Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Agentic authorization at Identiverse: what IAM teams missed


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: At Identiverse, the clearest message was that autonomous agents expose authorization gaps that human workflows could hide, and that existing building blocks like Shared Signals, AuthZEN, and SPIFFE can support fresher, decision-time governance, according to Cerbos. The decisive shift is that access review cadences and static permissions no longer match runtime agent behaviour, so governance has to move to the decision point.

NHIMG editorial — based on content published by Cerbos: AI agent authorization is exposing long-standing governance gaps

By the numbers:

Questions worth separating out

Q: How should security teams govern delegated authorization for AI agents and service accounts?

A: Security teams should govern delegated authorization by defining the delegator, the trustee, the allowed purpose, and the revocation path before any action can run.

Q: Why do AI agents create problems that traditional access reviews miss?

A: AI agents create problems that access reviews miss because review cycles assume privilege exists long enough to be observed and certified.

Q: What breaks when OAuth scopes are used to authorise agent tool calls?

A: OAuth scopes break down when they are asked to authorise a specific agent action, because scopes do not fully express who is acting, what tool is being called, with which arguments, and in what context.

Practitioner guidance

  • Map your delegated-authority boundaries List every workflow where an agent, service account, or third party can act on behalf of another principal, then mark where the original organisation no longer controls the trustee.
  • Move authorization checks to the action point Treat tool calls, resource access, and privileged operations as individually authorised events.
  • Wire fresh signals into policy evaluation Feed revocation, account changes, device risk, and provisioning events into the systems that evaluate requests.

What's in the full article

Cerbos' full article covers the operational detail this post intentionally leaves for the source:

  • The 8-point delegation framework used to grade trust, purpose, revocation, and auditability across multi-hop chains.
  • The runtime authorization model behind AuthZEN, Shared Signals, and transaction tokens in agentic workflows.
  • The practical distinction between session-level trust, continuous authorization, and decision governance for AI agents.
  • The author’s own Identiverse session notes on shadow AI, SPIFFE, and local policy enforcement across a mesh.

👉 Read Cerbos' Identiverse analysis of AI agent authorization and delegation →

Agentic authorization at Identiverse: what IAM teams missed?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Authorization is becoming the control plane for AI agents, not a downstream policy check. The article's core insight is that agents expose the weakness of systems that still treat authorization as a post-authentication formality. When the actor chooses actions at runtime, the decision itself becomes the governance object. That shifts identity programmes toward decision governance, where context, intent, and revocation all have to be available before the action runs. Practitioners should treat runtime authorization as the primary enforcement surface.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases.

A question worth separating out:

Q: Who is accountable when delegated access crosses trust domains?

A: Accountability becomes shared and harder to prove when delegated access crosses trust domains, because the original principal, the trustee, and the receiving organisation all influence the outcome. The only defensible answer is an auditable chain that shows authority, constraints, and revocation all the way back to the original principal.

👉 Read our full editorial: AI agent authorization is exposing long-standing governance gaps



   
ReplyQuote
Share: