TL;DR: Static RBAC and ABAC models assume predictable actor behaviour, but AI agents plan, adapt, and chain tool calls at runtime, creating privilege drift and out-of-scope access as intent changes mid-session, according to Reva.AI. The control gap is no longer permission assignment alone but continuous purpose verification across every agentic hop.
NHIMG editorial — based on content published by Reva.AI: intent-based authorization for AI agents and the limits of static access control
By the numbers:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Questions worth separating out
Q: How should security teams govern AI agents that can change scope mid-session?
A: Security teams should govern agents by declared purpose, approved tools, and continuous action checks rather than by static roles alone.
Q: Why do RBAC and ABAC struggle with AI agent access?
A: RBAC and ABAC were built for predictable actors whose likely actions can be defined in advance.
Q: What breaks when privilege drift is not controlled in agentic systems?
A: When privilege drift is left unchecked, an agent’s current task can diverge from the permissions it still carries.
Practitioner guidance
- Define intent scopes for every agent workflow Map each agent use case to a declared purpose, allowed tools, and approved data sources before deployment.
- Enforce authorization at every agentic hop Place policy checks at each tool invocation so a session cannot pivot into HR records, finance systems, or external APIs unless that action still matches the approved intent.
- Review new agent capabilities as boundary expansions Require governance review whenever an agent receives a new tool, new data source, or new downstream write path.
What's in the full article
Reva.AI's full article covers the operational detail this post intentionally leaves for the source:
- The step-by-step IBAC flow for parsing intent into structured access scope and enforcing it at each agentic hop.
- The judge-and-gateway architecture used to compare current actions against the approved purpose of the session.
- The practical mapping between intent templates and policy engines such as Cedar, OPA, OpenFGA, and Amazon Verified Permissions.
- Examples of how behavioural monitoring and authorization enforcement are combined in production deployments.
👉 Read Reva.AI's analysis of intent-based authorization for AI agents →
AI agent privilege drift: what runtime authorization must change?
Explore further
Static authorization assumptions were designed for predictable actors, and that assumption fails when an agent can re-plan at runtime. RBAC and ABAC assume the access request is the last meaningful point of interpretation. That breaks when the actor can select new tools, alter its path, and continue under the same identity without a human approval gate. The implication is that agentic governance cannot rely on provisioning-time intent alone.
A few things that frame the scale:
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to the same report.
A question worth separating out:
Q: How do you know whether agent observability is enough?
A: Observability is enough only when the organisation already has real-time policy enforcement at the tool layer. If logs and alerts are the main defence, the session can complete harmful actions before anyone responds. In agentic systems, visibility supports investigation, but enforcement prevents misuse.
👉 Read our full editorial: Identity-first authorization breaks down as agents shift intent