The future of AI agents—and why OAuth must evolve

I believe we're at the beginning of something extraordinary. 

Today's AI agents are already impressive—they're helping software engineers write code, assisting site reliability teams in troubleshooting systems, and handling a variety of analytical tasks. Yet, as capable as these specialized agents are becoming, we're just beginning to glimpse their potential. The next wave of changes is approaching fast, bringing capabilities that will transform how we work across a wide variety of fields.  

At Microsoft, we believe the next 12–24 months will fundamentally change the AI agent space. Instead of simply responding to requests, agentic systems will start working independently, spotting problems, suggesting solutions, and carrying context across conversations. The difference might seem small at first, but you'll notice it when your agent starts to proactively help you solve problems rather than just follow instructions.

To support this future, we need to evolve the identity standards that underpin how agents access data and act across connected systems—from APIs, code repositories, and data warehouses, to productivity tools, enterprise systems, and sensitive business processes. It starts with OAuth 2.

What’s changing? 

At Microsoft, we’re building a robust and sophisticated set of agents. Recently, we launched the public preview of our new Conditional Access Optimizer Agent. It’s a multi-functional AI agent that: 

• Analyzes an organization’s Conditional Access policies
• Identifies security gaps
• Recommends policy improvements and simplifications
• Deploys new policies in pilot mode
• Ensures new users and apps are protected 

We’ve also been extensively investing in agents for developer and operations workflows, such as the SWE and SRE agents to help teams boost their productivity when writing and maintaining their applications. As new AI-driven scenarios are introduced, we anticipate an emerging flood of rich, smart, multi-functional, and autonomous agents.  

AI agents will augment and amplify the capabilities of an organization. Marketing agents could propose full digital marketing campaign plans, refine and update them based on feedback, and then when the plans are approved, execute them end-to-end. Engineering agents could autonomously create specifications for new features, as well as start to build and test them with minimal human interactions. You might’ve already seen some of these experiences at this year’s Microsoft Build conference. We could see all kinds of agents helping people to manage compliance, onboard new employees, or even run parts of their IT operations more efficiently. 

But here’s the thing: today’s OAuth 2 standards weren’t built for the world of AI agents. Some existing efforts, like RFC 9396 – OAuth 2.0 Rich Authorization Requests, set some of the fundamental ideas in motion, but we believe we need a more scalable solution for AI-first scenarios. 

Why OAuth 2 needs an update 

OAuth 2 works well for today’s task-focused agents that act on behalf of a user. But as agents become more autonomous and capable, a new set of authorization requirements surfaces. Agents need much more granular permissions, and they need to be dynamic, easily revokable, yet auditable. They need to be able to interact securely with other agents across different trust boundaries, as well as handle scenarios where the ownership of an agent changes on the fly. To enable these capabilities, we need to drive a set of changes to existing standards to support them, unlocking the ability of enterprises to adopt them while maintaining compliance and confidence in the security of their data. 

Here’s what we think needs to change: 

1. Recognize Agent IDs as first-class actors: Agents need to be distinct from clients. They should have their own identity in the OAuth model. When an agent registers with an IDP, it should be able to register as an agent, not a client. When an agent accesses a resource, it should be able to represent that it is an agent. When a computer-using agent accesses a resource through a client, we need a standards-based approach to represent this interaction.
2. Have a standard model for granting agents their own permissions: Agents should be able to act with their own defined set of privileges—not just proxy a user’s rights.

3. Make agent actions transparent and traceable: We need a clear way to distinguish when an agent is acting: 

   • On behalf of a user 
   • On its own behalf 
   • On behalf of another agent or a chain of agents

   This is critical for forensics, policy enforcement, and trust.

   
4. Enable permission discovery and delegation: Agents should be able to discover the permissions required to perform a task and request them—either directly from the user, from an upstream agent, or through a chain of upstream agents ultimately linked to the user.
5. Support for fine-grained, resource specific, least-privilege access: We need updates to the OAuth scopes model to support common approaches to identifying a specific subset of resources a user can delegate access to. For example: 
   • A collection or container of resources, such as all photos from last week  
   • A node in a hierarchy of resources, such as all files in the /taxinfo directory 
   • A specific class or category of resource, like high business impact or confidential 
   • A query, such as SELECT * FROM my_emails WHERE sender LIKE ‘%@microsoft.com’
   • A specific resource, like {customer_ID, 12345} 

      

We believe this set of targeted updates will give users and organizations the controls, visibility, specificity, and granularity necessary to realize the incredible transformative potential of AI agents. 

Let’s build this together 

We’re excited about the future of AI agents. But we also know that to get there, we need to evolve the standards that make secure delegation possible.

We’re looking forward to working with our partners in the broader OAuth community, the Model Context Protocol (MCP), and Agent-to-Agent (A2A) protocol steering committees, as well as the machine identity ecosystem to define the right path forward. Microsoft’s recent work in helping shape a more robust authorization specification for MCP together with the broader security community and Anthropic is just the beginning. 

If you’re attending Identiverse in Las Vegas next week, I hope you’ll reserve a seat for the AI Agents and the Future of Identity roundtable discussion on Wednesday at 7:15 a.m. with breakfast. You can also drop by the booth or request a meeting at Identiverse with Microsoft Security.  

Let’s make sure the next generation of AI agents is not just powerful—but secure, trustworthy, and standards-based. 

- Alex 
P.S.: If you’re working in this space, I’d love to hear from you! Drop a note in the comments below.

 

 

Read more on AI agent innovation from Microsoft Security   

• Announcing Microsoft Entra Agent ID: Secure and manage your AI agents | Microsoft Community Hub
• Microsoft extends Zero Trust to secure the agentic workforce | Microsoft Security Blog
• Microsoft unveils Microsoft Security Copilot agents and new protections for AI | Microsoft Security Blog
• Microsoft Entra Conditional Access optimization agent - Microsoft Entra ID | Microsoft Learn

 

Learn more about Microsoft Entra  

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds. 

• ⁠Microsoft Entra News and Insights | Microsoft Security Blog
• Microsoft Entra blog | Tech Community
• ⁠Microsoft Entra documentation | Microsoft Learn
• Microsoft Entra discussions | Microsoft Community