The next wave of identity standards is arriving just in time for the rise of AI agents. The IETF’s proposed Identity Assertion Authorization Grant (aka ID-JAG) is an OAuth 2.0 profile that lets an identity provider issue access tokens for multiple services based on an existing identity assertion such as an OpenID Connect ID Token or a SAML assertion. It’s a clean, elegant approach to centralized authorization for workloads, non-human identities, and agentic AI systems. 

But history suggests elegance isn’t enough. ID-JAG’s “same IdP” assumption breaks down in complex enterprises where multiple providers coexist, and political fiefdoms between major vendors may stall cross-ecosystem trust. Meanwhile, smaller SaaS players often lag in adopting new OAuth profiles, threatening to fragment the standard’s promise of unified, auditable policy enforcement.

This session examines ID-JAG through the lens of SAML’s early federation struggles to show what’s different, what’s not, and why AI-driven urgency could change the outcome. Where SAML grew slowly from the bottom up, ID-JAG may advance top-down—pushed by executives, regulators, and security teams demanding stronger control over agent-driven access across the cloud.