
AI agent authorization in Azure Foundry and MCP workflows


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1681
Topic starter  

TL;DR: Enterprises need short-lived, least-privilege OAuth 2.0 access tokens for AI agents because natural language commands can otherwise trigger unauthorized backend actions, according to Curity’s analysis of an Azure Developer CLI template. The practical shift is from permanent agent access to token-driven authorization, with human approval and token exchange as the control points.

NHIMG editorial — based on content published by Curity: authorization for AI agents in Azure and MCP workflows

Questions worth separating out

Q: How should security teams implement authorization for AI agents in enterprise workflows?

A: Start by treating the agent as a non-human identity with task-scoped access, not as a trusted application component.

Q: Why do AI agents complicate existing IAM and authorization models?

A: AI agents complicate IAM because they turn natural language into execution, which can cross systems faster than human review can intervene.

Q: What breaks when AI agents are given permanent API credentials?

A: Permanent credentials create standing privilege, which expands the blast radius of a compromised prompt, misrouted tool call, or malicious workflow.

Practitioner guidance

  • Map agent trust boundaries end to end. Document every hop from user intent to agent execution to MCP server call, then identify where authentication, authorization, and approval must be enforced separately.
  • Replace permanent agent credentials with short-lived tokens. Use OAuth 2.0 access tokens with the smallest practical scope and lifetime for each agent task.
  • Define token claims for customer, region, and purpose. Require APIs to enforce contextual claims such as customer_id, region, scope, and purpose so an agent cannot cross tenants or expand its own rights.

Align the rollout of agent workflows with policy design, revocation automation, and token telemetry?

👉 Read Curity's analysis of authorization for AI agents in Azure and MCP workflows →




   
Quote
(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 198
 

AI agent security now sits inside the IAM control plane, not beside it. Natural language is only the trigger. The real security question is whether identity systems can bind intent to a narrowly scoped token, enforce claims at each hop, and revoke access fast enough to prevent agent drift. Practitioners should stop treating agent security as an application feature and treat it as an authorization design problem.

A few things that frame the scale:

  • 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
  • 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded, according to The State of Secrets Sprawl 2026.

A question worth separating out:

Q: How do organisations safely let AI agents perform higher-risk actions?

A: Use human approval and just-in-time privilege before issuing a higher-privilege token. The agent can prepare the request, but the final action should only occur after a person or policy gate authorizes the escalation. That keeps accountability intact and prevents autonomous overreach.

👉 Read our full editorial: Authorization for AI agents: why token-based controls matter



   
ReplyQuote
Share: