TL;DR: AWS IAM changes can take seconds to propagate, and OFFENSAI’s notyet tool shows how an attacker with valid credentials can exploit that window to restore privileges and outlast common containment steps. The core problem is that incident response playbooks still assume privilege removal is immediately durable, according to Sonrai Security’s analysis.
At a glance
What this is: This is an analysis of AWS IAM eventual consistency and how it can let compromised identities reassert access during containment.
Why it matters: It matters because IAM, PAM, and cloud incident response teams need containment controls that survive propagation delays, not just policy changes that look effective on paper.
👉 Read Sonrai Security's analysis of eventual consistency persistence in AWS IAM
Context
AWS IAM does not apply every change atomically across the service, which means privilege removal can lag by a few seconds. That delay creates a practical containment gap when a compromised cloud identity still has enough standing access to react before the change fully settles.
For IAM and incident response teams, the issue is not whether revocation was requested but whether revocation can be relied on immediately. In cloud environments, that distinction determines whether containment actually holds or whether an attacker-controlled identity can restore itself before the response completes.
Key questions
Q: What breaks when IAM revocation is not immediately enforced?
A: The compromised identity can observe the change, recreate permissions, or shift into a fresh credential path before containment completes. That turns revocation into a race rather than a boundary. In practice, the failure is not policy syntax but delayed enforcement, which is why cloud containment needs a higher-order control that the identity cannot undo.
Q: Why do service accounts with standing privilege complicate cloud containment?
A: Standing privilege gives the identity enough room to react during the time it takes access changes to propagate. If the principal can still call IAM or orchestration APIs, it may restore the access you just removed. The risk is highest when containment depends on local edits instead of an organisation-level quarantine.
Q: How do security teams know whether containment is actually working?
A: They should test whether the identity can still execute privileged actions after revocation, not just whether the API call succeeded. A working containment model prevents re-escalation, blocks credential regeneration, and remains effective even when the target is polling for state changes. If any of those fail, containment is only partial.
Q: Who is accountable when cloud quarantine depends on timing-based tactics?
A: The security team owns the outcome if containment relies on a race that may not be repeatable under pressure. Timing-based tactics can be useful as a fallback, but accountability sits with the team that chose them over durable org-level controls. In regulated environments, that means proving the quarantine design, not just the response effort.
Technical breakdown
Eventual consistency in AWS IAM
Eventual consistency means a change is accepted by one part of the system before it is fully visible everywhere else. In AWS IAM, that creates a short propagation window after policy edits, key deactivation, or role changes. A control can appear to succeed in the console or API response while the target identity still operates against stale state for a few seconds. Tools like notyet exploit that gap by monitoring for containment actions and reacting before the change settles. The result is not a broken AWS identity model, but a timing mismatch between defender action and service state.
Practical implication: design containment assuming a delayed state transition, not an instant privilege removal.
Why inline policies and managed policy changes can be reversed
Inline policy deletion, deny statements, managed policy detachment, permission boundaries, and group changes all depend on the target identity observing the change before it can act again. If the identity retains enough permission during the propagation window, it can recreate the removed control surface or swap into another path that restores equivalent access. That is why normal-looking IAM cleanup can fail against an adaptive adversary. The issue is not the policy type itself, but the fact that the attacker can use the short delay to preserve execution continuity.
Practical implication: treat policy edits as insufficient containment unless a harder outer control can override the identity immediately.
Why service control policies change the containment model
Service Control Policies operate above the member-account identity and can block actions even when a principal still believes it has broad rights. In the article’s testing, that makes SCP-based quarantine materially different from local IAM edits because the compromised identity cannot simply undo the restriction from within the account. This is the technical reason org-level guardrails are more durable than identity-local fixes in a propagation-delay scenario. The same logic also explains why timing-based scripts can sometimes work, but only as an opportunistic race rather than a dependable control.
Practical implication: place quarantine authority at the organisation layer if you need containment that survives identity self-repair.
Threat narrative
Attacker objective: The attacker’s objective is to keep cloud access alive long enough to outlast containment and preserve administrative control.
- Entry begins with valid access key or role session credentials that already grant the attacker-controlled identity enough privilege to observe and react to IAM changes.
- Escalation happens when the identity uses the propagation window to restore removed permissions, recreate credentials, or shift into a fresh role before containment fully lands.
- Impact is persistent administrative access that defeats ordinary incident response actions and keeps the compromised identity operational inside the AWS account.
Breaches seen in the wild
- Codefinger AWS S3 ransomware attack — Codefinger used compromised AWS credentials to encrypt S3 buckets via SSE-C.
- Azure Key Vault privilege escalation exposure — Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity revocation is not the same as identity containment. AWS IAM can accept a change before the environment has fully converged, and that distinction matters when the subject is already executing with the privileges being removed. The article shows that a compromised identity can exploit the gap between request and propagation to preserve control. Practitioners should treat containment as a state-control problem, not a policy-edit problem.
Standing privilege becomes more dangerous when the revocation path is slower than the attacker’s reaction loop. Inline policy edits, managed policy detachment, and permission boundaries all assume the target will observe the change before it can compensate. notyet demonstrates that this assumption can fail in practice because the identity can self-heal inside the same operational window. The implication is that incident response playbooks must be judged by their ability to survive adversarial timing, not by whether they are syntactically correct.
Organisation-level guardrails are the real control plane for cloud quarantine. Service Control Policies work because they sit outside the compromised identity’s direct control, which makes them materially different from local IAM cleanup. That is the governance boundary that survives self-repair behaviour in the article. For cloud IAM teams, the lesson is to separate reversible account-local cleanup from non-reversible organisational containment.
Eventual consistency-based persistence is a named failure mode, not a theoretical edge case. It describes a control environment where an identity can continuously reassert privilege during the delay between revocation and enforcement. This failure mode is especially relevant for incident response, PAM quarantine, and cloud access governance because it turns time into the attacker’s ally. Practitioners should build playbooks around that failure mode explicitly.
Cloud containment procedures built for humans are too slow for adversarial automation. Manual containment can work against a person, but it is structurally weaker when the target is a script that polls and reacts faster than an operator can click. The article’s timing-based countermeasures succeed only when the defender wins a race. That means durable cloud response must be policy-driven and centrally enforced, not operator-speed dependent.
From our research:
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, according to The 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- That gap reinforces why readers should also review Ultimate Guide to NHIs for lifecycle and governance patterns that survive privileged access drift.
What this signals
Eventual consistency-based persistence: this is the kind of control failure that will increasingly appear wherever identity changes are treated as instantly effective. Cloud teams should assume adversarial timing, not operator timing, and move quarantine authority above the compromised account boundary.
With 67% of organisations still relying heavily on static credentials despite the risks they pose to agentic AI deployments, the broader lesson is that credential state alone does not equal control. Identity programmes need containment models that remain effective even when the subject can keep acting during the revocation window.
For practitioners
- Build organisation-level quarantine paths Use Service Control Policies or an equivalent org-root control to block the compromised principal from reasserting access. Keep the quarantine mechanism outside the affected account so the identity cannot remove it from within the same blast radius.
- Separate containment from cleanup Treat access-key deactivation, policy detachment, and role deletion as cleanup tasks, not the containment boundary itself. Verify that a higher-order control is in place before assuming the identity is actually contained.
- Test response playbooks against timing races Rehearse scenarios where the compromised identity can react during the propagation window and measure whether your controls still hold. Include automated containment scripts and repeated API actions in the test, but do not depend on operator timing as the primary defence.
- Quarantine identities before key rotation alone Do not assume rotating or disabling static credentials will stop an active adversary if the principal can create replacement access during the delay. Pair credential revocation with an immediate outer quarantine so the account cannot self-remediate.
Key takeaways
- The article shows that cloud identity containment can fail even when revocation is requested correctly, because propagation delay gives the target time to recover.
- The strongest evidence in the piece is that local IAM cleanup can be outpaced by an adaptive identity, while organisation-level quarantine can still hold.
- Practitioners should redesign incident response around durable quarantine boundaries, not around the assumption that policy changes take effect immediately.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The article centers on revocation and containment of privileged non-human access. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be managed so revocation actually constrains the principal. |
| NIST Zero Trust (SP 800-207) | PR.AC | Zero trust requires continuous enforcement, not just a one-time permission change. |
Align cloud access containment with PR.AC-4 and validate that policy changes are enforced outside the account.
Key terms
- Eventual Consistency: A system property where a change is accepted before every part of the platform reflects it. In cloud identity, that matters because a revoked permission may still be usable for a short period, creating a window in which an attacker or automated tool can act before enforcement converges.
- Service Control Policy: An organisation-level guardrail in AWS that restricts what accounts and identities can do. Because it sits above member-account IAM state, it can be used to quarantine a compromised principal even when local policies, roles, or keys are still in flux.
- Standing Privilege: Persistent access that remains available without time-bound approval or reauthorization. In cloud environments, standing privilege increases containment risk because a compromised identity may still have enough operational reach to reverse local remediation during a propagation delay.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Sonrai Security: Fighting Eventual Consistency-Based Persistence. Read the original.
Published by the NHIMG editorial team on 2026-04-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
