Thanks for the link Dan. I did look around in this location this morning.
Which is all good. I imagine that I could ask it with arcpy... But what I want to know is why does ArcCatalog not report this back to the end user?
servProp = layer.serviceProperties print "Authentication: " + servProp.get('AuthenticationMode', 'N/A')
Output: "Authentication: OSA"
So, that part does work. I also revoked permissions for the Oracle OSA reader role and the layer does in fact stop working, as one would hope. The behavior looks right.