Agent Identity Is Not Agent Authorization: What Entra Agent ID Still Leaves to Runtime Policy
Blog post from Permit.io
Microsoft's Entra Agent ID framework marks a significant advancement in enterprise identity and access management (IAM): it treats AI agents as first-class identities that can be registered, governed, and audited. It also exposes a crucial gap between identity and authorization, because an agent can hold a valid identity and still perform unauthorized actions. Agent identity means recognizing an AI agent as a distinct principal; agent authorization is a separate runtime decision about whether that agent should be allowed to perform a specific action in a given context. The architecture suggests using an MCP gateway as a policy enforcement point that intercepts tool calls and evaluates them against a policy decision point, so that each call is checked against authorization requirements. Entra Agent ID, alongside standards like SD-JWT and A2A protocols, focuses on authentication and governance, and needs an additional enforcement layer for runtime authorization to ensure that agents act within their intended scope and context.
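A sketch of the enforcement pattern described above, added here as an example and not code from Permit.io or Microsoft: a gateway (policy enforcement point) asks a default-deny policy decision point about every tool call, so an agent with a valid identity is still refused outside its scope. The agent name, tool names, policy rules and the `identity_valid` flag (standing in for real token validation) are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ToolCall:
    agent_id: str       # principal taken from an already-validated agent token
    on_behalf_of: str   # user the agent acts for ("" if none)
    tool: str
    resource: str
    context: dict       # runtime facts supplied with this call

# Constructed policy: (agent, tool) -> condition over the whole call.
POLICY = {
    ("agent:invoice-bot", "crm.read"): lambda c: c.resource.startswith("accounts/"),
    ("agent:invoice-bot", "payments.refund"): lambda c: (
        c.on_behalf_of != ""                    # requires a delegating user
        and c.context.get("amount", 0) <= 100   # per-call limit
    ),
}

def pdp_decide(call):
    """Policy decision point: default deny, evaluated per call."""
    rule = POLICY.get((call.agent_id, call.tool))
    if rule is None:
        return False, "no policy grants this tool to this agent"
    if not rule(call):
        return False, "policy conditions not met in this context"
    return True, "allowed"

def gateway_handle(call, identity_valid, tools):
    """Policy enforcement point: runs before any tool backend is reached."""
    if not identity_valid:                      # authentication (identity)
        return {"status": 401, "reason": "agent not authenticated"}
    allowed, reason = pdp_decide(call)          # authorization (runtime)
    if not allowed:
        return {"status": 403, "reason": reason}
    return {"status": 200, "result": tools[call.tool](call)}

# Stand-ins for tool backends behind the gateway (constructed).
TOOLS = {"crm.read": lambda c: f"read {c.resource}",
         "payments.refund": lambda c: f"refunded {c.context['amount']}"}

def demo():
    """Three calls from the same authenticated agent; returns status codes."""
    bot = "agent:invoice-bot"
    calls = [ToolCall(bot, "alice", "payments.refund", "order/17", {"amount": 40}),
             ToolCall(bot, "alice", "payments.refund", "order/18", {"amount": 5000}),
             ToolCall(bot, "alice", "hr.export", "employees/", {})]
    return [gateway_handle(c, True, TOOLS)["status"] for c in calls]
```

The second and third calls carry the same valid identity as the first; only the runtime decision differs.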