TL;DR: Multi-agent systems can distribute work across specialized agents, but once those agents call external APIs, identity, consent, and token scope become the real control plane, according to Descope. The practical shift is that least privilege must be enforced at token exchange and connection level, not just in application code.
NHIMG editorial — based on content published by Descope: Build Secure Multi-Agent Systems With CrewAI and Descope
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
- 17 minutes., edentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Questions worth separating out
Q: How should security teams govern multi-agent workflows that call external APIs?
A: Security teams should govern multi-agent workflows by treating each agent as a separately scoped identity with its own token boundary, consent path, and revocation path.
Q: Why do multi-agent systems increase NHI governance risk?
A: Multi-agent systems increase NHI governance risk because each additional agent expands the number of runtime identities, tokens, scopes, and consent decisions that must be controlled.
Q: What breaks when OAuth scopes are too broad for agent workflows?
A: When OAuth scopes are too broad, an agent can reach data or actions beyond its intended role, and the crew becomes a privilege amplifier rather than a control boundary.
Practitioner guidance
- Map every agent to a distinct connection scope Separate agent responsibilities into narrowly defined API connections so one agent cannot inherit another agent's access path.
- Move token custody out of the application Delegate refresh-token storage and vending to the identity layer rather than keeping long-lived secrets in server code.
- Treat consent and client registration as governance controls Review MCP client registration, user consent flow, and protected-resource metadata as formal access controls.
What's in the full article
Descope's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step setup of Google OAuth credentials for separate Calendar and Contacts connections.
- Exact MCP server configuration, including protected-resource metadata, DCR, and scope mapping.
- Python server code for token validation, bearer handling, and outbound token exchange.
- MCP Inspector validation steps that show the full OAuth flow end to end.
👉 Read Descope's tutorial on securing CrewAI multi-agent systems with MCP →
Multi-agent identity boundaries: what IAM teams need to know?
Explore further
Token-scoped agent access is the real control boundary, not the crew itself. The article correctly shifts attention from orchestration logic to OAuth 2.1, connection scopes, and delegated token exchange. That is the point where multi-agent systems become an NHI governance problem, because each agent is only as constrained as the token it receives. The practitioner conclusion is that agent security starts with runtime scope design, not with the number of agents in the crew.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to SailPoint research.
A question worth separating out:
Q: How do teams know whether agent tokens are truly least privilege?
A: Teams know agent tokens are truly least privilege when each token maps to one narrow workload, one data domain, and one clear revocation decision. If the same token can service several tasks, or if a human cannot explain why a scope is needed, the model is not least privilege in practice.
👉 Read our full editorial: Secure multi-agent systems need token-scoped identity at runtime