By NHI Mgmt Group Editorial Team | Published 2026-05-07 | Domain: Agentic AI & NHIs | Source: Cerbos

TL;DR: At IIW42, the core debate moved from authentication to agent authorization, with participants converging on a pattern where a sandboxed agent invokes tools while a deterministic policy engine evaluates capability, intent drift, and accountability, according to Cerbos. The governance problem is no longer whether an agent can log in, but how identity, evidence, and audit survive runtime behaviour.


At a glance

What this is: IIW42 showed that agent authorization is moving beyond authentication toward deterministic policy, intent awareness, and accountability for runtime behaviour.

Why it matters: IAM teams now have to govern agents as decision-makers, not just authenticated workloads, and that changes how policy, audit, and trust boundaries are designed across NHI, autonomous, and human identity programmes.



Context

IIW42 surfaced a basic problem that many IAM programmes still understate: authentication can succeed while authorization remains ambiguous. For AI agents, the hard question is not whether the subject can present credentials, but what the policy decision point is asked to evaluate when the subject is a mix of workload, human direction, device context, and sometimes sub-agent behaviour. That is why the debate is shifting from login flows to policy inputs, evidence quality, and auditability.

Cerbos frames the practical fault line as an authorization model that treats the agent as a sandboxed executor while the policy engine remains deterministic. That shift matters for identity governance because short-lived non-human identities do not fit clean principal-plus-role thinking, and the audit trail breaks if the subject cannot be represented consistently. For readers building NHI programmes, the relevant reference point is the Ultimate Guide to NHIs, which covers lifecycle, visibility, and control boundaries in more depth.

The event also reflected a broader identity reality: the subject of an authorization request is increasingly a vector, not a person. That makes the boundary between NHI, human intent, and autonomous behaviour much harder to model with traditional role-based assumptions, especially when the same agent traverses multiple trust domains.


Key questions

Q: How should teams authorize AI agents without relying only on roles?

A: Teams should authorise AI agents using capability and context, not just a static role. That means the policy decision point should evaluate the requested action, the target resource, session context, and the evidence trail behind the request. The goal is to keep authorization deterministic while still capturing enough runtime detail to support accountability and post-incident review.

Q: Why is intent drift a governance risk for AI agents?

A: Intent drift is risky because a sequence of individually allowed actions can still produce an outcome that no longer matches the original request. Governance breaks when teams assume per-call approval equals session safety. The practical test is whether the policy model can evaluate the whole request chain, not just one isolated tool invocation.

Q: What do security teams get wrong about agent authorization logs?

A: Many teams log whether an action was allowed but not whether the actor’s original purpose changed along the way. That leaves a gap between compliance evidence and actual behaviour. Good logging has to preserve the subject, the requested capability, the sequence of decisions, and enough context to reconstruct accountability later.

Q: How can IAM teams govern agent activity across trust boundaries?

A: IAM teams should define a normalised action vocabulary before an agent crosses into another domain. Without that, the same request can mean different things to different policy engines, which creates authorization ambiguity. Cross-boundary governance works when translation is explicit, auditable, and constrained to approved actions.


Technical breakdown

Agent authorization vs authentication

Authentication proves that an entity can present a credential. Authorization decides what that entity can do with a resource at a point in time. For agents, the friction is that login success tells you little about runtime intent, tool selection, or whether the request chain still reflects the original human purpose. A deterministic policy engine can evaluate rules consistently, but it still depends on the quality of the subject and evidence it receives. When the subject is a workload, a human, and possibly a sub-agent combined, the policy model has to carry more context than a simple principal identifier.

Practical implication: separate identity proof from authorization reasoning and design policy inputs for agent context, not just credentials.

Intent drift in tool-using agents

Intent drift occurs when an agent begins with one stated goal and, through a sequence of tool calls, reaches a materially different outcome. Each step may be individually permitted, which is why conventional per-action checks can miss the real risk. The failure is not only policy bypass. It is the widening gap between declared intent and runtime behaviour. That is why many practitioners are now talking about an intent plane alongside the action plane, so the decision system can reason about whether the session is still aligned to the original request.

Practical implication: log and evaluate request chains, not just isolated actions, so drift can be detected before the final outcome.
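
The gap between per-call approval and session-level alignment, as an added example (not code from Cerbos or NHI Mgmt Group). The grant table, goal envelope, subject names, and the ALLOW/DENY/DRIFT labels are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy data for illustration (not from Cerbos or IIW42).
GRANTS = {"wl:report-bot": {"crm.read", "file.write", "email.send"}}
GOAL_ENVELOPE = {"summarise-q1-accounts": {"crm.read", "file.write"}}

@dataclass(frozen=True)
class Subject:
    """Subject-as-vector: a bundle of evidence, not a single principal."""
    workload: str
    human: str
    sub_agent: Optional[str] = None

@dataclass
class Session:
    subject: Subject
    declared_goal: str
    trace: list = field(default_factory=list)  # ordered decision log

def decide(session: Session, action: str, resource: str) -> str:
    """Return DENY (not granted), ALLOW (granted and within the declared
    goal) or DRIFT (granted per call, but outside the declared goal)."""
    granted = action in GRANTS.get(session.subject.workload, set())
    in_goal = action in GOAL_ENVELOPE.get(session.declared_goal, set())
    decision = "DENY" if not granted else "ALLOW" if in_goal else "DRIFT"
    # Log subject, goal, capability and outcome so the chain can be replayed.
    session.trace.append({
        "seq": len(session.trace) + 1, "subject": session.subject,
        "goal": session.declared_goal, "action": action,
        "resource": resource, "per_call_allowed": granted,
        "decision": decision,
    })
    return decision

def run_session() -> Session:
    """Constructed request chain: every call is granted, the last is off-goal."""
    s = Session(Subject("wl:report-bot", "user:alice", "sub:mailer"),
                "summarise-q1-accounts")
    for action, resource in [("crm.read", "accounts/q1"),
                             ("file.write", "reports/q1.md"),
                             ("email.send", "external:partner@example.com")]:
        decide(s, action, resource)
    return s

if __name__ == "__main__":
    for entry in run_session().trace:
        print(entry["seq"], entry["action"], entry["decision"])
```

A per-call check alone would report three allowed actions; the DRIFT result appears only because the declared goal travels with every decision in the trace.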

Cross-trust-domain authorization

Cross-trust-domain authorization becomes hard when one system’s action vocabulary does not map cleanly to another’s. An agent may ask to edit a photo in one domain, while the target system interprets the same activity as metadata modification or content transformation. That translation gap creates policy ambiguity, because the PDP can only reason accurately if the action semantics are stable across boundaries. In practice, the problem grows when agents cross organisational or product boundaries, where local schemas and control expectations diverge.

Practical implication: normalise action semantics at domain boundaries and avoid assuming one policy vocabulary will carry across every external system.
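
One way to make that boundary translation explicit and auditable, as an added example (not code from Cerbos or NHI Mgmt Group). The domain names, local verbs, canonical action names, and approval sets are constructed assumptions built around the photo-editing case above.

```python
# Constructed mapping tables for illustration (assumed names throughout).
# (domain, local verb) -> canonical actions the verb implies in that domain.
TRANSLATION = {
    ("photos-app", "edit_photo"): {"content.transform"},
    ("dam-partner", "edit_photo"): {"content.transform", "metadata.modify"},
    ("dam-partner", "view_asset"): {"content.read"},
}
# Canonical actions approved for the agent when it crosses into each domain.
APPROVED = {
    "photos-app": {"content.read", "content.transform"},
    "dam-partner": {"content.read", "content.transform"},
}

def authorize_across_boundary(domain: str, local_verb: str) -> dict:
    """Translate a local verb to canonical actions, then decide.

    Fails closed: an unmapped verb is denied rather than guessed at.
    The returned record keeps the translation so it can be audited."""
    canonical = TRANSLATION.get((domain, local_verb))
    record = {"domain": domain, "local_verb": local_verb,
              "canonical": sorted(canonical or []), "missing": []}
    if canonical is None:
        record.update(decision="DENY", reason="unmapped_verb")
        return record
    # Every canonical action the verb implies must be approved in this domain.
    missing = canonical - APPROVED.get(domain, set())
    record["missing"] = sorted(missing)
    if missing:
        record.update(decision="DENY", reason="unapproved_canonical_action")
    else:
        record.update(decision="ALLOW", reason="all_canonical_actions_approved")
    return record

if __name__ == "__main__":
    for d, v in [("photos-app", "edit_photo"), ("dam-partner", "edit_photo"),
                 ("dam-partner", "purge_asset")]:
        print(authorize_across_boundary(d, v))
```

The same `edit_photo` verb is allowed in one domain and denied in the other because the target system also treats it as a metadata change, and the record states which canonical action was missing.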




NHI Mgmt Group analysis

Agent authorization is becoming an identity governance problem, not just an application design problem. IIW42 shows that the field is moving from “can the agent authenticate?” to “what exactly is the policy engine being asked to decide?” That is an identity governance shift because the subject is no longer a stable human principal with durable roles. Practitioners should treat the authorization request itself as the governance unit.

Intent drift is the named failure mode that exposes current control limits. The article describes a session that can begin with a benign goal and end in a materially different action chain, even when each tool invocation passes policy. That means the governance assumption that action-level approval equals intent-level safety is too weak for agentic systems. Practitioners should stop treating per-call authorization as sufficient evidence of alignment.

Identity is optional for authorization, but critical for accountability. That line captures a real governance tension. You can sometimes authorise a capability without a stable principal, but once something goes wrong, accountability collapses if the actor cannot be reconstructed from the evidence trail. The implication is that audit design now has to preserve enough subject context to answer who or what did this, even when the runtime actor is ephemeral.

The subject-as-vector model will force IAM teams to rethink principal design. The article’s “workload plus human, sometimes plus sub-agent, sometimes plus device attestation” framing is more than semantics. It means traditional principal plus roles thinking under-describes the actual decision surface, especially when authorization decisions depend on mixed evidence. Practitioners should expect policy models to become more compositional and less identity-centric over time.

Cross-trust-domain authorization is where agentic systems will fail first. The hardest unresolved problem is not single-system policy enforcement, but translating intent and action meaning across domains with different vocabularies. That creates a governance fracture between local correctness and end-to-end correctness. Practitioners should treat external domain translation as a first-class policy risk, not an integration detail.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
  • For agentic systems, review the control model alongside Ultimate Guide to NHIs so accountability, lifecycle, and visibility stay aligned as identity subjects become more dynamic.

What this signals

Subject-as-vector is the useful concept to carry forward from IIW42. Once an authorization request can include workload identity, human direction, device context, and delegated sub-agent evidence, the old principal-plus-role model stops describing the real decision surface. That is why capability-based policy design will matter more, especially as agent workflows cross trust boundaries and identity context becomes compositional rather than fixed.

The broader signal for programmes is that auditability will become a design constraint, not a reporting layer. If teams cannot reconstruct the actor and the intent chain after the fact, they do not really have governance, only enforcement. For practitioners, the immediate watch item is whether current policy architecture can preserve subject continuity without forcing every agent into a human-shaped identity model.

The governance gap is not theoretical when secrets and access tokens remain slow to remediate. In The State of Secrets in AppSec, the average estimated time to remediate a leaked secret is 27 days, which is far too long in a world where short-lived agents can act and mutate within one session. That is the operational pressure that will push teams toward stronger request tracing, tighter domain translation, and clearer accountability boundaries.


For practitioners

  • Model request chains, not isolated tool calls: Capture the declared goal, the intermediate actions, and the final outcome in one trace so reviewers can spot intent drift instead of only validating each step in isolation.
  • Preserve accountable subject context: Keep enough evidence to reconstruct the actor behind the decision, including workload identity, human origin, and any delegated sub-agent context, so post-incident review can assign responsibility.
  • Treat cross-domain action translation as a policy control: Define a normalised action vocabulary for external systems and map local verbs to policy-safe equivalents before the agent crosses a trust boundary.
  • Design authorization around capabilities and context: Use capability-based policy inputs that reflect action, resource, and runtime context rather than assuming a stable role will describe the agent correctly for the whole session.

Key takeaways

  • Agent authorization now depends on runtime context, not just whether an identity can authenticate successfully.
  • Intent drift creates a governance gap because per-action approval can still produce an outcome that violates the original request.
  • IAM teams need policy models that preserve accountability across mixed subject types, trust boundaries, and short-lived agent sessions.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | Agent authorization and tool invocation map directly to agentic application risk. |
| NIST AI RMF | | Intent drift and accountability sit inside AI governance and risk management. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Policy evaluation on each request reflects continuous verification for dynamic subjects. |

Define governance ownership for agent decisions, auditability, and escalation paths before deployment.


Key terms

  • Agent Authorization: The process of deciding what an AI agent or other non-human actor can do at runtime. It goes beyond login and focuses on capabilities, resource scope, and evidence, which makes it a governance control as much as a technical policy decision.
  • Intent Drift: A mismatch between the original purpose of an agent session and the outcome produced by a later chain of actions. It matters because each step can be individually permitted while the overall behaviour still becomes unsafe or non-compliant.
  • Subject-as-Vector: A way of describing an authorization subject as a bundle of evidence rather than a single identity record. In agentic systems, the subject may include workload identity, human direction, device context, and delegated components, which makes policy evaluation more compositional.
  • Deterministic Policy Engine: A policy decision component that evaluates rules consistently rather than relying on ad hoc human judgment. For agentic authorization, it provides repeatable decisions, but it still depends on accurate subject context and well-defined action semantics.


This post draws on content published by Cerbos: IIW42 and the rise of agent authorization. Read the original.
