AI Agent Identity 2026: Authentication & Authorization

Posted on: 6/6/2026 1:13:37 AM

Table of contents

1. Why does an AI agent need its own identity?
1. The Non-Human Identity explosion
2. Three core problems: Authentication, Authorization, Delegation
3. Why agents don't use passwords — two authentication models
4. OAuth 2.1 for agents: Authorization Code + PKCE
1. Four golden rules for agent tokens
5. Chained delegation: Token Exchange & On-Behalf-Of
1. Standardization in flight: the IETF agent draft
6. Identity in MCP and A2A
7. The vendor landscape: Entra Agent ID and friends
1. Entra Agent ID — the core points
8. Design principles: least privilege, just-in-time, human gates
1. Anti-patterns to avoid
9. Conclusion
1. References

In 2026, the hardest question when shipping AI agents to production is no longer "is the model smart enough?" but "when the agent hits a database, sends an email, or moves money — on whose behalf is it acting, and who is accountable?". This is the problem of identity and authorization for autonomous agents — the quiet infrastructure layer that decides whether a multi-agent system can run safely at all.

If the previous post in this series covered AI agent security from the angle of prompt injection and the Lethal Trifecta, this one goes one layer deeper: the identity of the agent itself — who it is in the eyes of your IAM, how it obtains tokens, and what it is (and isn't) allowed to do.

1. Why does an AI agent need its own identity?

In traditional architectures everything runs as the user (via a session) or as the service (via a static API key). AI agents break both models: they act on behalf of a user while also having the autonomy to call dozens of tools, spawn sub-agents, and run asynchronously long after the user has gone offline. The question "who just deleted this record?" becomes nearly unanswerable if the agent has no independent, traceable identity.

45:1Non-human to human identity ratio in the enterprise

250K+Non-human identities per average cloud enterprise

97%NHIs carrying excessive privileges

68%Security incidents involving machine identities

The Non-Human Identity explosion

Non-Human Identities (NHIs: service accounts, workloads, bots, and now AI agents) now outnumber human identities in most enterprises, with a typical ratio of 45:1 and up to 144:1 in cloud-native environments. The catch: 97% of them carry more privileges than they need, and 71% have never been rotated on schedule. A single AI workflow can mint dozens of new NHIs in one afternoon — a brand-new attack surface that legacy IAM tooling was never designed to handle.

2. Three core problems: Authentication, Authorization, Delegation

Agent identity is not one problem but three tightly-coupled ones. Separating them from the start is the key to a correct design:

Problem	Question it answers	Standard mechanism
Authentication	"Who is this agent, really?"	Federated credential, OAuth client, mTLS, workload identity
Authorization	"What is the agent allowed to do?"	Scoped token, RBAC/ReBAC, policy engine, consent
Delegation	"On whose behalf, through which chain?"	Token Exchange (RFC 8693), on-behalf-of, act claim

The most common mistake is collapsing all three into a single static, all-powerful API key: the agent simultaneously "is" that service account, "may do anything", and "has no idea on whose behalf". When the key leaks — and for agents processing untrusted content, leakage is a matter of time — the attacker inherits that full power.

3. Why agents don't use passwords — two authentication models

AI agents don't type passwords, receive SMS OTPs, or tap passkeys. They authenticate with a federated identity credential or a workload certificate — things a machine can prove, not a human memorizes. There are two access models, and picking the right one per operation is the single most important architectural decision:

graph TD
    U["User"] -->|"delegates"| AG["AI Agent
(own identity)"]
    AG -->|"Model 1:
Delegated / On-Behalf-Of"| R1["Resource with
the USER's permissions"]
    AG -->|"Model 2:
App-only / Workload"| R2["Resource with
the AGENT's own permissions"]
    R1 --> NOTE1["e.g. read the user's email,
create a file in user's drive"]
    R2 --> NOTE2["e.g. write system logs,
call an internal service"]
    style U fill:#e94560,stroke:#fff,color:#fff
    style AG fill:#16213e,stroke:#fff,color:#fff
    style R1 fill:#4CAF50,stroke:#fff,color:#fff
    style R2 fill:#2c3e50,stroke:#fff,color:#fff
    style NOTE1 fill:#f8f9fa,stroke:#e0e0e0,color:#2c3e50
    style NOTE2 fill:#f8f9fa,stroke:#e0e0e0,color:#2c3e50

Figure 1: An agent's two access models — Delegated (borrowing the user's rights) and App-only (the agent's own rights)

Delegated access applies when the agent works for a specific user: permissions are bounded by the intersection of the user's rights and the agent's rights. App-only / workload access is for background work tied to no user. The golden rule: any operation touching a user's data must go through delegated access — never let the agent use "god-mode" system rights to bypass that user's own access controls.

4. OAuth 2.1 for agents: Authorization Code + PKCE

The de-facto standard for an agent to obtain a token on a user's behalf is the OAuth 2.1 Authorization Code Flow with PKCE. Because an agent is a public client — it cannot securely store a client secret — PKCE (Proof Key for Code Exchange) is mandatory, not optional as it was under OAuth 2.0.

sequenceDiagram
    participant U as User
    participant A as AI Agent (client)
    participant AS as Authorization Server
    participant RS as Resource Server (MCP/API)
    A->>AS: 1. Authorize + code_challenge (PKCE)
resource=https://mcp.example.com
    AS->>U: 2. Consent screen
(shows agent identity)
    U->>AS: 3. Approve minimal scopes
    AS->>A: 4. Authorization code
    A->>AS: 5. Exchange code + code_verifier
    AS->>A: 6. Access token (short-lived)
+ refresh token
    A->>RS: 7. Call API with Bearer token
    RS->>RS: 8. Validate aud == self
(RFC 8707 resource binding)
    RS->>A: 9. Result

Figure 2: OAuth 2.1 Authorization Code + PKCE flow for an AI agent

A typical agent token request (step 5) looks like this — note the resource parameter (RFC 8707 Resource Indicators) binding the token to exactly one server, and the PKCE code_verifier:

POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=SplxlOBeZQQYbYS6WxSbIA
&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
&redirect_uri=https://agent.example.com/callback
&resource=https://mcp.example.com
&client_id=agent-orchestrator

Four golden rules for agent tokens

1. Keep tokens short-lived. The MCP 2025-06-18 spec recommends short-lived access tokens to limit blast radius on leak. 2. Resource binding (RFC 8707). Tokens must declare aud/resource as the target server's URI; the server rejects tokens not bound to itself — blocking cross-server replay. 3. Step-up authorization. The Nov 2025 spec lets clients request extra scopes only when an operation actually needs them, rather than over-permissioning up front. 4. PKCE is mandatory because agents are public clients.

5. Chained delegation: Token Exchange & On-Behalf-Of

Multi-agent systems are rarely flat: an orchestrator calls a sub-agent, which calls a tool-agent... Each hop must answer: "who does this token ultimately represent, and through whose hands?". The answer is OAuth 2.0 Token Exchange (RFC 8693).

Token Exchange lets one party swap an existing token for a new, narrower-scoped one, carrying information about the actor (the party wishing to act on behalf of the subject) via the actor_token parameter. The delegation chain is expressed by nesting the act claim: the outermost claim is the current actor, nested claims are prior actors.

graph LR
    U["User
(subject)"] -->|"delegate"| O["Orchestrator
Agent"]
    O -->|"token exchange"| S["Sub-Agent
(narrower scope)"]
    S -->|"token exchange"| T["Tool-Agent
(single action)"]
    T --> API["Resource Server"]
    style U fill:#e94560,stroke:#fff,color:#fff
    style O fill:#16213e,stroke:#fff,color:#fff
    style S fill:#2c3e50,stroke:#fff,color:#fff
    style T fill:#2c3e50,stroke:#fff,color:#fff
    style API fill:#4CAF50,stroke:#fff,color:#fff

Figure 3: A multi-agent delegation chain — each hop narrows scope and records the actor

The final token's payload carries the full delegation history through nested act claims — exactly what makes "who-acted-for-whom" post-incident auditing feasible:

{
  "sub": "user-8842",
  "aud": "https://mcp.example.com",
  "scope": "files:read calendar:write",
  "act": {
    "sub": "agent://orchestrator-prod",
    "act": {
      "sub": "agent://subagent-scheduler"
    }
  }
}

Standardization in flight: the IETF agent draft

There is an active IETF draft — draft-oauth-ai-agents-on-behalf-of-user — extending OAuth specifically for agent delegation: a requested_actor parameter so the consent screen shows the agent's identity, and an actor_token parameter so the agent authenticates itself when exchanging the authorization code. The result is an access token documenting the full delegation chain: user → client application → this specific agent.

6. Identity in MCP and A2A

The two foundational protocols of the 2026 agent ecosystem — MCP (agent ↔ tool) and A2A (agent ↔ agent) — both treat identity as a first-class citizen, but differently:

Aspect	MCP (Model Context Protocol)	A2A (Agent-to-Agent)
OAuth role	MCP Server = pure Resource Server; separate Authorization Server	Each agent is both client and resource to other agents
Authentication	Bearer token + resource indicator (RFC 8707)	Agent Card declares the auth scheme; mTLS/OIDC between agents
Token discovery	Protected Resource Metadata points to the AS	Capability + auth requirements exchanged in the handshake
Shared principle	Separate user identity from agent identity; short-lived tokens; minimal scope

A key design point in the June 2025 MCP spec: the MCP Server acts only as a resource server, never issuing tokens itself but merely validating tokens issued by a dedicated Authorization Server. This separation avoids the "every server rolls its own IAM" anti-pattern — the root of countless vulnerabilities.

7. The vendor landscape: Entra Agent ID and friends

The IAM heavyweights have moved in. In April 2026, Microsoft Entra Agent ID reached General Availability — an identity platform purpose-built for agents, extending Zero Trust principles (authentication, authorization, governance, lifecycle) to non-human identities via the open OAuth 2.0, MCP, and A2A standards.

06/2025

MCP spec splits the Authorization Server from the Resource Server — agents authenticate through a dedicated AS.

11/2025

MCP adds step-up authorization and server identity; the IETF on-behalf-of draft for agents gains momentum.

04/2026

Microsoft Entra Agent ID GA: each agent gets a stable object ID/app ID, authenticating via Federated Identity Credentials, no passwords.

2026

The NHI governance ecosystem (discovery, rotation, privilege revocation) becomes mandatory for enterprise-scale agent rollouts.

Entra Agent ID — the core points

An agent identity has an object ID and app ID that always share the same value, usable reliably for auth decisions. Unlike humans, agents don't use passwords, SMS, or passkeys — they authenticate only via Federated Identity Credentials issued by an "agent blueprint". The service is OAuth 2.0 + OIDC compliant, supports both app-only and delegated access, and gives admins a central place to monitor and control agent behavior.

8. Design principles: least privilege, just-in-time, human gates

Technology is only half the story; the other half is design discipline. Four principles for every production agent:

Scope-level least privilege: each token carries exactly the scopes for the task at hand. Don't grant admin:* when the agent only needs files:read.
Just-in-time & step-up: elevate privileges only when needed; tokens expire when the work is done. Sensitive operations trigger step-up authorization.
Human-in-the-loop as an authorization gate: irreversible actions (moving money, deleting data, sending external mail) must pass human approval — the final authorization layer.
Make every action traceable: every call carries the agent identity plus the act chain, pushed to an immutable audit log to answer "who did what" after an incident.

Anti-patterns to avoid

A static, all-powerful, never-expiring API key baked into an env var — one leak loses everything. Sharing a single service account across all agents — you forfeit traceability and least privilege. An agent using system rights to access user data — bypassing that user's own access controls. Multi-day tokens never rotated — stretching the attack window. Each of these shows up in the statistics: 97% over-privileged NHIs and 71% never rotated.

9. Conclusion

As AI agents move from demo to production, identity becomes the new security perimeter. An agent with no identity of its own is an agent you cannot trace, cannot scope, and cannot audit — the three minimum conditions for any autonomous system to be trusted.

The good news: we don't need to reinvent the wheel. OAuth 2.1 + PKCE for authentication, RFC 8707 for resource binding, RFC 8693 Token Exchange for delegation chains, the on-behalf-of draft for agent identity on the consent screen, and platforms like Entra Agent ID for governance — the toolkit is ready. What remains is discipline: minimal privilege, short-lived tokens, and humans placed at exactly the irreversible gates. In an era where non-human identities outnumber humans 45:1, this is no longer a nice-to-have — it's a survival condition.

References

#Agentic AI #Identity #Security #AI Agents #OAuth

# AI Agent Identity 2026: Authentication & Authorization

In 2026, the hardest question when shipping AI agents to production is no longer *"is the model smart enough?"* but *"when the agent hits a database, sends an email, or moves money — **on whose behalf** is it acting, and **who is accountable**?"*. This is the problem of **identity** and **authorization** for autonomous agents — the quiet infrastructure layer that decides whether a multi-agent system can run safely at all.

If the previous post in this series covered **AI agent security** from the angle of prompt injection and the Lethal Trifecta, this one goes one layer deeper: the **identity of the agent itself** — who it *is* in the eyes of your IAM, how it obtains tokens, and what it is (and isn't) allowed to do.

## 1. Why does an AI agent need its own identity?

In traditional architectures everything runs *as the user* (via a session) or *as the service* (via a static API key). AI agents break both models: they act **on behalf of a user** while also having the **autonomy** to call dozens of tools, spawn sub-agents, and run asynchronously long after the user has gone offline. The question *"who just deleted this record?"* becomes nearly unanswerable if the agent has no independent, traceable identity.

45:1Non-human to human identity ratio in the enterprise

250K+Non-human identities per average cloud enterprise

97%NHIs carrying excessive privileges

68%Security incidents involving machine identities

#### The Non-Human Identity explosion

Non-Human Identities (NHIs: service accounts, workloads, bots, and now AI agents) now **outnumber human identities** in most enterprises, with a typical ratio of 45:1 and up to 144:1 in cloud-native environments. The catch: 97% of them carry more privileges than they need, and 71% have never been rotated on schedule. A single AI workflow can mint dozens of new NHIs in one afternoon — a brand-new attack surface that legacy IAM tooling was never designed to handle.

## 2. Three core problems: Authentication, Authorization, Delegation

Agent identity is not one problem but three tightly-coupled ones. Separating them from the start is the key to a correct design:

| Problem | Question it answers | Standard mechanism |
| --- | --- | --- |
| **Authentication** | "Who is this agent, really?" | Federated credential, OAuth client, mTLS, workload identity |
| **Authorization** | "What is the agent allowed to do?" | Scoped token, RBAC/ReBAC, policy engine, consent |
| **Delegation** | "On whose behalf, through which chain?" | Token Exchange (RFC 8693), on-behalf-of, act claim |

The most common mistake is collapsing all three into a single **static, all-powerful API key**: the agent simultaneously "is" that service account, "may do anything", and "has no idea on whose behalf". When the key leaks — and for agents processing untrusted content, leakage is a matter of time — the attacker inherits that full power.

## 3. Why agents don't use passwords — two authentication models

AI agents don't type passwords, receive SMS OTPs, or tap passkeys. They authenticate with a **federated identity credential** or a **workload certificate** — things a machine can prove, not a human memorizes. There are two access models, and picking the right one per operation is the single most important architectural decision:

```
graph TD
    U["User"] -->|"delegates"| AG["AI Agent  
(own identity)"]
    AG -->|"Model 1:  
Delegated / On-Behalf-Of"| R1["Resource with  
the USER's permissions"]
    AG -->|"Model 2:  
App-only / Workload"| R2["Resource with  
the AGENT's own permissions"]
    R1 --> NOTE1["e.g. read the user's email,  
create a file in user's drive"]
    R2 --> NOTE2["e.g. write system logs,  
call an internal service"]
    style U fill:#e94560,stroke:#fff,color:#fff
    style AG fill:#16213e,stroke:#fff,color:#fff
    style R1 fill:#4CAF50,stroke:#fff,color:#fff
    style R2 fill:#2c3e50,stroke:#fff,color:#fff
    style NOTE1 fill:#f8f9fa,stroke:#e0e0e0,color:#2c3e50
    style NOTE2 fill:#f8f9fa,stroke:#e0e0e0,color:#2c3e50

```

Figure 1: An agent's two access models — Delegated (borrowing the user's rights) and App-only (the agent's own rights)

**Delegated access** applies when the agent works for a specific user: permissions are bounded by the intersection of *the user's rights* and *the agent's rights*. **App-only / workload access** is for background work tied to no user. The golden rule: *any operation touching a user's data must go through delegated access* — never let the agent use "god-mode" system rights to bypass that user's own access controls.

## 4. OAuth 2.1 for agents: Authorization Code + PKCE

The de-facto standard for an agent to obtain a token on a user's behalf is the **OAuth 2.1 Authorization Code Flow with PKCE**. Because an agent is a **public client** — it cannot securely store a client secret — PKCE (Proof Key for Code Exchange) is mandatory, not optional as it was under OAuth 2.0.

```
sequenceDiagram
    participant U as User
    participant A as AI Agent (client)
    participant AS as Authorization Server
    participant RS as Resource Server (MCP/API)
    A->>AS: 1. Authorize + code_challenge (PKCE)  
resource=https://mcp.example.com
    AS->>U: 2. Consent screen  
(shows agent identity)
    U->>AS: 3. Approve minimal scopes
    AS->>A: 4. Authorization code
    A->>AS: 5. Exchange code + code_verifier
    AS->>A: 6. Access token (short-lived)  
+ refresh token
    A->>RS: 7. Call API with Bearer token
    RS->>RS: 8. Validate aud == self  
(RFC 8707 resource binding)
    RS->>A: 9. Result

```

Figure 2: OAuth 2.1 Authorization Code + PKCE flow for an AI agent

A typical agent token request (step 5) looks like this — note the `resource` parameter (RFC 8707 Resource Indicators) binding the token to exactly one server, and the PKCE `code_verifier`:

```json
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=SplxlOBeZQQYbYS6WxSbIA
&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
&redirect_uri=https://agent.example.com/callback
&resource=https://mcp.example.com
&client_id=agent-orchestrator
```

#### Four golden rules for agent tokens

**1. Keep tokens short-lived.** The MCP 2025-06-18 spec recommends short-lived access tokens to limit blast radius on leak. **2. Resource binding (RFC 8707).** Tokens must declare `aud`/`resource` as the target server's URI; the server rejects tokens not bound to itself — blocking cross-server replay. **3. Step-up authorization.** The Nov 2025 spec lets clients request extra scopes *only when* an operation actually needs them, rather than over-permissioning up front. **4. PKCE is mandatory** because agents are public clients.

## 5. Chained delegation: Token Exchange & On-Behalf-Of

Multi-agent systems are rarely flat: an *orchestrator* calls a *sub-agent*, which calls a *tool-agent*... Each hop must answer: *"who does this token ultimately represent, and through whose hands?"*. The answer is **OAuth 2.0 Token Exchange (RFC 8693)**.

Token Exchange lets one party swap an existing token for a new, narrower-scoped one, carrying information about the **actor** (the party wishing to act on behalf of the subject) via the `actor_token` parameter. The delegation chain is expressed by **nesting the `act` claim**: the outermost claim is the current actor, nested claims are prior actors.

```
graph LR
    U["User  
(subject)"] -->|"delegate"| O["Orchestrator  
Agent"]
    O -->|"token exchange"| S["Sub-Agent  
(narrower scope)"]
    S -->|"token exchange"| T["Tool-Agent  
(single action)"]
    T --> API["Resource Server"]
    style U fill:#e94560,stroke:#fff,color:#fff
    style O fill:#16213e,stroke:#fff,color:#fff
    style S fill:#2c3e50,stroke:#fff,color:#fff
    style T fill:#2c3e50,stroke:#fff,color:#fff
    style API fill:#4CAF50,stroke:#fff,color:#fff

```

Figure 3: A multi-agent delegation chain — each hop narrows scope and records the actor

The final token's payload carries the full delegation history through nested `act` claims — exactly what makes "who-acted-for-whom" post-incident auditing feasible:

```json
{
  "sub": "user-8842",
  "aud": "https://mcp.example.com",
  "scope": "files:read calendar:write",
  "act": {
    "sub": "agent://orchestrator-prod",
    "act": {
      "sub": "agent://subagent-scheduler"
    }
  }
}
```

#### Standardization in flight: the IETF agent draft

There is an active IETF draft — `draft-oauth-ai-agents-on-behalf-of-user` — extending OAuth specifically for agent delegation: a `requested_actor` parameter so the consent screen **shows the agent's identity**, and an `actor_token` parameter so the agent authenticates itself when exchanging the authorization code. The result is an access token documenting the full delegation chain: user → client application → this specific agent.

## 6. Identity in MCP and A2A

The two foundational protocols of the 2026 agent ecosystem — **MCP** (agent ↔ tool) and **A2A** (agent ↔ agent) — both treat identity as a first-class citizen, but differently:

| Aspect | MCP (Model Context Protocol) | A2A (Agent-to-Agent) |
| --- | --- | --- |
| OAuth role | MCP Server = pure **Resource Server**; separate Authorization Server | Each agent is both client and resource to other agents |
| Authentication | Bearer token + resource indicator (RFC 8707) | Agent Card declares the auth scheme; mTLS/OIDC between agents |
| Token discovery | Protected Resource Metadata points to the AS | Capability + auth requirements exchanged in the handshake |
| Shared principle | Separate user identity from agent identity; short-lived tokens; minimal scope | |

A key design point in the June 2025 MCP spec: the **MCP Server acts only as a resource server**, never issuing tokens itself but merely validating tokens issued by a dedicated Authorization Server. This separation avoids the "every server rolls its own IAM" anti-pattern — the root of countless vulnerabilities.

## 7. The vendor landscape: Entra Agent ID and friends

The IAM heavyweights have moved in. In April 2026, **Microsoft Entra Agent ID** reached General Availability — an identity platform purpose-built for agents, extending Zero Trust principles (authentication, authorization, governance, lifecycle) to non-human identities via the open OAuth 2.0, MCP, and A2A standards.

06/2025

MCP spec splits the **Authorization Server** from the Resource Server — agents authenticate through a dedicated AS.

11/2025

MCP adds **step-up authorization** and server identity; the IETF on-behalf-of draft for agents gains momentum.

04/2026

**Microsoft Entra Agent ID GA**: each agent gets a stable object ID/app ID, authenticating via Federated Identity Credentials, no passwords.

2026

The NHI governance ecosystem (discovery, rotation, privilege revocation) becomes mandatory for enterprise-scale agent rollouts.

#### Entra Agent ID — the core points

An agent identity has an **object ID and app ID that always share the same value**, usable reliably for auth decisions. Unlike humans, agents **don't use passwords, SMS, or passkeys** — they authenticate only via Federated Identity Credentials issued by an "agent blueprint". The service is OAuth 2.0 + OIDC compliant, supports both app-only and delegated access, and gives admins a central place to monitor and control agent behavior.

## 8. Design principles: least privilege, just-in-time, human gates

Technology is only half the story; the other half is design discipline. Four principles for every production agent:

- **Scope-level least privilege:** each token carries exactly the scopes for the task at hand. Don't grant `admin:*` when the agent only needs `files:read`.
- **Just-in-time & step-up:** elevate privileges only when needed; tokens expire when the work is done. Sensitive operations trigger step-up authorization.
- **Human-in-the-loop as an authorization gate:** irreversible actions (moving money, deleting data, sending external mail) must pass human approval — the final authorization layer.
- **Make every action traceable:** every call carries the agent identity plus the `act` chain, pushed to an immutable audit log to answer "who did what" after an incident.

#### Anti-patterns to avoid

**A static, all-powerful, never-expiring API key** baked into an env var — one leak loses everything. **Sharing a single service account** across all agents — you forfeit traceability and least privilege. **An agent using system rights to access user data** — bypassing that user's own access controls. **Multi-day tokens** never rotated — stretching the attack window. Each of these shows up in the statistics: 97% over-privileged NHIs and 71% never rotated.

## 9. Conclusion

As AI agents move from demo to production, **identity becomes the new security perimeter**. An agent with no identity of its own is an agent you cannot trace, cannot scope, and cannot audit — the three minimum conditions for any autonomous system to be trusted.

The good news: we don't need to reinvent the wheel. OAuth 2.1 + PKCE for authentication, RFC 8707 for resource binding, RFC 8693 Token Exchange for delegation chains, the on-behalf-of draft for agent identity on the consent screen, and platforms like Entra Agent ID for governance — the toolkit is ready. What remains is **discipline**: minimal privilege, short-lived tokens, and humans placed at exactly the irreversible gates. In an era where non-human identities outnumber humans 45:1, this is no longer a nice-to-have — it's a survival condition.

---

### References

- [Model Context Protocol — Authorization Specification](https://modelcontextprotocol.io/specification/draft/basic/authorization)
- [RFC 8693 — OAuth 2.0 Token Exchange](https://datatracker.ietf.org/doc/html/rfc8693)
- [Microsoft Learn — What is Microsoft Entra Agent ID?](https://learn.microsoft.com/en-us/entra/agent-id/what-is-microsoft-entra-agent-id)
- [Microsoft Learn — Authentication protocols in agents](https://learn.microsoft.com/en-us/entra/agent-id/agent-oauth-protocols)
- [Descope — Diving Into the MCP Authorization Specification](https://www.descope.com/blog/post/mcp-auth-spec)
- [NHI Mgmt Group — Identity governance & non-human identities outnumbering humans](https://nhimg.org/articles/identity-governance-is-shifting-as-non-human-identities-outnumber-humans/)

Voice AI Agents 2026: Building Real-Time Speech Agents

Disclaimer: The opinions expressed in this blog are solely my own and do not reflect the views or opinions of my employer or any affiliated organizations. The content provided is for informational and educational purposes only and should not be taken as professional advice. While I strive to provide accurate and up-to-date information, I make no warranties or guarantees about the completeness, reliability, or accuracy of the content. Readers are encouraged to verify the information and seek independent advice as needed. I disclaim any liability for decisions or actions taken based on the content of this blog.