Subscribe to the Non-Human & AI Identity Journal

Who is accountable when an AI agent performs an AWS action under a shared role?

Accountability sits with the organisation that designed the delegation chain, because the shared role is a governance choice, not a technical accident. The accountable teams are usually IAM, platform engineering, and the business owner of the workflow. If the role cannot be tied back to a principal, the control design is incomplete and the record is weak.

Why This Matters for Security Teams

When an AI agent performs an AWS action under a shared role, the real risk is not just access. It is the collapse of traceability across identity, intent, and approval. Shared roles can make a delegated action look legitimate while hiding which agent, workflow, or human approved it. Current guidance suggests treating this as a governance failure, not a logging problem, because accountability depends on a provable chain from workload identity to business owner. NHIMG’s research on LLMjacking shows how quickly exposed AWS credentials are abused in the wild.

This is also where agentic systems differ from ordinary service accounts. The agent may chain tools, request new permissions mid-task, or act in ways the original approver did not anticipate. The NIST AI Risk Management Framework and the OWASP Agentic AI Top 10 both reinforce that accountability must be designed into the system, not inferred after an incident. In practice, many security teams encounter weak ownership only after an agent has already made a cloud change and the audit trail cannot explain who truly authorised it.

How It Works in Practice

Accountability should be mapped to the delegation chain, not to the AWS role alone. The role is the mechanism; the accountable party is the organisation and workflow owner that allowed the agent to assume it. Practitioners should require three linked records: the workload identity that authenticated the agent, the policy decision that allowed the action, and the business context that justified it. That is why emerging best practice is shifting toward runtime authorisation, where the system evaluates what the agent is trying to do at the moment of action.

Operationally, this usually means combining workload identity, just-in-time credentials, and policy-as-code. A common pattern is to issue short-lived credentials only for the specific task, then revoke them automatically when the task ends. The agent’s identity should be cryptographically bound to the workload, using mechanisms such as SPIFFE/SPIRE or OIDC-backed tokens, so the system can distinguish the agent from a shared automation bucket. The control objective is not to give the agent broad AWS access, but to prove which principal received which capability, for which purpose, and for how long.

For auditability, teams should also ensure that policy evaluation happens at request time, not only during onboarding. Tools such as OPA or Cedar can support this, provided the policy expresses business intent clearly. NHIMG’s OWASP NHI Top 10 highlights the broader identity risk in autonomous systems, while CSA MAESTRO agentic AI threat modeling framework is useful for structuring the threat model around autonomy, tool use, and delegation. These controls tend to break down when teams keep long-lived shared roles in environments where multiple agents, humans, and CI pipelines all reuse the same AWS principal.

Common Variations and Edge Cases

Tighter delegation controls often increase operational overhead, requiring organisations to balance auditability against deployment speed. That tradeoff becomes sharper when an AI agent must complete multi-step cloud tasks across several services. In those cases, current guidance suggests using finer-grained short-lived entitlements rather than a single broad shared role, but there is no universal standard for this yet.

Two edge cases matter most. First, if a shared role is used by both an agent and a human operator, accountability can blur unless every assume-role event is tagged with a durable principal and task identifier. Second, if the agent acts inside an orchestrated pipeline, the accountable owner may be the platform team for the delegation design, while the business owner remains accountable for approving the workflow risk. NHIMG’s reporting on AI Agents: The New Attack Surface report shows how often agent behaviour escapes intended scope, which makes ownership clarity essential rather than optional. The practical rule is simple: if the action cannot be traced back to a principal, a policy decision, and a business purpose, the accountability model is incomplete.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10, OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 A2 Agent autonomy and tool use create accountability gaps in shared-role AWS actions.
OWASP Non-Human Identity Top 10 NHI-01 Shared roles are an NHI governance issue when principals cannot be traced.
CSA MAESTRO ICM-02 MAESTRO addresses trust, identity, and delegation across agentic workflows.
NIST AI RMF AI RMF governance requires clear accountability for autonomous system outcomes.
NIST CSF 2.0 PR.AC-4 Access control must ensure each shared role is tied to an authorised principal.

Design approval and delegation paths so runtime actions inherit explicit accountability.