They should decide authorisation when the token is issued or exchanged, not after the agent already has access. That means mapping each client, connection, and resource to a specific policy path, then narrowing scopes by task, grant type, and context. This prevents broad tokens from becoming the default access wrapper for every downstream action.
Why This Matters for Security Teams
Token boundaries are where agent access becomes either narrowly governed or silently overextended. For autonomous software, the token is not just a session artifact; it is the practical permission envelope for tool use, API calls, and downstream delegation. If teams wait to inspect behavior after issuance, they have already accepted the risk of broad reuse across connectors, tenants, and services. That is why current guidance increasingly treats token issuance and exchange as the control point, not the endpoint.
This problem is visible in real-world incidents. NHIMG’s The State of Non-Human Identity Security reports that only 1.5 out of 10 organisations are highly confident in securing NHIs, while 85% lack full visibility into third-party vendors connected via OAuth apps. That confidence gap matters because token sprawl is often the first place access turns into lateral movement. The same pattern appears in agentic systems covered by OWASP NHI Top 10 and the OWASP Agentic AI Top 10, where uncontrolled delegation and excessive token scope turn one request into many unintended actions. In practice, many security teams discover token overreach only after a connected app, agent, or vendor has already used it across systems.
How It Works in Practice
Governance at the token boundary means making authorisation decisions at issuance, exchange, or refresh time, with the full request context in view. That context should include the calling workload identity, the resource being requested, the grant type, the task purpose, and the expected lifetime. For agentic workloads, this is especially important because the agent’s behaviour is dynamic: it may chain tools, pivot between APIs, or pursue a goal in ways that cannot be pre-modeled with static RBAC alone.
A practical pattern is to bind each client and resource pair to a specific policy path, then issue short-lived, task-scoped tokens only when the policy engine approves the request. Teams increasingly pair this with workload identity primitives such as SPIFFE or OIDC-based service identities, so the system is authorising what the agent is, what it is trying to do, and where it is trying to do it. That aligns with the NIST AI Risk Management Framework and the CSA MAESTRO agentic AI threat modeling framework, both of which emphasise context-aware controls and continuous risk evaluation.
- Issue ephemeral credentials per task, not reusable standing tokens.
- Evaluate policy at token minting and exchange time, not only at API request time.
- Reduce scopes to the minimum resource set required for the current goal.
- Revoke or expire tokens automatically when the task completes or context changes.
- Log token lineage so downstream use can be traced back to the original grant.
This approach is reinforced by NHIMG research such as the Salesloft OAuth token breach, which shows how delegated access can outlive the original trust decision. These controls tend to break down in environments with long-lived refresh tokens, legacy service accounts, or SaaS integrations that do not support fine-grained token exchange.
Common Variations and Edge Cases
Tighter token governance often increases integration friction, so organisations must balance security with operational continuity. That tradeoff is real in event-driven pipelines, multi-agent workflows, and vendor-managed SaaS connectors, where every exchange can introduce latency or require a redesign of existing auth flows. There is no universal standard for this yet, so best practice is evolving rather than settled.
One common edge case is delegated automation that needs to act across multiple systems in sequence. In those environments, static roles tend to become oversized because they must cover the broadest possible downstream use. A better pattern is to issue a chain of narrowly scoped, short-lived tokens, with policy re-evaluated at each step. Another edge case is legacy infrastructure that cannot express token exchange or workload identity cleanly; in those systems, compensating controls such as vault-based brokering, restrictive proxying, and tighter revoke windows become necessary.
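The issuance pattern from "How It Works in Practice" and the chained-token case above, as an added example that is not NHIMG's or any vendor's code: policy is evaluated when a token is minted or exchanged, scopes are narrowed to the policy path, child tokens never outlive their parent, and lineage is logged. The policy table, client, resource and scope names, and the `issue` and `trace` helpers are all hypothetical.

```python
import time
import uuid
from dataclasses import dataclass

# Constructed policy table: each (client, resource) pair maps to one policy path.
POLICY = {
    ("billing-agent", "crm-api"): {
        "grants": {"client_credentials"}, "scopes": {"crm:read"}, "max_ttl": 300},
    ("billing-agent", "invoice-api"): {
        "grants": {"token_exchange"}, "scopes": {"invoice:write"}, "max_ttl": 120},
}
LINEAGE = {}  # jti -> parent jti (None for the original grant)

@dataclass(frozen=True)
class Token:
    jti: str
    client: str
    resource: str
    scopes: frozenset
    task: str
    exp: float

def issue(client, resource, grant, requested, task, ttl, parent=None, now=None):
    """Decide authorisation at mint/exchange time; raise PermissionError on deny."""
    now = time.time() if now is None else now
    rule = POLICY.get((client, resource))
    if rule is None or grant not in rule["grants"]:
        raise PermissionError("no policy path for this client, resource and grant")
    if grant == "token_exchange":  # re-check context at every hop of the chain
        if parent is None or parent.exp <= now:
            raise PermissionError("exchange needs an unexpired subject token")
        if (parent.client, parent.task) != (client, task):
            raise PermissionError("context changed since the original grant")
    scopes = frozenset(requested) & rule["scopes"]  # narrow, never widen
    if not task or not scopes:
        raise PermissionError("task purpose and an allowed scope are required")
    exp = now + min(ttl, rule["max_ttl"])
    if parent is not None:
        exp = min(exp, parent.exp)  # a child token never outlives its parent
    token = Token(uuid.uuid4().hex, client, resource, scopes, task, exp)
    LINEAGE[token.jti] = parent.jti if parent else None
    return token

def trace(jti):
    """Walk the lineage log from a token back to the original grant."""
    chain = [jti]
    while LINEAGE.get(chain[-1]) is not None:
        chain.append(LINEAGE[chain[-1]])
    return chain
```

A request for `["crm:read", "crm:delete"]` with a one-hour lifetime comes back with only `crm:read` and a 300-second expiry, and an exchange attempted after the parent has expired or under a different task is denied before any downstream API is called.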
Security teams should also distinguish between human-operated sessions and autonomous agent sessions. Humans can be prompted to pause, but agents can continue executing with cached tokens unless the control plane enforces expiry and context re-checks. That distinction is central to the guidance in OWASP Non-Human Identity Top 10 and NIST Cybersecurity Framework 2.0, which both support reducing standing privilege and improving traceability across non-human access paths.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A-03 | Token scope and delegation are core agentic-app risk drivers. |
| CSA MAESTRO | IAM-02 | MAESTRO covers context-aware identity and access for agents. |
| NIST AI RMF | | AIRMF governance supports continuous risk evaluation for AI access. |
Apply runtime governance so each token grant is reviewed against current task and risk context.
Reviewed and updated by the NHIMG editorial team on June 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org