Agentic AI are smart computer programs that can make decisions and take actions on their own. Imagine a personal assistant that can book flights for you or manage your bank account. In a more specialized context, it could generate and run SQL from natural language and refine that based on your feedback. As one could imagine, this is changing how we interact with technology, and more importantly how can we trust and manage the access we give Agentic AI? 

For these agents to truly thrive, they need to access real-time data and external tools, which was historically a messy process with custom integrations. This is where the Model Context Protocol (MCP) comes in. MCP is an open standard that provides a universal language allowing AI systems to easily and reliably “plug in” to different data sources and services. It defines a structured way for agents to access capabilities, get information, and ensure consistent, safe responses.  

While MCP primarily provides the communication framework, it also specifies use of OAuth 2.1 for handling security measures. This allows developers to implement or use any auth system that follows OAuth 2.1, ensuring MCP remains open for easier adoption. You might not know it by name, but you use OAuth every time you log into a website using your Google or Facebook account. It’s a standard that allows you to grant one application limited access to your information on another website without sharing your password. 

The OAuth 2.1 specification is still a draft (a working document, not a finalized standard). The goal of OAuth 2.1 is to consolidate the best practices and security enhancements that have emerged since the original OAuth 2.0 was published. Since OAuth 2.1 is a refined and specialized version of OAuth 2.0, that means MCP is following the best security practices currently available.  

What Does the Future Hold? 

 The IETF (Internet Engineering Task Force), the global body that develops internet standards, including the OAuth 2.1 Draft, and multiple “Internet-Drafts” (working documents that are not yet formal standards) specific to Agent Authorization have been submitted for discussion. These drafts are in progress, and outline different pathways for security, but the importance is clear. The security community is not ignoring the risks. Robust frameworks are being put in place that embed security verification into every step of an agent’s workflow. The goal is to ensure that AI agents have just enough access to do their job, but not enough to cause widespread harm if compromised. 

One thing stands out the most among the various Internet-Drafts, and that is the concept of “on-behalf-of.” This means an Agent will always act as a delegate (“on-behalf-of”) of a specific user. It’s likely future solutions will reuse and extend OAuth, require explicit user consent for sensitive operations, follow zero trust and least privilege standards, and allow for accountability and traceability by using OAuth Identity. 

What Does This Mean for Higher Education? 

While the specifics of how are still undetermined, making use of powerful Agentic AI does not mean they have unfettered access to your data. Agents will be limited to the same access as the user, what the user has explicitly given permission to, and limited by what resources the Agent can even ask for. First the Agent needs to be connected to a data resource (anything implementing an MCP server) then the user would have to give permission to the Agent, and lastly the user must have access to the data. With the prevalence of OAuth 2.1 its likely any data resource implementing Open ID connect (OIDC) which is just an authentication layer on top of OAuth 2.0 would be available to connect to an Agent with minimal setup. OIDC allows users to log into a trusted provider like Microsoft SSO with one set of credentials and have access to other tools without having to log in with another set of credentials.

This may seem complicated, but the important information is for institutions looking to get the most out of their Agents having SSO that is connected to the tools you use with OIDC should allow easier integration to an Agent. That means any data connected to your SSO has the potential to be utilized by an Agent. Either through OIDC, or OAuth, ensuring your data stays safe and secure.

With how fast the world of AI is changing the future of how AI Agents access data may be uncertain but rest easy knowing the security community is not ignoring the risks, and Evisions is committed to following best practices.