Agent authorization at IIW42: what changes for IAM teams?

TL;DR: At IIW42, the core debate moved from authentication to agent authorization, with participants converging on a pattern where a sandboxed agent invokes tools while a deterministic policy engine evaluates capability, intent drift, and accountability, according to Cerbos. The governance problem is no longer whether an agent can log in, but how identity, evidence, and audit survive runtime behaviour.

NHIMG editorial — based on content published by Cerbos: IIW42 and the rise of agent authorization

By the numbers:

• When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.

Questions worth separating out

Q: How should teams authorize AI agents without relying only on roles?

A: Teams should authorise AI agents using capability and context, not just a static role.

Q: Why is intent drift a governance risk for AI agents?

A: Intent drift is risky because a sequence of individually allowed actions can still produce an outcome that no longer matches the original request.

Q: What do security teams get wrong about agent authorization logs?

A: Many teams log whether an action was allowed but not whether the actor’s original purpose changed along the way.

Practitioner guidance

• Model request chains, not isolated tool calls Capture the declared goal, the intermediate actions, and the final outcome in one trace so reviewers can spot intent drift instead of only validating each step in isolation.
• Preserve accountable subject context Keep enough evidence to reconstruct the actor behind the decision, including workload identity, human origin, and any delegated sub-agent context, so post-incident review can assign responsibility.
• Treat cross-domain action translation as a policy control Define a normalised action vocabulary for external systems and map local verbs to policy-safe equivalents before the agent crosses a trust boundary.

What's in the full article

Cerbos's full article covers the operational detail this post intentionally leaves for the source:

• The session-level arguments around whether the subject should remain in the authorization request or be replaced by evidence arrays.
• The practical architecture patterns discussed by attendees for deterministic policy engines and sandboxed agents.
• The nuances of cross-trust-domain action translation when one system’s vocabulary does not map cleanly to another’s.
• The hallway-track debate on identity, accountability, and whether agent identity must remain stable for audit purposes.

👉 Read Cerbos's analysis of agent authorization, intent drift, and accountability →

Agent authorization at IIW42: what changes for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →