OAuth 2.1 (draft) and JWT bearer tokens (RFC 9068) lack standardized claims for agent instance identity, delegating user, and delegation chain, creating an unauditable identity gap for any enterprise deploying AI agents via OAuth-based authorization. Organizations using MCP-based systems, Claude Code, or similar agentic frameworks cannot enforce least-privilege access at the agent level, reconstruct who authorized what action, or expire agent tokens at the individual instance level using existing tooling. This is a standards-level architectural gap, not a patchable vulnerability.
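The gap described above can be seen by inspecting the claims of two access tokens issued to different agent instances under one client registration. This is an added example, not code from the original page; the tokens are constructed samples, and the claim names `agent_instance_id`, `delegating_user` and `delegation_chain` are hypothetical placeholders, not standardized claims.

```python
import base64
import json

# Claims RFC 9068 section 2.2 requires in a JWT access token.
RFC9068_REQUIRED = {"iss", "exp", "aud", "sub", "client_id", "iat", "jti"}

# Hypothetical private claim names (assumptions, not standardized anywhere).
AUDIT_QUESTIONS = {
    "agent instance identity": "agent_instance_id",
    "delegating user": "delegating_user",
    "delegation chain": "delegation_chain",
}

def b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims):
    """Build a constructed sample token; the signature part is a dummy."""
    return ".".join([b64url({"typ": "at+jwt", "alg": "RS256"}), b64url(claims), "c2ln"])

def decode_payload(token):
    """Decode the payload for inspection only; no signature verification."""
    payload = token.split(".")[1]
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def audit_gaps(claims):
    """Return the audit questions this token's claims cannot answer."""
    return sorted(q for q, name in AUDIT_QUESTIONS.items() if name not in claims)

def distinguishing_claims(a, b):
    """Return the claims whose values differ between two tokens."""
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

# Constructed sample: two agent instances sharing one OAuth client registration.
BASE = {"iss": "https://as.example", "aud": "https://mcp.example/api",
        "sub": "svc-agent", "client_id": "agent-client", "iat": 1700000000,
        "exp": 1700003600, "scope": "files:read files:write"}
TOKEN_A = make_token({**BASE, "jti": "tok-0001"})
TOKEN_B = make_token({**BASE, "jti": "tok-0002"})

if __name__ == "__main__":
    a, b = decode_payload(TOKEN_A), decode_payload(TOKEN_B)
    print("RFC 9068 required claims present:", RFC9068_REQUIRED <= a.keys())
    print("unanswerable from claims:", audit_gaps(a))
    print("instances differ only in:", distinguishing_claims(a, b))
```

Both tokens satisfy the RFC 9068 required set, yet the only field separating the two instances is the per-token `jti`, which says nothing about which instance held the token or on whose behalf it acted.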

Author

Tech Jacks Solutions