The Identity Problem Hiding in AI Agent Deployments
The rapid deployment of AI agents in enterprises creates an identity problem: OAuth access tokens (RFC 9068) lack standardized fields to represent agent instance identity, the user on whose behalf an agent acts, and the delegation relationship between them. This gap can lead to coarse-grained authorization, over-privileged access, and the confused deputy problem in transitive agent call chains. The article calls for industry standardization of this identity context within or adjacent to OAuth tokens.
Detection / Hunteropenrouter
What Happened
As companies deploy AI agents to handle tasks like HR cases, code execution, and customer interactions, these agents need access to sensitive systems. However, current authentication standards (specifically OAuth tokens) were designed for single users or applications and cannot properly represent the complex relationship between an AI agent and the human user it acts on behalf of. This means systems cannot enforce fine-grained access controls or produce meaningful audit trails for AI agent activity. Organizations deploying AI agents should evaluate their authorization architecture, limit agent permissions to the minimum necessary, and monitor for industry standardization efforts that address multi-principal identity context.
Key Takeaways
- AI agents acting on behalf of users create a multi-principal identity problem that current OAuth access token standards (RFC 9068) cannot adequately represent.
- OAuth JWT tokens lack standardized fields for agent instance identity, the user on whose behalf the agent acts, and the delegation relationship between them.
- Without standardization, organizations risk coarse-grained authorization decisions, over-privileged access, and the confused deputy problem in agentic call chains.
- Four agentic AI identity patterns — interactive, offline, automated, and transitive — each have different identity context requirements that grow more critical as agent autonomy increases.
- Industry consensus from IIW April 2026 calls for standardizing agent instance identity, user identity, and their relationship either within OAuth tokens or via adjacent mechanisms.
Affected Systems
- OAuth 2.1 token issuance systems
- AI agent platforms using OAuth access tokens (e.g., MCP-compliant systems)
- API gateways and resource servers enforcing authorization based on JWT-formatted OAuth access tokens (RFC 9068)
- Systems implementing token exchange per RFC 8693
Attack Chain
N/A — This article describes an architectural identity gap rather than a specific attack chain. However, the confused deputy problem is highlighted as a key risk: an AI agent with broad permissions could be tricked or misconfigured into using its elevated access on behalf of a user who should only have limited access, because downstream systems cannot distinguish between the agent's own permissions and the user's delegated context. In transitive scenarios where one agent invokes another, this privilege escalation risk compounds at each hop without standardized identity propagation.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No detection rules or queries are provided in this article. It is a conceptual/architectural analysis of identity gaps in OAuth tokens for AI agent deployments.
Detection Engineering Assessment
EDR Visibility: None — This is an application-layer identity and authorization problem; EDR telemetry would not capture OAuth token claims or authorization decision context. Network Visibility: Low — Network tools may observe OAuth bearer token exchanges but typically do not inspect JWT claims for agent instance identity or user-agent relationship context. Custom API gateway logging would be needed. Detection Difficulty: Hard — The core problem is that the identity context (agent instance, user, relationship) is not standardized in OAuth tokens, so there is no consistent field to alert on. Detection requires custom instrumentation at the application and authorization layers, and the necessary claims may not even be present in current tokens.
Required Log Sources
- OAuth authorization server token issuance logs
- API gateway / resource server access logs with token claims
- Application-level audit logs capturing agent-to-user delegation context
- Identity provider (IdP) logs for token exchange events (RFC 8693)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for OAuth access tokens issued to AI agent client IDs that access resources without any user delegation context, which could indicate over-broad authorization. | OAuth token issuance logs, API gateway access logs with client_id and subject claims | Defense Evasion / Privilege Escalation | High — legitimate automated agent workflows may operate without user delegation context by design. |
| Consider hunting for transitive agent-to-agent API calls where the downstream resource receives a token with no indication of the original user principal, which could indicate confused deputy risk. | API gateway logs, application audit logs tracing agent call chains | Execution / Lateral Movement | Medium — some automated workflows may legitimately chain agents without user context. |
| Consider hunting for AI agent instances accessing resources or data outside the scope of the user case they are handling, which could indicate coarse-grained authorization enforcement. | Application-level audit logs correlating agent actions to specific user cases or tasks | Collection / Exfiltration | Medium — agents with broad roles may legitimately access shared resources. |
Control Gaps
- Standard OAuth token validation cannot distinguish between agent-initiated and user-initiated access
- No standardized mechanism to enforce fine-grained authorization based on agent-user relationship context
- Audit trails cannot reliably attribute AI agent actions to specific user principals or task instances
- Token exchange (RFC 8693) does not propagate the richer relationship context needed for agentic workflows
Key Behavioral Indicators
- OAuth access tokens with client_id values corresponding to AI agent applications but no user subject claim
- API calls from agent client IDs accessing sensitive resources (e.g., salary data, code repositories) without correlatable user delegation context
- Rapid instantiation and termination patterns of agent client IDs making access requests across multiple user contexts
- Transitive API call chains where tokens are exchanged between agents without preserving original principal identity
False Positive Assessment
- High — Many legitimate AI agent workflows operate without standardized identity context today, and the absence of agent-user relationship fields in OAuth tokens is the industry norm rather than an anomaly.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider auditing all AI agent deployments and their OAuth token scopes to identify agents with overly broad permissions.
- Consider implementing least-privilege scoping for AI agent OAuth tokens, ensuring agents receive only the minimum scopes needed for their specific task.
- Evaluate whether your API gateways and resource servers can log and alert on agent client_id values accessing sensitive resources, even if full identity context is not yet available in tokens.
Infrastructure Hardening
- Consider implementing application-level authorization checks that validate the relationship between an AI agent and the user it represents, beyond what OAuth token claims currently provide.
- Evaluate whether your authorization servers can issue short-lived, narrowly-scoped tokens to AI agents on a per-task basis rather than long-lived broad tokens.
- If your organization uses token exchange (RFC 8693), consider auditing whether downstream resources can trace the original user principal through the exchange chain.
- Consider implementing rate limiting and anomaly detection on API endpoints frequently accessed by AI agent client IDs.
User Protection
- Consider requiring explicit user consent for each sensitive resource an AI agent accesses on their behalf, where the agent framework supports interactive consent.
- Evaluate whether users can view and revoke AI agent access delegations through a self-service portal.
- Consider implementing session-level isolation for AI agents handling different users' cases to prevent cross-user data access.
Security Awareness
- Consider briefing development teams on the confused deputy risk when designing AI agent workflows that chain multiple agents or services.
- Consider incorporating AI agent identity and authorization review into existing secure development lifecycle practices.
- If applicable, consider tracking industry standardization efforts (e.g., IIW, OAuth working groups) for agent identity context in access tokens and evaluate adoption when standards emerge.
MITRE ATT&CK Mapping
- T1078 - Valid Accounts
- T1134 - Access Token Manipulation
- T1550 - Use Alternate Authentication Material