Hello, innovators and identity architects!
A few months ago, I shared my thoughts on the future of AI agents – and why OAuth must evolve. We explored how AI agents, with their newfound autonomy and need for secure, programmatic access, challenge the very foundations of how we think about authorization. Today, I want to address the equally important but less visible area of identity provisioning and governance.
As AI agents transition from concept to widespread implementation, the current identity infrastructure—effective for humans and traditional applications—must adapt to new requirements. Along with the need for advanced authorization mechanisms in OAuth, AI agents also require updated approaches to identity lifecycle management and to provisioning those identities and their access. This brings us to the System for Cross-domain Identity Management (SCIM), the protocol for automated identity exchange between systems.
SCIM today: The foundation for human identity
For years, SCIM has been the workhorse of enterprise identity. It's the standard that seamlessly provisions and de-provisions human users and groups between disparate systems—from your core identity provider like Microsoft Entra ID to SaaS applications, IaaS/PaaS and on-premises systems, and countless other platforms. SCIM's elegance lies in its simplicity and standardization, allowing for automated, secure, and efficient identity synchronization across hundreds of applications.
The agentic shift: New demands on SCIM
Now imagine an ecosystem teeming with AI agents. These aren't just users with accounts; they're autonomous entities, often with highly specialized functions, dynamic lifecycles, and a need to be understood and managed across an enterprise. These agents will work alongside human users in the same cloud and on-premises systems, so they will need identities, with access, in those systems as well. This requires enhancements to traditional SCIM implementations.
- Agents as first-class identities: How do we represent an AI agent as a distinct identity within existing applications? An agent is not a user in the way SCIM currently represents one; it has different properties and authenticates differently from a human user.
- Flexible lifecycle: Agents, their identities, and their access can all be ephemeral. While some agents may need access to an application indefinitely, we also expect agents to be created on demand for specific tasks. Their provisioning, updates, and de-provisioning will be triggered by different events than the HR changes that trigger updates for human users and their access.
- Capability and access provisioning: Like humans with roles, agents often use tools and can also provide capabilities to other agents. How do we provision not just the agent's identity, but also its capabilities, so that applications those agents use understand what the agent needs to do, and how it can interact with other agents in the same application?
- Consistent Identity Governance: Consider scenarios where an AI agent needs a representation in an Enterprise Resource Planning (ERP) system to trigger a business process on behalf of a user, or to autonomously access specific and regulated data for a task. We need to ensure these agents that interact with critical enterprise systems have the necessary, but tightly controlled, access, through approvals and regular reviews, and their access and activities can be audited.
SCIM is still the answer
SCIM remains the most logical and powerful foundation for agent identity and access provisioning. Its core principles—standardized schema, RESTful API, and focus on automation—together with broad industry adoption are precisely what we need. To meet the demands above, however, SCIM must evolve.
Key areas for SCIM's evolution in the agentic era:
- Agent-specific schema: We need standardized extensions to the SCIM schema to represent agent-specific attributes: how the agent will authenticate to the application, capabilities exposed, responsible human, and access rights for agents. This allows applications to represent an agent's true nature, as distinguished from the existing SCIM users for humans.
- Event-driven provisioning and lifecycle: The creation of a new task-specific agent identity, its temporary existence, and its eventual termination trigger updates automatically across the applications the agent will use, without manual intervention.
- Representing the lifecycle of agent access rights: SCIM is needed not just to provision an agent's identity but also to provision its access requirements, tools, or "skills" to target applications. This allows applications to enforce access assignment workflows, so agents cannot request inappropriate access, and to dynamically enforce policies on what an agent can do with that access and how other agents can interact with it.
- Maintaining the delegated authority context: As agents act on behalf of humans or other agents, SCIM will work alongside other protocols, including OAuth, that carry the context of that delegation. This ensures that when an agent initiates an action autonomously, or while assisting another agent or human user, the agent's identity and any additional human or agent on whose behalf it is acting can be correlated in the audit trail.
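To make the schema and lifecycle points above concrete, here is an added example (not Microsoft's code and not the IETF Internet-Draft's schema) of how an application's SCIM endpoint might validate an agent resource and apply PATCH-based lifecycle updates. The core URNs are the real SCIM 2.0 identifiers from RFC 7643 and RFC 7644; the agent extension URN, its attribute names (authenticationMethod, responsibleHuman, capabilities) and the allowed authentication methods are placeholders chosen for illustration, and the sample agent is constructed.

```python
# Added example: SCIM 2.0 agent resource validation and PATCH lifecycle handling.
# Core URNs are real (RFC 7643 / RFC 7644); the agent extension URN and attribute
# names are placeholders, not the schema defined by the IETF Internet-Draft.
import copy

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"          # RFC 7643
PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"   # RFC 7644
# Placeholder URN standing in for an agent schema extension (assumption).
AGENT_EXT = "urn:example:params:scim:schemas:extension:agent:1.0:User"

# Attributes the post says an agent schema needs; names are assumptions.
REQUIRED_AGENT_ATTRS = ("authenticationMethod", "responsibleHuman")
# Authentication methods this application accepts from agents (assumed policy).
ALLOWED_AUTH_METHODS = {"federatedCredential", "certificate"}


def make_agent_resource(agent_id, display_name, auth_method, responsible_human, capabilities):
    """Build a SCIM User resource that carries the placeholder agent extension."""
    return {
        "schemas": [USER_SCHEMA, AGENT_EXT],
        "id": agent_id,
        "userName": f"agent-{agent_id}",
        "displayName": display_name,
        "userType": "agent",  # core attribute; the value is a local convention
        "active": True,
        AGENT_EXT: {
            "authenticationMethod": auth_method,
            "responsibleHuman": responsible_human,  # SCIM id of the accountable person
            "capabilities": list(capabilities),    # tools or skills the agent may use
        },
    }


def validate_agent_resource(resource):
    """Return a list of problems; an empty list means the agent resource is acceptable."""
    problems = []
    schemas = resource.get("schemas", [])
    if USER_SCHEMA not in schemas:
        problems.append("missing core User schema")
    if AGENT_EXT not in schemas:
        problems.append("missing agent extension schema")
    ext = resource.get(AGENT_EXT, {})
    for attr in REQUIRED_AGENT_ATTRS:
        if not ext.get(attr):
            problems.append(f"missing required agent attribute: {attr}")
    method = ext.get("authenticationMethod")
    if method and method not in ALLOWED_AUTH_METHODS:
        problems.append(f"authentication method not allowed for agents: {method}")
    caps = ext.get("capabilities", [])
    if not isinstance(caps, list) or any(not isinstance(c, str) or not c for c in caps):
        problems.append("capabilities must be a list of non-empty strings")
    return problems


def _split_path(path):
    """Map a SCIM attribute path to (extension container key or None, attribute name)."""
    prefix = AGENT_EXT + ":"
    if path.startswith(prefix):
        return AGENT_EXT, path[len(prefix):]
    return None, path


def apply_patch(resource, patch):
    """Apply a SCIM PatchOp (add/replace/remove on simple paths); returns a new resource."""
    if PATCH_OP_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    result = copy.deepcopy(resource)  # the stored resource is never mutated in place
    for op in patch["Operations"]:
        container_key, attr = _split_path(op["path"])
        target = result.setdefault(container_key, {}) if container_key else result
        kind = op["op"].lower()
        if kind == "add" and isinstance(target.get(attr), list):
            # Adding to a multi-valued attribute appends rather than overwriting.
            value = op["value"] if isinstance(op["value"], list) else [op["value"]]
            target[attr] = target[attr] + value
        elif kind in ("add", "replace"):
            target[attr] = op["value"]
        elif kind == "remove":
            target.pop(attr, None)
        else:
            raise ValueError(f"unsupported op: {op['op']}")
    return result


def deprovision_patch():
    """PatchOp an identity provider would send when a task-specific agent is terminated."""
    return {
        "schemas": [PATCH_OP_SCHEMA],
        "Operations": [
            {"op": "replace", "path": "active", "value": False},
            {"op": "replace", "path": AGENT_EXT + ":capabilities", "value": []},
        ],
    }


if __name__ == "__main__":
    # Constructed sample agent, not a real identity.
    agent = make_agent_resource("a1", "Invoice triage agent", "federatedCredential",
                                "u42", ["erp.invoice.read"])
    print(validate_agent_resource(agent))            # [] when acceptable
    print(apply_patch(agent, deprovision_patch())["active"])  # False
```

The validator rejects an agent that has no responsible human or that tries to authenticate like a human user, and `deprovision_patch` shows the event-driven termination step: the identity provider disables the account and clears its capabilities in one PATCH, leaving the record in place for audit rather than deleting it outright.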
The future: A secure, seamless agent ecosystem
An evolved SCIM, working together with an evolved OAuth, is critical for building a truly secure, interoperable, and scalable AI agent ecosystem. When agents can be seamlessly provisioned with precise identities and capabilities into any enterprise system, our customers gain unprecedented flexibility and control.
Standardized schema extensions allow us to provision agents with the rich context applications need. At Microsoft, we're deeply invested in this evolution. Our teams are actively involved in platform-neutral discussions on enhancing SCIM for the agentic era, including submitting an Internet-Draft of a SCIM Agentic Identity Schema to the Internet Engineering Task Force (IETF).
The platform we’re building with Microsoft Entra Agent ID is our foundational step, providing a secure, centralized hub for managing agent identities and their associated metadata. This solution will not only manage native Microsoft agents but also third-party agents, leveraging standards like SCIM to ensure consistent and secure provisioning across the entire digital estate.
This is a journey we're embarking on with our partners and the broader identity community. Your feedback and insights are invaluable as we shape the future of identity for AI agents.
What are your thoughts on SCIM's role in the agentic future? Let me know in the comments. You might also want to read more and join the discussion in the IETF System for Cross-domain Identity Management (SCIM) working group.
Alex Simons
Corporate Vice President, Microsoft Entra
Related posts:
- Igor Sakhnov | Securing and governing autonomous agents with Microsoft Security
- Alex Simons | The future of AI agents—and why OAuth must evolve
- Alex Simons | Announcing Microsoft Entra Agent ID: Secure and manage your AI agents
- Vasu Jakkal | Microsoft extends Zero Trust to secure the agentic workforce