TL;DR: CrowdStrike's $740 million acquisition of SDNL, a company with $63 million in funding and a CAEP-based continuous authorization model, signals that real-time authorization for human, machine, and AI agent identities is now a budgeted security category, according to EnforceAuth. The deeper issue is that access review, RBAC, and static IAM assumptions break when decisions happen continuously across delegation chains.
At a glance
What this is: An EnforceAuth analysis of CrowdStrike's SDNL acquisition and the growing case for real-time authorization across human, machine, and AI agent identities.
Why it matters: IAM, PAM, and NHI programmes are being pushed from static access control toward continuous decision governance across fast-moving identities and delegation chains.
By the numbers:
- CrowdStrike announced it was acquiring SDNL for $740 million on January 8, 2026.
- SDNL had raised $63 million in total funding before the acquisition.
- IDC projects the identity security market will grow from $29 billion in 2025 to $41 billion by 2029.
👉 Read EnforceAuth's analysis of the CrowdStrike SDNL acquisition and authorization gap
Context
Authorization is the control that decides whether a specific action should happen now, given the identity, context, and policy in play. In this article's framing, the problem is no longer basic authentication. It is the gap between granting access and governing the decision an identity makes after access is granted, especially when the identity is a machine or AI agent.
That gap matters across human IAM, NHI governance, and emerging agentic AI programmes because static roles and periodic reviews do not match real-time execution. The article uses CrowdStrike's SDNL acquisition as the market signal, but the governance issue is broader: enterprises need to understand when access is merely present versus when a decision should be permitted.
Key questions
Q: What breaks when authorization is handled only through RBAC?
A: RBAC breaks when the risk is not membership in a role but the specific decision an identity makes at runtime. It cannot see context shifts, delegated authority, or multi-step actions that are individually allowed but collectively unsafe. In modern NHI and AI agent environments, RBAC remains useful for baseline structure, but it is not enough to govern execution-level risk.
Q: Why do AI agents and machine identities complicate authorization decisions?
A: They complicate authorization because they can act continuously, delegate authority, and chain tool use faster than human review cycles can intervene. That makes access a starting condition, not the control point. Security teams need policy that evaluates the action itself, the context around it, and the chain of identities that enabled it.
Q: How do security teams know if access reviews are actually working?
A: Access reviews are working only if they remove privileges before those privileges create operational risk, not after the fact. If reviews mostly confirm existing access, or if critical permissions remain unchanged between review cycles, then the process is governance theatre rather than control. The signal to watch is whether review outcomes materially reduce standing privilege and delegated access.
Q: Who is accountable when a valid identity makes a harmful decision?
A: Accountability usually sits with the control owner who allowed the decision path to exist, not just the person or system that executed it. In practice, that means IAM, PAM, platform, and application teams share responsibility for defining the approval boundary, logging the decision, and making the policy auditable. Without that, valid access can still produce invalid outcomes.
Technical breakdown
Why continuous authorization matters in delegated identity chains
Continuous authorization means policy is evaluated during the session, not just at login. SDNL's CAEP-based approach reflects a shift from one-time authentication decisions to continuous context checks, so permission can change when device trust, risk signals, or session conditions change. That model is useful when identities act across tools and clouds, because the risk is rarely the initial login alone. The harder problem is that delegated chains can outlive the original trust decision, especially when an identity inherits permission from another identity or system.
Practical implication: split admission control from ongoing decision control in your authorization model.
Decision-centric authorization versus identity-centric authorization
Identity-centric authorization asks whether an actor may access a resource. Decision-centric authorization asks whether a specific action should execute right now, in this context, through this chain of authority. That distinction becomes critical for AI agents, workflows, and machine identities that can initiate cross-system actions without a human at the keyboard. Identity systems were built to answer entitlement questions. They were not built to classify every task, transaction, or tool call as it happens. When action scope is more important than role membership, policy has to move closer to execution, so the question to ask of existing controls is whether they govern access or govern the action itself.
Practical implication: move policy closer to execution if action scope drives risk.
Why RBAC and periodic access reviews miss runtime risk
RBAC works well when duties are stable and predictable. It breaks down when authorization depends on context, delegation, and task-level intent that changes during execution. Periodic access reviews are even weaker in that environment because they assume privilege persists long enough to be observed and certified. The article's core point is that modern AI systems and machine identities can make security-relevant decisions faster than review cycles can catch up. That does not make reviews useless, but it does limit them to baseline governance rather than active decision control.
Practical implication: use reviews for governance, not as a substitute for runtime safeguards.
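The three sections above describe one layered model: an RBAC entitlement baseline, a delegation chain that can only narrow authority, and an action-level decision re-evaluated against live context. The following is an added example, not code from EnforceAuth, SDNL, CrowdStrike or NHIMG, that puts those layers into a single policy function. The identities, role table, action policies and the CAEP-style risk feed are all constructed for illustration; a real deployment would source context from its own continuous evaluation signals.

```python
"""
Added example (not from the article or any vendor): a minimal decision-centric
authorization check. RBAC answers "is this identity entitled at all?"; the
decision layer answers "should this action run now, through this chain, in
this context?". Every identity, role and threshold below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str            # "human", "service" or "agent"
    roles: frozenset     # RBAC baseline: roles the identity is entitled to hold


@dataclass
class Context:
    device_trusted: bool
    risk_score: int      # 0 (clean) .. 100, from a hypothetical CAEP-style feed
    session_revoked: bool = False


# Entitlement layer (constructed): which roles may touch which actions at all.
ENTITLEMENTS = {
    "billing-reader": {"invoices:read"},
    "billing-admin":  {"invoices:read", "invoices:refund"},
    "deploy-bot":     {"infra:apply"},
}

# Decision layer (constructed): constraints that only make sense at runtime.
# Anything without an entry is denied by default.
ACTION_POLICY = {
    "invoices:read":   {"max_risk": 70, "require_trusted_device": False, "max_chain_len": 4},
    "invoices:refund": {"max_risk": 30, "require_trusted_device": True,  "max_chain_len": 2},
    "infra:apply":     {"max_risk": 20, "require_trusted_device": True,  "max_chain_len": 1},
}


def entitled(principal, action):
    """RBAC check: does any role held by the principal cover the action?"""
    return any(action in ENTITLEMENTS.get(role, set()) for role in principal.roles)


def decide(chain, action, ctx):
    """Return (allowed, reason).

    chain[0] is the identity where authority originated (usually a human),
    chain[-1] is the identity actually attempting the action. Delegation may
    only narrow authority, so every hop must itself be entitled to the action.
    """
    if ctx.session_revoked:
        return False, "session revoked by continuous evaluation"
    for hop in chain:
        if not entitled(hop, action):
            return False, f"{hop.name} in delegation chain is not entitled to {action}"
    policy = ACTION_POLICY.get(action)
    if policy is None:
        return False, "no action-level policy: default deny"
    if len(chain) > policy["max_chain_len"]:
        return False, f"delegation chain length {len(chain)} exceeds {policy['max_chain_len']}"
    if policy["require_trusted_device"] and not ctx.device_trusted:
        return False, "device trust lost"
    if ctx.risk_score > policy["max_risk"]:
        return False, f"risk {ctx.risk_score} above threshold {policy['max_risk']}"
    return True, "allowed"


# Constructed identities for the demo.
ALICE = Principal("alice", "human", frozenset({"billing-admin"}))
REFUND_AGENT = Principal("refund-agent", "agent", frozenset({"billing-admin"}))
READER_AGENT = Principal("reader-agent", "agent", frozenset({"billing-reader"}))


def run_demo():
    """Same actor and action, different context or chain: the decision changes."""
    return [
        decide([ALICE, REFUND_AGENT], "invoices:refund", Context(True, 10)),   # allowed
        decide([ALICE, REFUND_AGENT], "invoices:refund", Context(True, 55)),   # risk rose mid-session
        decide([ALICE, REFUND_AGENT], "invoices:refund", Context(False, 10)),  # device trust lost
        decide([ALICE, READER_AGENT], "invoices:refund", Context(True, 10)),   # delegation cannot widen
        decide([ALICE, REFUND_AGENT, REFUND_AGENT], "invoices:refund", Context(True, 10)),  # chain too long
        decide([ALICE, REFUND_AGENT], "invoices:read", Context(False, 60)),    # low-risk action still fine
    ]


if __name__ == "__main__":
    for allowed, reason in run_demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The point of the layering is that a session which was legitimately admitted at login can be denied a specific action minutes later without any change to role membership: the RBAC table never changes during the demo, only the context and the chain do.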
Threat narrative
Attacker objective: The objective is to turn legitimate access into unauthorized or unreviewed action at execution time, especially across AI-driven or machine-driven workflows.
- Entry occurs when a human, machine identity, or AI agent receives legitimate access through an existing delegation chain or session token.
- Escalation happens when the actor uses that access to make additional cross-system decisions that were not explicitly reviewed at the time of execution.
- Impact follows when the authorized actor completes sensitive actions such as data access, workflow execution, or infrastructure change without decision-level oversight.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Authorization has become the control plane for modern identity risk. The acquisition does not just validate a product category, it validates the need to govern decisions after authentication has already succeeded. That shift matters because the security problem is no longer only who can log in, but what that identity can do once it is inside the environment. Practitioners should treat authorization as an independent governance layer, not a checkbox inside IAM.
Identity-centric authorization is too narrow for AI-driven execution. A system that answers only whether an identity may reach a resource cannot fully govern autonomous or machine-driven workflows that chain multiple actions together. The real governance question is decision-centric: what should happen now, given the actor, the data, the policy, and the delegation chain. Teams that keep authorization at the entitlement layer will miss the risk created by task-level execution.
Standing privilege remains the structural weakness that continuous access evaluation tries to reduce. The article is right to emphasise continuous context, because static permission grants remain too durable for fast-moving workflows. But the larger lesson is that periodic governance assumes access will stay visible long enough to be reviewed, and that assumption is increasingly fragile. Practitioners should read this as a warning that delayed oversight is not the same thing as control.
Real-time authorization is becoming a category boundary in NHI and agentic AI governance. The market is moving toward separate budget, separate tooling, and separate accountability for runtime decisions. That does not eliminate IAM, PAM, or lifecycle governance, but it does force a clearer split between entitlement management and execution-time policy enforcement. The implication is that identity programmes now need a control model for who gets access and a separate model for what actions are allowed when access is used.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- That is why the 52 NHI Breaches Report is the right next reference point for teams studying how standing access turns into real incidents.
What this signals
Decision-level authorization is becoming a practical requirement, not a theoretical refinement. As AI agents and machine identities take on more cross-system action, teams need to know where execution policy lives and who owns it. The old split between authentication and authorization is still useful, but the real governance split is now between entitlement and runtime decisioning.
A useful operating model is to treat every delegated chain as a potential control boundary failure until it is explicitly mapped. That means service accounts, tokens, APIs, and agent actions should be reviewed together, not as separate silos, because risk often travels through the handoff rather than the identity itself.
For practitioners
- Separate entitlement approval from execution-time policy: Map which identities can authenticate, which can inherit access through delegation, and which decisions still need to be checked at runtime before execution. Use this to identify where RBAC ends and decision governance must begin.
- Inventory delegation chains for machine and agent identities: Trace how service accounts, tokens, APIs, and AI agents inherit authority across environments. Focus on chains that span multiple systems because those are the paths most likely to bypass simple access review models.
- Reassess periodic access reviews for runtime-sensitive roles: Classify which permissions support real-time operations, then decide whether review cadence alone is enough. Where the answer is no, add continuous evaluation, logging, and explicit action-level policy before execution.
- Align PAM and NHI controls with action approval boundaries: For high-risk systems, define the exact actions that must be approved separately from access to the account or token. This is especially important where a valid identity can still perform an unsafe transaction or change.
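The four steps above amount to one audit: enumerate delegation chains, prioritise the ones that cross systems or carry standing credentials, and mark which permissions need an action-level check rather than a review cadence. The following is an added example, not the article's or any vendor's tooling, that runs that audit over a constructed grant inventory. The identities, systems and the set of runtime-sensitive permissions are assumptions for illustration; a real inventory would be exported from the IdP, cloud IAM and secrets stores.

```python
"""
Added example (not from the article or any vendor): enumerate delegation chains
from a constructed grant inventory and flag the chains a practitioner would
prioritise. All names, systems and permissions below are constructed.
"""
from collections import defaultdict

# Constructed inventory. Each grant records who handed authority to whom, the
# system the credential lives in, what it conveys, and whether it expires.
GRANTS = [
    {"from": "alice@corp",    "to": "ci-runner",     "system": "github",  "perms": {"repo:write"},      "expires": True},
    {"from": "ci-runner",     "to": "deploy-token",  "system": "aws",     "perms": {"infra:apply"},     "expires": False},
    {"from": "alice@corp",    "to": "support-agent", "system": "crm",     "perms": {"invoices:read"},   "expires": True},
    {"from": "support-agent", "to": "refund-tool",   "system": "billing", "perms": {"invoices:refund"}, "expires": False},
    {"from": "bob@corp",      "to": "report-job",    "system": "crm",     "perms": {"invoices:read"},   "expires": True},
]

# Permissions where access alone is not the control point: execution needs a runtime check.
RUNTIME_SENSITIVE = {"infra:apply", "invoices:refund"}

# Human identities where authority originates. Sorted so output order is deterministic.
ROOTS = ("alice@corp", "bob@corp")


def build_graph(grants):
    """Adjacency list keyed by grantor."""
    graph = defaultdict(list)
    for grant in grants:
        graph[grant["from"]].append(grant)
    return graph


def enumerate_chains(grants, roots):
    """Depth-first walk from each root; returns every maximal chain of grants.

    A chain is the list of grants followed. Identities already on the path are
    not revisited, so cyclic grants (A -> B -> A) cannot loop forever.
    """
    graph = build_graph(grants)
    chains = []

    def walk(node, path, seen):
        extended = False
        for grant in graph.get(node, []):
            if grant["to"] in seen:
                continue
            extended = True
            walk(grant["to"], path + [grant], seen | {grant["to"]})
        if path and not extended:
            chains.append(path)

    for root in sorted(roots):
        walk(root, [], {root})
    return chains


def assess(chain):
    """Classify one chain against the steps in the guidance above."""
    systems = {g["system"] for g in chain}
    touched = set().union(*(g["perms"] for g in chain))   # every permission used along the chain
    sensitive = sorted(touched & RUNTIME_SENSITIVE)
    return {
        "path": [chain[0]["from"]] + [g["to"] for g in chain],
        "cross_system": len(systems) > 1,
        "standing": any(not g["expires"] for g in chain),
        "runtime_sensitive": sensitive,
        "recommendation": "add action-level policy before execution" if sensitive
                          else "periodic review cadence is sufficient",
    }


def findings(grants=GRANTS, roots=ROOTS):
    """Chains ordered so cross-system, standing, runtime-sensitive ones come first."""
    results = [assess(c) for c in enumerate_chains(grants, roots)]
    return sorted(
        results,
        key=lambda f: (f["cross_system"], f["standing"], bool(f["runtime_sensitive"])),
        reverse=True,
    )


if __name__ == "__main__":
    for f in findings():
        print(" -> ".join(f["path"]), "|", f["recommendation"])
```

In the constructed inventory both of alice's chains cross a system boundary and end in a non-expiring credential that reaches a runtime-sensitive action, so they sort to the top; bob's single-hop read grant stays on ordinary review cadence. The same walk can be pointed at a real export by replacing the GRANTS list.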
Key takeaways
- The article's core message is that authorization is no longer a supporting IAM function, but a central control plane for modern identity risk.
- The market signal is reinforced by large-scale investment, but the operational problem remains the same: static role-based controls do not govern runtime decisions well enough.
- Practitioners should separate access granting from action approval and map where delegated chains need continuous policy enforcement.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses excess privilege and runtime access risk in NHI and agent workflows. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Continuous authorization aligns with verifying access before and during use. |
| NIST CSF 2.0 | PR.AC-1 | Access control governance is central to the article's runtime authorization argument. |
Review NHI entitlements against least-privilege intent and remove standing access that is not operationally justified.
Key terms
- Decision-Centric Authorization: Authorization model that evaluates whether a specific action should execute in the current context, not just whether an identity may reach a resource. It is especially relevant where machine identities and AI agents can chain actions quickly, because the control point moves from access to execution.
- Delegation Chain: The sequence of identities, tokens, APIs, and permissions through which authority is passed before an action is performed. In NHI and AI agent environments, the chain often matters more than the original login because risk can accumulate at each handoff.
- Continuous Authorization: A control model that reevaluates permissions during a session as context changes, rather than assuming the initial access decision remains valid. It reduces the gap between changing risk and enforcement, but it still needs action-level policy when tasks themselves are sensitive.
- Standing Privilege: Persistent access that remains available until someone removes it. In identity programmes, standing privilege is the main source of excess access because it survives after the immediate need has passed and often becomes invisible in fast-moving operational workflows.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
This post draws on content published by EnforceAuth covering CrowdStrike's acquisition of SDNL: authorization, AI agent governance, and the growing decision-level access gap. Read the original.
Published by the NHIMG editorial team on 2026-01-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org