TL;DR: At IIW42, the core debate moved from authentication to agent authorization, with participants converging on a pattern where a sandboxed agent invokes tools while a deterministic policy engine evaluates capability, intent drift, and accountability, according to Cerbos. The governance problem is no longer whether an agent can log in, but how identity, evidence, and audit survive runtime behaviour.
NHIMG editorial — based on content published by Cerbos: IIW42 and the rise of agent authorization
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should teams authorize AI agents without relying only on roles?
A: Teams should authorise AI agents using capability and context, not just a static role.
Q: Why is intent drift a governance risk for AI agents?
A: Intent drift is risky because a sequence of individually allowed actions can still produce an outcome that no longer matches the original request.
Q: What do security teams get wrong about agent authorization logs?
A: Many teams log whether an action was allowed but not whether the actor’s original purpose changed along the way.
Practitioner guidance
- Model request chains, not isolated tool calls. Capture the declared goal, the intermediate actions, and the final outcome in one trace so reviewers can spot intent drift instead of only validating each step in isolation.
- Preserve accountable subject context. Keep enough evidence to reconstruct the actor behind the decision, including workload identity, human origin, and any delegated sub-agent context, so post-incident review can assign responsibility.
- Treat cross-domain action translation as a policy control. Define a normalised action vocabulary for external systems and map local verbs to policy-safe equivalents before the agent crosses a trust boundary.
What's in the full article
Cerbos's full article covers the operational detail this post intentionally leaves for the source:
- The session-level arguments around whether the subject should remain in the authorization request or be replaced by evidence arrays.
- The practical architecture patterns discussed by attendees for deterministic policy engines and sandboxed agents.
- The nuances of cross-trust-domain action translation when one system’s vocabulary does not map cleanly to another’s.
- The hallway-track debate on identity, accountability, and whether agent identity must remain stable for audit purposes.
Agent authorization at IIW42: what changes for IAM teams?
Explore further
Agent authorization is becoming an identity governance problem, not just an application design problem. IIW42 shows that the field is moving from “can the agent authenticate?” to “what exactly is the policy engine being asked to decide?” That is an identity governance shift because the subject is no longer a stable human principal with durable roles. Practitioners should treat the authorization request itself as the governance unit.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
A question worth separating out:
Q: How can IAM teams govern agent activity across trust boundaries?
A: IAM teams should define a normalised action vocabulary before an agent crosses into another domain. Without that, the same request can mean different things to different policy engines, which creates authorization ambiguity. Cross-boundary governance works when translation is explicit, auditable, and constrained to approved actions.
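The translation step described in the practitioner guidance and in the answer above can be sketched as a fail-closed lookup that also records the accountable subject. This is an added example, not code from Cerbos or from the IIW42 sessions; the domain names, verbs, normalised actions, subject field names and the SPIFFE-style ID are constructed assumptions.

```python
import json

# Constructed vocabulary: (external domain, local verb) -> normalised action.
# All names here are illustrative assumptions, not a real product's schema.
ACTION_MAP = {
    ("crm", "export_contacts"): "record.read",
    ("crm", "update_contact"): "record.write",
    ("billing", "issue_refund"): "payment.refund",
}
# Normalised actions the agent may carry across the trust boundary.
APPROVED = {"record.read", "record.write"}
# Subject evidence needed to assign responsibility after an incident.
REQUIRED_SUBJECT = ("workload_id", "human_origin", "delegation_chain")


def translate(domain, local_verb, subject, declared_goal):
    """Map a local verb to the normalised vocabulary, failing closed.

    Returns (decision, audit_record). Unmapped verbs, unapproved actions and
    incomplete subject context are all denied, each with its own reason.
    """
    missing = [k for k in REQUIRED_SUBJECT if k not in subject]
    action = ACTION_MAP.get((domain, local_verb))
    if missing:
        decision, reason = "deny", "incomplete subject context: " + ",".join(missing)
    elif action is None:
        decision, reason = "deny", "no mapping for local verb"
    elif action not in APPROVED:
        decision, reason = "deny", "action not approved for cross-domain use"
    else:
        decision, reason = "allow", "mapped and approved"
    audit = {
        "declared_goal": declared_goal, "subject": subject, "domain": domain,
        "local_verb": local_verb, "normalised_action": action,
        "decision": decision, "reason": reason,
    }
    return decision, audit


if __name__ == "__main__":
    subject = {  # constructed sample subject
        "workload_id": "spiffe://example.org/agent/support-bot",
        "human_origin": "alice@example.org",
        "delegation_chain": ["planner", "crm-subagent"],
    }
    for verb in ("export_contacts", "purge_contacts"):
        print(json.dumps(translate("crm", verb, subject, "summarise open tickets")[1]))
```

Because every audit record carries the declared goal alongside the normalised action, a reviewer can compare the chain of records against the original request when looking for intent drift.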