By NHI Mgmt Group Editorial TeamDomain: Agentic AI & NHIsSource: StytchPublished November 10, 2025

TL;DR: AI agents moving into production are converging on OAuth because static API keys, passwords, and session cookies do not provide the consent, scoping, revocation, and auditability required for delegated access, according to Stytch. The governance issue is less about choosing an auth protocol than about preserving accountability when machine identities act on behalf of users.


At a glance

What this is: This is an analysis of why OAuth has become the standard for AI agent authentication and what it changes for delegated access, service accounts, and MCP-connected systems.

Why it matters: It matters because IAM teams now have to govern non-human identities that act with user context, which means consent, scope, revocation, and audit trails must be designed for agents as well as people.

By the numbers:

👉 Read Stytch's guide to AI agent authentication methods and OAuth


Context

AI agent authentication is moving from ad hoc secrets to delegated access models because production agents need to touch real data without inheriting broad, permanent credentials. In practice, that means the identity problem is not just how an agent logs in, but how authority is scoped, revoked, and attributed across NHI and human IAM boundaries.

OAuth fits this shift because it treats the agent as a client acting on behalf of a resource owner, which maps cleanly to delegated machine access. The important governance question is whether organisations can enforce that model consistently across SaaS integrations, MCP-connected tools, and service-account workflows without slipping back into static secrets.


Key questions

Q: How should security teams authenticate AI agents that act on behalf of users?

A: Use OAuth with explicit user consent, narrow scopes, and revocable tokens. That model preserves attribution and lets administrators disconnect access without changing the underlying user account. For production systems, the question is not whether an agent can be authenticated, but whether the chosen flow keeps authority bounded and auditable across its full lifecycle.

Q: Why do static API keys create more risk for AI agents than for ordinary services?

A: Static keys are poor for agents because they behave like long-lived shared secrets with no built-in consent, scope, or revocation semantics. When an agent handles real data, the key becomes both the access mechanism and the blast radius. OAuth-based delegation reduces that exposure by tying access to a specific user or service identity.

Q: How do organisations decide between OAuth Authorization Code flow and Client Credentials?

A: Use Authorization Code when the agent acts for a user and must inherit that user’s permissions. Use Client Credentials when the agent acts as a system identity for machine-to-machine work. The decision should follow the identity being governed, not the engineering team’s preferred integration pattern.

Q: Who is accountable when an AI agent performs an unauthorized action?

A: Accountability depends on the identity model used. If the agent acted with delegated user access, logs should attribute the action to the user and the client that obtained the token. If the agent used a service account, accountability sits with the owning system and its lifecycle controls, including revocation, scope review, and audit logging.


Technical breakdown

Why OAuth fits delegated AI agent access

OAuth is an authorization framework, not just a login method. For AI agents, its value is that it separates the user who grants access from the client that uses it, then issues scoped tokens that can be revoked without changing the underlying account secret. That matters because agents often need narrow, time-bound access to external systems the platform does not own. OAuth 2.1 strengthens this pattern by making PKCE mandatory and removing legacy flows that were easier to intercept or abuse. In identity terms, this is delegated authority with traceability, not shared credentials.

Practical implication: model agent access as delegated authority with explicit scopes, revocation paths, and auditable token use rather than as a shared secret problem.

Service accounts, client credentials, and the boundary of non-human identity

The article separates user-delegated access from service-account style machine-to-machine access, and that distinction is operationally important. Client Credentials Grant is appropriate when the agent acts as itself for system tasks, while Authorization Code + PKCE is appropriate when the agent acts on behalf of a user. The difference determines whether consent, user context, and attribution exist at all. Teams that blur the two end up overusing API keys, which behave like long-lived shared secrets and erase the governance signals IAM and PAM depend on. For NHI programmes, the issue is identity binding, not just transport security.

Practical implication: classify each agent workload as delegated access or service-account access before assigning the auth pattern, scope model, and review process.

MCP, dynamic client registration, and future agent discovery

The article notes that MCP builds OAuth 2.0 and OAuth 2.1 into its foundation, and it also points to extensions such as Dynamic Client Registration and Client ID Metadata Documents. These mechanisms matter because future agents may need to discover and connect to new services dynamically, without manual setup for every integration. That increases convenience, but it also changes the governance problem from static registration to runtime trust establishment. In other words, the control point moves from provisioning time to connection time, where identity metadata, policy, and validation have to be machine-readable and continuously trustworthy.

Practical implication: prepare for dynamic agent onboarding by inventorying which trust decisions can safely move to runtime and which still need pre-approved controls.


NHI Mgmt Group analysis

OAuth is becoming the default because static secrets do not provide a governable delegation model for agents. The article is right to treat API keys and passwords as poor fits for production agent access, but the deeper issue is that they erase the separation between consent, scope, and attribution. Once an agent acts on behalf of a user, access must be revocable without collapsing the entire identity. Practitioners should treat OAuth as the baseline control plane for delegated NHI access, not as an implementation detail.

The real governance boundary is not authentication versus authorization, but user-scoped authority versus machine-scoped authority. Authorization Code with PKCE and Client Credentials solve different identity problems, and confusing them leads to weak policy design. User-delegated access needs consent, auditability, and narrow scope, while service accounts need controlled machine identity and lifecycle oversight. IAM teams should stop asking which flow is simpler and start asking which actor is being governed.

Dynamic registration and metadata-driven discovery create a runtime trust problem, not just a setup efficiency problem. As agent ecosystems become more dynamic, connection approval shifts from human-administered onboarding to machine-validated trust establishment. That changes how organisations think about identity lifecycle, because the governance question becomes whether an agent can safely discover and bind to services on demand. Practitioners need to evaluate whether current controls assume static integrations when the next wave of agent access will not be static at all.

Identity blast radius is the decisive metric for AI agents that touch real data. OAuth’s value is not that it is fashionable or familiar, but that it constrains what an agent can do if compromised or misused. Short-lived tokens, explicit scopes, and instant revocation reduce the exposure window, while passwords and session cookies do the opposite. Identity teams should frame agent authentication decisions in terms of blast radius, not developer convenience.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • From our research: 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • If you are mapping agent authentication to broader NHI controls, start with 52 NHI Breaches Analysis to see how lifecycle gaps turn into exposure patterns.

What this signals

Identity blast radius is becoming the right mental model for AI agent authentication. When tokens are scoped correctly, revocable, and tied to the right actor, the compromise window stays bounded; when they are not, the agent inherits the weakest properties of traditional secrets management and the programme loses control over who can act, when, and with what authority.

With only 5.7% of organisations having full visibility into their service accounts, per the Ultimate Guide to NHIs, the move to agentic integrations will expose the same blind spots unless teams unify service-account governance, OAuth lifecycle management, and connected-app revocation.

For practitioners, the next step is to treat agent onboarding, scope review, and token revocation as core IAM operations rather than integration plumbing. That is where NHI governance, human identity controls, and emerging agentic AI patterns finally meet in one operating model.


For practitioners

  • Separate delegated access from service-account access Classify every AI agent workflow before implementation. If the agent acts on behalf of a person, use an OAuth flow with user consent and scoped tokens. If the agent acts as itself, use machine-to-machine identity with client credentials and document the service-account lifecycle explicitly.
  • Eliminate shared secrets from agent onboarding Replace API keys, passwords, and session cookies with revocable token-based patterns for any production or sensitive-data workflow. Treat prompt-stored or code-embedded credentials as a policy failure, not a convenience trade-off.
  • Map scopes to real task boundaries Define the smallest useful permissions for each agent and review them against the actual actions the agent can trigger. For user-delegated access, verify that the consent screen, scope naming, and audit logs all describe the same delegated task.
  • Plan for runtime trust in MCP-connected systems Inventory integrations that may rely on dynamic client registration or metadata discovery, then decide which of those connections need pre-approval, continuous verification, or explicit administrative controls before they are allowed to bind.
  • Rework revocation and review around tokens, not accounts Ensure connected-app disconnect, token invalidation, and access review processes are tested as operational controls. If an agent can keep working after the user or administrator believes access is gone, the governance model has failed.

Key takeaways

  • OAuth is winning for AI agents because it preserves consent, scope, revocation, and attribution in a way static secrets do not.
  • The key governance decision is actor classification: user-delegated access and service-account access require different identity controls.
  • Agentic systems increase identity blast radius unless IAM teams design for token lifecycle, connected-app revocation, and runtime trust.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10The article covers agent authentication, delegated access, and tool-connected identity.
OWASP Non-Human Identity Top 10NHI-03The post centers on credential patterns and lifecycle risks for non-human identities.
NIST CSF 2.0PR.AC-4Least-privilege access management is central to the OAuth scope model described here.
NIST SP 800-53 Rev 5IA-5Authenticator management applies directly to token issuance, revocation, and rotation.
NIST Zero Trust (SP 800-207)3.2Continuous verification and explicit trust fit the article's delegation model.

Replace static secrets with revocable, scoped credentials and review lifecycle controls regularly.


Key terms

  • Delegated Access: Delegated access is when one identity acts on behalf of another identity with limited authority. For AI agents, that means the agent should only receive the scopes, duration, and auditability needed for the task, not the user’s full standing access.
  • Client Credentials Grant: Client Credentials Grant is an OAuth flow used when a system authenticates as itself rather than as a user. In AI agent programmes, it is the standard pattern for service-account style machine-to-machine access with no user consent step or personal context.
  • Authorization Code Flow With PKCE: Authorization Code Flow with PKCE is the OAuth pattern used for user-delegated access with stronger protection against code interception. For agents, it supports consent-driven access while keeping the token exchange tied to the original client and session.
  • Identity Blast Radius: Identity blast radius is the amount of damage an identity can cause if it is misused, over-privileged, or compromised. For agents, the term captures how token scope, revocation speed, and lifecycle controls determine whether an incident stays contained or spreads across systems.

What's in the full article

Stytch's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step guidance for implementing Authorization Code with PKCE and Client Credentials in agent workflows.
  • Detailed treatment of advanced OAuth extensions such as on-behalf-of token exchange and dynamic client registration.
  • Implementation considerations for MCP-connected systems that need secure client discovery and authentication.
  • Examples of how connected-app revocation and token lifecycle management are handled in production auth designs.

👉 The full Stytch post covers OAuth flows, advanced extensions, and implementation trade-offs for agent access.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org