Chained workflows multiply trust boundaries because each MCP server may forward the request to another server. If the originating identity is not preserved, downstream authorization loses context and may overgrant access or reject valid work. Identity propagation is essential so every hop can evaluate origin and scope.
Why Chained MCP Workflows Increase Identity Risk
Chained MCP workflows are risky because they turn one trust decision into several. Each server hop can change the execution context, obscure the original requester, or replace the identity used for authorization. In agentic systems, that matters more than in static app flows because an Agent can keep acting, branching, and delegating without a human in the loop. Static RBAC often cannot express that nuance, which is why current guidance increasingly points toward intent-based authorization and runtime policy evaluation instead of fixed role assignment. The OWASP NHI Top 10 and OWASP Agentic AI Top 10 both highlight that tool-chaining and unclear authority boundaries are core failure modes for autonomous workflows. NHI governance also matters here because non-human access is already widely overprivileged; NHI Mgmt Group research shows 97% of NHIs carry excessive privileges in the Ultimate Guide to NHIs. In practice, many security teams only discover the problem after a downstream server has already acted on borrowed authority.
How Identity Propagation Should Work Across MCP Hops
Identity propagation should preserve both who started the workflow and what each hop is allowed to do. The practical goal is not to give every MCP server the same token forever, but to pass verifiable identity context forward in a way that downstream services can evaluate at request time. That usually means short-lived credentials, explicit delegation metadata, and workload identity rather than blind token forwarding. Where possible, the Agent should authenticate as a workload and receive JIT credentials for the exact task, then revoke them when the task ends. This is closer to Zero Standing Privilege than to classic service-account sprawl.
Operationally, teams should treat each hop as a new authorization decision:
- Preserve the originating principal so downstream policy can evaluate origin, scope, and intent.
- Use ephemeral secrets and short TTLs so a stolen token cannot outlive the task.
- Bind actions to workload identity such as SPIFFE or OIDC-backed proof of execution context, not just a shared API key.
- Evaluate policy at runtime with context, rather than assuming the first server's authorization should carry through the chain.
That approach is consistent with the NIST Cybersecurity Framework 2.0 emphasis on access control and with the NIST Cybersecurity Framework 2.0 treatment of protected access paths. It also fits the operational lessons in 52 NHI Breaches Analysis, where misuse of machine identities and leaked secrets repeatedly turned a small trust gap into a full compromise. These controls tend to break down when teams reuse long-lived service tokens across multiple servers because the chain then loses task-level intent and revocation becomes ineffective.
Where the Edge Cases Create the Most Exposure
Tighter identity propagation often increases implementation overhead, requiring organisations to balance traceability against latency, token complexity, and operational maturity. That tradeoff becomes sharp in fast-moving agentic environments, where every extra hop can add policy checks, token exchange, and logging requirements. There is no universal standard for this yet, so guidance is still evolving on how much delegation detail should travel with a request and how much should stay in the local policy engine.
Edge cases usually appear when chained workflows cross organisational boundaries, call third-party tools, or allow autonomous branching. In those situations, a downstream MCP server may not be able to validate the original context unless the chain carries signed delegation data and clear expiry. This is where long-lived secrets are especially dangerous: a copied credential may look valid even when the originating agent has changed state or lost scope. The safest pattern is to issue per-task access, keep the credential surface minimal, and use policy decisions that can reject a request if the agent’s current intent no longer matches the approved scope. For broader agent governance, the AI Agents: The New Attack Surface report is useful because it shows how often agents act beyond intended scope. The same concern is reflected in the OWASP Top 10 for Agentic Applications 2026, which treats tool abuse and overreach as design-level risks rather than rare exceptions.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A01 | Chained agent workflows raise tool abuse and overreach risk. |
| CSA MAESTRO | D3 | MAESTRO addresses autonomous orchestration and delegated action risk. |
| NIST AI RMF | GOVERN-1 | AI RMF governance supports accountability for autonomous decision chains. |
Require explicit delegation and runtime checks before an agent can pass work downstream.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on May 27, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
