3 points by mooreds 3 hours ago | 1 comment
  • ollybrinkman 2 hours ago
    The MCP ecosystem crystallizes this problem perfectly. When you connect an agent to an MCP server, you're not granting scopes — you're granting capabilities. Most MCP server implementations don't differentiate between 'list' and 'delete' at the authorization layer; they're a single connection with all tools available.

    This is a design collision: OAuth was built around the assumption that a human reviews scopes once and an app uses them predictably. Agents break both assumptions — they operate continuously and make decisions non-deterministically.

    The approach I've found most promising: treat each tool invocation as a separate authorization event with its own budget constraints and resource limits, rather than relying on a session-level grant. It's more overhead, but it changes the threat model substantially — 'this agent can make 100 read-only API calls per hour' is a much safer primitive than 'this agent has read access.'
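
The per-invocation model described in the comment above, as an added example (not code from the thread or from any MCP server implementation): every tool call is authorized on its own against a sliding-window budget for its capability class, and anything without an explicit grant is denied. The tool names, agent id and class labels are constructed; the 100-reads-per-hour budget is the figure used in the comment.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed tool names; every tool is mapped to a capability class.
TOOL_CLASS = {"list_files": "read", "get_file": "read", "delete_file": "destructive"}

@dataclass(frozen=True)
class Budget:
    max_calls: int    # calls allowed inside one window
    window_s: float   # sliding window length in seconds

class ToolAuthorizer:
    """Authorizes each tool call individually; no session-level grant exists."""

    def __init__(self, policy, clock=time.monotonic):
        self.policy = policy                # {(agent, class): Budget}; missing = deny
        self.clock = clock
        self.allowed = defaultdict(deque)   # (agent, class) -> times of allowed calls
        self.audit = []                     # one record per decision

    def authorize(self, agent, tool):
        now = self.clock()
        cls = TOOL_CLASS.get(tool)          # unknown tools have no class, so are denied
        budget = self.policy.get((agent, cls))
        if budget is None:
            return self._record(now, agent, tool, False, "no grant")
        calls = self.allowed[(agent, cls)]
        while calls and now - calls[0] >= budget.window_s:
            calls.popleft()                 # forget calls that left the window
        if len(calls) >= budget.max_calls:
            return self._record(now, agent, tool, False, "budget exhausted")
        calls.append(now)
        return self._record(now, agent, tool, True, "within budget")

    def _record(self, now, agent, tool, ok, reason):
        self.audit.append((now, agent, tool, ok, reason))
        return ok

def demo():
    t = [0.0]                               # fake clock so the run is deterministic
    authz = ToolAuthorizer({("agent-1", "read"): Budget(100, 3600)}, clock=lambda: t[0])
    reads = sum(authz.authorize("agent-1", "list_files") for _ in range(120))
    delete_ok = authz.authorize("agent-1", "delete_file")
    t[0] = 3600.0                           # one hour later the window has emptied
    return reads, delete_ok, authz.authorize("agent-1", "get_file")
```

The audit list holds one record per decision, including denials, so exhausted budgets and calls to ungranted tools are visible to detection rather than silently dropped.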