Cheat Sheet: Agentic Authorization for Securing AI Agents, Tools & Delegated Access
What this is and why you should care
The What
Agentic authorization must be considered as part of a bigger agentic identity security concept. The Cyber Hut covered this in a two-part introduction.
This cheat sheet will take a more detailed introduction in the authorization components.
Agentic authorization is the process of deciding and enforcing what an AI agent is allowed to do, which tools it can use, what data it can access, and under whose authority it is acting.
This brings up three high level question:
Where to enforce?
How to enforce?
What to enforce?
Where to Enforce
Enforcement points are becoming broad and varied as agents are accessing a range of different assets and resources. We need to consider where agents are running, how they are created or built and how they themselves are accessed to trigger their objectives. We need to consider tools access, data access, interception patterns and evaluation locations.
How to Enforce
Implementation relies on a combination of several core methods to secure execution paths:
Enforcement Libraries and Plugins: Embedded in code and LLMs
Token Exchange and Binding: Generating ephemeral permissions via token exchange that binds intent and the human requester
Gateway Plugins: Leveraging gateways to intercept MCP to straight API paths
PxP: modular and distributed enforcement and decision points
What to Enforce
This will be much more evolutionary than historic human-centric session and linear allow/deny access to a page or transaction. We need to encompass pre-execution data and tasks, tools access at both a coarse and fine-grained level, traditional API and data access as well as output and response access and masking.
Why It Matters
AI agents change the access model because they can:
act on behalf of users;
call a broad set of tools and APIs;
access enterprise data;
chain actions together;
operate semi-autonomously;
use delegated credentials;
Traditional access control asks:
“Can this user access this app?”
Agentic authorization asks:
“Can this agent, acting for this user or workload, perform this specific action, against this resource, right now?”
Key Concepts
Agent identity - The agent needs its own identifiable subject, not just borrowed from a human “owner” or trigger.
Delegated authority - The agent acts under authority granted by a human, workload, team or policy.
Tool governance - Controls which tools, APIs, MCP servers and connectors the agent can use - and do this to a fine grained level
Runtime authorization - Access is evaluated at action time, not just at login or consent time
Credential downscoping - Agents receive short-lived, narrow credentials rather than broad secrets.
Policy evaluation - Decisions use a broad set of signals - such as the task at hand, risk, resource, data or context.
Runtime enforcement - Decisions are enforced before the tool call or action executes - which introduces latency, delay style questions.
Audit chain - Logs must show human → agent → tool → data → action → outcome.
Agent BOM - AI bill of materials that focus on defining a secure running state of agentic configuration
Key Capabilities
The following are considerations as part of the agentic authorization concept:
Agent discovery and inventory - more part of the governance and life cycle process, but a key initial starting point
Agent access - restrictions on who or what can start the agent process and who has access to it
Agent identity and registration - even with ephemeral agents, full traceability and accountability is anchored by identifiers and issuance
Binding - an ability to link the agent to the calling human (or agent) and bind intent and potentially any permissions
Human-to-agent delegation - what can and should be delegatable to the agent?
Agent-to-tool authorization - this should include tool access, but also what can be done within the tool. Eg Bash access, but not “rm -rf” command.
MCP gateway or tool proxy controls - intermediary ways of validating actions and tools
Policy decisioning - an ability to combine a range of signals to decide access
Action-time authorization - moving almost towards a stateless evaluation
Short-lived credential issuance - could be part of token exchange services, with downgrade and scope reduction potentially
Tool and parameter-level control - extension of the coarse grained tool access
Data access filtering and masking - both inbound and outbound filtering
Human-in-the-loop approval - agent owner or risk owner as an escalatable contact
Behaviour monitoring - whether specialist or part of standard ITDR layer
Session and token revocation - as a function of risk evaluation and policy response
Audit and explainability - integrity protected way of looking at all actions and lineaage back to the human (or other agent) that triggered the agent
Agent to agent - agents will likely access other agents - that needs controlling and evaluating from a combined set of actions point of view
JIT/JEA privileges - an ability to reduce permissions to a just in time / just enough access model
Questions to Ask Vendors
How do you identify agents in an environment?
Can agents be uniquely identified?
Can agents be classified and risk assessed?
Can agents be bound to a calling user?
Can we control which tools they call?
Can we control which commands are called within a tool?
Can access be scoped to a task?
Can we enforce policy before action?
Can we reconstruct the audit chain?
Can we revoke or downscope access in real time?
What context is used during policy evaluation?
Where is policy located and managed?
Where is policy enforcement located and managed?
Sample Vendors
Runtime Authorization
Process of making and enforcing access decisions at the moment an action is attempted, rather than relying only on login-time authentication or pre-assigned permissions. It evaluates live context which is likely to be volatile and changing per request.
Aembit - https://aembit.io/
Axiomatics (now Leonardo) - https://axiomatics.com/
Britive - https://www.britive.com/
ClevrSecurity - clevrsecurity.com
Kontext Security - https://kontext.security/
Natoma (now Snowflake) - https://natoma.ai/use-cases/authorization
Opal - https://www.opal.dev/
osohq - https://www.osohq.com/
Oasis Security - https://www.oasis.security/
Ory - https://www.ory.com/
Permit.io - https://www.permit.io/
PlainID - https://www.plainid.com/
P0 - https://p0.dev/
Reva.ai - https://www.reva.ai/
SGNL (now Crowdstrike) - https://sgnl.ai/
SecureAuth - https://secureauth.com/
Silverfort - https://www.silverfort.com/
MCP and Tool Access
MCP facilitates capability discovery by allowing agents to retrieve metadata describing available functions and system constraints, with access management at this layer intercepting traffic directly at the edge or via plugins, binding short-lived, ephemeral tokens directly to the agent's tool execution flow right down to specific commands within a tool.
Aembit - https://aembit.io/
Britive - https://www.britive.com/
Natoma (now Snowflake) - https://natoma.ai/use-cases/authorization
Ory - https://www.ory.com/
Scalekit - https://www.scalekit.com/mcp-auth
SecureAuth - https://secureauth.com/
Silverfort - https://www.silverfort.com/
Privileged Access and Infrastructure Enforcement
AppViewX - https://www.appviewx.com/products/ai-agent-identity-security-software/
Britive - https://www.britive.com/
P0 - https://p0.dev/
Teleport - https://goteleport.com/
Sonrai Security - https://sonraisecurity.com/use-cases/ai-agent-security/
Silverfort - https://www.silverfort.com/
About The Author
Simon Moffatt has over 25 years of experience in IAM, cyber, and identity security. He is the founder of The Cyber Hut, a specialist research and advisory firm based out of the UK. He is the author of CIAM Design Fundamentals and IAM at 2035: A Future Guide to Identity Security. He is a Fellow of the Chartered Institute of Information Security, a regular keynote speaker, and a strategic advisor to entities in the public and private sectors.
Last updated 17 July 2026.




