AI agent identity and auth: what IAM teams should actually govern


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: AI applications can already inherit enterprise authentication, authorization, token management, and audit logging patterns today, according to WorkOS, but the real challenge remains governance around identity context, scoped permissions, and accountability across agent-driven actions. Identity for AI is not a model problem; it is an IAM control problem that now shows up in production workflows.

NHIMG editorial — based on content published by WorkOS: MCP.shop Demo on AI agent identity and enterprise auth

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that act on behalf of users?

A: Security teams should govern AI agents as delegated application identities.

Q: Why do AI agents still need traditional IAM controls?

A: AI agents still need traditional IAM controls because the enterprise security problem has not changed, only the interface has.

Q: What breaks when AI agent identity context is not preserved across sessions?

A: When identity context is not preserved across sessions, the enterprise loses attribution, policy enforcement becomes inconsistent, and investigations become incomplete.

Practitioner guidance

  • Bind every agent action to a verified principal. Require authentication before any tool use, persist the session identity across the full conversation, and ensure downstream systems receive the same principal context for attribution and audit.
  • Limit agent permissions to the smallest useful scope. Map each conversational workflow to explicit RBAC or FGA rules so the agent can only browse, read, or transact within the exact boundaries the user is entitled to use.
  • Review token issuance and revocation paths end to end. Check that access tokens, refresh tokens, and delegated credentials can be revoked across all connected systems, not just the primary application session.
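
The three controls above can be enforced at a single choke point in front of every tool call. The sketch below is an added example, not code from WorkOS, AuthKit, or the MCP.shop demo; the tool names, scope strings, and the `Session` and `AgentGateway` classes are hypothetical.

```python
import time
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical tool -> required scope map (constructed for this example).
TOOL_SCOPES = {"catalog.browse": "catalog:read", "order.create": "orders:write"}

@dataclass
class Session:
    """Delegated session: the agent acts for `principal`, never as itself."""
    session_id: str
    principal: Optional[str]   # verified user id; None means unauthenticated
    scopes: frozenset
    expires_at: float

@dataclass
class AgentGateway:
    revoked: set = field(default_factory=set)      # revoked session ids
    audit_log: list = field(default_factory=list)  # one record per decision

    def revoke(self, session_id):
        self.revoked.add(session_id)

    def authorize(self, session, tool, now=None):
        """Return (allowed, reason); every decision is written to the audit log."""
        now = time.time() if now is None else now
        required = TOOL_SCOPES.get(tool)
        if session.principal is None:
            decision = (False, "unauthenticated")
        elif session.session_id in self.revoked:
            decision = (False, "revoked")
        elif now >= session.expires_at:
            decision = (False, "expired")
        elif required is None:
            decision = (False, "unknown_tool")     # default deny
        elif required not in session.scopes:
            decision = (False, "missing_scope:" + required)
        else:
            decision = (True, "ok")
        self.audit_log.append({"ts": now, "session": session.session_id,
                               "principal": session.principal, "tool": tool,
                               "allowed": decision[0], "reason": decision[1]})
        return decision

    def call_tool(self, session, tool, handler, **args):
        """Run `handler` only if authorized; pass the same principal downstream."""
        allowed, reason = self.authorize(session, tool)
        if not allowed:
            raise PermissionError(reason)
        return handler(principal=session.principal, **args)
```

Denied calls are logged with the same principal and session fields as allowed ones, so an investigation can reconstruct what the agent attempted as well as what it did.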

What's in the full article

WorkOS's full post covers the operational detail this analysis intentionally leaves for the source:

  • The MCP.shop demo flow showing how ChatGPT Apps SDK and AuthKit connect in a working agentic application.
  • The specific identity features exposed through AuthKit, including SSO, directory sync, audit logs, and fine-grained authorization.
  • The developer path for adding enterprise authentication to an AI application without rebuilding OAuth and session handling from scratch.
  • The conference context around how WorkOS framed enterprise identity for AI agents across the broader event series.

👉 Read WorkOS's MCP.shop demo on AI agent identity and enterprise auth →
