TL;DR: AWS Bedrock AgentCore Code Interpreters can be invoked with IAM permissions and, when custom interpreters carry privileged execution roles, that access can be used to pivot into those roles and perform control plane actions, according to Sonrai Security. Existing cloud IAM patterns do not yet control this AI-centric privilege path cleanly, so organisational-level guardrails matter now.
NHIMG editorial — based on content published by Sonrai Security: AWS AgentCore, the overlooked privilege escalation path in Bedrock's AI tooling
By the numbers:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Questions worth separating out
Q: How should security teams govern AI tools that can act with privileged cloud roles?
A: Security teams should govern AI tools as privileged identity paths, not as harmless application components.
Q: When does an AI code interpreter become a privilege escalation risk?
A: An AI code interpreter becomes a privilege escalation risk when callers can reach it directly and the interpreter runs with permissions broader than the caller should have.
Q: What do security teams get wrong about AI tool sandboxing in cloud environments?
A: Teams often assume that sandboxing alone prevents privilege abuse, but sandboxing does not remove the interpreter’s execution role or the permissions attached to it.
Practitioner guidance
- Inventory every callable AI tool as a privileged identity path Map Bedrock AgentCore Code Interpreters and similar agent tools to the IAM permissions that invoke them, then identify the execution roles they can act under.
- Restrict interpreter execution roles to task-scoped permissions Remove broad control plane and data plane access from custom code interpreters unless the task explicitly requires it.
- Enable and monitor CloudTrail data events for interpreter use Turn on logging for InvokeCodeInterpreter and review CreateCodeInterpreter activity so that unauthorized use and risky setup patterns are visible.
What's in the full article
Sonrai Security's full blog covers the operational detail this post intentionally leaves for the source:
- The exact IAM permissions required to invoke Bedrock AgentCore Code Interpreters and how they map to the escalation path.
- Step-by-step examples of default and custom interpreter execution roles in AWS.
- The CloudTrail data event configuration needed to catch InvokeCodeInterpreter activity.
- The SCP pattern Sonrai describes for denying unintended interpreter access at the organization level.
👉 Read Sonrai Security's analysis of AWS AgentCore privilege escalation →
AgentCore code interpreters: what IAM teams are missing?
Explore further
AI-centric tools become part of the identity plane the moment they can invoke privileged actions. This article shows that a code interpreter is not a neutral runtime helper once IAM permissions and execution roles are involved. The control boundary shifts from the agent to the tool, which means identity governance must cover the tool surface as well as the agent runtime. The practitioner conclusion is simple: if a tool can act with role privilege, it must be governed as privileged identity infrastructure.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: Who is accountable when a privileged AI tool is invoked outside its intended scope?
A: Accountability sits with the teams that own IAM policy, platform guardrails, and the tool’s execution role, because those controls determine whether the invocation path exists. If logging is not enabled or resource-level controls are unavailable, the governance gap becomes organizational, not just technical. Frameworks such as Zero Trust and privileged access governance should cover the tool path itself.
👉 Read our full editorial: AWS AgentCore code interpreters expose an AI role escalation path