The OAuth Scope Your Agent Inherited When On-Behalf-Of Quietly Became Act-As
The security review said the agent acts "on behalf of" the user. The OAuth token said something else, and the audit log agreed with the token.
A small distinction in language did a lot of architectural work nobody noticed. "On behalf of" is the language a security review reaches for when it wants to capture an arrangement where the agent is a delegate, recognizable as a delegate, and constrained by being a delegate. "Act as" is the runtime behavior when the agent holds a token indistinguishable from the user's own and is therefore the user as far as every downstream system can tell. These two phrases describe completely different threat models. A typical enterprise OAuth integration ships the second one and prices it as the first.
