Is it possible to handle machines with ESC? I was thinking along the lines of an invite link setup in which you could set specific environments for access, and it follows the same path as a normal invite link, where an admin/user will need to accept (maybe even allow auto-accept) when requested. If this is already possible, please point me to the documentation 😅 maybe via an API? Right now each machine could be set with an access token, but if that token changed, all machines would need to be changed, like in a compromise situation. Whereas the machines' specific access could be revoked one-by-one vs. all.
They're servers that "humans" shouldn't ever need to go into. Ephemeral in nature, so they could be stood up and torn down relatively frequently. Their machine IDs could be used as "sort of" an identity so that it doesn't change on the Pulumi side for access. We've looked into SPIFFE as well for identity purposes.
Wouldn't OIDC require user interaction to complete?
enough-architect-32336
05/03/2025, 4:36 AM
No, OIDC does not require user interaction once the relationship is established. It just requires an identity token that is signed with a key that is registered as part of the trust relationship. Where are your servers hosted? For example, you can trade your cloud identity token for a Pulumi token with OIDC.