We tried two brokers this year for our 14-person support pod and the scoped, short-lived tokens were the only reason legal signed off on giving agents Zendesk write access. The pain point nobody talks about is revocation latency: when an agent goes off the rails at 2am, you want kill switches measured in seconds, not the 5-10 minute propagation we still see.

We piloted one across our finance org (about 400 seats) and the bottleneck wasn't the broker, it was getting the underlying SaaS vendors to honor scoped, short-lived tokens instead of their own per-app service accounts. Half our stack still wants a static API key in a settings page, which makes the broker a glorified password vault for those integrations. Curious if anyone has gotten Workday or SAP to play nice with delegated agent identities yet.