TL;DR: A weekend Instagram support-chatbot takeover showed that location checks and conversational guards can be bypassed when an AI assistant makes access decisions itself, according to TechCrunch and 404 Media. The real control failure is architectural: agents need externalized authorization, least agency, and identity context that they cannot negotiate around.
NHIMG editorial — based on content published by Cerbos: AI agent authorization and why external policy beats chat-based trust
Questions worth separating out
Q: How should security teams govern AI agents that can reset accounts or change credentials?
A: They should treat the agent as a request origin, not an authorization authority.
Q: Why do AI support agents create confused deputy risk?
A: Because they often sit between a user and a privileged backend, yet lack enough context to know whether the caller is entitled to the action.
Q: What breaks when an AI agent can make its own access control decisions?
A: Access control stops being deterministic and becomes negotiable.
Practitioner guidance
- Externalize sensitive authorization decisions: move password resets, email changes, record reads, and similar privileged actions behind a policy engine that the agent cannot edit or reason around mid-session.
- Bind requests to verified principal context: at decision time, resolve the real human, account, and relationship context from authoritative identity systems before the assistant can complete the action.
- Reduce standing authority in support agents: strip support assistants of default permission to complete account recovery tasks unless policy and context explicitly authorize the specific request.
What's in the full article
Cerbos's full article covers the operational detail this post intentionally leaves for the source:
- The exact externalized authorization pattern used to keep the agent out of the decision path.
- How identity context is pulled from existing systems at decision time for support workflows.
- The practical distinction between request handling and access approval in an agentic architecture.
- The policy boundaries needed to keep recovery actions from becoming conversationally negotiable.
👉 Read Cerbos's analysis of AI agent authorization and Instagram account takeover risk →
Explore further
Conversational access control is a broken assumption, not just a weak control. The support bot treated the conversation itself as evidence of legitimacy, which is exactly the kind of assumption that fails when an agent can be persuaded in real time. Identity verification is necessary, but it does not solve the deeper issue that the authority path was embedded in dialogue. Practitioners should treat conversational approval as an unsafe control boundary.
A few things that frame the scale:
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, which helps explain why identity and secret handling remain uneven in real programmes.
A question worth separating out:
Q: What should teams do when an AI agent sits in the account recovery path?
A: They should force every privileged action through a separate authorization service, require verified identity and relationship context, and remove standing permissions from the agent itself. Account recovery should fail closed unless the policy engine confirms the request is legitimate and the actor is entitled to proceed.
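The practitioner guidance above (externalize the decision, bind it to verified principal context, remove standing authority) and this answer (fail closed unless a separate authorization service confirms entitlement) describe one control. The following Python is an added illustration written for this post, not Cerbos's code or any Instagram implementation. It contrasts an agent that approves a password reset from what the conversation says with a tool gateway that routes every privileged action through a deny-by-default policy decision point. The action names, the `PrincipalContext` fields, the 300-second step-up window, and the `resolve_principal` hook are assumptions standing in for a real identity provider and policy engine; the conversation claims are constructed sample input.

```python
"""Externalized authorization for an AI support agent's tool calls (added example).

The agent only proposes an action. A separate policy decision point evaluates
it against principal context resolved from the identity system, which the
agent cannot edit. Nothing said in the chat reaches the decision.
All names, fields and thresholds are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Actions that must never be approved by the agent itself (assumed list).
PRIVILEGED_ACTIONS = frozenset({"reset_password", "change_email", "read_account_record"})
STEP_UP_MAX_AGE_S = 300  # assumed freshness window for step-up verification


@dataclass(frozen=True)
class PrincipalContext:
    """Resolved at decision time from the identity system, not from the chat."""
    user_id: str                          # authenticated caller
    owned_accounts: frozenset             # accounts the caller is entitled to act on
    step_up_verified_at: Optional[int]    # epoch seconds of last step-up, None if never


@dataclass(frozen=True)
class ActionRequest:
    """What the agent proposes. conversation_claims is attacker-influenced text."""
    action: str
    target_account: str
    conversation_claims: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def agent_decides(req: ActionRequest) -> Decision:
    """Anti-pattern: the agent approves privileged actions from conversational evidence.

    Anything here can be satisfied by a persuasive caller, so the control is negotiable.
    """
    claims = req.conversation_claims
    if req.action in PRIVILEGED_ACTIONS:
        if claims.get("says_is_owner") and claims.get("passed_location_check"):
            return Decision(True, "conversation looked legitimate")
        return Decision(False, "conversation not convincing")
    return Decision(True, "non-privileged action")


def policy_decides(req: ActionRequest, ctx: Optional[PrincipalContext], now: int) -> Decision:
    """Externalized, deny-by-default decision. conversation_claims is never consulted."""
    if req.action not in PRIVILEGED_ACTIONS:
        return Decision(True, "non-privileged action")
    if ctx is None or not ctx.user_id:
        return Decision(False, "no verified principal")
    if req.target_account not in ctx.owned_accounts:
        return Decision(False, "principal not entitled to target account")
    if ctx.step_up_verified_at is None or now - ctx.step_up_verified_at > STEP_UP_MAX_AGE_S:
        return Decision(False, "step-up verification missing or stale")
    return Decision(True, "owner with fresh step-up verification")


def execute_tool_call(req: ActionRequest,
                      resolve_principal: Callable[[], Optional[PrincipalContext]],
                      backend: Callable[[ActionRequest], None],
                      now: int) -> Decision:
    """Tool gateway: the only path from the agent to the backend. Fails closed."""
    try:
        ctx = resolve_principal()          # authoritative identity lookup (assumed hook)
    except Exception as exc:               # identity system unavailable: deny, do not guess
        return Decision(False, f"identity lookup failed: {exc}")
    decision = policy_decides(req, ctx, now)
    if decision.allowed:
        backend(req)                       # privileged call happens only after approval
    return decision


if __name__ == "__main__":
    # Constructed sample: a caller who talks their way past the agent.
    persuasive = ActionRequest("reset_password", "acct-victim",
                               {"says_is_owner": True, "passed_location_check": True})
    print("agent alone:", agent_decides(persuasive))
    attacker = PrincipalContext("u-attacker", frozenset({"acct-attacker"}), 900)
    print("policy, attacker session:", policy_decides(persuasive, attacker, now=1000))
    owner = PrincipalContext("u-victim", frozenset({"acct-victim"}), 900)
    print("policy, real owner:", policy_decides(persuasive, owner, now=1000))
```

The point of the gateway is that the agent has no standing authority: it cannot call `backend` directly, the decision never reads the chat, and any failure to resolve the principal is a denial rather than a fallback to whatever the conversation asserted.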
👉 Read our full editorial: AI agent authorization needs external policy, not conversational trust