Harness Platform as an OIDC Provider
long-term
Zesty Whippet
The ask is to have the platform act as an OIDC Identity Provider, so it can issue short-lived tokens that other systems can validate and grant access based on a combination of parameters such as workspace/pipeline/environment/workflow/event/repo.
Here is workload identity documentation from HCP:
and here is another example from GitHub explaining it:
We would use this to grant roles and access in secret management platforms such as HashiCorp Vault or Akeyless. This would enable workflows to either access secrets directly or configure access for other systems, all while avoiding hard-coded, long-lived secrets.
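The relying-party side of this request, as an added example (not code from the post, Harness, Vault or Akeyless): once a token's signature has been verified against the issuer's published keys, the claims are checked and mapped to roles. The issuer URL, audience, claim names, role names and the 15-minute lifetime limit are assumptions for illustration.

```python
import time
from fnmatch import fnmatchcase

# Hypothetical issuer and audience; the page does not name real values.
ISSUER = "https://oidc.platform.example"
AUDIENCE = "vault.example"
MAX_TTL = 900  # assumed policy: reject tokens valid for more than 15 minutes

# Hypothetical role bindings: every listed claim must match (glob patterns
# allowed) before the role is granted.
ROLES = {
    "deploy-prod": {"repo": "acme/payments", "pipeline": "release-*",
                    "environment": "prod", "event": "push"},
    "read-ci": {"repo": "acme/*", "environment": "ci"},
}

def check_token(claims, now=None):
    """Return an error string if issuer, audience or lifetime checks fail."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return "bad issuer"
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return "bad audience"
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, (int, float)) or not isinstance(exp, (int, float)):
        return "missing iat/exp"
    if now >= exp or iat > now + 60:  # 60 s clock-skew allowance on iat
        return "expired or not yet valid"
    if exp - iat > MAX_TTL:
        return "lifetime too long"
    return None

def granted_roles(claims, now=None):
    """Return (roles, error). A missing or non-string claim never matches."""
    err = check_token(claims, now)
    if err:
        return [], err
    roles = [name for name, bound in ROLES.items()
             if all(isinstance(claims.get(k), str) and fnmatchcase(claims[k], pat)
                    for k, pat in bound.items())]
    return sorted(roles), None

# Constructed sample claims, as they would look after signature verification.
SAMPLE = {"iss": ISSUER, "aud": AUDIENCE, "iat": 1_700_000_000,
          "exp": 1_700_000_600, "repo": "acme/payments",
          "pipeline": "release-42", "environment": "prod", "event": "push"}

if __name__ == "__main__":
    print(granted_roles(SAMPLE, now=1_700_000_100))
```

An empty role list with no error means the token is genuine but matches no binding, which should be treated as a denial.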
Abhishek Thamman
long-term