Subscribe to the Non-Human & AI Identity Journal

Forums
The Non-Human & AI ...
Agentic AI, AI Agen...
Agent authorization...
 
Notifications
Clear all

Agent authorization and vault controls: are your IAM controls ready?

 
    Last Post
  RSS

 NHI Mgmt Group
(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter 10/06/2026 10:58 pm  

TL;DR: Agents are moving from pilots to production, but IAM models built for human sessions cannot reliably govern continuous tool use, delegated actions, and runtime decision paths, according to Cerbos' EIC 2026 analysis. The real control question is no longer inventorying agents first, but deciding what actions they may take at the point where money, data, or production state can move.

NHIMG editorial — based on content published by Cerbos: EIC 2026 analysis of AI agent authorization, delegation, and runtime policy

Questions worth separating out

Q: How should security teams govern AI agent actions at runtime?

A: Security teams should evaluate each consequential action at the point of execution, not only at authentication or provisioning time.

Q: Why do AI agents complicate traditional IAM and PAM controls?

A: AI agents complicate traditional IAM and PAM controls because those models assume stable entitlements and human-paced review cycles.

Q: What breaks when an agent uses a human credential for delegated work?

A: What breaks is accountability.

Practitioner guidance

  • Map the vaults first Identify the tools, APIs, data stores, workflows, credentials, and transactions where an agent action can create real harm.
  • Preserve delegation at every hop Use token exchange or equivalent claims propagation so each downstream service can see the actor chain, audience, and delegated authority.
  • Move policy evaluation into the runtime path Evaluate access where the action becomes real, whether that is a gateway, MCP server, application service, or data layer.

What's in the full article

Cerbos' full analysis covers the operational detail this post intentionally leaves for the source:

  • Runtime policy placement across gateways, MCP servers, application services, and data layers
  • Decision log design for reconstructing agent actions with policy basis and context
  • Delegation patterns using token exchange and actor claims across service hops
  • Practical examples of where authorization should happen when an agent reaches a vault

👉 Read Cerbos' analysis of AI agent authorization and runtime policy →

Agent authorization and vault controls: are your IAM controls ready?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
Topic Tags
cerbos agentic-ai authorization delegation-chain runtime-policy
Forum Jump:
  Previous Topic
Next Topic  
Related Topics
Topic Tags:  cerbos (105) , agentic-ai (614) , authorization (71) , delegation-chain (3) , runtime-policy (12) ,
Share:

#1 Authority in NHI Education, Research and Advisory, empowering organizations to tackle the critical risks posed by Non-Human Identities (NHIs), including AI Agents.

Get in Touch

Quick Links

Legal & Policies

©2025 NHIMG. All right reserved.