OAuth-based authentication is becoming the default foundation for MCP-enabled systems. However, while authentication is standardized, authorization across agent boundaries remains unresolved.

In multi-agent MCP pipelines, orchestrators delegate tasks to sub-agents that act using the user’s authority. This creates a classic confused deputy problem: a sub-agent executes with valid credentials, but under the influence of untrusted inputs such as prompt injections or malicious tool manifests. As a result, it can access or exfiltrate data beyond the user’s original intent.

This talk demonstrates how privilege propagation, not authentication failure, is the core risk.

I will present a three-layer enforcement model:

1) Token attenuation using RFC 8693 to restrict sub-agent privileges at delegation time
2) Policy enforcement using Open Policy Agent to treat every tool call as untrusted input
3) Structured audit trails to ensure post-incident analysis

Live demo: the same MCP pipeline executed twice, first with default delegation (resulting in silent data exfiltration via prompt injection), and then with all three controls applied, where the attack is blocked, logged, and auditable.