Enterprise-managed authorization (EMA) is an open standard for controlling how AI agents access enterprise tools and data. Defined as an extension to the Model Context Protocol (MCP), it lets an organization's identity provider grant agent access by policy, so users sign in once and admins provision, scope, and revoke access from one place.
Key takeaways#
- EMA centralizes MCP access control at the identity provider, replacing per-user, per-tool consent prompts with central policy.
- It's an open MCP extension, built on the Cross-App Access (XAA) standard.
- Users authenticate once; access follows the groups and roles they already have. Revoking at the identity provider stops new access immediately.
- EMA is an open standard that any identity provider or platform can implement.
How EMA, XAA, ID-JAG, and MCP relate#
Four terms travel together. Keeping them straight matters:
- MCP (Model Context Protocol): the open protocol AI agents use to reach tools and data.
- XAA (Cross-App Access): the open OAuth standard for identity-provider-brokered access between apps and agents. Its formal IETF name is the Identity Assertion JWT Authorization Grant.
- ID-JAG: the short-lived JWT that standard issues, carrying the user's identity and the scope of access.
- EMA (Enterprise-Managed Authorization): the MCP extension that applies all of the above so an enterprise identity provider governs agent access. EMA is the outcome; the others are the machinery.
First implementations began shipping in 2026, with Anthropic's Claude among the first MCP clients to support it.
How does enterprise-managed authorization work?#
EMA defines a delegated flow with four roles: the MCP client (the agent application), the enterprise identity provider, the MCP authorization server, and the MCP resource server (the tool or API).
- The user signs in to the MCP client through the enterprise identity provider, and the client receives an identity assertion (an OpenID Connect ID token or a SAML assertion).
- When the agent needs a tool, the client exchanges that assertion at the identity provider for an ID-JAG, a short-lived JWT scoped to a specific server, issued only after the provider evaluates organizational policy.
- The client presents the ID-JAG to the MCP authorization server, which validates it and returns an MCP access token.
- The agent calls the MCP resource server's API directly with that access token.
Because the identity provider decides at the moment of exchange, an unauthorized employee never receives an ID-JAG. Revoking access at the provider stops new tokens immediately, and any access token already issued expires on its short lifetime.
Why does enterprise-managed authorization matter?#
AI agents are multiplying inside the enterprise, and every one needs to reach apps and data. The old approach doesn't scale. When each user clicks through an OAuth consent for each tool, standing grants scatter across the company, security teams get no consistent policy, and access lingers after someone is offboarded.
EMA brings agent access inside the identity perimeter. Admins authorize an MCP server once for the organization, scope it by group or role, and revoke it through the identity provider they already trust. Every access decision is centralized and auditable, so the answer to "what can this agent reach, and who approved it?" is a governance record rather than a guess.
What is Cross-App Access (XAA)?#
Cross-App Access (XAA) is the open OAuth standard underneath EMA. An agent gets a short-lived, scoped token from an identity provider and calls an application's API directly, with no long-lived per-app access credential stored at the application. EMA is the MCP extension; XAA is the standard; ID-JAG is the token it issues.
What is ID-JAG?#
ID-JAG (Identity Assertion JWT Authorization Grant) is the short-lived JWT the identity provider issues in this flow. Its audience is the MCP server's authorization server, which verifies it and returns an access token. ID-JAG is defined by an IETF OAuth Working Group draft with an intended status of Standards Track. It is not yet a ratified RFC and is still subject to revision. It builds on established OAuth standards: token exchange (RFC 8693) and the JWT bearer profile (RFC 7523).
EMA vs. standard MCP authorization#
| Standard MCP authorization | Enterprise-managed authorization (EMA) | |
|---|---|---|
| Who decides | Each user, per server | The organization's identity provider, by policy |
| Setup | User authorizes each tool | Admin authorizes once; users inherit by group/role |
| Revocation | Per user, per server | At the identity provider; new access stops immediately |
| Audit | Scattered across services | One centralized record |
| Best fit | Individuals and consumer apps | Enterprises governing many agents |
Standard MCP authorization is user-driven, which is ideal for consumer apps but creates friction and gaps in an enterprise. EMA makes the organization's identity provider the authoritative decision-maker, so access is granted by policy, consistently, across every MCP client the company runs. It doesn't replace OAuth; it builds on it.
How do enterprises adopt enterprise-managed authorization?#
Connect your identity provider, choose which MCP servers to enable, and scope them by the groups and roles you already manage. For apps that support the standard, agents get direct, scoped access. For the apps, on-premises systems, and legacy tools that don't support it yet, a gateway governs those connections under the same policy, so coverage isn't limited to the standards-ready slice.
Govern enterprise-managed authorization with C1#
C1 is the control plane for agent access. C1 acts as an enterprise identity provider and token issuer for enterprise-managed authorization, and governs everything the standard doesn't reach yet through its AI Access Management (AIAM) gateway, all from one console.
- One control plane for every way an agent reaches an app, the standard and everything else.
- One policy and one audit trail across the direct path and the gateway.
- Short-lived, scoped tokens on the direct path, with no standing per-app secrets to manage.
- Govern agents like people: the same access reviews, certifications, and approvals.
Ready to govern agent access? Book a demo to see C1 in action.

