
Consent-to-scope Drift

By NHI Mgmt Group Updated June 4, 2026 Domain: Authentication, Authorisation & Trust

Consent-to-scope drift is the mismatch between what a user thinks they approved and the actual access an application receives. It often appears in integrations where the interface describes a narrow task, but the underlying OAuth scope or token behavior grants broader and longer-lived access.

Expanded Definition

Consent-to-scope drift describes a governance gap in which the permission a person believes they approved does not match the access an application, integration, or AI Agent actually receives. It is closely related to OAuth consent screens, delegated authorization, and token scope assignment, but the risk extends beyond the initial click because tokens can persist, refresh, and expand access in ways users do not see. In practice, the problem appears when product copy, consent dialogs, and backend scope handling are not aligned. That misalignment is especially dangerous in NHI workflows where a service account or agent can act on behalf of a user across multiple systems. The OWASP Non-Human Identity Top 10 frames this as an authorization and token-governance issue, while NIST Zero Trust Architecture reinforces the need to verify access continuously rather than trusting a one-time approval. Definitions vary across vendors on whether this is a UX problem, an authorization flaw, or both, but no single standard governs this yet. The most common misapplication is treating the consent screen as proof of least privilege when the underlying token scope is broader than the stated task.

Examples and Use Cases

Implementing consent-to-scope controls rigorously often introduces friction for users and developers, requiring organisations to weigh simpler onboarding against tighter authorization boundaries.

  • A SaaS integration asks for permission to "read calendar events" but the issued token also allows mailbox access, creating hidden scope expansion after consent.
  • An AI Agent approved to create support tickets receives write access to customer records because the connector reuses a broad service token instead of a task-limited one.
  • A sales app prompts for contact sync, yet the backend refresh token remains valid long after the campaign ends, turning a narrow approval into durable access. This pattern echoes issues described in the Salesloft OAuth token breach.
  • A developer portal shows "basic profile access," but the connected app also inherits API scopes for exports and admin actions, which users rarely inspect during setup.
  • In high-trust enterprise integrations, teams may think JIT access solves the issue, yet the real control point is whether the granted scope matches the declared purpose at issuance and renewal time, as discussed in the Ultimate Guide to NHIs — Key Challenges and Risks.

For architecture guidance, the OWASP Non-Human Identity Top 10 helps teams treat scope, token lifetime, and delegated trust as separate design decisions rather than one consent event.

Why It Matters in NHI Security

Consent-to-scope drift matters because it turns apparently legitimate delegation into overbroad NHI access. Once a token is accepted, downstream systems often trust it more than the original user ever intended, which can widen the blast radius across APIs, SaaS tools, and automation platforms. This is one reason the Ultimate Guide to NHIs — Key Challenges and Risks notes that 97% of NHIs carry excessive privileges, a condition that can be worsened when consent language and token scope are not aligned. The control failure is not just theoretical: a consent prompt that understates access makes governance reviews, incident scoping, and revocation decisions much harder after the fact. NIST SP 800-207 and the OWASP Non-Human Identity Top 10 both support the principle that access should be continuously evaluated, explicitly bounded, and easy to revoke. Organisations typically encounter the consequences only after a token is abused, at which point addressing consent-to-scope drift becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-02 | Addresses overbroad token scope, consent gaps, and NHI authorization drift. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust requires explicit, continuous authorization instead of trust from initial consent. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access management maps directly to scope minimization and review. |

Review issued scopes, token lifetimes, and delegated access against the declared task.
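The review step above, and the integration patterns listed under Examples and Use Cases, can be turned into a repeatable check: compare the scopes an issued token actually carries against the scopes the declared task on the consent screen needs, and compare the refresh token's validity against the task's expected duration. The following is an added example written for this entry; it is not code from NHI Mgmt Group or from any named vendor. The task catalogue, scope names (such as `calendar.readonly` and `mail.read`), client IDs, and the `IssuedToken` structure standing in for a token-introspection result are all constructed assumptions.

```python
"""
Consent-to-scope drift check (added example, not from the original page).

Given a token inventory, flag tokens whose scopes exceed what the declared
task needs, and tokens whose refresh lifetime outlives the task window.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical task catalogue: the narrow purpose shown on the consent screen
# mapped to the scopes that purpose actually needs. Names are constructed.
DECLARED_TASKS: dict[str, set[str]] = {
    "read calendar events": {"calendar.readonly"},
    "create support tickets": {"tickets.write"},
    "contact sync": {"contacts.readonly"},
    "basic profile access": {"profile.read"},
}


@dataclass
class IssuedToken:
    """Constructed stand-in for an OAuth token introspection result."""
    client_id: str
    declared_task: str          # what the consent screen told the user
    scopes: set[str]            # what the authorization server actually issued
    issued_at: datetime
    refresh_expires_at: datetime | None = None


@dataclass
class DriftReport:
    client_id: str
    declared_task: str
    excess_scopes: set[str] = field(default_factory=set)
    lifetime_excess: timedelta | None = None

    @property
    def drifted(self) -> bool:
        return bool(self.excess_scopes) or self.lifetime_excess is not None


def assess_drift(token: IssuedToken, task_window: timedelta | None = None) -> DriftReport:
    """Report scopes beyond the declared task and, when a task window is given,
    how far the refresh token's validity extends past the end of that window."""
    allowed = DECLARED_TASKS.get(token.declared_task)
    if allowed is None:
        raise ValueError(f"unknown declared task: {token.declared_task!r}")
    report = DriftReport(token.client_id, token.declared_task)
    report.excess_scopes = token.scopes - allowed
    if task_window is not None and token.refresh_expires_at is not None:
        task_end = token.issued_at + task_window
        if token.refresh_expires_at > task_end:
            report.lifetime_excess = token.refresh_expires_at - task_end
    return report


def review_tokens(tokens: list[IssuedToken],
                  task_windows: dict[str, timedelta] | None = None) -> list[DriftReport]:
    """Run the check over an inventory and return only the drifted entries."""
    task_windows = task_windows or {}
    drifted = []
    for token in tokens:
        report = assess_drift(token, task_windows.get(token.declared_task))
        if report.drifted:
            drifted.append(report)
    return drifted


# Constructed sample inventory mirroring the patterns in the examples above.
NOW = datetime(2026, 6, 4, tzinfo=timezone.utc)
SAMPLE_TOKENS = [
    # consent said "read calendar events"; token also carries a mail scope
    IssuedToken("saas-calendar-app", "read calendar events",
                {"calendar.readonly", "mail.read"}, NOW),
    # agent approved for tickets; connector reused a broad service token
    IssuedToken("support-agent", "create support tickets",
                {"tickets.write", "customers.write"}, NOW),
    # scope is right, but the refresh token outlives the 30-day campaign
    IssuedToken("sales-app", "contact sync", {"contacts.readonly"}, NOW,
                refresh_expires_at=NOW + timedelta(days=365)),
    # aligned: declared task and issued scope match, no refresh token
    IssuedToken("dev-portal-app", "basic profile access", {"profile.read"}, NOW),
]
TASK_WINDOWS = {"contact sync": timedelta(days=30)}

if __name__ == "__main__":
    for report in review_tokens(SAMPLE_TOKENS, TASK_WINDOWS):
        print(report)
```

In a real deployment the `IssuedToken` records would be built from the authorization server's introspection endpoint or token inventory, and the task catalogue would be the source of truth that product copy, consent dialogs, and backend scope handling are all reviewed against, so that a token can be checked at issuance and again at each renewal rather than only at the original consent click.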

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 4, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org