By NHI Mgmt Group Editorial Team
Published 2026-06-24
Domain: Agentic AI & NHIs
Source: Cerbos

TL;DR: At Identiverse, the clearest message was that autonomous agents expose authorization gaps that human workflows could hide, and that existing building blocks like Shared Signals, AuthZEN, and SPIFFE can support fresher, decision-time governance, according to Cerbos. The decisive shift is that access review cadences and static permissions no longer match runtime agent behaviour, so governance has to move to the decision point.


At a glance

What this is: This conference reflection argues that AI agents are exposing authorization weaknesses, cross-org delegation limits, and stale access-review models in existing identity systems.

Why it matters: It matters because IAM, NHI, and PAM teams now have to govern runtime decisions, delegated authority, and machine identities with controls designed for non-deterministic actors as well as humans.

By the numbers:

👉 Read Cerbos' Identiverse analysis of AI agent authorization and delegation


Context

AI agent authorization is the point where runtime behaviour, delegated authority, and resource access have to be evaluated together. The article argues that human-paced access reviews and implicit trust assumptions break down once a non-deterministic agent starts acting on behalf of a user or organisation.

For identity teams, the real issue is not whether the agent is clever. It is whether the governance model can answer who authorised the action, what the agent was allowed to do, and which context the decision used before the action executes.

The article also frames this as a systems problem, not a single tool problem. Shared Signals, AuthZEN, transaction tokens, and workload identity standards are presented as building blocks for a decision-time control plane, which is the right lens for NHI and agentic governance.


Key questions

Q: How should security teams govern delegated authorization for AI agents and service accounts?

A: Security teams should govern delegated authorization by defining the delegator, the trustee, the allowed purpose, and the revocation path before any action can run. The policy must be enforceable at runtime, especially when delegation crosses organisational boundaries. Without that, the trustee can exceed the original intent even when the initial grant looked legitimate.

Q: Why do AI agents create problems that traditional access reviews miss?

A: AI agents create problems that access reviews miss because review cycles assume privilege exists long enough to be observed and certified. Agents can acquire, use, and release access within a single session, so the governance evidence disappears before the next review. That makes decision-time control and logging more relevant than periodic recertification alone.

Q: What breaks when OAuth scopes are used to authorise agent tool calls?

A: OAuth scopes break down when they are asked to authorise a specific agent action, because scopes do not fully express who is acting, what tool is being called, with which arguments, and in what context. That gap leaves room for the confused deputy problem. Practitioners need a finer-grained decision model for tool invocation.

Q: Who is accountable when delegated access crosses trust domains?

A: Accountability becomes shared and harder to prove when delegated access crosses trust domains, because the original principal, the trustee, and the receiving organisation all influence the outcome. The only defensible answer is an auditable chain that shows authority, constraints, and revocation all the way back to the original principal.


Technical breakdown

Delegated authorization across trust domains

Delegated authorization extends access from the original principal to a trustee that may act across one or more organisations. The hard part is not issuing the delegation, but preserving purpose, constraints, and revocation as the chain crosses trust boundaries. Once the trustee is outside the delegator's control, contracts and transparency become part of the trust model, not just policy metadata. That is why cross-org delegation fails in practice when the delegation scheme assumes a single administrative domain. The article's framing aligns with the idea that authorization must remain deterministic and locally enforceable at the decision point, not inferred later from logs.

Practical implication: define which delegated actions remain valid outside your boundary and require runtime enforcement at the decision point.

Shared Signals and continuous authorization

Shared Signals moves identity governance away from a one-time login check and toward asynchronous event delivery. Security events are sent as signed tokens so systems can react when a session becomes risky, an account changes, or provisioning state changes. In the agentic extension, the model shifts to a control plane for setup, a data plane for fast authorization, and a signaling plane that carries fresh context before the decision. That matters because a policy decision point is only as current as the context it receives. If the signal arrives late, the decision is already stale.

Practical implication: connect revocation, risk, and provisioning signals to the systems that make authorization decisions in real time.

The confused deputy problem in agentic and MCP workflows

The confused deputy problem appears when a trusted system is tricked into using its authority on behalf of the wrong intent. In agentic and MCP-style workflows, the risk intensifies because the agent may choose tools, sequence actions, and act with non-deterministic timing. OAuth scopes alone cannot express whether an agent, acting for a user, may call a specific tool with specific arguments in a specific context. That is why the author argues for fresh authorization at the moment of action. The boundary must be enforced where the call is made, not assumed from the prompt or session.

Practical implication: authorise tool calls and resource actions at runtime, not by relying on agent instructions or coarse OAuth scopes.
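As an added example covering the three subsections above (cross-domain delegation, Shared Signals feeding the decision point, and decision-time authorization of tool calls), the following Python models one decision point that holds a delegation carrying purpose and argument constraints, consumes a constructed revocation event before deciding, and records a decision record for every agent tool invocation. This is not code from Cerbos or the article, nor an AuthZEN or Shared Signals implementation; the delegation fields, event shape, tool and argument names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Delegation:
    delegator: str       # original principal, e.g. "user:alice"
    trustee: str         # agent acting on the delegator's behalf
    purpose: str         # purpose the grant was made for
    tools: dict          # tool id -> {argument name: predicate on its value}
    revoked: bool = False

class DecisionPoint:
    """Decision-time PDP: consumes fresh signals and records every decision."""
    def __init__(self, *delegations):
        self.delegations = {d.trustee: d for d in delegations}
        self.decision_log = []  # the decision record is the governance evidence
    def on_signal(self, event):  # Shared Signals-style event; the event shape is constructed
        d = self.delegations.get(event.get("subject"))
        if d and event.get("type") == "delegation-revoked":
            d.revoked = True
    def evaluate(self, subject, action, resource, context):
        """AuthZEN-like (subject, action, resource, context) request; returns a decision record."""
        d, reasons = self.delegations.get(subject), []
        if d is None:
            reasons.append("trustee holds no delegation")
        elif d.revoked:
            reasons.append("delegation revoked")
        elif context.get("on_behalf_of") != d.delegator:  # confused deputy: principal never delegated
            reasons.append("principal did not delegate to this trustee")
        elif context.get("purpose") != d.purpose or action != "invoke" or resource not in d.tools:
            reasons.append("purpose or tool not covered by delegation")
        else:  # argument-level constraints, which coarse scopes cannot express
            reasons += [f"argument {n} outside constraint" for n, ok in d.tools[resource].items()
                        if not ok(context.get("arguments", {}).get(n))]
        record = dict(subject=subject, action=action, resource=resource, context=context,
                      allow=not reasons, reasons=reasons)
        self.decision_log.append(record)
        return record

def run_demo():
    """Constructed scenario: alice delegates refunds of at most 100 to a support agent."""
    pdp = DecisionPoint(Delegation("user:alice", "agent:refund-bot", "support-refunds",
                        {"payments.refund": {"amount": lambda a: a is not None and a <= 100}}))
    ctx = {"on_behalf_of": "user:alice", "purpose": "support-refunds"}
    calls = [dict(ctx, arguments={"amount": 40}),                           # within constraint
             dict(ctx, arguments={"amount": 5000}),                         # exceeds delegated limit
             dict(ctx, on_behalf_of="user:bob", arguments={"amount": 40})]  # confused deputy
    results = [pdp.evaluate("agent:refund-bot", "invoke", "payments.refund", c) for c in calls]
    pdp.on_signal({"type": "delegation-revoked", "subject": "agent:refund-bot"})  # fresh signal
    results.append(pdp.evaluate("agent:refund-bot", "invoke", "payments.refund", calls[0]))
    return [r["allow"] for r in results]  # [True, False, False, False]
```

Each record in `decision_log` carries subject, action, resource, context and the reasons for the outcome, which is the decision evidence the article argues periodic reviews cannot capture.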


Threat narrative

Attacker objective: The objective is to turn legitimate delegated access into authority that exceeds the original trust boundary and executes actions that should not have been authorised.

  1. Entry occurs when an agent or delegated workflow is granted legitimate access through credentials, scopes, or a trust relationship that looks acceptable at onboarding.
  2. Escalation happens when the actor uses that access in a non-deterministic way, selects tools dynamically, or crosses organisational boundaries where the original policy assumptions no longer hold.
  3. Impact is the execution of an unintended action, such as overreaching resource access, revoked-session misuse, or a mistaken high-risk operation that the human operator never explicitly approved.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Authorization is becoming the control plane for AI agents, not a downstream policy check. The article's core insight is that agents expose the weakness of systems that still treat authorization as a post-authentication formality. When the actor chooses actions at runtime, the decision itself becomes the governance object. That shifts identity programmes toward decision governance, where context, intent, and revocation all have to be available before the action runs. Practitioners should treat runtime authorization as the primary enforcement surface.

Cross-org delegation is where trust assumptions collapse first. The article correctly identifies the crossing-the-trustee problem as the point where hand-waving stops working. Inside one organisation, governance can rely on shared infrastructure and informal accountability. Once a delegation chain crosses into another trust domain, the original delegator no longer controls the trustee's environment, so revocation, auditability, and purpose limitation all degrade. Practitioners should assume that B2B delegation needs a stronger evidence model than internal IAM ever did.

Access review processes were designed for stable privileges, not runtime agent behaviour. That assumption fails when the actor is autonomous because the access may be acquired, used, and discarded inside a single session. The implication is not simply that reviews need to be more frequent. The premise that privilege persists long enough to be reviewed is broken, and governance has to move to decision logs, runtime policy, and continuous context instead of static certification cycles. Practitioners should rethink what evidence can still be certified.

Decision governance is the right named concept for this shift. The article's strongest contribution is the move from access management to decision governance, where what matters is whether the policy intended, the runtime context, and the executed action all matched. That is a materially different operating model from periodic access review or token issuance. Practitioners should align IGA, PAM, and NHI controls around the decision record, not just the identity record.

Shared signals and authorization standards are converging into one governance layer. The article points to a realistic architecture in which signaling, policy evaluation, and identity proofing are no longer separate problems. That convergence matters because machine identities, delegated agents, and human users all need the same freshness of context at decision time, even if the actors differ. Practitioners should stop separating identity telemetry from authorization design.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases.
  • That concern connects directly to OWASP Agentic AI Top 10, which is the right next resource for teams evaluating agentic access, tool use, and governance boundaries.

What this signals

Decision governance is now the programme-level control point for AI agents and delegated NHI access. Teams that still separate telemetry, authorization, and recertification will keep finding that the useful evidence arrives too late. The practical shift is to treat the decision record as the primary governance artefact and to align policy engines, audit, and access operations around it.

Access review cadence is too slow for runtime agent behaviour, which is why decision logs matter more. When privileged actions can happen between review windows, the programme needs evidence that captures context, intent, and outcome in one place. That is where IAM, PAM, and NHI governance converge for operators, not just architects.

With 44% of developers reported to follow secrets management best practices, the operational gap is not limited to policy design. It extends into the build and runtime layers where delegated agents, service accounts, and application secrets all need the same discipline, which is why the 52 NHI Breaches Analysis remains a useful reference point for programme owners.


For practitioners

  • Map your delegated-authority boundaries: List every workflow where an agent, service account, or third party can act on behalf of another principal, then mark where the original organisation no longer controls the trustee. Require explicit runtime constraints for cross-org delegation and document which actions can be revoked downstream.
  • Move authorization checks to the action point: Treat tool calls, resource access, and privileged operations as individually authorised events. Use a policy decision point that receives current context before execution, rather than relying on prompt instructions, broad scopes, or session-level approval.
  • Wire fresh signals into policy evaluation: Feed revocation, account changes, device risk, and provisioning events into the systems that evaluate requests. Continuous authorization only works when the decision engine can see changes before a call is allowed to proceed.
  • Replace review snapshots with decision evidence: Shift governance evidence from quarterly access review lists to logs that show what was intended, what context was used, and what action actually ran. This gives IAM, IGA, and audit teams something that reflects runtime behaviour instead of stale entitlement state.

Key takeaways

  • AI agents expose a governance problem that human workflows could hide, because runtime decisions now need to be authorised in context.
  • Cross-org delegation, continuous signals, and decision-time enforcement are the practical building blocks that separate workable governance from theory.
  • Access reviews alone are no longer enough, because the evidence for agent behaviour has to be captured at the moment the action is authorised.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | NHI-01 | Agent tool use and delegated actions create runtime authorization risk.
NIST CSF 2.0 | PR.AC-4 | Delegated access and trust boundaries map to least-privilege access control.
NIST Zero Trust (SP 800-207) | PR.AC-1 | Continuous verification is central when agents act on behalf of principals.

Review delegated entitlements against least-privilege and revoke any standing access that crosses trust domains.


Key terms

  • Delegated Authorization: Delegated authorization is the act of allowing one identity to exercise limited authority on behalf of another. In agentic and machine-identity settings, the key question is not just whether access is granted, but whether the delegation can be constrained, audited, and revoked at the moment of action.
  • Decision Governance: Decision governance is the practice of governing the authorization decision itself rather than only the identity record or entitlement list. It focuses on the subject, action, resource, and context that produced the result, which is especially important when agents and service accounts can act dynamically at runtime.
  • Shared Signals: Shared Signals are asynchronous security events that move risk and state changes between systems so downstream controls can react quickly. For identity teams, they are a way to keep authorization and session decisions current when access state changes after login or after a delegation is granted.
  • Confused Deputy Problem: The confused deputy problem occurs when a trusted system is tricked into using its authority for the wrong purpose. In agentic environments, the issue sharpens because the actor may be non-deterministic and able to choose tools or actions that exceed the original intent of the user or delegator.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Cerbos: AI agent authorization is exposing long-standing governance gaps. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org