopes Limit each delegated token to the smallest app-scoped permission set possible, then verify that the receiving application enforces its own policy before exchanging the assertion for access.
  • Preserve identity provenance in audit logs Ensure logs retain the original authenticated user, the asserting identity provider, the target application, and the delegated scope so reviewers can reconstruct who authorised what path.
  • Review where MCP tooling still depends on static credentials Identify any agent connectors, service integrations, or background jobs that still rely on shared secrets rather than short-lived identity assertions, then prioritise those for redesign.

Key takeaways

  • ID-JAG makes delegated authorization more workable for MCP-connected agents, but it only covers the trust step, not the action step.
  • The strongest programmes will treat IdP-issued assertions as a way to reduce repeated consent, while still requiring separate controls for sensitive actions and post-grant monitoring.
  • If audit trails cannot preserve the delegation chain end to end, the enterprise has improved usability faster than it has improved governance.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10The article centers on agent tool access and delegated authorization across MCP-connected systems.
OWASP Non-Human Identity Top 10NHI-01Delegated token handling and scope control are central NHI governance concerns.
NIST CSF 2.0PR.AC-4The article is about access permissions, delegation, and trust boundaries.
NIST Zero Trust (SP 800-207)The flow reflects continuous trust decisions across app boundaries in a zero-trust style architecture.
NIST AI RMFGOVERNAgent delegation introduces governance and accountability requirements for AI-enabled workflows.

Review agent authorization paths against agentic application risks and separate access grants from tool-use controls.


Key terms

  • Identity Assertion JWT Authorization Grant: A delegation pattern that lets an identity provider issue a signed statement that a user has already authenticated and that a receiving app may trust within a limited scope. It reduces repeated login prompts while keeping the app responsible for its own authorization decision.
  • Delegated Authorization: A model where one system acts on behalf of a user after receiving a bounded grant of authority. In identity programmes, it is only safe when scope, duration, and downstream enforcement are all explicit, because the grant itself is not the same as permission for every future action.
  • MCP Connector: An integration layer that allows an AI agent to reach external tools and data sources through a standardised interface. It expands agent utility, but it also expands the number of applications that must evaluate identity, scope, and policy before releasing data or accepting actions.

What's in the full article

Hush Security's full article covers the operational detail this post intentionally leaves for the source:

  • The exact ID-JAG claim set and token exchange sequence used to broker delegated access between the identity provider and the target app
  • The specific trust boundary conditions for enterprise SSO estates that make the flow viable across MCP-connected tools
  • The protocol-building blocks, including JWT bearer and token exchange, that explain why the mechanism is interoperable
  • The concrete examples of how the grant behaves when an agent needs access to multiple apps in one task

👉 The full Hush Security article explains the ID-JAG flow, the trust boundary it depends on, and the limits of delegated access.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-07-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org