OAuth solves the wrong problem for enterprise AI agents

At a glance

What this is: This analysis argues that OAuth is necessary for enterprise AI agents but insufficient because token-based authorization cannot govern runtime behaviour, intent drift, or multi-hop delegation.

Why it matters: IAM, NHI, and agentic AI teams need controls that extend beyond authentication and scopes, because agent behaviour can diverge from the original authorization context long before a token expires.

By the numbers:

• 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded.
• 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation.

👉 Read Aizome's analysis of why OAuth falls short for enterprise AI agents

Context

Enterprise AI agent identity is not just a question of proving who something is. It is a question of whether a runtime actor can keep making safe decisions after the first authorization event has already passed. OAuth was built for delegated access with stable scopes and clear intent, which is why it works well for traditional application flows but strains under agentic behaviour.

The governance gap appears when an agent can choose tools, chain sub-agents, and continue operating across finance, HR, and operations without a human re-approval point. That creates a mismatch between the authorization model and the actual identity problem, which is now moving toward agent identity, workload identity, and lifecycle control rather than entry-point authentication alone. For teams that need a related primer on agentic risk, the OWASP Agentic AI Top 10 is a useful reference point.

Key questions

Q: How should security teams govern enterprise AI agents beyond OAuth?

A: Use OAuth for delegated access, but add runtime governance that evaluates the current action, workflow context, and delegation depth before sensitive operations proceed. The key is to connect identity, intent, and observation so the programme can detect drift while the session is active, not after the token has already enabled the action.

Q: Why do scoped tokens break down for enterprise AI agents?

A: Scoped tokens assume behaviour is predictable enough to be described at provisioning time. Enterprise AI agents are non-deterministic, can chain tools and sub-agents, and can shift intent during execution. That means a token can be valid while the action is no longer aligned to the original purpose, which is a governance failure.

Q: What breaks when identity is treated as a one-time authorization event?

A: The programme loses visibility into whether the current action still matches the original approval. With agents, the meaningful control point is often mid-session, after context has changed and before a downstream system is touched. One-time authorization cannot capture that shift, so the organisation mistakes access validity for safe behaviour.

Q: How can teams reduce risk when agents use multiple protocols in one workflow?

A: Build correlation across the full protocol chain so identity events from OAuth, API keys, managed identity, and tool-specific credentials are analysed together. That allows teams to spot behaviour that looks compliant in each individual layer but unsafe when viewed as one execution path.

Technical breakdown

Why scoped tokens fail for enterprise AI agent workflows

OAuth scopes work when behaviour is predictable and the application’s actions are known in advance. Enterprise AI agents are different because they decide at runtime which tools to call, which data to query, and whether to invoke sub-agents. That means the scope defined at provisioning time is only an approximation of future behaviour. The result is either over-scoping, which inflates blast radius, or under-scoping, which breaks legitimate work. Token validity says little about whether the next action still matches the original intent.

Practical implication: Treat scope design as a starting control, then add runtime governance for actions that emerge after provisioning.

Delegation chains, on-behalf-of flows, and the loss of intent

OAuth delegation assumes a relatively shallow chain: user to application to resource. Agentic workflows are deeper and dynamic, with supervisor agents, worker agents, sub-agents, and external tools all participating in the same task. On-behalf-of flows can pass identity forward, but they do not preserve human intent with the same fidelity as the chain expands. Each hop reduces the clarity of why the action is happening, even if the token remains technically valid. That is why a valid authorization event can still produce an invalid governance outcome.

Practical implication: Track delegation depth and preserve workflow context where decisions will later need to be justified.

Why multi-protocol identity makes agent governance harder

Enterprise AI agents often authenticate through several different mechanisms in one task, including OAuth, API keys, managed identity, and tool-specific tokens such as MCP credentials. Each layer validates only its own slice of the session. No single control plane can see the whole behavioural chain unless the programme correlates identity, action, and context across protocols. This is not simply a standards issue. It is an architectural gap between authentication and behavioural governance that becomes more visible as agent workloads spread across systems.

Practical implication: Correlate identity events across protocols before you assume a valid token equals a safe action.

Threat narrative

Attacker objective: The objective is to convert a valid delegated identity into broader, less governable execution that still appears authorised at the token layer.

1. Entry begins with a legitimate OAuth grant or other delegated credential that gives the agent access to enterprise resources within a defined scope.
2. Escalation occurs when the agent’s workflow expands through additional tools, sub-agents, or protocols that were not fully represented at provisioning time.
3. Impact follows when technically valid authorisation is used to execute actions outside the original intent, making governance fail even though authentication succeeds.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

OAuth solves authentication and scoped authorization, not runtime governance. That distinction is the central issue for enterprise AI agents. When an agent can decide what to do next, the security question moves from access grant to action legitimacy, which token-based models cannot answer on their own. Practitioners should treat OAuth as one layer in a broader control stack, not the full answer.

Agent identity exposes a governance assumption that was designed for human-paced delegation. The assumption is that least privilege can be defined at provisioning time because the actor’s intent is known before execution begins. That assumption fails when the actor is autonomous enough to select tools, chain actions, and change course mid-session. The implication is that identity programmes must stop treating authorization as a one-time event and start treating it as a runtime condition.

Multi-protocol agent stacks create identity blind spots across the enterprise. A token may be valid in OAuth while the agent is simultaneously operating through API keys, managed identity, or tool-specific credentials. That breaks the idea that any single protocol can establish control over the whole action path. The practitioner takeaway is to govern the chain, not just the credential.

Behavioural drift is the missing control variable in agent governance. The article correctly points toward continuous observation, but the deeper lesson is that drift detection becomes a governance primitive when identity can persist across multiple actions without direct human review. That changes how IAM, NHI, and workflow owners think about accountability, because the question becomes whether the session still matches its original purpose. Teams should plan for review, containment, and provenance together.

Runtime action control is the real boundary for enterprise AI agents. Static policy will always lag a system that reasons, adapts, and reuses context across tools. The category is moving toward identity plus intent plus observation, and that is why governance models built only on access tokens will continue to miss the highest-risk behaviours. Security teams should align their control design to the action path, not the login path.

From our research:

• 24,008 unique secrets were exposed in MCP configuration files in 2025 alone, the protocol's first year of widespread adoption, according to The State of Secrets Sprawl 2026.
• 64% of valid secrets leaked in 2022 are still valid and exploitable today, which shows that exposure and revocation are still disconnected in many environments.
• For a broader view of how secrets, workload identity, and lifecycle controls fit together, see the Guide to the Secret Sprawl Challenge.

What this signals

Runtime governance will become the differentiator for agent programmes. Organisations that can correlate identity, intent, and action across multiple protocols will be able to operationalise AI agents with less blind trust. Those that stop at token issuance will keep discovering that valid credentials do not equal valid behaviour.

With 24,008 unique secrets exposed in MCP configuration files in 2025 alone, the control problem is already extending into agent tooling layers. That exposure pattern shows why agent governance cannot sit only inside traditional IAM or API security teams. It has to include workflow owners, platform teams, and identity teams working from a shared execution view.

Agent governance is moving toward an identity blast radius model. The important question is no longer just who the agent is, but how far one valid identity can travel across tools, protocols, and delegated actions before someone can intervene. That changes planning for NHI, workload identity, and autonomous access together.

For practitioners

• Separate access checks from action checks Keep OAuth, PKCE, and token exchange as entry controls, then add a second governance step that evaluates whether the current action still matches the workflow intent before execution proceeds.
• Map agent delegation chains end to end Document supervisor agents, worker agents, sub-agents, and downstream tools so you can see where intent is diluted across the chain and where accountability becomes ambiguous.
• Correlate identity events across protocols Join logs from OAuth, API key use, managed identity, and MCP-style tool access so behavioural drift is visible even when no single protocol shows a policy violation.
• Review scope design against runtime behaviour Compare the permissions granted at provisioning with the tools and data the agent actually uses in production, then flag cases where the scope only approximates the real task.
• Establish containment triggers for drift Define when a session should be paused, re-authored, or terminated if agent behaviour departs from the approved task sequence or begins crossing business boundaries.

Key takeaways

• OAuth remains useful, but it cannot by itself govern enterprise AI agents that change tools, context, and action timing at runtime.
• The scale of secret exposure in emerging agent tooling shows that identity risk is moving into workflow infrastructure, not just classic application access.
• Practitioners need control designs that evaluate intent and behaviour during execution, not only identity at the point of login.

Key terms

• Delegation Chain: The sequence of identities and systems that pass authority from one actor to another. In enterprise AI agents, the chain can include a human, a supervisor agent, worker agents, and external tools, which makes original intent harder to preserve as actions move downstream.
• Behavioral Drift: A change in what an identity is actually doing compared with what it was authorised to do. For AI agents, drift can happen inside a single session as context changes, tools are added, or sub-agents alter the path of execution.
• Runtime Governance: Controls that evaluate identity behaviour while work is in progress rather than only at login or provisioning. For autonomous or agentic systems, this means checking action, context, and intent before sensitive operations are allowed to continue.
• Token Scope: The set of permissions attached to a credential or access token. It describes what the holder may do, but not necessarily whether a specific action is appropriate in the current workflow, which is why scope alone is not enough for AI agent governance.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Aizome: Beyond the Token: Why OAuth Solves the Wrong Problem for Enterprise AI Agents. Read the original.