AI Agent Authorization: How to Solve the On-Behalf-Of Problem

The Demo That Died in the Q&A

A few months ago, a team I was working with showed off their first real AI agent to leadership. It pulled live deal data from the CRM, summarized it, and drafted a follow-up plan. Smooth. Impressive. Everyone leaned in.
‍

Then the head of security raised a hand: "Whose data is the agent seeing right now?"
‍

The presenter paused. The agent was using a service account with read access to everything. Every deal, every rep, every region. The demo wasn't broken - but the auth model was. Two weeks later the project was on hold pending a "delegated identity design."
‍

That conversation is happening in a lot of rooms right now.

Why This Is Suddenly Everyone's Problem

AI agents are moving from notebooks into production workflows. They query CRMs, write to project boards, pull from data warehouses, and call internal APIs. Each of those systems already has a permission model - usually one built around human users, not autonomous software.
‍

The moment your agent does real work across real systems, you inherit every one of those permission models at once. What makes this an AI problem, not just an integration problem: in a traditional app, the user's actions are explicit and pre-defined - every API call traces back to code a developer wrote. With an agent, the LLM chooses which API to call and with what arguments, at runtime - and adversarial input in the data the agent reads can steer those choices.

The On-Behalf-Of Problem Explained

The agent must act on behalf of a specific user, with that user's exact permissions, across multiple external platforms - and prove it at every hop.
‍

Two scenarios make this concrete:

A sales rep asks "What's the latest on the Acme deal?" Reps can only see deals they own. A service account either sees everything (security risk) or sees a different data surface entirely (wrong answers). The agent needs to hit the API as that rep.
‍

"Create a follow-up task for every stale deal." Now the agent reads from a CRM and writes to a PM tool. It needs valid credentials for both platforms, scoped to that user, obtained through separate OAuth flows - and a write carries fundamentally different risk than a read.

Common Approaches (And Why They Fail)

Service accounts violate least privilege, destroy audit trails, and can't replicate per-user platform permissions. Your next SOC 2 audit will not be fun.
‍

Passing the user's IdP token through doesn't work - that token authenticates them to your system, not to the CRM, the PM tool, or the data warehouse. Those are separate OAuth relationships.
‍

Authenticating the agent itself solves the wrong problem. Proving the agent is legitimate doesn't tell the downstream platform whose data it should return. What's missing is delegated authorization - a way for the agent to act with a specific user's permissions, not just with valid credentials of its own.

Production-Grade Solution: Four Core Components

Production solutions converge on four components:

1. ‍Mint an identity assertion at the edge. When the user authenticates, create a signed, short-lived token carrying their identity - audience-restricted, ideally bound to the target platform. For higher-assurance environments, use proof-of-possession (DPoP) instead of bearer tokens.
   ‍‍
2. Propagate identity, not credentials. The signed token travels through every hop. Within a single trust zone, mTLS or a service mesh can substitute for per-request signatures.
   ‍‍
3. Check policy, then exchange identity for platform credentials. A policy enforcement point sits between the identity assertion and the credential broker, deciding: can this user perform this action on this platform in this tenant? Only after that check does the broker return a platform token.
   ‍
   The broker itself is the highest-value target in the system. Treat it that way: KMS-encrypted token storage, per-user rate limits, and correlation IDs on every exchange.
   ‍
4. Execute with the user's effective permissions. The external platform - not your code - enforces the permission boundary. The agent itself stays credential-blind: it carries proof of who the user is, but never touches platform tokens.
   ‍

One principle to remember: keep credentials away from the LLM. The agent processes untrusted input; it should not hold the keys.

In practice this maps to existing standards: OAuth 2.0 Token Exchange (RFC 8693) for the credential exchange step, and increasingly to MCP's auth spec for the agent-tool boundary.

‍

Scope Intent: Declaring What the Agent Is Trying to Do

OAuth scopes are too coarse to describe individual agent actions. A token with crm.write can update one record or wipe out the entire opportunity table - the scope alone doesn't distinguish them. That's why every credential exchange should also carry an action intent: a per-request declaration of what the agent is about to do, on which resource, in which context.
‍

Concretely, intent is a structured payload sent alongside the identity token at the policy check step. It should include:

• The action (e.g., read, update, delete, bulk_delete)
• The target resource (a specific record ID, a query, a board ID)
• The triggering context (the user's original request, environment, channel)

‍

The policy enforcement point uses intent to decide more than just "is this user allowed?" It can compare the declared intent against what the user actually asked for, require step-up confirmation for high-risk actions, rate-limit by action type, and produce an audit log that captures what the agent was trying to do, not just which API it called.
‍

Without intent, every authorized call looks the same. With intent, "user X tried to delete 5,000 records" is a different audit event from "user X read 5 records" - and your policy layer can treat them differently.

‍

When the Token Is Right but the Intent Is Wrong

Everything above this section is classical security applied to a new context. This part is where AI genuinely breaks the auth model in a new way.
‍

A correctly issued identity token proves who the user is. It cannot prove that the agent's next action reflects what the user actually wants. A malicious email subject line, a poisoned web page, a crafted CRM note - any untrusted text the agent reads can override the agent's instructions while it still holds the user's full permissions. The auth layer sees a perfectly authorized request. The user sees their inbox emptied.
‍

This is where scope intent earns its keep. If every tool call must declare its intent before executing, the policy layer can check whether that intent matches what the user actually asked for - and flag the mismatch when prompt injection tries to steer the agent toward something the user never requested. Intent declaration alone won't stop PI, but it gives you a verifiable hook other defenses can build on: tool allowlists per agent, mandatory confirmation for writes, separate trust zones for tool execution, per-user rate limits. None are sufficient alone. This is the threat that justifies treating AI agent identity as a distinct discipline rather than an integration checkbox.

‍

What Else Will Bite You in Production

A short list, because every team rediscovers these the hard way:

• The OAuth zoo. Static vs. rotating refresh tokens, workspace-scoped URLs, header quirks - every platform is different. You will build per-platform refresh logic.
• Concurrent refresh = silent logout. Two parallel refreshes can trigger replay-attack revocation. Coordinate with a lock.
• Reads ≠ writes. Different operation types deserve different controls. Treating all tool calls equally is a dangerous simplification.
• Revocation isn't automatic. When a user disconnects or leaves, tokens must die immediately - not on the next refresh cycle.

Conclusion: Build the Identity Layer First

Remember that team from the opening - the one whose demo died in the Q&A? They eventually shipped. But not before investing time in retrofitting an identity layer they should have built on day one. The agent didn't change. The auth model around it did.

Most teams building production agents are solving some version of this problem, and most are solving it from scratch. That's the same trajectory API gateways followed a decade ago.
‍

The teams that skip identity work won't fail dramatically. They'll just never get past internal demos. The first security review will end the project.

Build the identity layer before you build the second agent. It's not the exciting part. But it's the part that separates production systems from demos.

At CloudZone, we help teams get this right from day one. Let’s talk.

‍