By NHI Mgmt Group Editorial Team
Published 2025-06-18
Domain: Agentic AI & NHIs
Source: Strata Identity

TL;DR: AI agents are already making API calls and transactions across clouds, and Strata Identity argues that OAuth 2.0, with delegation chains, token exchange, DPoP, PKCE, CAEP, and attribute-based authorization, is the most practical base for agentic identity today. The governance problem is not protocol absence but whether identity controls can operate at machine speed without losing traceability, revocation, or policy context.


At a glance

What this is: An analysis of how OAuth 2.0 can be adapted for AI agent identity. The key finding is that existing delegation and token controls can support agentic use cases if they are enforced as Zero Trust at machine speed.

Why it matters: IAM teams now have to govern AI agents as non-human identities, which means rethinking delegation, token binding, revocation, and policy enforcement alongside human and workload access.



Context

AI agent identity is the problem of proving who or what is acting, what it is allowed to do, and how that authority changes at runtime. In agentic systems, that question extends beyond authentication into delegation, token binding, and continuous authorisation, because the actor can decide and act at machine speed across multiple trust domains.

OAuth 2.0 is attractive here because it already supports delegated access patterns that identity teams understand. The issue is that AI agents stress those patterns in ways they were not originally designed for, especially when tokens move between clouds, tasks, and sub-agents faster than human review cycles can react.

For IAM and NHI programmes, the practical shift is to treat agent identity as a governance problem, not just an application integration problem. That means tracing delegation chains, binding tokens to possession, revoking access dynamically, and aligning policy with the actual runtime behaviour of the agent.


Key questions

Q: How should security teams govern AI agent access that moves across clouds and APIs?

A: Treat each agent as a delegated non-human identity, not as an application shortcut. Require inspectable delegation chains, bind tokens to the client or key, and make revocation depend on runtime signals rather than expiry alone. If you cannot trace who authorised the action and why, the access path is not governable.

Q: Why do AI agents complicate traditional OAuth and IAM controls?

A: Because the actor can decide, delegate, and act faster than human review cycles can respond. That creates a gap between token validity and actual trust, especially when credentials move across systems and clouds. Traditional controls assume access is relatively stable and reviewable, while agentic access can be short-lived and highly dynamic.

Q: What breaks when agent tokens are not proof-of-possession bound?

A: A stolen token becomes reusable anywhere the protocol accepts it, which turns interception into immediate downstream access. In agentic systems that can trigger API calls automatically, replayable tokens make lateral misuse far easier and much harder to contain. Proof-of-possession reduces that replay value by tying the token to the original holder.

Q: How do organisations know whether their agent identity controls are actually working?

A: Look for three signals: every delegation chain is traceable, runtime risk can change access mid-session, and revoked tokens stop working immediately across downstream APIs. If audits show gaps in any of those areas, the programme still relies on static trust assumptions rather than Zero Trust identity for agents.


Technical breakdown

Delegation chains in OAuth for AI agents

On-behalf-of delegation lets an agent act under authority inherited from a human or another machine identity. In agentic environments, that chain can extend across multiple hops and trust domains, so the security issue is not simply whether a token is valid but whether each hop preserves traceability and policy context. OAuth token exchange extends that model by allowing identity to be reissued across domains without exposing the original credential. The architectural challenge is keeping the delegation chain inspectable enough for governance while avoiding opaque token sprawl that hides who initiated the action and why.

Practical implication: enforce inspectable delegation chains so every agent action can be traced back to a specific authorising identity and policy.
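
An added example, not code from Strata Identity or the original article: one way a resource server could make a delegation chain inspectable, using the nested act (actor) claim that OAuth token exchange (RFC 8693) defines. MAX_HOPS, TRUSTED_ACTORS, the actor names and the sample token are constructed assumptions, and signature verification is assumed to happen before this code runs.

```python
import base64
import json

MAX_HOPS = 3  # assumed policy limit
TRUSTED_ACTORS = {"agent:planner", "agent:booking"}  # assumed agent registry


def _b64u(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def decode_claims(jwt: str) -> dict:
    """Decode a compact JWT payload. Signature verification is assumed to have
    been done by a JOSE library before this is called."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def delegation_chain(claims: dict) -> list:
    """Walk nested `act` claims: outermost is the current actor, inner are prior."""
    chain, act = [], claims.get("act")
    while act is not None:
        if not isinstance(act, dict) or "sub" not in act:
            raise ValueError("malformed act claim")
        chain.append(act["sub"])
        if len(chain) > MAX_HOPS:
            raise ValueError("delegation chain exceeds MAX_HOPS")
        act = act.get("act")
    return chain


def authorize(claims: dict) -> dict:
    """Decide on the current actor only; record prior actors for the audit trail."""
    chain = delegation_chain(claims)
    if not chain:
        raise PermissionError("token carries no actor, so no delegation to trace")
    if chain[0] not in TRUSTED_ACTORS:
        raise PermissionError("unknown current actor: " + chain[0])
    return {"subject": claims["sub"], "current_actor": chain[0],
            "prior_actors": chain[1:], "scope": claims.get("scope", "")}


# Constructed sample: alice -> planner agent -> booking agent (placeholder signature).
SAMPLE_CLAIMS = {"sub": "user:alice", "scope": "calendar.write",
                 "act": {"sub": "agent:booking", "act": {"sub": "agent:planner"}}}
SAMPLE_JWT = _b64u({"alg": "ES256", "typ": "JWT"}) + "." + _b64u(SAMPLE_CLAIMS) + ".sig"

if __name__ == "__main__":
    print(authorize(decode_claims(SAMPLE_JWT)))
```

The returned record is what would be written to the audit log, so each downstream call stays attributable to the authorising subject as well as to the agent that made it.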

Token binding, PKCE, and proof of possession

AI agents often run in environments where a long-lived client secret is either impractical or too risky to store. PKCE reduces reliance on shared secrets during the OAuth exchange, while DPoP binds a token to a cryptographic key held by the client, making intercepted tokens harder to reuse. Together, they change token theft from a pure replay problem into a possession problem. That matters in distributed agentic systems, where exposed tokens can be copied quickly and used across APIs before traditional revocation or detection catches up.

Practical implication: prefer proof-of-possession controls for agent tokens so interception alone does not create reusable access.
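
An added example, not code from Strata Identity or the original article: the binding checks a resource server applies to a DPoP proof (RFC 9449), showing why a captured token presented with a different key is rejected. The keys, token, URL and the make_proof helper are constructed assumptions, and the proof's signature is assumed to have been verified by a JOSE library first.

```python
import base64
import hashlib
import json


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 SHA-256 thumbprint of an EC public JWK (required members only)."""
    required = {k: jwk[k] for k in ("crv", "kty", "x", "y")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64u(hashlib.sha256(canonical.encode()).digest())


def check_dpop_binding(header, proof, token_claims, access_token,
                       method, url, seen_jti, now, max_age=60):
    """Binding checks a resource server runs on a DPoP proof. Assumes the proof
    signature was already verified with header['jwk'] by a JOSE library, and
    that `url` is the request URI without query or fragment."""
    if header.get("typ") != "dpop+jwt":
        return "wrong typ"
    if jwk_thumbprint(header["jwk"]) != token_claims.get("cnf", {}).get("jkt"):
        return "key not bound to token"
    if proof.get("htm") != method or proof.get("htu") != url:
        return "proof is for a different request"
    if proof.get("ath") != b64u(hashlib.sha256(access_token.encode("ascii")).digest()):
        return "proof is for a different token"
    if abs(now - proof.get("iat", 0)) > max_age:
        return "proof outside freshness window"
    jti = proof.get("jti")
    if not jti or jti in seen_jti:
        return "proof replayed or missing jti"
    seen_jti.add(jti)
    return "ok"


# Constructed sample values; x/y are placeholders, not real curve points.
AGENT_JWK = {"kty": "EC", "crv": "P-256", "x": "agent-x", "y": "agent-y"}
THIEF_JWK = {"kty": "EC", "crv": "P-256", "x": "thief-x", "y": "thief-y"}
ACCESS_TOKEN = "constructed.access.token"
TOKEN_CLAIMS = {"sub": "agent:booking", "cnf": {"jkt": jwk_thumbprint(AGENT_JWK)}}
URL = "https://api.example.com/bookings"


def make_proof(jwk, jti, iat=1000):
    """Build the header and claims a client holding `jwk` would send (unsigned)."""
    ath = b64u(hashlib.sha256(ACCESS_TOKEN.encode("ascii")).digest())
    return ({"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk},
            {"jti": jti, "htm": "POST", "htu": URL, "iat": iat, "ath": ath})
```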

Continuous authorisation and runtime revocation

Static token lifetimes assume that risk stays constant for the duration of a session. CAEP breaks that assumption by letting access be reevaluated when conditions change, such as unusual agent behaviour, a new location, or a task boundary being crossed. For agentic identity, that matters because the security state can change mid-execution, not only at login. The architecture therefore needs runtime signals feeding policy decisions, rather than relying on a token issued once and trusted until expiry.

Practical implication: connect runtime risk signals to revocation so agent access can be withdrawn or narrowed immediately when behaviour drifts.
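
An added example, not code from Strata Identity or the original article: a receiver that applies a CAEP session-revoked event so that an unexpired token stops being accepted as soon as the event arrives. The RevocationState class, the subject names and the simplified Security Event Token layout are constructed assumptions, and the event is assumed to have been signature-verified already.

```python
SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"


class RevocationState:
    """Tracks, per subject, the time before which issued tokens are not trusted."""

    def __init__(self):
        self.not_before = {}   # subject id -> epoch seconds
        self.seen_jti = set()  # ids of events already processed

    def handle_set(self, set_claims: dict) -> bool:
        """Apply a verified Security Event Token; return True if state changed."""
        if set_claims["jti"] in self.seen_jti:
            return False  # duplicate delivery
        self.seen_jti.add(set_claims["jti"])
        event = set_claims.get("events", {}).get(SESSION_REVOKED)
        if event is None:
            return False  # an event type this receiver does not act on
        subject = set_claims["sub_id"]["id"]
        ts = event.get("event_timestamp", set_claims["iat"])
        self.not_before[subject] = max(ts, self.not_before.get(subject, 0))
        return True

    def token_allowed(self, token_claims: dict, now: float) -> bool:
        """A token must be unexpired AND issued after the last revocation."""
        if now >= token_claims["exp"]:
            return False
        return token_claims["iat"] > self.not_before.get(token_claims["sub"], 0)


# Constructed sample event (simplified layout, assumed already verified).
SAMPLE_SET = {"iss": "https://idp.example.com", "jti": "set-001", "iat": 1500,
              "sub_id": {"format": "opaque", "id": "agent:booking"},
              "events": {SESSION_REVOKED: {"event_timestamp": 1500}}}

if __name__ == "__main__":
    state = RevocationState()
    token = {"sub": "agent:booking", "iat": 1000, "exp": 4600}
    print(state.token_allowed(token, now=1200))  # before the event
    state.handle_set(SAMPLE_SET)
    print(state.token_allowed(token, now=1600))  # unexpired but revoked
```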


Threat narrative

Attacker objective: Turn delegated agent authority into fast, cross-domain API access that can be reused before governance or revocation catches up.

  1. Entry occurs when an AI agent receives delegated OAuth access through a human, service, or upstream agent identity.
  2. Escalation happens when that delegated access is exchanged across clouds or APIs without sufficient inspection of purpose, scope, or token binding.
  3. Impact follows when a compromised or over-scoped agent can call downstream systems, move data, or trigger transactions at machine speed before human review can intervene.



NHI Mgmt Group analysis

OAuth survives the move to agentic identity because delegation is already native to the protocol, but only if governance is updated around it. AI agents do not need a brand-new identity model to begin operating, but they do expose the limits of static trust and loose token handling. The field should stop asking whether OAuth is sufficient in the abstract and start asking whether existing controls can survive machine-speed delegation across trust domains.

Token theft is not the only problem in agentic identity. Uninspectable delegation is the bigger governance failure. A token can be valid, bound, and still too permissive if the organisation cannot see which actor initiated the chain, what purpose is attached, and which downstream systems are implicated. That makes delegated authority, not just credential compromise, the core NHI governance concern for agents.

Runtime authorisation becomes the control plane for agentic AI, not a nice-to-have enhancement. CAEP-like evaluation matters because agent behaviour can shift during the same session in ways human-centric IAM review cycles cannot observe. In practice, this pushes identity governance toward continuous decisioning, where access is narrowed or revoked based on live context rather than issued once and assumed safe.

Task-purpose metadata is the named concept that agentic OAuth needs next. Tokens were designed to prove authorisation, not intent, and that gap becomes visible when agents can chain actions autonomously across systems. The implication is that identity teams must treat purpose and provenance as first-class governance inputs, because scope alone no longer describes enough of the risk to evaluate delegated machine action.

AI agents extend the standing privilege problem into a faster, harder-to-review form. Human programmes often assume there is enough time to certify, recertify, or investigate access after it is granted. With agents, the access path can be created, used, and abandoned within the same operational window, which means existing review cadences are structurally outpaced.

From our research:

  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to the AI Agents: The New Attack Surface report.
  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, which shows the control gap is already established.
  • For a broader threat framing, see the OWASP Agentic AI Top 10 for the control patterns that map most directly to agentic misuse.

What this signals

Task-purpose metadata is likely to become one of the most important design questions in agentic IAM, because scope alone no longer explains why a machine identity is acting. Once agents can chain requests across clouds, the programme needs traceability that survives delegation, not just authentication that starts it.

The broader signal for identity teams is that OAuth-based delegation is now doing double duty as both an access mechanism and a governance substrate. That makes agent identity a shared concern across IAM, NHI, and security architecture, especially where policy, telemetry, and revocation must work in the same control loop.

With only 52% of organisations able to track and audit the data their AI agents access, according to the AI Agents: The New Attack Surface report, the operational gap is already visible. Teams should prepare for continuous authorisation patterns and stronger provenance controls rather than assume review-based governance will catch up later.


For practitioners

  • Map every agent delegation chain: Document the upstream identity, downstream API, and policy decision for every AI agent that can act on behalf of another actor, including cross-cloud hops and sub-agent handoffs.
  • Bind tokens to proof of possession: Prefer DPoP or equivalent cryptographic binding so captured access tokens cannot be replayed from a different device, runtime, or automation context.
  • Enforce runtime revocation signals: Wire location, behaviour, task boundary, and risk changes into continuous evaluation so access can be narrowed or removed before the delegation chain completes.
  • Add purpose and provenance to claims: Extend token and policy design so the system can evaluate who delegated the action, for what task, and under which constraints the agent was authorised.
  • Review machine-speed access governance: Test whether your review cadence, logging, and offboarding processes can still work when an agent creates and consumes access in a single session.

Key takeaways

  • AI agents can use OAuth patterns effectively, but only when delegation, token binding, and revocation are treated as live governance controls rather than static protocol features.
  • The main risk is not just stolen tokens, but uninspectable delegated authority that moves faster than human review and crosses trust domains without clear provenance.
  • Practitioners should design for machine-speed authorisation now, because the control gap is already measurable and the governance assumptions are already under pressure.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Agent delegation and token misuse are central to the article's identity model. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Token handling and rotation risks apply to AI agents as non-human identities. |
| NIST AI RMF | | Continuous authorisation and accountability align to AI governance expectations. |

Use AI RMF GOVERN and MONITOR functions to define ownership, telemetry, and runtime control for agents.


Key terms

  • Agentic Identity: Agentic identity is the set of controls used to prove, constrain, and audit what an AI agent may do at runtime. It extends identity governance beyond login and token issuance into delegation, intent, continuous authorisation, and traceable action across systems.
  • On-Behalf-Of Delegation: On-behalf-of delegation is an OAuth pattern that lets one identity act using authority derived from another identity. In agentic systems, it is the mechanism that preserves accountability across chained actions, but it must be paired with traceability and policy context to remain governable.
  • Proof of Possession: Proof of possession is a token protection approach that requires the caller to prove it holds the private key associated with the token. For AI agents, it reduces replay risk by making a captured token useless without the original cryptographic holder.
  • Continuous Access Evaluation: Continuous access evaluation is a runtime authorisation model where access can change after issuance based on current risk, behaviour, or context. For autonomous or semi-autonomous agents, it matters because trust can shift during a session, not only at authentication time.


This post draws on content published by Strata Identity: OAuth 2.0 as the foundation for agentic identity at machine speed. Read the original.
