Agentic authorization at Identiverse: what IAM teams missed


Posted by @nhi-mgmt-group (Member Moderator, topic starter)

TL;DR: Cerbos' clearest takeaway from Identiverse is that autonomous agents expose authorization gaps that human workflows could hide, and that existing building blocks such as Shared Signals, AuthZEN, and SPIFFE can support fresher, decision-time governance. The decisive shift is that access review cadences and static permissions no longer match runtime agent behaviour, so governance has to move to the decision point.

NHIMG editorial — based on content published by Cerbos: AI agent authorization is exposing long-standing governance gaps

Questions worth separating out

Q: How should security teams govern delegated authorization for AI agents and service accounts?

A: Security teams should govern delegated authorization by defining the delegator, the trustee, the allowed purpose, and the revocation path before any action can run.

Q: Why do AI agents create problems that traditional access reviews miss?

A: AI agents create problems that access reviews miss because review cycles assume privilege exists long enough to be observed and certified.

Q: What breaks when OAuth scopes are used to authorise agent tool calls?

A: OAuth scopes break down when they are asked to authorise a specific agent action, because scopes do not fully express who is acting, what tool is being called, with which arguments, and in what context.

Practitioner guidance

  • Map your delegated-authority boundaries: list every workflow where an agent, service account, or third party can act on behalf of another principal, then mark where the original organisation no longer controls the trustee.
  • Move authorization checks to the action point: treat tool calls, resource access, and privileged operations as individually authorised events.
  • Wire fresh signals into policy evaluation: feed revocation, account changes, device risk, and provisioning events into the systems that evaluate requests.
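The three guidance points above, together with the earlier answers on defining delegator, trustee, purpose and revocation path and on why an OAuth scope cannot express a specific agent action, all describe one mechanism: a decision point that evaluates each tool call against the current state of a delegation grant. The example below is added here to show that mechanism end to end; it is not code from Cerbos, AuthZEN or the Shared Signals specifications. The grant and tool-call structures, the policy table, the signal event shapes (`delegation-revoked`, `account-disabled`), the `revocations` channel name and every principal, tool and amount are constructed for illustration. The `scope_allows` function is included only to contrast a coarse scope check with the per-action check.

```python
from dataclasses import dataclass


@dataclass
class DelegationGrant:
    grant_id: str
    delegator: str        # principal whose authority is exercised
    trustee: str          # agent or service account acting on the delegator's behalf
    purpose: str          # the only purpose this delegation covers
    revocation_path: str  # channel a revocation signal must arrive on (constructed name)
    revoked: bool = False


@dataclass
class ToolCall:
    actor: str
    tool: str
    args: dict
    context: dict  # decision-time attributes, e.g. purpose and device_risk


# Constructed policy table: per purpose, which tools are permitted and an argument predicate.
POLICY = {
    "invoice-reconciliation": {
        "erp.read_invoice": lambda args: True,
        "erp.approve_payment": lambda args: args.get("amount", 0) <= 1000,
    },
}


def scope_allows(scopes: set, tool: str) -> bool:
    """Coarse OAuth-scope check (constructed naming): 'erp:write' covers every
    write-type tool in the ERP. It sees neither actor, arguments nor context."""
    namespace, action = tool.split(".", 1)
    write = action.startswith(("approve", "update", "delete"))
    return f"{namespace}:{'write' if write else 'read'}" in scopes


class DecisionPoint:
    """Authorises each tool call as its own event against live grant state,
    rather than against a periodically certified snapshot of permissions."""

    def __init__(self, grants):
        self.grants = {g.grant_id: g for g in grants}
        self.audit = []  # (grant_id, actor, tool, allowed, reason)

    def ingest_signal(self, event: dict) -> None:
        """Apply a Shared-Signals-style event immediately (event shape is constructed)."""
        if event["type"] == "delegation-revoked":
            grant = self.grants.get(event["grant_id"])
            if grant and event.get("channel") == grant.revocation_path:
                grant.revoked = True
        elif event["type"] == "account-disabled":
            for grant in self.grants.values():
                if event["subject"] in (grant.delegator, grant.trustee):
                    grant.revoked = True

    def authorize(self, grant_id: str, call: ToolCall) -> tuple:
        decision = self._evaluate(grant_id, call)
        self.audit.append((grant_id, call.actor, call.tool) + decision)
        return decision

    def _evaluate(self, grant_id: str, call: ToolCall) -> tuple:
        grant = self.grants.get(grant_id)
        if grant is None:
            return False, "unknown grant"
        if grant.revoked:
            return False, "delegation revoked"
        if call.actor != grant.trustee:
            return False, f"actor {call.actor} is not the trustee"
        if call.context.get("purpose") != grant.purpose:
            return False, "purpose does not match delegation"
        if call.context.get("device_risk") == "high":
            return False, "device risk signal"
        tools = POLICY.get(grant.purpose, {})
        if call.tool not in tools:
            return False, f"tool {call.tool} outside purpose"
        if not tools[call.tool](call.args):
            return False, "argument constraint failed"
        return True, "allowed"


def demo() -> dict:
    """Constructed scenario: one grant, two payments, then a revocation signal."""
    grant = DelegationGrant("g-1", "alice", "agent-finance", "invoice-reconciliation", "revocations")
    pdp = DecisionPoint([grant])
    ctx = {"purpose": "invoice-reconciliation", "device_risk": "low"}
    small = ToolCall("agent-finance", "erp.approve_payment", {"amount": 500}, ctx)
    large = ToolCall("agent-finance", "erp.approve_payment", {"amount": 5000}, ctx)
    results = {
        "scope_large": scope_allows({"erp:read", "erp:write"}, large.tool),  # scope says yes
        "pdp_small": pdp.authorize("g-1", small),
        "pdp_large": pdp.authorize("g-1", large),
    }
    pdp.ingest_signal({"type": "delegation-revoked", "grant_id": "g-1", "channel": "revocations"})
    results["after_revoke"] = pdp.authorize("g-1", small)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the contrast is in `demo()`: the scope check approves the 5000 payment because `erp:write` is present, while the decision point denies it on the argument constraint, and denies everything once the revocation signal lands on the grant's declared revocation path, without waiting for a review cycle. The `audit` list records every decision with its reason, which is the evidence an access review would otherwise try to reconstruct after the fact.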

What's in the full article

Cerbos' full article covers the operational detail this post intentionally leaves for the source:

  • The 8-point delegation framework used to grade trust, purpose, revocation, and auditability across multi-hop chains.
  • The runtime authorization model behind AuthZEN, Shared Signals, and transaction tokens in agentic workflows.
  • The practical distinction between session-level trust, continuous authorization, and decision governance for AI agents.
  • The author’s own Identiverse session notes on shadow AI, SPIFFE, and local policy enforcement across a mesh.

Read Cerbos' Identiverse analysis of AI agent authorization and delegation.
