Agentic AI authentication: what IAM teams need to rethink


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Agentic AI shifts identity from passive prompt handling to runtime action, multi-step delegation, and tool use across LLMs, MCP servers, and downstream services, creating authentication and authorization gaps that current IAM patterns do not fully cover, according to Aembit. The core problem is not simply a need for stronger authentication; it is that governance rests on assumptions that no longer hold once agents decide, act, and recompose permissions dynamically.

NHIMG editorial — based on content published by Aembit: an analysis of agentic AI authentication, authorization, and MCP

By the numbers:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.

Questions worth separating out

Q: How should security teams govern authentication for agentic AI systems?

A: Security teams should govern agentic authentication as a chain of identities, not a single login event.

Q: Why do traditional least-privilege models struggle with AI agents?

A: Traditional least privilege assumes the system's required permissions are known before execution begins. An agent discovers tools and the permissions it needs as the task unfolds, so the permission set cannot be fixed up front and may widen mid-task.

Q: What breaks when MCP servers run with shared local trust?

A: Shared local trust breaks isolation because any process on the machine may be able to call the server, and the server may inherit privileges that were never intended for broad reuse.

Practitioner guidance

  • Map every agentic trust boundary. Document where the application, MCP client, MCP server, and downstream service each authenticate and where identity context is lost.
  • Constrain runtime capability discovery. Limit which tools and servers an agent can discover at runtime, and review any mechanism that lets the agent expand access after the task begins.
  • Separate human intent from machine execution. Do not assume a user's permissions should automatically flow through the agent.

What's in the full article

Aembit's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step explanation of the app, LLM, agent, MCP client, MCP server, and service chain.
  • Concrete authentication patterns across OAuth 2.0, OAuth 2.1, API keys, Kerberos, and local process trust.
  • A walkthrough of delegation, dynamic permissions, and identity blending between user and agent.
  • The article's current-state observations on MCP implementation maturity and where shortcuts are still common.

👉 Read Aembit's analysis of agentic AI authentication and authorization →
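To make the three guidance points above concrete, here is an added example (editorial illustration, not Aembit's code and not the MCP reference implementation). It models the app, agent, MCP client, MCP server and service path as a chain of hops, each carrying an authenticated principal and an explicit scope set; a hop may only attenuate the scopes of the hop before it, a user's permissions never flow through to the agent implicitly, and the tools an agent may discover at runtime are fixed by policy before execution. All principal names, boundary labels, tool names and scope strings are hypothetical.

```python
"""Delegation-chain checks for an agentic call path (added example, hypothetical names)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    principal: str         # identity that authenticated at this boundary ("" = context lost)
    boundary: str          # e.g. "app->agent", "mcp-client->mcp-server"
    scopes: frozenset      # scopes this hop asserts for the next step


@dataclass(frozen=True)
class Policy:
    agent_allowed: frozenset       # ceiling: scopes the agent may ever hold
    discoverable_tools: frozenset  # tools the agent may load at runtime


class DelegationError(Exception):
    pass


def effective_scopes(user_scopes, delegated, policy):
    """Scopes an agent may act with on a user's behalf.

    Nothing flows through implicitly: the agent gets only what the user holds,
    what the user explicitly delegated, and what policy lets the agent hold.
    """
    return frozenset(user_scopes) & frozenset(delegated) & policy.agent_allowed


def validate_chain(chain, root_scopes):
    """Walk every hop; each must keep a principal and may only narrow scope.

    Returns the scope set that reaches the final service. Raises
    DelegationError on a lost identity or on any widening, which is how a
    server running with broad shared trust would show up in this model.
    """
    current = frozenset(root_scopes)
    for hop in chain:
        if not hop.principal:
            raise DelegationError(f"{hop.boundary}: no authenticated principal (identity context lost)")
        widened = hop.scopes - current
        if widened:
            raise DelegationError(f"{hop.boundary}: {hop.principal} widened scope by {sorted(widened)}")
        current = hop.scopes
    return current


def check_tool_discovery(requested, policy):
    """Split a runtime discovery request into (allowed, denied) tool sets."""
    requested = frozenset(requested)
    return requested & policy.discoverable_tools, requested - policy.discoverable_tools


def demo():
    """Constructed scenario: a user delegates repo access to a ticket-triage agent."""
    policy = Policy(
        agent_allowed=frozenset({"repo:read", "tickets:write"}),
        discoverable_tools=frozenset({"search_issues", "read_file"}),
    )
    user_scopes = {"repo:read", "repo:write", "billing:read"}
    delegated = {"repo:read", "repo:write"}          # user intent, still bounded by policy
    root = effective_scopes(user_scopes, delegated, policy)

    # Well-formed chain: every hop authenticates and only attenuates.
    good = [
        Hop("agent-triage", "app->agent", root),
        Hop("mcp-client-triage", "agent->mcp-client", root),
        Hop("mcp-server-git", "mcp-client->mcp-server", frozenset({"repo:read"})),
    ]
    reaching_service = validate_chain(good, root)

    # Broken chain: the MCP server asserts write scope the chain never carried.
    bad = good[:2] + [Hop("mcp-server-git", "mcp-client->mcp-server", frozenset({"repo:read", "repo:write"}))]
    try:
        validate_chain(bad, root)
        widening_caught = False
    except DelegationError:
        widening_caught = True

    allowed, denied = check_tool_discovery({"read_file", "run_shell"}, policy)
    return root, reaching_service, widening_caught, allowed, denied


if __name__ == "__main__":
    print(demo())
```

Note that `effective_scopes` is an intersection, so the user's `billing:read` and the delegated `repo:write` both drop out: the first because the user never delegated it, the second because policy caps what the agent may hold regardless of what the human would permit. The chain walk then refuses any hop that asserts more than it received, which is the check an MCP server relying on shared local trust cannot perform because it has no per-caller principal to attribute the request to.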
