TL;DR: AI agents can become privilege escalation paths when tool access, token scopes, and the human user's real entitlements are not enforced as a single intersection, according to Andromeda Security. The confused deputy problem is now a core agent-security failure mode, because shared identities can hide the human ceiling and bypass application-level checks.
NHIMG editorial — based on content published by Andromeda Security: The Permission Gap: Why Your AI Agent is a Privilege Escalation Machine
Questions worth separating out
Q: How should security teams prevent AI agents from escalating user privileges?
A: Security teams should enforce the user's real entitlement at the point where the agent request is mediated, not only at the target application.
Q: Why do AI agents create confused deputy risk in IAM?
A: AI agents create confused deputy risk because the actor making the request, the identity carrying the token, and the user who asked for the task may not be the same authority.
Q: When do OAuth scopes fail to protect AI agent access?
A: OAuth scopes fail when teams expect them to express precise tool and resource boundaries that they were never designed to describe.
Practitioner guidance
- Map every agent flow to the real entitlement boundary Document where the user's permissions are preserved, where they are lost, and where the agent can exceed the initiating identity.
- Require resource-bound authorization for agent calls Use token audience binding and structured authorization data so the receiving service can validate both the resource and the action, not just the presence of a valid token.
- Separate delegated flows from shared-identity flows Treat true on-behalf-of execution differently from autonomous or pooled agent execution, because the control assumptions are not the same.
What's in the full article
Andromeda Security's full article covers the operational detail this post intentionally leaves for the source:
- How the gateway obtains and presents delegated OAuth 2.0 token exchange flows in practice.
- Why OAuth scopes, resource indicators, and rich authorization requests differ operationally for agent use cases.
- Where shared agent identities break user-ceiling enforcement in real applications.
- How the author frames gateway-level enforcement as the control point for agent-mediated access.
👉 Read Andromeda Security's analysis of AI agent permission gaps and confused deputy risk →
AI agent privilege escalation: where the permission gap opens up?
Explore further
AI agent privilege escalation is a governance failure, not just an access-control defect. The article shows that the true authorization boundary is the intersection of agent policy, token scope, and the human user's entitlement. That means traditional IAM logic, which assumes the application can independently enforce the right ceiling, breaks down when the agent runs under a shared identity. Practitioners should treat this as a delegation-design problem, not a simple permission review.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: What is the difference between delegated AI access and shared agent identities?
A: Delegated access preserves the user's ceiling because the application can still see the human as the subject of the request. Shared agent identities remove that ceiling from the decision path, so the application only sees the agent's broader permission set. That difference determines whether the user's entitlement still acts as a control or disappears entirely.
👉 Read our full editorial: AI agent privilege escalation happens at the permission intersection