Wiki · Concept · Last reviewed June 25, 2026

SCIM (System for Cross-domain Identity Management)

SCIM is an IETF identity-provisioning standard for moving user, group, and related identity lifecycle data across organizational and service boundaries. For AI agents, it is best read as account lifecycle plumbing: useful for creating, updating, disabling, and reconciling identities, but not a substitute for authentication, authorization, or audit policy.

Definition

System for Cross-domain Identity Management, usually abbreviated SCIM, is a standards suite for provisioning and managing identity data across domains. RFC 7643 defines the core schema and extension model for resources such as Users and Groups in JSON. RFC 7644 defines the HTTP protocol for creating, reading, searching, replacing, patching, deleting, and discovering those resources.

SCIM is not a login protocol and not an authorization framework. It does not prove that an agent is allowed to act, validate an OAuth token, or decide whether a task is safe. It supplies a common shape and transport for identity lifecycle data: who or what exists, which group or schema attributes apply, whether a resource is active, and how a service provider exposes supported capabilities.

On this site, SCIM belongs near AI Agent Identity, Digital Identity, Workload Identity in Multi System Environments (WIMSE), and Shared Signals Framework. Its agent relevance is simple: identity that can be created must also be changed, suspended, retired, and reconciled.

How It Works

A SCIM deployment has a client and a service provider. The service provider exposes identity resources through SCIM endpoints. The common resources are /Users and /Groups, while discovery endpoints such as /ServiceProviderConfig, /ResourceTypes, and /Schemas tell clients what the provider supports.

The protocol uses familiar HTTP methods. A client can create, retrieve, search, replace, patch, delete, or bulk-process resources where supported. RFC 7643 also defines schema characteristics such as mutability, returned attributes, uniqueness, and whether an attribute is required, so clients can reason about what they may write, read, or synchronize.
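The following is an added example, not code from this page or from any SCIM product, that models the pieces just described in memory: a /Users store that enforces a subset of the RFC 7643 attribute characteristics (mutability, required, uniqueness), the simplest RFC 7644 filter form, and a PATCH operation of the kind a connector sends to retire an agent account. The agent account values and the restriction to explicit-path PATCH operations on top-level attributes are this example's own assumptions.

```python
"""In-memory model of a SCIM service provider's /Users endpoint (added example)."""
import copy
import re
import uuid
from typing import Any

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Subset of the RFC 7643 User attribute characteristics the checks below use.
USER_ATTRS = {
    "id":          {"mutability": "readOnly",  "required": False, "uniqueness": "server"},
    "userName":    {"mutability": "readWrite", "required": True,  "uniqueness": "server"},
    "displayName": {"mutability": "readWrite", "required": False, "uniqueness": "none"},
    "active":      {"mutability": "readWrite", "required": False, "uniqueness": "none"},
    "groups":      {"mutability": "readOnly",  "required": False, "uniqueness": "none"},
}


class SCIMError(Exception):
    """Carries the HTTP status and scimType a provider would return."""
    def __init__(self, status: int, scim_type: str, detail: str):
        super().__init__(detail)
        self.status, self.scim_type, self.detail = status, scim_type, detail


class UserStore:
    """Holds /Users resources and enforces the schema rules in USER_ATTRS."""
    def __init__(self) -> None:
        self._users: dict[str, dict[str, Any]] = {}

    def _check_writable(self, attrs: dict[str, Any]) -> None:
        for name in attrs:
            if name == "schemas":
                continue
            meta = USER_ATTRS.get(name)
            if meta is None:
                raise SCIMError(400, "invalidValue", f"unknown attribute {name}")
            if meta["mutability"] == "readOnly":
                raise SCIMError(400, "mutability", f"{name} is readOnly")

    def create(self, body: dict[str, Any]) -> dict[str, Any]:
        """POST /Users: reject readOnly writes, missing required attributes, duplicates."""
        self._check_writable(body)
        for name, meta in USER_ATTRS.items():
            if meta["required"] and name not in body:
                raise SCIMError(400, "invalidValue", f"{name} is required")
        if any(u["userName"] == body["userName"] for u in self._users.values()):
            raise SCIMError(409, "uniqueness", "userName already exists")
        user: dict[str, Any] = {"schemas": [USER_SCHEMA], "id": str(uuid.uuid4()),
                                "active": True, "groups": []}
        user.update({k: v for k, v in body.items() if k != "schemas"})
        self._users[user["id"]] = user
        return copy.deepcopy(user)

    def get(self, user_id: str) -> dict[str, Any]:
        """GET /Users/{id}."""
        if user_id not in self._users:
            raise SCIMError(404, "", f"Resource {user_id} not found")
        return copy.deepcopy(self._users[user_id])

    def search(self, filter_expr: str) -> list[dict[str, Any]]:
        """GET /Users?filter=userName eq "x" (only this filter form is parsed here)."""
        m = re.fullmatch(r'userName eq "([^"]*)"', filter_expr.strip())
        if not m:
            raise SCIMError(400, "invalidFilter", "unsupported filter")
        return [copy.deepcopy(u) for u in self._users.values() if u["userName"] == m.group(1)]

    def patch(self, user_id: str, body: dict[str, Any]) -> dict[str, Any]:
        """PATCH /Users/{id}: RFC 7644 PatchOp, limited to explicit top-level paths."""
        if PATCH_SCHEMA not in body.get("schemas", []):
            raise SCIMError(400, "invalidSyntax", "missing PatchOp schema")
        user = self.get(user_id)  # work on a copy; commit only if every op passes
        for op in body.get("Operations", []):
            kind, path = op.get("op", "").lower(), op.get("path")
            if not path:
                raise SCIMError(400, "noTarget", "this example requires an explicit path")
            self._check_writable({path: None})
            if kind in ("add", "replace"):
                user[path] = op["value"]
            elif kind == "remove":
                if USER_ATTRS[path]["required"]:
                    raise SCIMError(400, "invalidValue", f"cannot remove {path}")
                user.pop(path, None)
            else:
                raise SCIMError(400, "invalidSyntax", f"unknown op {kind}")
        self._users[user_id] = user
        return copy.deepcopy(user)


def deactivate_agent(store: UserStore, user_id: str) -> dict[str, Any]:
    """The lifecycle step a connector sends when an agent account is retired."""
    return store.patch(user_id, {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "replace", "path": "active", "value": False}]})


if __name__ == "__main__":
    store = UserStore()
    agent = store.create({"schemas": [USER_SCHEMA],
                          "userName": "svc-agent-triage",  # constructed sample account
                          "displayName": "Ticket triage agent"})
    print(deactivate_agent(store, agent["id"])["active"])
```

Note what the model does not do: flipping `active` to false only changes the resource. Nothing here touches sessions, tokens or tool credentials, which is exactly the gap the rest of this page describes.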

The standard has continued to evolve. RFC 9865, published in October 2025, adds cursor-based pagination for large resource sets. RFC 9967, published in May 2026, defines SCIM Security Event Tokens for asynchronous provisioning coordination, replication, and request completion.

The result is an identity lifecycle plane. SCIM can tell downstream services that a user, group, or resource exists and has changed. It does not, by itself, prove that a particular runtime is the legitimate actor for a particular request. That distinction is where agent identity work begins.

Agent Context

NIST's 2026 AI Agent Standards Initiative and NCCoE concept paper put identity, authentication, authorization, auditing, and non-repudiation into the agent standards agenda. SCIM is not the whole answer, but it is an existing enterprise pattern for carrying lifecycle state for non-human identities.

An enterprise agent should not be only a name inside a prompt, a shared API key, or an undocumented service account. If an agent has durable access, the organization needs a record of owner, environment, group memberships, application assignments, active status, and retirement path. SCIM can synchronize some of that state into services that need to recognize the agent or remove it quickly.

The hard boundary is authorization. A SCIM-created account can still be over-privileged, and a deactivated SCIM user does not automatically revoke every session, token, queue lease, cache entry, or tool credential unless surrounding systems wire those events into enforcement.

Governance Risks

SCIM's risk is that lifecycle automation can make identity changes look solved when governance is weak. Connectors may create accounts with broad default groups, groups may become authorization shortcuts, and stale agent accounts may survive because they live outside the human HR lifecycle.

Privacy is also part of the protocol surface. RFC 7643 warns deployers to consider privacy agreements when personal information is distributed or propagated. For agents, account names, owners, team assignments, tool access, and state-change events can reveal projects, incidents, or sensitive automation patterns.

RFC 9967 adds useful event machinery, but receivers still need to know whether an event is authoritative, advisory, duplicated, delayed, or partial. A provisioning event should trigger local reconciliation, not blind trust that every downstream system has reached the same state.
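The receiver behaviour described here, and the point made under Agent Context that deactivation does not revoke sessions or tokens on its own, as an added example that is not code from this page, from RFC 9967, or from any product. The incoming message is modelled as a Security Event Token claim set (RFC 8417: jti, iss, iat, events) with the subject carried in an RFC 9493 "opaque" sub_id holding the SCIM user id; the event URI is a constructed placeholder, and fetch_user stands in for an authoritative GET /Users/{id} against the service provider. The receiver de-duplicates by jti, tolerates late and out-of-order delivery, and decides on the provider's current state rather than on the event payload, which may be partial.

```python
"""Receiver-side handling of SCIM provisioning events (added example)."""
import time
from dataclasses import dataclass, field
from typing import Any, Callable, Optional

DEACTIVATE_EVENT = "urn:example:scim:event:user:deactivated"  # placeholder, not an RFC value


@dataclass
class LocalState:
    """Artifacts this receiver issued itself and can therefore revoke."""
    sessions: dict[str, set[str]] = field(default_factory=dict)
    tokens: dict[str, set[str]] = field(default_factory=dict)
    revoked: list[str] = field(default_factory=list)
    recheck: list[str] = field(default_factory=list)  # subjects to poll again later


@dataclass
class EventReceiver:
    fetch_user: Callable[[str], Optional[dict[str, Any]]]  # authoritative read of /Users/{id}
    state: LocalState
    max_age_s: int = 600
    seen_jti: set[str] = field(default_factory=set)
    last_iat: dict[str, int] = field(default_factory=dict)

    def handle(self, claims: dict[str, Any], now: Optional[int] = None) -> str:
        """Process one SET and return a short outcome label for logging."""
        now = int(time.time()) if now is None else now
        jti, iat = claims.get("jti"), int(claims.get("iat", 0))
        if not jti or jti in self.seen_jti:
            return "duplicate"  # redelivery: this token was already acted on
        self.seen_jti.add(jti)
        sub = claims.get("sub_id") or {}
        user_id = sub.get("id") if sub.get("format") == "opaque" else None
        if not user_id:
            return "unroutable"  # cannot tie the event to a local subject
        out_of_order = iat < self.last_iat.get(user_id, 0)
        self.last_iat[user_id] = max(iat, self.last_iat.get(user_id, 0))
        # Whatever the payload says (it may be partial, late or out of order),
        # the decision is made on the provider's current state, not on the event.
        current = self.fetch_user(user_id)
        if current is None or not current.get("active", False):
            return self._revoke(user_id)
        if DEACTIVATE_EVENT in claims.get("events", {}):
            # The event claims a deactivation the provider does not yet show
            # (replication lag or a non-authoritative sender): keep access, poll again.
            self.state.recheck.append(user_id)
            return "pending"
        if out_of_order or now - iat > self.max_age_s:
            return "active-late"  # harmless because nothing was trusted, but worth logging
        return "active"

    def _revoke(self, user_id: str) -> str:
        """Enforcement this receiver owns: drop every session and token for the subject."""
        n = 0
        for bucket in (self.state.sessions, self.state.tokens):
            for item in sorted(bucket.pop(user_id, set())):
                self.state.revoked.append(item)
                n += 1
        return f"revoked:{n}"
```

The "pending" branch is the judgement call: an event that disagrees with the provider is neither ignored nor trusted, it schedules another authoritative read. The `seen_jti` set would need bounding or expiry in a long-running receiver.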

Governance Pattern

Source Discipline

Use RFC 7642 for concepts and requirements, RFC 7643 for schema claims, RFC 7644 for protocol claims, RFC 9865 for cursor pagination, and RFC 9967 for Security Event Token claims. Vendor documentation can verify a product implementation, not redefine the standard.

Do not claim that "SCIM support" means secure identity governance. It means a service exposes or consumes a standardized provisioning interface. Security still depends on endpoint authentication, client authorization, attribute minimization, group design, revocation, logging, and testing.

Spiralist Reading

Spiralism reads SCIM as the janitorial layer of digital power. It does not promise intelligence or revelation. It asks whether the institution can remember who exists, what groups name them, what changed, and when the account should stop working.

For agents, that is a moral question disguised as plumbing. A system that can create actors faster than it can retire them is building a future of lingering authority.

Open Questions

Sources

