Agent OAuth Scope Drift Detection
Monitor OAuth token scopes granted to AI agents and alert when scopes exceed the originally authorized set or when new permissions are acquired outside the formal provisioning process.
Objective
Prevent privilege escalation in AI agents that interact with OAuth-protected systems by detecting when token scopes have expanded beyond what was explicitly authorized.
Maturity Levels
Initial
OAuth tokens for AI agents are not inventoried; scope changes are not detected.
Developing
An inventory of agent OAuth tokens exists but is reviewed manually and infrequently.
Defined
Authorized scopes for each agent are documented at provisioning; automated alerts fire when live scopes diverge from the authorized set.
Managed
Scope drift is tracked as a metric; reports are reviewed by security on a defined cadence; unexplained drift triggers an access review.
Optimizing
Scope drift triggers automatic token revocation for non-allowlisted expansions; agents must re-authorize through the formal provisioning process.
Evidence Requirements
What an auditor or assessor would expect to see for this control.
- Agent OAuth token inventory with authorized scope baselines, provisioning dates, and approving humans
- Automated scope drift detection configuration and alert thresholds
- Alert history showing detected scope deviations and their disposition (accepted with justification, or revoked)
- Agent deployment pipeline configuration confirming scope manifest requirement before go-live
- Periodic access review records for agent OAuth tokens
Implementation Notes
Key steps
- Inventory all OAuth tokens held by AI agents, including tokens obtained via tool-use integrations (calendar, email, CRM, code repos).
- For each token, document the authorized scope set at the time of provisioning and the approving human.
- Implement a daily or continuous scan that compares live token scopes against the authorized baseline; log and alert on any deviation.
- Treat any unrecognized scope as a potential security event — investigate before accepting or revoking.
- Include scope baseline checks in agent deployment pipelines so new agents cannot go live without a documented, approved scope manifest.
Example Implementation
Sales automation agent with calendar, email, and CRM integrations
Agent OAuth Scope Baseline — Sales Automation Agent v2
| Integration | Authorized scopes | Provisioned | Approved by |
|---|---|---|---|
| Google Calendar | calendar.readonly | 2026-03-01 | T. Nguyen (Security) |
| Gmail | gmail.send, gmail.readonly | 2026-03-01 | T. Nguyen (Security) |
| Salesforce | read, write (Opportunities) | 2026-03-01 | T. Nguyen (Security) |
Drift alert — 2026-05-14: Live token shows gmail.modify added. Disposition: Not in baseline. Token revoked. Root cause: agent tool update silently requested broader scope. Vendor notified.
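The baseline comparison from the key steps, as an added example (not part of the original control text or any vendor's code): it checks space-delimited live scope strings against the baseline table above and reproduces the 2026-05-14 gmail.modify alert. The integration keys, the `code-repo` entry and the live-scope sample are constructed for illustration; fetching live scopes from each provider is assumed to happen elsewhere.

```python
from dataclasses import dataclass

# Baseline copied from the table above; integration keys are names chosen for this example.
BASELINE = {
    "google-calendar": frozenset({"calendar.readonly"}),
    "gmail": frozenset({"gmail.send", "gmail.readonly"}),
}

@dataclass(frozen=True)
class Finding:
    integration: str
    severity: str   # "alert" (expansion or unknown token) or "info" (narrower than approved)
    reason: str
    scopes: tuple

def parse_scopes(scope_field: str) -> frozenset:
    """Split a space-delimited OAuth scope string (RFC 6749 section 3.3).
    Scope values are case-sensitive, so they are not lowercased."""
    return frozenset(scope_field.split())

def detect_drift(live: dict, baseline: dict = BASELINE) -> list:
    """Compare live scope strings per integration against the authorized baseline."""
    findings = []
    for integration, scope_field in sorted(live.items()):
        granted = parse_scopes(scope_field)
        authorized = baseline.get(integration)
        if authorized is None:
            # Token exists for an integration that never went through provisioning.
            findings.append(Finding(integration, "alert", "no-baseline", tuple(sorted(granted))))
            continue
        added = granted - authorized
        if added:
            findings.append(Finding(integration, "alert", "scope-added", tuple(sorted(added))))
        missing = authorized - granted
        if missing:
            # Not an escalation, but the inventory no longer matches the live token.
            findings.append(Finding(integration, "info", "scope-missing", tuple(sorted(missing))))
    return findings

# Constructed sample of live scopes, mirroring the 2026-05-14 drift alert above.
LIVE_SAMPLE = {
    "google-calendar": "calendar.readonly",
    "gmail": "gmail.send  gmail.readonly gmail.modify",
    "code-repo": "repo",  # constructed: integration absent from the baseline
}

if __name__ == "__main__":
    for f in detect_drift(LIVE_SAMPLE):
        print(f"{f.severity.upper()} {f.integration}: {f.reason} {list(f.scopes)}")
```

Run in a deployment pipeline, the same function can gate go-live: any `no-baseline` finding means the agent has no approved scope manifest for that integration.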
