TL;DR: Authorization is moving from code-level checks to a governed control plane as Cerbos says its platform now covers data enrichment, policy evaluation, enforcement, and audit across applications, infrastructure, and AI agents, with more than 1.2 billion checks processed monthly. The real shift is that incomplete agent context now becomes an authorization design problem, not just an implementation detail.
At a glance
What this is: Cerbos says authorization now needs a unified policy, data, and audit layer for applications, infrastructure, and AI agents.
Why it matters: IAM teams have to govern delegated machine actions with the same rigor as human access, because incomplete context and scattered policy logic create over-permission at runtime.
👉 Read Cerbos's announcement on end-to-end authorization for AI agents
Context
Authorization breaks down when policy logic is embedded in application code and context has to be reconstructed at runtime. For AI agents, that problem gets sharper because the decision often depends on identity, resource, and relationship data that is spread across directories, databases, APIs, and infrastructure systems. In practice, the primary keyword here is authorization management, and the governance gap is that many teams still treat it as an app feature rather than an identity control.
Cerbos's framing points to a broader IAM issue: the policy engine is only as good as the data fed into it, and the same applies whether the subject is a human user, a service account, or an AI agent. When authorization requests arrive without enough context, teams either over-grant access or hard-code logic into each system, which makes auditability and change control much harder.
Key questions
Q: How should security teams govern AI agent authorization in distributed systems?
A: Security teams should govern AI agent authorization as a per-request decision problem, not a one-time entitlement. That means enriching each request with identity, resource, and relationship data, then enforcing policy at the tool or protocol boundary. The goal is consistent access control across apps, APIs, queues, and data platforms, with audit logs that show exactly what drove each decision.
Q: Why do AI agents create more authorization risk than traditional workloads?
A: AI agents create more authorization risk because they can trigger many checks across many systems during one task, often with incomplete context. A single misconfigured permission can therefore expand into broad downstream access. Traditional workload controls assume narrower action paths, while agentic systems fan out across tools and resources in ways that increase blast radius.
Q: What breaks when authorization logic is embedded directly in application code?
A: When authorization logic is embedded in application code, teams lose central visibility, policy changes require redeployment, and consistency breaks across services. That makes it harder to audit decisions, version policies, and enforce the same rule everywhere. The usual result is drift between intended access and actual runtime enforcement.
Q: What should teams do when an AI agent is allowed to call multiple tools?
A: Teams should authorise each tool call separately and preserve delegated human context in the decision path. If the agent can call infrastructure, data, or workflow tools, every call needs its own policy check because the risk changes by resource and protocol. This is the point where per-session thinking stops being enough.
How it works in practice
Context enrichment for authorization decisions
Authorization engines need identity, resource, and relationship context before they can make a defensible decision. In distributed environments, that context usually lives in multiple sources, such as IdPs, databases, graph systems, and internal APIs. A data enrichment layer assembles those inputs into one decision request so the policy engine does not have to guess. For AI agents, this matters because a bare agent ID often does not capture the delegated human context or the resource relationship needed to judge intent.
Practical implication: centralise context collection so policy decisions are consistent across apps, infrastructure, and agent workflows.
Policy control plane and decision enforcement
A policy control plane separates authoring, testing, versioning, distribution, and audit from the runtime decision point. That separation matters because access rules change faster than deployments, especially when many services consume the same policy. The decision point remains lightweight and stateless, while the control plane pushes updates to every enforcement point. This reduces drift, but only if teams treat policy as governed identity logic rather than embedded application code.
Practical implication: move policy lifecycle management out of code paths and into a controlled distribution model with full decision logs.
AI agent authorization across tools and protocols
AI agents expand the authorization surface because one task can trigger many checks across tools, APIs, queues, and data platforms. The core issue is not the model itself, but the delegated action chain: one permission failure can now affect every downstream action the agent takes. Externalised authorization is therefore needed at the tool or request layer, not just at the application boundary. Without that, teams end up authorising the agent once and assuming the rest of the session is safe.
Practical implication: authorise each agent tool call and downstream request separately, using native protocol enforcement wherever possible.
NHI Mgmt Group analysis
Authorization is becoming an identity control plane, not a code pattern. Once policy moves out of application logic and into a managed decision layer, teams can govern access consistently across apps, infrastructure, and AI systems. That shift matters because the same decision can then be audited, versioned, and enforced everywhere instead of being reimplemented in each service. Practitioners should treat authorization as shared identity infrastructure, not as local application plumbing.
AI agent authorization exposes a context problem that human IAM did not have to solve at this scale. Human sessions usually carry enough identity and session data to support an access decision, but agent calls often arrive with minimal context and delegated intent. That creates a governance gap between who initiated the action and what the runtime decision can actually see. Practitioners should assume agent requests are incomplete until enriched.
Delegated machine access turns one misconfiguration into a blast-radius problem. A single over-permissive policy no longer affects one user action in one app, it can cascade through every tool and resource reachable by the agent. That changes the governance unit from an individual entitlement to the full action path. Security teams should evaluate authorization by downstream reach, not by isolated permission objects.
Context enrichment is the named control gap this article reveals. The platform problem is not simply policy evaluation, it is the absence of reliable identity, resource, and relationship data at decision time. Without that data, least privilege becomes approximate rather than enforceable. Practitioners should treat context completeness as a first-class authorization requirement.
Authorization for AI agents must be judged by delegated scope, not by tool count. The more systems an agent can reach, the more likely a single policy defect becomes an enterprise-wide access issue. That makes audit visibility and policy distribution as important as enforcement. Practitioners should re-evaluate whether their current authorization architecture can survive agent-driven fan-out.
From our research:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, including 46% confirmed and 26% suspected.
- For a broader control framework, see NHI Lifecycle Management Guide for how lifecycle discipline reduces standing access exposure.
What this signals
Context completeness is becoming the real authorization benchmark. Once AI agents, APIs, and infrastructure all depend on the same policy layer, the question is no longer whether access is technically controlled but whether the control has enough data to be trustworthy. That puts identity enrichment, policy distribution, and auditability on the same footing as enforcement in the programme roadmap.
The governance pattern is shifting from isolated access checks to end-to-end decision visibility. Teams that cannot reconstruct why a request was allowed will struggle to prove least privilege, especially when delegated machine actions cross multiple systems and protocols. This is where authorization management converges with NHI governance rather than sitting beside it.
A stronger pattern is emerging around externalised authorization for agentic workflows, and it aligns closely with the controls described in the OWASP Agentic AI Top 10. As agent use expands, practitioners should expect policy drift, tool sprawl, and audit gaps unless they treat agent access as a governed identity surface from day one.
For practitioners
- Map where context is missing at decision time Inventory which identity, resource, and relationship attributes are unavailable when authorization checks fire, then backfill the highest-risk gaps first across agent, API, and infrastructure requests.
- Separate policy lifecycle from application deployment Move policy authoring, testing, versioning, and distribution into a governed control plane so access changes do not depend on code releases or manual redeployments.
- Enforce per-tool authorization for AI agents Treat every agent tool call as a distinct authorization event, especially where the agent can reach MCP servers, data retrieval layers, messaging systems, or internal APIs.
- Require audit logs that expose decision inputs Log the attributes used in each authorization decision, including delegated identity context, so security and compliance teams can reconstruct why a request was approved.
- Test whether one permission can fan out across systems Review the downstream reach of each agent permission and simulate how a single misconfigured rule propagates across multiple protocols and services.
Key takeaways
- Authorization is shifting from embedded application logic to a governed control plane that can apply consistent policy across systems.
- AI agents make incomplete context a security problem, because one task can fan out into many access decisions across tools and protocols.
- Practitioners should prioritise context enrichment, per-request enforcement, and auditable policy lifecycle management before agent access scales further.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Agent tool access and delegated scope map to agentic AI authorization risk. | |
| OWASP Non-Human Identity Top 10 | NHI-01 | Agent identities and service credentials are non-human identities that need governed access. |
| NIST CSF 2.0 | PR.AA-04 | Access management and authentication support policy-based decision visibility. |
Document who or what is authorised, then log decision inputs so access can be reviewed and audited.
Key terms
- Authorization management: Authorization management is the governed process of deciding what an identity can access, when, and under what conditions. In modern environments it spans applications, APIs, infrastructure, and agents, with policy lifecycle, auditability, and decision consistency becoming core security requirements rather than implementation details.
- Policy decision point: A policy decision point is the component that evaluates a request against policy and returns an allow or deny decision. For autonomous or distributed systems, it must receive enough context to make a defensible choice, otherwise the decision is technically valid but operationally incomplete.
- Context enrichment: Context enrichment is the act of attaching missing identity, resource, and relationship data to an authorization request before policy evaluation. It reduces guesswork in the decision path and is especially important when an AI agent, service account, or API key arrives with minimal intrinsic context.
- Delegated access: Delegated access is access exercised by one identity on behalf of another, such as an AI agent acting for a user or a service account carrying inherited scope. The security challenge is proving the delegated intent at decision time and preserving that relationship in audit logs.
Deepen your knowledge
AI agent authorization and policy lifecycle management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is now dealing with delegated machine access across apps and infrastructure, it is worth exploring.
This post draws on content published by Cerbos: authorization management for AI agents and distributed systems. Read the original.
Published by the NHIMG editorial team on 2026-03-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
