TL;DR: AI agent communication protocols such as MCP and A2A standardise how agents exchange requests, but leave authorization, revocation, and consent largely to implementers, creating broad-token and stale-permission risks, according to Authzed. That gap means agentic systems can scale faster than their governance model, with least privilege and lifecycle control becoming the limiting factors.
NHIMG editorial — based on content published by Authzed: LLMjacking: How Attackers Hijack AI Using Compromised NHIs
By the numbers:
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, sharing sensitive data, and revealing access credentials.
Questions worth separating out
Q: How should security teams govern AI agent access when protocols leave authorization open-ended?
A: Treat authorization as a separate governance control rather than a protocol feature.
Q: Why do AI agents make least privilege harder to enforce than service accounts?
A: AI agents can change actions, tools, and delegation paths during execution, so a privilege set chosen at provisioning time may no longer match the task in progress.
Q: What breaks when revocation does not propagate across distributed agents?
A: Stale permissions continue to exist in caches, peers, or spawned sub-agents, so access that should have been removed remains usable.
Practitioner guidance
- Separate transport from authorization control. Define policy outside MCP, A2A, or ACP messages, then enforce it at a central decision point that can evaluate task, resource, and context before every sensitive action.
- Replace broad scopes with task-bound permissions. Issue tokens that map to a single task or object set, and reject delegated access that covers unrelated endpoints, resources, or write paths the agent does not need.
- Design revocation to propagate across the full agent graph. Test whether permission removal reaches cached agents, remote peers, and spawned sub-agents before the original task can continue, and treat failed propagation as a control defect.
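The three points above, as an added example that is not Authzed's or NHIMG's code: a toy Python policy decision point that issues task-bound tokens, lets spawned sub-agents inherit them, and shows how a revocation that does not propagate through the agent graph leaves a cached "allow" in a sub-agent. All names (PDP, Agent, the token format, the resource ids) are hypothetical and constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Agent:
    name: str
    token: str                        # sub-agents inherit the parent's task token
    children: list = field(default_factory=list)
    cache: dict = field(default_factory=dict)   # (resource, action) -> bool; stale risk lives here

class PDP:
    """Central decision point: policy is evaluated here, never inside the transport message."""
    def __init__(self):
        self.grants = {}              # token -> (resources, actions), bound to one task
        self.revoked = set()

    def issue(self, task_id, resources, actions):
        token = f"tok-{task_id}"      # constructed placeholder, not a real token format
        self.grants[token] = (frozenset(resources), frozenset(actions))  # write never implied
        return token

    def spawn(self, parent, name):
        child = Agent(name, parent.token)
        parent.children.append(child)
        return child
    def decide(self, agent, resource, action):
        key = (resource, action)
        if key in agent.cache:        # cached verdict is reused without re-checking revocation
            return agent.cache[key]
        grant = self.grants.get(agent.token)
        ok = (grant is not None and agent.token not in self.revoked
              and resource in grant[0] and action in grant[1])
        agent.cache[key] = ok
        return ok

    def revoke(self, root, propagate=True):
        """Revoke the task token; propagate=False flushes only the root's own cache."""
        self.revoked.add(root.token)
        stack = [root]
        while stack:
            agent = stack.pop()
            agent.cache.clear()
            if propagate:
                stack.extend(agent.children)

def stale_after_revoke(pdp, root, resource, action):
    """Agents in root's subtree still told 'allow'; a non-empty list is a control defect."""
    out, stack = [], [root]
    while stack:
        agent = stack.pop()
        if pdp.decide(agent, resource, action):
            out.append(agent.name)
        stack.extend(agent.children)
    return out
```

Running `stale_after_revoke` after a revocation is the propagation test the guidance asks for: any name it returns is an agent that would still act on removed access.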
What's in the full article
Authzed's full analysis covers the operational detail this post intentionally leaves for the source:
- Implementation patterns for granular token scoping across agent-to-tool and agent-to-agent flows.
- Comparative discussion of MCP, A2A, and ACP authorization gaps in distributed deployments.
- Examples of where revocation propagation breaks in asynchronous systems and cached peer state.
- Security design requirements for centralized authorization layers in agent infrastructure.
👉 Read Authzed's analysis of authorization gaps in AI agent communication protocols →
Explore further
Authorization for agents is now a governance layer, not a token detail. The article correctly shows that protocol standardisation does not solve the core policy problem, because autonomous agents need scoped, revocable, context-aware permissions. For identity teams, the important shift is that agent communication standards and access governance are no longer separable design choices. Practitioners should treat authorization as an independent control plane for agentic behaviour.
A few things that frame the scale:
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who is accountable when an AI agent shares data beyond its intended scope?
A: Accountability should sit with the team that defined the delegation boundary and the policy that allowed the handoff. If the system permits implied consent, broad scopes, or silent inheritance across agents, then the organisation owns the governance failure even if the individual action was taken by software. Audit trails need to show every approval boundary.
👉 Read our full editorial: Agent communication protocols leave authorization undefined for AI agents