Cyber Security

Granular Authorization for AI Agents: Why the Identity Stack Needs a First-Principles Rewrite

By Prakash Wagle, Senior Software Engineer at Meta

A single AI agent in production can fire ten thousand API calls per hour, spawn sub-agents, and finish its work in seconds. The OAuth token it is using was designed in 2012 for a human clicking “Allow” on a permission screen. That mismatch is not a tooling gap. It is a foundational one, and enterprises racing to deploy AI agents are inheriting an authorization model that was never built for non-human, high-velocity, autonomous principals. The security debt is compounding faster than most CIOs realize. 

The identity and authorization stack that runs modern enterprises was built on three assumptions that no longer hold: that principals are human, that identities are durable, and that permissions can be assigned in advance. AI agents violate all three. Until enterprises rebuild authorization for non-human, ephemeral, dynamically-scoped actors, every AI deployment is shipping with a structural vulnerability that will not surface in pilots and will not be fixable after the first regulated-industry incident. 

The scale of the gap is already hard to ignore. CyberArk’s 2025 Identity Security Landscape found there are now 82 machine identities for every human identity in the average enterprise, and that 42% of them carry privileged or sensitive access. Driven by cloud and AI, that ratio is climbing fast and agentic AI in production will accelerate it further. 

Why current authorization breaks down for agents 

Three structural mismatches define the problem. 

Velocity. Machine-speed decisions are running on human-grade tokens, so a compromised or confused agent does damage at machine speed. The credentials in play, whether OAuth tokens, API keys, or service-account credentials, were standardized for a world where a human pressed a button every few minutes. OAuth 2.0 itself was published as RFC 6749 in October 2012, well before any of this was on the horizon. Bind one of those tokens to an agent making thousands of decisions per second, and the blast radius is no longer human-scale. 

Ephemerality. Agents spin up, execute, and dissolve in seconds, while enterprise IAM systems assume durable identities that an admin provisioned through a ticket. The joiner-mover-leaver model that governs human identity has no equivalent for an agent that lived for four seconds and was instantiated by another agent. 

Composition. A single user intent fans out into dozens of sub-agent calls and tool invocations, none of which the original consent screen anticipated. There is no clean lineage between what the user authorized and what the system actually did on the user’s behalf. 

Each of these breaks a different assumption baked into the OAuth and SAML era. None of them are solved by shorter token expirations or more aggressive secret rotation. The problem is in the model, not the parameters. 

None of this is to say the industry is standing still. Workload-identity frameworks like SPIFFE and delegation mechanisms like OAuth token exchange (RFC 8693) already give machines short-lived, verifiable credentials and a way to narrow scope as calls move downstream. But they were designed to identify and constrain workloads, not to reason about the intent behind a chain of autonomous agent decisions — they can tell you which service is calling, not whether a human ever authorized the destructive action at the end of the chain. 

Why RBAC fails and ABAC is the real answer 

Role-based access control was built for the org chart. A new employee joins, a ticket gets raised, an admin assigns them permissions based on their role. That entire workflow collapses when the “employee” lives for four seconds and was instantiated by another agent. 

Attribute-based access control, where decisions are made on real-time context like the current task, data sensitivity, calling chain, and time of day, is the only model that scales to agent velocity. The framework has been standardized for over a decade. NIST published its guidance on ABAC in Special Publication 800-162. Enterprise adoption has been slow because ticket-based provisioning was “good enough” for human users. It is not good enough for agents. 

In concrete terms, the shift looks like this: instead of issuing an agent a token that carries a static set of scopes for its lifetime, the authorization layer evaluates each individual action against the current context. The agent attempting to read patient records is the same code as the agent attempting to delete them, but the second action gets denied because the policy engine sees no human intent in the calling chain that justifies a destructive operation. Ticket-based provisioning is now a bottleneck rather than a control. 

The audit trail problem 

When something goes wrong, enterprises need to answer four questions: which agent did this, on whose authority was it acting, what was the full chain of actions it took, and what spawned it in the first place. Current logging captures API calls. It does not capture intent, parent-child agent relationships, or the authorization context at the moment of each decision. 

For regulated industries like healthcare, financial services, and customer operations, this gap is not an inconvenience. It is a compliance failure waiting to be discovered during the first audit or breachinvestigation. The OWASP Foundation has already named excessive agency one of the top ten security risks for LLM applications, specifically calling out systems that perform high-impact actions without verifiable authorization checks. Regulators are paying attention. Most enterprise audit trails are not yet equipped to give the answers regulators are about to start asking. 

What CIOs and CAIOs should ask now 

Five concrete questions to put to AI vendors and internal teams. 

What is the shortest-lived token your agents can operate with? Hours and days are not answers. Minutes is the floor; seconds is better. 

Can authorization be scoped per task rather than per session? A token good for “this one read of this one record” is structurally different from a token good for “everything this user can do for the next eight hours.” 

When an agent spawns a sub-agent, does authorization narrow or inherit? If it inherits, the system is one prompt injection away from handing an attacker the full authority of the parent context. 

What is logged at the intent layer rather than just the API-call layer? You should be able to reconstruct, after the fact, what the user asked for and how that intent translated into every downstream action. 

Who is accountable when an agent acts, the user, the model provider, or the deploying enterprise? If your contracts and your logging architecture do not answer this consistently, you are uninsurable. 

Why this piece, why now 

Most AI security coverage is fixated on prompt injection and model alignment. Authorization, the layer that actually determines what an agent can do once it is compromised, confused, or misaligned, is barely discussed in mainstream coverage. Meanwhile, agent frameworks are shipping to production weekly, and enterprises are pointing them at customer data, financial systems, and clinical workflows. There is a narrow window for decision-makers to get this right before the first major regulated-industry incident forces the conversation on terms set by regulators rather than by practitioners. Enterprises that treat agent authorization as an infrastructure problem now will deploy AI faster and more safely than those who treat it as a model-tuning problem later. 

Author

Related Articles

Back to top button