Scopes define what broad actions a token may perform, while claims describe the identity and context behind the request. Scopes should stay coarse enough to understand and control, but claims should not become a place to hide business rules. Use claims to inform policy, then enforce the rule in the API layer.
Why This Matters for Security Teams
Scopes and claims are often discussed as if they are interchangeable, but in AI agent authorization they solve different problems. Scopes are coarse permission envelopes, while claims are evidence about who or what is asking, where the request came from, and under what context. That distinction matters because an agent is not a static user: it is an autonomous software entity that can chain tools, change plans, and reach new data paths mid-task. Industry guidance in OWASP Agentic AI Top 10 and NIST AI Risk Management Framework both point toward runtime control, not trust-by-default.
This is also where many teams overfit JWT claims into a policy engine and then treat them as business logic. Claims can tell the API what identity presented the token, whether it was minted for a service account, and which environment or workload produced it. They should not become a hidden policy layer that silently decides access. That separation is especially important in agentic systems, where OWASP NHI Top 10 and CSA MAESTRO agentic AI threat modeling framework emphasize identity, tool use, and privilege as separate control points. In practice, many security teams encounter claim abuse only after an agent has already expanded its reach, rather than through intentional authorization design.
How It Works in Practice
The practical pattern is: use scopes to define the few actions an agent may request, then use claims to decide whether that request is appropriate right now. A scope might allow read:invoice or create:tickets, while claims can indicate the agent workload, tenant, issuer, environment, attested device, or session age. That structure supports intent-based authorization, where policy is evaluated at request time with the full context available. It also aligns with current guidance from NIST AI Risk Management Framework and OWASP Top 10 for Agentic Applications 2026.
A workable control model usually includes:
- Workload identity first: prove what the agent is with cryptographic identity, not just a bearer token. This is where SPIFFE or OIDC-style workload identity helps.
- Short-lived credentials: issue JIT credentials per task and revoke them when the task ends, rather than keeping long-lived static secrets.
- Claims as inputs, not logic: feed claims into policy-as-code, then enforce the decision in the API or gateway layer.
- Coarse scopes, narrow actions: keep scopes stable and understandable, and avoid encoding every exception in scope strings.
NHIMG research shows why this matters: in AI LLM hijack breach and Ultimate Guide to NHIs — Key Challenges and Risks, the real failure mode is not just bad tokens, but overly permissive execution paths attached to autonomous behavior. These controls tend to break down when an agent can pivot across multiple tools and tenants because the original scope no longer describes the actual chain of action.
Common Variations and Edge Cases
Tighter claim-based policy often increases engineering overhead, requiring organisations to balance precision against operational complexity. There is no universal standard for this yet, especially in multi-agent pipelines where one agent delegates to another and claims may change at each hop. Best practice is evolving, but the safest rule is simple: do not rely on claims alone to grant access, and do not let scopes expand just to cover every contextual exception.
Some teams try to place business rules in claims, such as “customer_is_premium” or “can_export_data.” That approach is fragile because claims are assertions, not enforcement. If the agent can mint or relay tokens incorrectly, those claims become attack surface. Other environments, such as service meshes, MCP-connected tools, or delegated orchestration layers, may need additional controls like policy evaluation at each hop, token exchange, and explicit step-up approval for sensitive actions. In those cases, Moltbook AI agent keys breach and Ultimate Guide to NHIs — What are Non-Human Identities reinforce the need to treat credentials as perishable and identities as workload-bound.
Where consensus is still forming, current guidance suggests keeping authorization decisions close to the API boundary, with claims informing the decision and scopes constraining the outer envelope. That is the most practical way to support ZTA, JIT, and zero standing privilege without turning every agent request into an open-ended exception.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Defines agentic risks from overbroad access and runtime misuse. | |
| CSA MAESTRO | Models agent identity, orchestration, and tool-use risk together. | |
| NIST AI RMF | Supports runtime governance and accountability for AI systems. |
Use AI RMF controls to assign ownership and review agent authorization decisions continuously.
Related resources from NHI Mgmt Group
- What is the difference between human identity governance and AI agent governance?
- What is the difference between governing human access and governing AI agent access?
- What is the difference between managed identities and hardcoded secrets for AI agents?
- What is the difference between workload identity and API keys for AI agents?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
