There are two elements here. Agent can start a full authorization request with AS through authorization code grant flow, even requiring a step-up or some rich authorization details, therefore whatever OTP by SMS or Magic link is an AS - Subject/Client "problem".
For Agent that cannot start a full authorization request (too costly, to complex, subject directly unreachable at the moment), we have a mention to OpenID Connect CIBA into it. With it, the Agent will start a back channel authorization request with the AS and the AS will use a method of authentication / confirmation with the subject in front channel, for example sending a SMS or sending a link to click. Again the resolution will remain an AS - Subject/Client "problem".
The authentication section is very bizarre, the Agent should go through an OAuth(2?) process to finally access server through an API Key?
That sounds more painful than bringing a better state of security...
This AISLE benchmark is interesting in this matter: https://aisle.com/blog/ai-cybersecurity-after-mythos-the-jag...
And the recently discovered Copy Fail by Xint code is another proof that the gating is overblown: https://xint.io/blog/copy-fail-linux-distributions