Why Token Handling Must Evolve for AI Agents

J Simpson
May 6, 2026

Between August 9 and August 17, 2025, malicious actors were able to export data from over 700 organizations. To make matters worse, the breach, referred to as UNC6395, was caused by insecure tokens leaked by a third-party app called Salesloft.

As a representative from Google put it in a statement, “After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments. GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens.”

Data breaches caused by improper access token usage are rampant. A 2025 report from Verizon found that 21% of data breaches are caused by credential abuse. They also report 88% of basic web application attacks are caused by stolen credentials.

Too often, access tokens fall outside of our cybersecurity systems, becoming a crack in the armor we spend so much time building. This oversight extends to AI, which many developers still consider to be outside the governance of traditional cybersecurity solutions. This thinking is unsustainable, however, given that one out of three AI adopters have already experienced a breach related to AI. A new approach to cybersecurity, and especially to token handling, is clearly needed. Below, we’ll see why and how token handling for AI agents must evolve.

Improving Token Handling for the Agentic Era

Agentic AI further complicates the issue. Traditional API authentication is designed for humans asking for permission to do something. Once they’ve got an access token, they’ve often got free rein to do what they want. A different approach to token management is needed in the era of autonomous AI agents, which often act in unpredictable ways.
As Jacob Ideskog, co-founder and CTO at Curity, who recently released Access Intelligence, a real-time authorization system for enterprise AI agents, puts it, “Authentication is a moment, but authorization is a process. Most identity systems were built for the moment. We built for the process.”

To support this authorization process, token handling must evolve in a number of key areas.

It Needs to Happen at Runtime

In traditional identity and access management, authorization only occurs at the beginning of a transaction. An entity is given a set of permissions at the beginning, and those credentials are evaluated for each interaction. This model breaks down completely in agentic AI, as agents often aren’t predictable or around long enough to make this setup sustainable. Instead, the system needs to evaluate each call as it occurs. This real-time evaluation, performed when an action is executed, is also known as just-in-time authorization.

Must Be Highly Context-Dependent

In the agentic era, cybersecurity systems need context to do their jobs effectively. It’s not enough for an agentic system to know who’s making the call; it also needs to know why they’re making it, and what the system’s condition is at the exact moment the call is made. Agents need their own identity, as do tools and skills, in order to determine how much access should be granted. Without this layer, authorization can become either too permissive or overly restrictive.

Tokens Should Be Short-Lived

Persistent tokens were designed for human users, where a person logs in and performs a relatively limited series of actions in a short amount of time. Existing security measures fall short when agents are involved, as agents often act unpredictably. There’s no telling how long they’ll log in for or what they’ll do while in the system.
Simply handing out a universal token granting access to all tools and assets would be a terrible idea, as it would allow any bad actor with access to the token to do essentially anything they want. Instead, tokens should be as short-lived as possible, issued for each individual request.

Highly Scoped to Agent’s Needs, and Nothing More

Least privilege is one of the central ideas in cybersecurity, but it becomes even more vital when AI agents are involved. Agentic AI doesn’t always possess the common sense to protect systems from extreme errors. If granted limitless permissions, one errant agent could theoretically spell disaster for an organization. Issuing tokens that offer as little access as possible becomes even more of a priority in light of this reality.

An Example of Token Handling in the Era of AI Agents

Imagine that you authorize an AI agent to act as a virtual travel agent on your behalf. This would give the agent the ability to purchase as many tickets as your budget will allow, as long as the access token remains active. In a traditional authorization system, a long-lasting access token would likely be granted for the duration of the session.

Giving an AI agent that amount of privilege could be a disastrous mistake for numerous reasons. A bad actor could potentially get access to this agent and buy every seat on a flight to Acapulco without setting off any warning bells, for example. Or, an agent operating in good faith could misinterpret its prompt, resulting in a similar outcome.

Adding guardrails helps to provide the correct scope for an agent, which lets the system issue tokens that offer as little privilege as possible while still remaining useful. By adding context, the agentic system limits the scope to a particular action. If you tell the agentic AI to purchase a plane ticket to San Francisco next Tuesday, for example, the system should only keep the access token active for that specific transaction.
It will also restrict the actions that are allowable. In this example, if the agent were to try to do something other than look up flight information, make a reservation, or purchase a ticket, the transaction would not complete.

Agentic AI Requires Intelligent Token Handling

Considering how much damage a rampaging AI agent could inflict, it’s no surprise that developers have been rushing to implement innovative new ways to add context to AI ecosystems. Specifications like MCP, Arazzo, A2A, and ANP all help agentic systems understand not only what an agent is but also what it’s doing. Emerging technologies like Curity’s Access Intelligence fulfill a similar function on the backend.

While protocols can help agentic systems give agents an identity and monitor their activities, better token intelligence is necessary to evaluate an agent’s identity, who it’s working for, and a reasonable scope for its activities, all of which are completely auditable. Handling tokens properly lets you make the most of your AI agents while keeping the system easy to use and efficient.

AI Summary

This article explains how token handling must evolve to support secure, real-time authorization for AI agents operating across modern API ecosystems. Traditional token handling models rely on static, session-based authorization, which breaks down in agentic systems where actions are dynamic and unpredictable. Real-time authorization evaluates each API call as it occurs, enabling just-in-time access decisions based on current context, intent, and system state. Effective token handling requires short-lived, highly scoped tokens that limit access to specific actions, reducing the risk of misuse or credential leakage. Context-aware access control introduces identity for agents, tools, and workflows, helping systems determine not only who is acting, but why and under what conditions.
Emerging standards and frameworks, including MCP and Arazzo, alongside token intelligence systems, support more granular, auditable authorization for non-human identities. Intended for API architects, security engineers, and platform teams designing access control and token strategies for AI-driven systems.
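
The travel-agent scenario above, sketched as an added example (not code from the article or from any product it mentions): a token is minted for one task, and every call is checked at execution time against expiry, allowed actions, task context, and single use. The HMAC token format, the function names, the action names, and the in-memory spent-token set are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SIGNING_KEY = b"constructed-demo-key"  # constructed; a real issuer uses managed keys
_spent = set()                         # jti values already used for a purchase

def _sign(body: str) -> str:
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_token(agent, on_behalf_of, actions, constraints, ttl=30, now=None):
    """Mint a token for one task: which agent, acting for whom, allowed to do what."""
    now = time.time() if now is None else now
    claims = {"jti": secrets.token_hex(8), "agent": agent, "sub": on_behalf_of,
              "actions": sorted(actions), "constraints": constraints,
              "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + _sign(body)

def authorize(token, action, params, now=None):
    """Evaluate one call at the moment it executes; returns (allowed, reason)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        return False, "expired"
    if action not in claims["actions"]:
        return False, "action not in scope"
    for key, expected in claims["constraints"].items():
        if params.get(key) != expected:      # call must match the task context
            return False, f"constraint mismatch: {key}"
    if action == "purchase_ticket":          # one purchase per token
        if claims["jti"] in _spent:
            return False, "token already spent"
        _spent.add(claims["jti"])
    return True, "ok"

if __name__ == "__main__":
    tok = issue_token("travel-agent-1", "alice",
                      {"search_flights", "purchase_ticket"}, {"destination": "SFO"})
    for call in [("search_flights", {"destination": "SFO"}),
                 ("purchase_ticket", {"destination": "SFO"}),
                 ("purchase_ticket", {"destination": "SFO"}),
                 ("purchase_ticket", {"destination": "ACA"})]:
        print(call[0], call[1], authorize(tok, *call))
```

A leaked copy of this token is useful for at most one San Francisco purchase within its 30-second lifetime, which is the property the article argues for.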