Cross App Access for MCP apps: what changes for IAM teams?


(@nhi-mgmt-group)
Member Moderator

TL;DR: Cross App Access inserts the enterprise IdP into app-to-app OAuth so AI apps and MCP servers can be governed centrally, with short-lived identity assertions, policy gates, and auditable delegation, according to WorkOS. That shifts AI app access from invisible shadow IT into a controllable identity plane, but it also assumes IdP mediation can keep pace with dynamic integration growth.

NHIMG editorial — based on content published by WorkOS: Cross App Access (XAA) and MCP enterprise authorization

By the numbers:

Questions worth separating out

Q: How should security teams govern AI app connections in MCP environments?

A: Security teams should treat each AI app connection as a governed identity relationship, not a private integration inside the downstream tool.

Q: Why do app-to-app OAuth grants create governance risk for AI integrations?

A: App-to-app OAuth grants create governance risk because the enterprise can lose sight of who approved the delegation, what the app can do, and how to revoke it.

Q: What breaks when AI app access is managed only inside downstream tools?

A: What breaks is visibility, consistency, and revocation.

Practitioner guidance

  • Map AI app connections as identity relationships. Inventory every MCP client and server pair, then record who approved the relationship, what scopes were granted, and where revocation is enforced.
  • Enforce allowlists before token issuance. Require policy checks in the enterprise IdP before any identity assertion is minted, including client-to-server allowlists, group membership checks, and step-up authentication for sensitive tools.
  • Replace durable credentials with short-lived assertions. Eliminate long-lived API keys and unmanaged refresh tokens from MCP integrations where possible, and prefer short-lived, re-issuable assertions that expire under policy.
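The three guidance points above, combined into one policy gate as an added illustration (not WorkOS or NHIMG code): the IdP checks the client-to-server allowlist, the required group and step-up authentication before minting a short-lived, audience-bound assertion, and records every decision for audit. The allowlist entries, issuer URL, `acr` labels and 300-second TTL are constructed assumptions; the assertion is an unsigned claim set, with signing and JWKS publication left out.

```python
"""Policy gate an enterprise IdP could run before minting an identity assertion
for an MCP client -> MCP server relationship. Illustration only, not WorkOS code."""
from dataclasses import dataclass, field
from typing import Optional
import time
import uuid

# Constructed sample policy: which MCP client may reach which MCP server, which
# group the user must hold, and whether the server demands step-up authentication.
ALLOWLIST = {
    ("ai-assistant", "mcp://crm.example.internal"): {"group": "sales", "step_up": False},
    ("ai-assistant", "mcp://payroll.example.internal"): {"group": "finance", "step_up": True},
}
ASSERTION_TTL_S = 300  # short-lived and re-issuable under policy, never a durable credential

@dataclass
class Request:
    user: str
    groups: set
    client_id: str
    server: str
    acr: str  # authentication context reached at the IdP: "pwd" or "mfa" (assumed labels)

@dataclass
class Decision:
    allowed: bool
    reason: str
    assertion: Optional[dict] = None
    audit: dict = field(default_factory=dict)

def evaluate(req: Request, now: Optional[float] = None) -> Decision:
    """Apply allowlist, group and step-up checks; mint claims only when all pass."""
    now = time.time() if now is None else now
    rule = ALLOWLIST.get((req.client_id, req.server))
    if rule is None:
        verdict = Decision(False, "client/server pair not allowlisted")
    elif rule["group"] not in req.groups:
        verdict = Decision(False, f"user lacks required group {rule['group']}")
    elif rule["step_up"] and req.acr != "mfa":
        verdict = Decision(False, "step-up authentication required for this server")
    else:
        verdict = Decision(True, "policy satisfied", assertion={
            "iss": "https://idp.example.com",  # constructed issuer
            "sub": req.user,
            "aud": req.server,                 # audience-bound to exactly one MCP server
            "client_id": req.client_id,
            "jti": str(uuid.uuid4()),          # unique id so the grant can be revoked/replay-checked
            "iat": int(now),
            "exp": int(now) + ASSERTION_TTL_S,
        })
    # Every decision, allowed or denied, is logged so the delegation stays auditable.
    verdict.audit = {"ts": int(now), "user": req.user, "client": req.client_id,
                     "server": req.server, "allowed": verdict.allowed, "reason": verdict.reason}
    return verdict
```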

What's in the full article

WorkOS's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step identity assertion and token exchange flow across the IdP, MCP client, and MCP server
  • Implementation notes for confidential clients, audience binding, and JWKS validation
  • How WorkOS positions AuthKit, Connect, RBAC, and Audit Logs within the XAA flow
  • The spec-level distinctions between ID-JAG and the XAA ecosystem label

👉 Read WorkOS's analysis of Cross App Access for MCP governance →
