Descope targets agentic AI identity gap with Hub 2.5 launch

As AI agents proliferate, Descope's updated identity platform tackles the hardcoded-secrets crisis undermining enterprise agentic deployments.

By Disrupts Editorial Team Wed, 10 Jun 2026 - 06:55

Colorful fiber optic cables are spread across a white surface, with a bright light emanating from a clear segment connecting blue and orange cables.

Descope, the California-based identity platform, has released version 2.5 of its Agentic Identity Hub — a dedicated authentication and authorisation layer designed specifically for AI agents and Model Context Protocol (MCP) servers. The update arrives as enterprises scramble to deploy agentic AI systems while simultaneously discovering that the identity infrastructure underpinning those systems was never built for non-human actors.

The problem is not abstract. Research cited by Descope from GitGuardian found that 28.65 million new hardcoded secrets were added to public GitHub repositories in 2025 — a 34% year-on-year increase. A separate study from API-management firm Gravitee found that only 22% of development teams treat AI agents as independent identities, with most relying on shared API keys that offer no meaningful audit trail, no scope restriction, and no revocation pathway. As agentic deployments scale from pilots to production, that shortcut becomes a material security liability.

Identity as infrastructure

The 2.5 release introduces several capabilities aimed at closing that gap. Enhanced access policies allow organisations to set granular, least-privilege authorisation rules for agents accessing backend APIs or MCP servers, using OAuth Token Exchange flows to maintain clear attribution. New support for autonomous agents — those operating without a delegating human user — enables them to authenticate and receive scoped, policy-backed credentials independently. A human-in-the-loop mechanism, built on the Client-Initiated Backchannel Authentication (CIBA) standard, lets users approve sensitive agent actions out-of-band, via push notification or email, before a time-bound elevated token is issued.

Descope has also added standalone MCP authentication, allowing organisations to bolt on MCP auth and consent without replacing existing user authentication systems — a deliberate design choice aimed at reducing the adoption barrier for enterprises with entrenched identity stacks. You.com, WisdomAI, Daylight Security, and Octave are cited as live customers. "The Agentic Identity Hub already powers auth for hundreds of MCP servers and millions of agentic transactions," said Slavik Markovich, Co-Founder and CEO of Descope.

The analyst community is broadly aligned with the thesis. "In the race to deploy AI systems, organisations are employing identity anti-patterns that can't be governed at scale," said Alejandro Leal, Senior Analyst at KuppingerCole. "Enforcing scoped, delegated access and maintaining identity context across API interactions is critical for secure, sustainable AI growth."

The convergence angle: where cybersecurity meets the agentic stack

The Descope announcement sits at the intersection of two accelerating trends that cross-sector strategists should track together. First, the proliferation of agentic AI architectures — where autonomous software agents execute multi-step workflows, call external APIs, and interact with data systems without human intermediation — is creating an entirely new attack surface that traditional identity and access management (IAM) vendors, built for human users, are poorly positioned to address. Second, the rapid standardisation around MCP as an interoperability protocol for AI agents is concentrating risk: a compromised MCP server identity becomes a skeleton key across any system the agent can reach.

For enterprise technology buyers, this is already prompting a reassessment of IAM vendor relationships. Incumbent providers such as Okta and Microsoft Entra ID were architected around the assumption that an identity maps to a person. The agentic era breaks that assumption structurally. Descope, alongside a small cohort of purpose-built agentic identity startups, is positioning to capture the IAM refresh cycle that enterprises will need to fund — a cycle that touches cloud infrastructure spend, cybersecurity budgets, and the operational roadmaps of any organisation deploying AI at scale.

From a capital-allocation perspective, the identity layer of the agentic stack remains relatively underfunded compared with model infrastructure and orchestration tooling. That gap is likely to close as enterprise security teams begin formally auditing agentic deployments — a process regulators in the EU, under the AI Act's operational-security provisions, are beginning to formalise. For investors scanning the agentic AI landscape, the identity and governance layer may represent one of the more defensible infrastructure bets in the current cycle.