By NHI Mgmt Group Editorial TeamDomain: AnnouncementsSource: PlainIDPublished July 14, 2026

TL;DR: Authorization is moving into the SSO token-issuance moment, so claims can reflect live policy rather than stale configuration, while also supporting OIDC, OAuth, SAML, and MCP tool access flows according to PlainID. Static tokens assume authorization remains stable between login and use, but runtime policy evaluation breaks that assumption and shifts audit evidence to issuance time.


At a glance

What this is: This is an analysis of how inline authorization at SSO sign-in changes token issuance, making access claims reflect live policy instead of static configuration.

Why it matters: It matters because IAM, PAM, NHI, and agentic AI teams increasingly need authorization decisions that track session state, not just authentication events.

👉 Read PlainID's analysis of real-time authorization at Duo sign-in


Context

Token claims are only useful if they reflect the access state that downstream systems actually enforce. In most environments, the problem is not authentication itself, but the lag between a sign-in event and the authorization state that should govern what the user or agent can do next.

For IAM programmes, that lag becomes more visible as access decisions move beyond humans into agentic workflows and machine-to-machine calls. Real-time authorization at token issuance changes where policy is evaluated, but it also raises the bar for policy design, auditability, and lifecycle governance across human identity, NHI, and emerging agent flows.


Key questions

Q: How should security teams use real-time authorization at sign-in?

A: Use real-time authorization when token claims need to reflect current policy, context, or data sensitivity at the moment of issuance. Keep the policy engine separate from the application, and use the token as the signed handoff between authentication and enforcement. That approach improves consistency, but only if teams govern policy quality, fallback behaviour, and audit logging carefully.

Q: Why do static token claims create risk in modern IAM programmes?

A: Static token claims create risk because they can outlive the access state they were meant to represent. A user may change role, context may change, or data sensitivity may change after login, yet downstream applications still trust the original claims. The result is authorization drift, where the token says one thing and current policy says another.

Q: What breaks when authorization ignores the calling application?

A: When authorization ignores the calling application, the API cannot tell whether a request came from the right actor, in the right workflow, with the right purpose. That leads to over-permissioned integrations, unsafe delegated access, and policy decisions that look correct on paper but fail at runtime. Application identity must be part of the trust decision.

Q: How do teams govern delegated agent access differently from human access?

A: Delegated agent access needs the same policy source of truth as human access, but with tighter attention to session context and per-action decisions. A human may authenticate once, while an agent can invoke multiple tools and alter its path within the same session. Teams should require explicit authorization boundaries for each sensitive action the agent can initiate.


How it works in practice

Why static token claims create authorization drift

OAuth and OIDC tokens often carry claims that applications trust for the life of the session. If those claims are mapped at configuration time, they can drift away from the user’s current role, data sensitivity, or contextual risk. The same problem appears in SAML assertions when attributes are fixed before sign-in completes. The architectural issue is not token format, but when policy is consulted and how long the result remains trusted.

Practical implication: move high-risk authorization decisions closer to issuance time and treat stale claims as a governance defect, not a convenience.

How inline hooks change the token issuance pipeline

Inline hooks are synchronous callouts in the identity provider’s token pipeline. Before the token or assertion is signed, the IdP can query an external policy engine, receive decision output, and embed dynamic claims in the issued artifact. That preserves application simplicity because the app consumes an already-authorised token rather than calling policy logic itself. The trade-off is tighter coupling to policy evaluation availability and latency, which makes resilience part of authorization design.

Practical implication: validate failure modes, timeouts, and fallback behaviour before moving production authorization into the sign-in path.

Why runtime authorization matters for agentic AI and MCP tool use

Agentic workflows do not stop at login. A single session may invoke multiple tools, retrieve different datasets, and change direction based on intermediate results. That makes token time a weak proxy for permission time. When an AI agent or delegated workflow needs a decision at each tool invocation, the control point has to follow the runtime event, not just the original authentication. This is where authorization becomes a session-level control plane rather than a static claim generator.

Practical implication: define which agent actions need per-call decisions, not just one-time token enrichment, especially where MCP tool access is involved.


NHI Mgmt Group analysis

Static token claims are a governance approximation, not an authorization control. They assume the access state at sign-in will remain valid for the life of the token, even when role, context, and data sensitivity change immediately after issuance. That assumption breaks as soon as runtime policy matters more than initial authentication. Practitioners should treat token claims as an audit artifact, not a substitute for living authorization.

Runtime authorization makes the token issuance moment the new control boundary. The policy decision is no longer deferred to the application, which reduces integration sprawl and makes enforcement more consistent across systems. It also means the policy engine, not the app, becomes the place where access logic is proven and logged. The practical consequence is that identity teams must own policy quality with the same discipline they apply to authentication assurance.

Real-time authorization exposes the gap between identity proof and permission proof. Authentication tells you who signed in, but it does not prove that the resulting access should still be valid at the moment the token is minted. That gap is especially visible for regulated environments and delegated machine actions, where evidence must show why access was allowed under current conditions. Enterprises should expect authorization to move from an application concern to an identity governance concern.

Authentication and authorization remain different disciplines even when they are joined in the same flow. The integration pattern works because the IdP authenticates and the policy engine authorizes, with the token acting as the handoff. That separation matters for scale, portability, and auditability. Teams that collapse the two into one opaque control risk losing both policy clarity and lifecycle accountability.

Real-time policy at sign-in is a stronger model for human and non-human identity, but only if entitlement ownership is explicit. The same policy boundary that enriches a user token can also govern delegated agent behaviour, service access, and context-aware decisions. That expands the value of centralized authorization, but it also expands the blast radius of bad policy. Practitioners need a single source of truth for who or what may act, under which conditions, and for how long.

From our research:

What this signals

Static-claim drift: once authorization is moved into token issuance, the governance problem shifts from app-side enforcement to policy quality at the identity layer. That means teams need explicit ownership for entitlement logic, evidence capture, and exception handling across sign-in, session, and delegated access.

The programme signal is clear: identity teams should expect stronger pressure to make authorization portable across SSO, SaaS, APIs, and agentic tools. That is where central policy models like the NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10 become useful reference points for governance and control mapping.


For practitioners

  • Define which access decisions must be runtime decisions Classify tokens, claims, and entitlements by risk level, then require live policy checks for data-sensitive or privilege-bearing actions. Keep low-risk access static only where the business impact of stale claims is negligible.
  • Test token issuance failure and latency paths Validate what happens when the policy engine is slow, unavailable, or returns an indeterminate result before putting inline authorization into production. Document whether the IdP fails closed, fails open, or blocks sign-in.
  • Separate authentication evidence from authorization evidence Make sure audit logs can show who authenticated, what policy was evaluated, and why the final decision was issued. That distinction is critical for regulated access reviews and for defending decisions after the session ends.
  • Extend the policy model to agent and tool access Use the same authorization source of truth for delegated agent actions, especially where MCP tools, APIs, and downstream datasets are involved. Per-call decisions should be explicit when the agent can change tasks mid-session.

Key takeaways

  • Static token claims are increasingly a governance liability because they can lag behind the actual authorization state that should govern access.
  • Real-time policy at issuance improves consistency, but it also makes policy engine resilience and auditability part of the control design.
  • IAM teams should treat authorization as a first-class governance layer across human sessions, NHI flows, and delegated agent actions.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Token drift and exposed claims sit squarely in NHI lifecycle and credential governance.
NIST CSF 2.0PR.AC-4Access permissions management fits the article's token-issuance authorization model.
NIST SP 800-53 Rev 5IA-5Authenticator and token management is central to issuance-time authorization.
NIST Zero Trust (SP 800-207)Zero Trust supports continuous evaluation of access decisions beyond login.

Use the architecture to push authorization decisions to runtime instead of trusting static session claims.


Key terms

  • Runtime Authorisation: Runtime authorisation is the practice of deciding access while a task is in progress, rather than only at provisioning time. It matters for NHIs because credentials and entitlements can change risk mid-session, especially when automation or AI agents interact with sensitive systems.
  • Token Issuance Pipeline: The token issuance pipeline is the sequence an identity provider uses to authenticate a subject, evaluate claims, sign the token, and hand it to an application. When policy hooks are inserted into that pipeline, authorization can be embedded before the token ever reaches the app.
  • Permission Drift: Permission drift is the gradual expansion of access beyond what was originally intended. It happens when roles, tokens, and service accounts accumulate unused rights over time, making cloud identities harder to review and more dangerous to compromise.
  • Dynamic Claims: Dynamic claims are token attributes calculated at issuance time from current identity, session, or policy inputs. They are more accurate than static mappings for sensitive access, but they still depend on the quality of the source policy and the reliability of the evaluation point.

What's in the full announcement

PlainID's full article covers the operational detail this post intentionally leaves for the source:

  • Inline Hook flow specifics for Duo token issuance and SAML assertion enrichment
  • Alpha-stage scope for Token Inline Hooks, SAML Assertion Inline Hooks, and External Authorization Hooks
  • How the policy engine evaluates live session context before the token is signed
  • Why external authorization hooks matter for MCP tool access and delegated agent flows

👉 The full PlainID article covers inline hook mechanics, policy flow, and the planned extension to external authorization hooks.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org