Why OAuth Alone Isn't Enough for AI Agents

OAuth was built for apps and human-driven interactions—not autonomous, multi-step AI agents. As organizations rely on AI for operational work, the limitations of OAuth become clearer—and riskier.

Paulina Xu · November 25, 2025 · 9 min read
Tags: OAuth, Agents, Security

OAuth’s Core Assumptions Don’t Match How Agents Behave

OAuth 2.0 assumes three things:

  1. A human is present to grant consent.
  2. The application invoking actions is static and predictable.
  3. Scopes represent the entire boundary of what the app can do.

But autonomous agents break all three assumptions.

AI Agents Are Dynamic by Design

  • Take actions that are not predefined in code
  • Interact with APIs based on LLM reasoning
  • Make decisions based on context, not static flows
  • Chain multiple API calls driven by emergent behavior

This is fundamentally incompatible with OAuth’s model, which presumes a predefined set of actions and a deterministic application.

Academic Support:

Research from Stanford HAI (2024) shows that LLM agents routinely produce “unbounded and unpredictable actions” even when guardrailed. Agents frequently deviate from intended workflows due to reasoning drift.

OAuth never anticipated a world where applications improvise.

OAuth Scopes Are Too Coarse for Real-World Agent Permissions

OAuth scopes map to provider-defined permissions, not to user intent or agent-level behavior.

Example: Slack scopes

  • chat:write → allows sending messages to any channel
  • channels:history → read history of all public channels
  • users:read → read the entire company directory

Now consider an AI agent whose purpose is to:

“Send a message to the #marketing channel only when summarizing weekly metrics.”

OAuth provides no way to express:

  • “Only this channel”
  • “Only under this condition”
  • “Never send messages on behalf of this agent for any other purpose”
  • “Only for the user who initiated the task”

The scope is either granted—or not. OAuth lacks resource-level constraints, contextual rules, and intent validation.

Industry Note:

Slack, Google, and Microsoft intentionally design scopes broadly because granular scopes are difficult to manage for typical app developers. But broad scopes create massive risk when used by autonomous agents.

OAuth Does Not Bind Actions to Human Identity

OAuth connects:

  • A user → grants permission
  • To an application → receives a token

OAuth does not connect:

  • Each action → back to a specific, validated human user
  • Each tool call → to a user’s actual permissions
  • Each decision → to a traceable identity event
  • Each workflow step → to a chain of user-approved intent

In AI systems, the agent is often the one “deciding” what action to take—not the human.

The Result:

You can have a fully valid OAuth token, yet:

  • The action is not something the human intended
  • The action exceeds what the human could do manually
  • The action misuses a token the human granted only once
  • The action is triggered by a hallucinated interpretation

OAuth provides initial consent, not ongoing identity proof.

Research:

NIST SP 800-63 (Digital Identity Guidelines) emphasizes continuous identity assurance—something OAuth does not provide or enforce.

OAuth Doesn’t Prevent Hallucinations, Misfires, or Unsafe Actions

AI agents hallucinate API calls the same way they hallucinate text.

Examples documented in industry testing:

  • Creating channels not requested
  • Editing files instead of reading them
  • Deleting tickets instead of updating them
  • Pushing code to production repos unintentionally
  • Running administrative commands that humans rarely use

OAuth will allow these actions if the scope allows them—even if the intent does not.

OAuth Is Blind to Intent

OAuth cannot ask:

  • “Why is this action being taken?”
  • “Is this within the user’s typical behavior?”
  • “Does this action match what the user asked for?”
  • “Does this action violate organizational rules?”
  • “Is this action safe in the context it’s being performed?”

OAuth has zero semantic understanding of business logic, tool semantics, user boundaries, agent intent, and operational risk. It simply checks token validity and scope.

Academic Support:

The “LLM Safety & Reliability” 2024 survey (Stanford/Berkeley/Microsoft Research) highlights that “permissioned but unsafe actions” are one of the most common agent failure modes.

OAuth Cannot Express “Least Privilege” for Agents

Enterprises require the ability to say:

“This agent can do X, for user Y, under condition Z, and nothing else.”

OAuth cannot express:

  • per-action constraints
  • conditional permissions
  • workflow-level permissions
  • resource-specific access rules
  • time-bound or ephemeral permissions
  • environment- or data-dependent authorizations

OAuth scopes are global, not transactional.

Example: Google Drive

Even the restrictive drive.readonly scope allows reading every file the user can access. If the agent’s job is to summarize a single document, accessing any other file is excessive privilege.

Industry Trend:

Google’s BeyondCorp and Microsoft’s Entra PIM emphasize that modern systems require dynamic access checks, not scope-based static grants. OAuth predates this shift.
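To make the preceding sections concrete, here is an added example (not code from the original post) of a policy gate that sits above OAuth. The OAuth scope check runs first, exactly as the provider would perform it; then an agent-level policy expresses what the post says scopes cannot: "only this channel", "only for this purpose", "only for the user who initiated the task", and a time-bound grant. The three Slack scope names are the ones listed above; the agent name, the users, the `purpose` field and the sample calls are constructed for illustration and are not anyone's production API.

```python
# Added example (not from the original post): an agent-level policy gate above OAuth.
# The Slack scope names come from the post; every other name is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class ToolCall:
    tool: str          # provider, e.g. "slack"
    action: str        # API method the agent wants to invoke
    resource: str      # e.g. a channel name
    initiated_by: str  # human whose task produced this call
    purpose: str       # task label taken from the user's request record, not free text from the model
    at: datetime

# Which OAuth scope each API method needs (constructed mapping mirroring the post's scope list).
REQUIRED_SCOPE = {
    ("slack", "chat.postMessage"): "chat:write",
    ("slack", "conversations.history"): "channels:history",
    ("slack", "users.list"): "users:read",
}

def scope_allows(granted_scopes, call):
    """Provider-level check: the only question OAuth itself answers."""
    needed = REQUIRED_SCOPE.get((call.tool, call.action))
    return needed is not None and needed in granted_scopes

@dataclass
class AgentPolicy:
    agent_id: str
    bound_user: str            # the only user this agent may act for
    allowed: dict              # (tool, action) -> set of permitted resources
    allowed_purposes: frozenset
    valid_until: datetime      # ephemeral grant, not a standing one

    def evaluate(self, call):
        """System-level check: returns (allowed, reason)."""
        if call.at > self.valid_until:
            return False, "policy expired"
        if call.initiated_by != self.bound_user:
            return False, "not initiated by the bound user"
        resources = self.allowed.get((call.tool, call.action))
        if resources is None:
            return False, f"{call.tool}.{call.action} not permitted for this agent"
        if call.resource not in resources:
            return False, f"resource {call.resource} not in allow-list"
        if call.purpose not in self.allowed_purposes:
            return False, f"purpose {call.purpose!r} not permitted"
        return True, "ok"

def authorize(granted_scopes, policy, call):
    """Two gates in sequence; a call must pass both to execute."""
    if not scope_allows(granted_scopes, call):
        return "DENY", "missing OAuth scope"
    ok, reason = policy.evaluate(call)
    return ("ALLOW" if ok else "DENY"), reason

# --- constructed scenario: the post's "#marketing weekly metrics" agent ---
NOW = datetime(2025, 11, 25, 9, 0, tzinfo=timezone.utc)
GRANTED = frozenset({"chat:write", "channels:history", "users:read"})  # the broad OAuth grant
POLICY = AgentPolicy(
    agent_id="weekly-metrics-summarizer",
    bound_user="alice",
    allowed={("slack", "chat.postMessage"): {"#marketing"}},
    allowed_purposes=frozenset({"weekly-metrics-summary"}),
    valid_until=NOW + timedelta(days=7),
)

def scenario():
    """Run the sample calls through both gates; returns {label: (decision, reason)}."""
    calls = {
        "intended":       ToolCall("slack", "chat.postMessage", "#marketing", "alice", "weekly-metrics-summary", NOW),
        "wrong_channel":  ToolCall("slack", "chat.postMessage", "#general",   "alice", "weekly-metrics-summary", NOW),
        "other_user":     ToolCall("slack", "chat.postMessage", "#marketing", "bob",   "weekly-metrics-summary", NOW),
        "directory_read": ToolCall("slack", "users.list",       "*",          "alice", "weekly-metrics-summary", NOW),
        "expired":        ToolCall("slack", "chat.postMessage", "#marketing", "alice", "weekly-metrics-summary", NOW + timedelta(days=8)),
    }
    return {label: authorize(GRANTED, POLICY, call) for label, call in calls.items()}

if __name__ == "__main__":
    for label, (decision, reason) in scenario().items():
        print(f"{label:15s} {decision:5s} {reason}")
```

Note that the `directory_read` call passes the OAuth gate, because `users:read` was granted, and is stopped only by the policy gate: that is the gap between a provider-level scope and a task-level permission. The `purpose` check is only as good as its source; it must come from the recorded user request, since a label the model writes for itself proves nothing.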

OAuth Has No Multi-Tool, Multi-Step Governance Model

Agents frequently chain actions across multiple tools:

  1. Query Jira
  2. Write summary to Notion
  3. Send Slack message
  4. Update CRM
  5. Save files to Drive

OAuth sees none of this as a single workflow. It sees multiple tokens, multiple APIs, multiple providers, no shared identity context, and no centralized policy.

This fragmentation creates risk:

  • No unified audit trail
  • No map of which user triggered which action
  • No consistent permission boundary
  • No way to enforce workflow-level rules
  • No system-wide detection of anomalies

OAuth is provider-level authorization. Agents need system-level authorization.

IETF Commentary:

The GNAP working group (successor to OAuth) explicitly calls out that OAuth 2.0 lacks native support for continuous authorization, delegated capabilities, and multi-party access orchestration. These are foundational needs for AI agents.

OAuth Lacks Comprehensive Auditability

Enterprise audit requirements include:

  • Who took an action
  • What action they took
  • In which system
  • When
  • Under what permissions
  • Under what context
  • Whether it was approved
  • Whether it was safe
  • Whether it violated policy

OAuth provides logs for:

  • token creation
  • token refresh
  • scope consent

That’s it.

Every agent action performed after token issuance happens outside OAuth’s visibility.

This creates governance gaps:

  • Security teams can’t answer “why did this happen?”
  • Compliance teams can’t prove least-privilege enforcement
  • Incident response teams can’t reconstruct the chain of events

This is especially problematic in regulated industries (financial services, healthcare, government).
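The two sections above (multi-step governance and auditability) describe the same missing piece from two sides: one record per tool call, stamped with a shared workflow id and the initiating user, so a responder can reconstruct a chain that spans Jira, Notion and Slack from a single log. The following is an added example of such a trail, not code from the original post. The tool and action names, the scope strings, the users and the sample run are constructed for illustration; the "delete a ticket instead of updating it" step reproduces the misfire class the post lists.

```python
# Added example (not from the original post): a workflow-scoped audit trail that answers
# who / what / in which system / when / under what permissions / context / approved
# for every tool call in a multi-tool run. All names and the sample run are constructed.
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta, timezone
import json

@dataclass
class AuditEvent:
    workflow_id: str
    step: int
    actor_user: str        # human whose task this is (who)
    agent_id: str
    tool: str              # in which system
    action: str            # what
    resource: str
    scopes_used: tuple     # under what permissions
    context: str           # the agent's stated reason (under what context)
    in_plan: bool          # was this (tool, action) part of the declared workflow?
    policy_allowed: bool   # did the policy gate approve it?
    outcome: str           # "executed" or "blocked"
    at: str                # when (ISO 8601)

@dataclass
class WorkflowRun:
    workflow_id: str
    actor_user: str
    agent_id: str
    plan: list                                  # declared (tool, action) steps
    events: list = field(default_factory=list)

def record(run, tool, action, resource, scopes_used, context, at, policy_allowed):
    """Gate one tool call against the declared plan and the policy decision, then log it.
    The event is written whether or not the call executes, so blocked misfires stay visible."""
    in_plan = (tool, action) in run.plan
    executed = in_plan and policy_allowed
    ev = AuditEvent(run.workflow_id, len(run.events) + 1, run.actor_user, run.agent_id,
                    tool, action, resource, tuple(scopes_used), context, in_plan,
                    policy_allowed, "executed" if executed else "blocked", at.isoformat())
    run.events.append(ev)
    return ev

def deviations(run):
    """Steps outside the declared plan: the 'delete instead of update' class of misfire."""
    return [e for e in run.events if not e.in_plan]

def timeline(run):
    """Compact chain-of-events view for incident reconstruction."""
    return [f"{e.step}:{e.tool}.{e.action}:{e.outcome}" for e in run.events]

def export_jsonl(run):
    """One JSON object per line for a SIEM; every line carries the workflow id and actor."""
    return "\n".join(json.dumps(asdict(e)) for e in run.events)

def sample_run():
    """Constructed run: the post's Jira -> Notion -> Slack chain with one hallucinated step."""
    t0 = datetime(2025, 11, 25, 9, 0, tzinfo=timezone.utc)
    run = WorkflowRun("wf-0001", "alice", "weekly-report-agent",
                      [("jira", "search_issues"), ("notion", "create_page"), ("slack", "chat.postMessage")])
    record(run, "jira", "search_issues", "project=OPS", ["read:jira-work"],
           "collect this week's closed tickets", t0, True)
    record(run, "notion", "create_page", "Weekly Ops Summary", ["insert_content"],
           "write the summary page", t0 + timedelta(seconds=12), True)
    # Misfire: the model decides to "clean up" a ticket. The Jira token may well permit it,
    # but the step is not in the plan, so the gate blocks it and the log still records the attempt.
    record(run, "jira", "delete_issue", "OPS-101", ["write:jira-work"],
           "remove duplicate ticket", t0 + timedelta(seconds=15), False)
    record(run, "slack", "chat.postMessage", "#marketing", ["chat:write"],
           "post the weekly summary", t0 + timedelta(seconds=20), True)
    return run

if __name__ == "__main__":
    run = sample_run()
    print("\n".join(timeline(run)))
    print("deviations:", [(e.step, e.tool, e.action) for e in deviations(run)])
    print(export_jsonl(run))
```

The design point is that each provider's own logs would show only an isolated API call under a valid token; the workflow id and actor on every record are what let a security team answer "why did this happen?" and a compliance team show that the out-of-plan step was refused.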

OAuth Was Never Designed for Autonomous Behavior

The original OAuth 2.0 spec (RFC 6749) defines the framework for delegation, consent, token issuance, and third-party application access. It does not define tool-level permissioning, continuous authorization, intent verification, agent/action risk scoring, cross-service permission mediation, dynamic policies, multi-user identity mapping, or hallucination prevention.

The gap between OAuth’s human-driven model and AI agents’ autonomous behavior continues to widen. As Gartner notes in its 2024 IAM report, modern authorization challenges require “policy-based, contextual access frameworks” that go far beyond OAuth’s static scope design.

Conclusion

OAuth is foundational for modern authentication and authorization. It’s proven, battle-tested, and necessary.

But OAuth alone is not designed for autonomous agents, because:

  • Agents act dynamically, not predictably
  • OAuth scopes are broad, not task-specific
  • OAuth captures initial consent, not ongoing intent
  • OAuth cannot prevent unsafe or hallucinated actions
  • OAuth offers no multi-tool governance
  • OAuth provides minimal auditability
  • OAuth doesn’t model real-time, user-bound, agent-level permissions

In short:

OAuth authorizes access.

AI agents need something that governs every action.

As organizations adopt agents for real operational work, we need a layer above OAuth—not replacing it, but complementing it—one designed for the realities of autonomous, multi-step, cross-tool AI behavior.
