TL;DR: Amazon Bedrock AgentCore covers AWS-native agent identity, but non-AWS agents still depend on AWS credentials and Cognito lacks CIBA, DCR, and out-of-band approval, according to Descope. The governance gap is not agent orchestration itself; it is the absence of a cloud-neutral identity layer that can issue, observe, and revoke access consistently across runtimes.
At a glance
What this is: The article argues that AgentCore’s native identity model works inside AWS, but breaks down for agent fleets that span multiple clouds and require stronger issuance-time policy, unified credential storage, and richer authorization flows.
Why it matters: IAM, NHI, and emerging agentic AI programmes all need the same answer to the same question: where does identity governance sit when runtime, tool access, and approval flows no longer stay inside one cloud boundary?
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, sharing sensitive data, and revealing access credentials.
Context
Identity-aware agents need a governance layer that can separate where an agent runs from what it is allowed to do. In this case, the issue is not whether AWS can host an agent runtime. The issue is whether identity, credentialing, and approval controls still hold when the agent fleet extends beyond one cloud and one authorization server.
Descope frames the gap around cloud-neutral agent identity, issuance-time policy, and credential vaulting across runtimes. That is the right lens for agentic AI governance because the operational problem is not just access provisioning. It is preserving observability and control when multiple runtimes, user contexts, and third-party tools all participate in the same execution path.
Key questions
Q: What breaks when agent identity is scoped only to one cloud?
A: Governance breaks when runtime identity, policy, and credential handling all depend on one cloud boundary. Non-native agents may still participate, but they do so through extra credential paths and weaker visibility. The result is fragmented accountability, harder offboarding, and a fleet that cannot be governed as one identity system.
Q: Why do agentic AI programmes need issuance-time policy?
A: Because by the time a token is already live, the risky decision has been made. Issuance-time policy lets teams evaluate user context, tenant, and requested scope before access exists. That reduces privilege creep, prevents accidental delegation, and aligns agent control with Zero Trust principles.
Q: How should teams handle secrets used by AI agents and MCP tools?
A: Teams should keep secrets out of the agent environment and retrieve them only at call time from a managed vault. That approach reduces secret persistence, narrows exposure if a tool is abused, and gives security teams a clearer place to enforce rotation, revocation, and audit.
Q: Who is accountable when a headless agent needs sensitive approval?
A: Accountability stays with the organisation that defines the approval boundary, not with the model that requests the action. For sensitive workflows, out-of-band approval gives human reviewers a separate consent path, which is essential when the agent initiates the operation but a person must still authorise it.
Technical breakdown
Why runtime-scoped agent identity breaks outside one cloud
AgentCore Identity is designed to authenticate workloads inside AWS, inject tokens at startup, and validate inbound JWTs against a configured issuer. That works when the agent, the runtime, and the downstream services all live in the same trust domain. Once non-AWS agents join the fleet, the model becomes harder to sustain because identity operations still route through AWS APIs, and the directory view remains bound to the runtime’s own ecosystem. The result is a fragmented control plane rather than a fleet-wide identity layer.
Practical implication: separate runtime attestation from fleet governance, and do not let one cloud’s identity boundary define your whole agent programme.
How issuance-time policy changes agent authorisation
The article describes policy evaluation at token issuance, not after the fact. That matters because agentic authorisation is decided by the directory entry, the invoking user’s roles and tenant, and the requested scopes before a token exists. This is different from simply checking whether a token is valid. It means an agent cannot expand privilege by asking for more later, and a user cannot delegate access they do not already hold. In practice, the control point is the decision to mint the token, not the action taken with it.
Practical implication: move scope decisions into the issuance path so that policy failure prevents token creation, not just downstream API denial.
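A minimal sketch of an issuance-time decision, added here as an illustration and not taken from Descope or AWS code. The record types, the `ROLE_SCOPES` mapping, the claim names and all sample values are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AgentEntry:            # hypothetical directory record
    agent_id: str
    tenant: str
    allowed_scopes: frozenset
    enabled: bool = True

@dataclass(frozen=True)
class UserContext:           # hypothetical invoking-user context
    user_id: str
    tenant: str
    roles: frozenset

# Constructed sample data: scopes each role lets a user delegate, and one agent.
ROLE_SCOPES = {
    "support": frozenset({"tickets:read", "tickets:write"}),
    "finance": frozenset({"invoices:read", "payments:create"}),
}
DIRECTORY = {
    "agent-helpdesk": AgentEntry(
        "agent-helpdesk", "acme",
        frozenset({"tickets:read", "tickets:write", "invoices:read"})),
}

def decide_issuance(agent_id, user, requested_scopes, directory=DIRECTORY):
    """Return (claims, reasons); claims is None when no token may be minted."""
    entry = directory.get(agent_id)
    if entry is None or not entry.enabled:
        return None, ["agent not in directory or disabled"]
    reasons = []
    if entry.tenant != user.tenant:
        reasons.append("tenant mismatch between agent and invoking user")
    held = frozenset().union(*(ROLE_SCOPES.get(r, frozenset()) for r in user.roles))
    requested = frozenset(requested_scopes)
    if not requested:
        reasons.append("no scopes requested")
    # Fail closed: any excess scope blocks minting instead of being trimmed.
    reasons += [f"{s}: not allowed for agent" for s in sorted(requested - entry.allowed_scopes)]
    reasons += [f"{s}: not held by user" for s in sorted(requested - held)]
    if reasons:
        return None, reasons
    claims = {"sub": entry.agent_id, "on_behalf_of": user.user_id,
              "tenant": entry.tenant, "scope": " ".join(sorted(requested))}
    return claims, []
```

The denial reasons are what an issuer would write to its audit log, so a refused request leaves a record even though no credential was created.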
Why credential vaulting matters for MCP and third-party tools
The Descope model vaults OAuth tokens and static API keys, then exchanges them at call time so the raw secret never sits in the agent environment. That is especially relevant for MCP servers and backend APIs, where tool invocation often becomes the hidden credential distribution layer. The article also adds CIBA for async approval and DCR for off-the-shelf client registration, which closes gaps that default authorization servers often leave open for headless or federated agents. The architecture is about reducing secret persistence and widening approval options.
Practical implication: treat tool access as a credential lifecycle problem, not just a prompt or runtime problem.
NHI Mgmt Group analysis
Cloud-neutral agent identity is becoming a governance requirement, not an integration nice-to-have. The article shows that agent identity tied too tightly to one cloud leaves non-native agents dependent on that cloud’s credential path and authorization assumptions. That creates a fleet design problem for NHI and agentic AI programmes because identity governance no longer aligns with runtime diversity. Practitioners should treat cloud neutrality as an identity boundary decision, not a deployment preference.
Policy at token issuance is the right control point for agentic authorisation. The real governance shift is moving from validating what a token can do after it exists to deciding whether it should exist at all. That maps cleanly to OWASP-NHI and Zero Trust thinking, where permissions are constrained before use and not merely monitored during use. This matters because agents can chain tool calls faster than manual review cycles can respond. The implication is that authorisation must be designed as a minting decision, not a post-hoc enforcement step.
Credential vaulting across runtimes reduces secret persistence, but only if the vault becomes the system of record. Static API keys and OAuth tokens are still identities, even when an agent handles them indirectly. If those credentials remain scattered across tools, contexts, and clouds, the operational picture stays incomplete. The named concept here is runtime identity fragmentation: the point where one fleet behaves like many disconnected identity systems. Practitioners should recognise that fragmented control planes create fragmented accountability.
Out-of-band approval changes the meaning of consent in headless systems. The article’s use of CIBA matters because some agent actions need human approval without making the entire workflow human-operated. That is a lifecycle and PAM issue as much as an AI issue. It shows that identity governance for agents must support asynchronous consent states, not just login events. Teams should re-evaluate where approval boundaries belong when a machine can initiate actions that were once fully human-mediated.
The strongest control models will be the ones that make agent identity observable across directory, token, and tool layers. The article implicitly argues that a useful agent directory is not just inventory. It is a policy surface, a credential boundary, and an audit anchor. That is consistent with NHI governance patterns that fail when visibility is split across too many systems. Practitioners should expect directory design to become a core part of agent security architecture.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
- 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- OWASP Agentic Applications Top 10 is a useful next reference for teams mapping agent identity, tool misuse, and runtime privilege abuse to control gaps.
What this signals
Runtime identity fragmentation: the more an agent fleet spans clouds and tools, the more likely identity, consent, and credential handling will drift apart. Teams should expect their current IAM operating model to need a dedicated agent governance layer, not just additional policy rules. For adjacent control thinking, the Ultimate Guide to NHIs remains the best baseline reference.
The practical signal is that approval boundaries will move closer to issuance and farther from execution. That means security teams should prepare for more asynchronous consent, more token exchange, and more need for auditable delegation paths across human, NHI, and agentic workloads. The OWASP Top 10 for Agentic Applications 2026 is a relevant external reference for that shift.
For practitioners
- Separate runtime identity from fleet governance: Keep runtime attestation inside the cloud that hosts the agent, but manage directory, policy, and audit in a cloud-neutral layer so multi-cloud agents do not inherit fragmented controls.
- Move privilege decisions to token issuance: Evaluate user, tenant, role, and requested scope before minting an access token so denied permissions never become live credentials in the first place.
- Vault every downstream credential used by agents: Store OAuth tokens and static API keys in a central credential vault and retrieve them at call time instead of leaving raw secrets in agent context or runtime variables.
- Use out-of-band approval for sensitive agent actions: Require asynchronous approval for high-risk operations such as account resets or payments so headless agents cannot complete those workflows without a separate consent signal.
- Map agent directories to audit outcomes: Treat the agent directory as the authoritative inventory for issuance, policy, and logging, and verify that every token and tool call can be traced back to a directory entry.
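One way to run the traceability check from the last item over an audit trail, as an added example that is not from the original post or any vendor tooling. The JSON-lines log format, its field names (`event`, `jti`, `agent_id`, `tool`) and every sample value are constructed assumptions.

```python
import json

# Constructed sample data: agent directory and a JSON-lines audit log.
DIRECTORY = {"agent-helpdesk", "agent-billing"}

AUDIT_LOG = """\
{"event": "token_issued", "jti": "t1", "agent_id": "agent-helpdesk"}
{"event": "token_issued", "jti": "t2", "agent_id": "agent-shadow"}
{"event": "tool_call", "jti": "t1", "tool": "tickets.search"}
{"event": "tool_call", "jti": "t2", "tool": "crm.export"}
{"event": "tool_call", "jti": "t9", "tool": "payments.create"}
{"event": "tool_call", "tool": "files.read"}
"""

def find_untraceable(log_text, directory):
    """Return sorted (line_no, finding) pairs for events with no directory entry behind them."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    token_owner = {}
    findings = []
    # Pass 1: record who each token was issued to, flagging unknown agents.
    for n, ev in enumerate(events, 1):
        if ev.get("event") == "token_issued":
            token_owner[ev["jti"]] = ev.get("agent_id")
            if ev.get("agent_id") not in directory:
                findings.append((n, "token issued to agent outside directory"))
    # Pass 2: every tool call must resolve token -> agent -> directory entry.
    for n, ev in enumerate(events, 1):
        if ev.get("event") != "tool_call":
            continue
        jti = ev.get("jti")
        if jti is None:
            findings.append((n, "tool call without token id"))
        elif jti not in token_owner:
            findings.append((n, "tool call with unknown token"))
        elif token_owner[jti] not in directory:
            findings.append((n, "tool call by agent outside directory"))
    return sorted(findings)
```

Issuance events are indexed in a first pass so that a tool call logged before its issuance record is not misreported as using an unknown token.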
Key takeaways
- Agent identity that only works inside one cloud becomes fragile as soon as the fleet extends beyond that boundary.
- Issuance-time policy, vault-based credentials, and out-of-band approval are the controls that change agent governance from reactive to enforceable.
- Identity teams should design for cloud-neutral observability now, because agent sprawl will outpace manual governance very quickly.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Agent tool use and delegation are central to the identity model in this post. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential vaulting and token issuance are core non-human identity controls here. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | The post focuses on least privilege and continuous validation across runtimes. |
Map agent tool permissions and approval boundaries before deployment, then review them after each workflow change.
Key terms
- Cloud-neutral agent directory: A cloud-neutral agent directory is a shared inventory and policy surface for agents that run across multiple runtimes. It keeps identity, credential, and audit data in one place so governance does not fragment when workloads span AWS, Azure, GCP, and other platforms.
- Issuance-time policy: Issuance-time policy is the practice of evaluating who is asking, what they may request, and which scopes are allowed before a token is minted. For agents, this is the control point that prevents excess privilege from ever becoming an active credential.
- Credential vaulting: Credential vaulting is the storage and controlled retrieval of secrets, tokens, and API keys outside the agent runtime. It reduces exposure by keeping raw credentials out of prompts, tools, and environment variables, while preserving auditability and rotation control.
- Out-of-band approval: Out-of-band approval is a separate consent path for sensitive actions, often delivered through a channel outside the agent session. It is used when a headless or autonomous workflow needs human authorisation without handing the whole interaction back to a person.
This post draws on content published by Descope: Build Identity-Aware Agents With Amazon AgentCore and Descope. Read the original.
Published by the NHIMG editorial team on 2026-06-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org