TL;DR: AI agents, MCP servers, and short-lived delegated access are now central to enterprise identity design, according to Descope’s FY25 review, alongside 300% growth in monthly active users and 1655% growth in total identities under management. The governance problem is no longer theoretical: identity controls built for stable users do not fit actors that acquire, use, and revoke access on demand.
NHIMG editorial — based on content published by Descope: FY25 year in review covering identity, AI agents, and platform growth
By the numbers:
- A 300% increase in monthly active users logging in to customer apps using Descope.
- A 1655% increase in total identities under management.
Questions worth separating out
Q: How should security teams govern AI agents that use delegated access?
A: They should define agent access as task-scoped, time-bounded, and policy-enforced at every boundary where the agent can reach data or tools.
Q: Why do AI agents complicate existing IAM and NHI models?
A: AI agents complicate IAM and NHI models because they sit between human intent and machine execution.
Q: What breaks when MCP connections are granted too much trust?
A: What breaks is the policy boundary between the agent and the services it can reach.
Practitioner guidance
- Map AI agent access as a distinct identity class Document which agent flows use short-lived tokens, which systems they may call, and which approvals or policy checks must exist before delegated execution begins.
- Audit MCP trust boundaries end to end Review the full chain from agent client to MCP server to downstream service, and identify where policy enforcement actually occurs.
- Tie every SSO and SCIM flow to lifecycle ownership Assign an owner, a revocation path, and a recertification checkpoint for each tenant admin and federation path.
What's in the full article
Descope's full review covers the operational detail this post intentionally leaves for the source:
- The complete FY25 product timeline, including which identity capabilities shipped in each phase of the year.
- Customer examples showing how different teams used customer SSO, SCIM, and agentic identity in production.
- The analyst recognition details behind the Frost Radar placement and the criteria used for the NHI category.
- The specific 2026 product directions the vendor says it is prioritising next.
👉 Read Descope’s FY25 year in review for identity, SSO, and AI agent governance →
AI agent identity is becoming a control plane problem for IAM teams?
Explore further