Because the risk comes from who can invoke, modify, and share models, not only from malicious behaviour. Broad permissions can expose sensitive prompts, internal data, and cost controls, while still appearing operationally normal. The failure mode is overbroad access combined with weak separation of duties and weak identity traceability.
Why This Matters for Security Teams
Bedrock permissions become a governance risk when legitimate users can still do the wrong thing at scale. In practice, the issue is not simply access to a model invocation API, but who can change prompts, attach data sources, publish agents, share workspaces, or approve downstream use. Those permissions can expose sensitive inputs, create uncontrolled spend, and blur accountability while everything still looks operationally normal.
This is why NHI governance discussions increasingly focus on entitlement design, separation of duties, and traceability rather than just blocking abuse. The broader pattern is documented in Top 10 NHI Issues and in the OWASP Non-Human Identity Top 10, both of which highlight how overbroad machine permissions quietly expand blast radius. Current guidance suggests treating Bedrock access as a privileged workload problem, not a simple application permission.
The operational risk is heightened because model use often spans development, data engineering, and product teams, each with different tolerance for disclosure and cost exposure. In practice, many security teams encounter drift only after prompt data, model configuration, or usage quotas have already been shared beyond their intended scope, rather than through intentional policy review.
How It Works in Practice
Bedrock governance works best when permissions are broken into distinct actions and reviewed separately. A team may legitimately need to invoke a foundation model, but not to alter agents, publish prompt libraries, connect sensitive knowledge bases, or share assets across accounts. That distinction matters because legitimate usage can still create risk when the same principal can both build and approve, or when inherited permissions allow broad reuse with weak identity traceability.
A practical control pattern is to map permissions to business functions, then apply least privilege and explicit approval gates around high-impact actions. That includes separating model invocation from resource management, restricting who can register or share agents, and logging every action with a durable identity trail. For workload identity, current practice increasingly uses short-lived credentials and runtime trust signals instead of long-lived static secrets. NIST’s Cybersecurity Framework 2.0 is useful for aligning these controls to governance outcomes, while the Lifecycle Processes for Managing NHIs section explains why issuance, rotation, and revocation must be tied to operational ownership.
- Separate invoke, modify, publish, and share permissions.
- Use role design that limits who can create or attach data sources.
- Require strong logging for prompts, outputs, and configuration changes.
- Prefer short-lived credentials and scoped tokens over standing access.
- Review who can approve cost-bearing or data-exposing actions.
These controls tend to break down when teams reuse broad platform roles across dev, test, and production because the same identity can then both experiment and expose sensitive assets.
Common Variations and Edge Cases
Tighter Bedrock permissions often increase delivery friction, requiring organisations to balance developer speed against data protection and auditability. That tradeoff is real, especially where multiple teams share the same account structure or where model workflows are embedded in CI/CD and production automation.
There is no universal standard for exactly how granular these controls should be yet, but best practice is evolving toward context-aware authorization at request time rather than static role grants. That approach fits the way autonomous and semi-autonomous workloads actually behave: they can chain actions, call tools, and move from innocuous invocation to sensitive data access without a human change request in the middle. Guidance from the AI LLM hijack breach case study and the Regulatory and Audit Perspectives section both reinforce the same lesson: traceability matters as much as prevention.
One edge case is delegated administration, where platform owners need enough access to support business users but should not also be able to review sensitive content or approve their own controls. Another is cross-account sharing, which can look legitimate while bypassing local review and making ownership unclear. In those environments, current guidance suggests stronger identity binding, narrower trust boundaries, and periodic entitlement recertification rather than relying on platform defaults alone.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Overbroad Bedrock permissions map to weak NHI credential governance. |
| OWASP Agentic AI Top 10 | A-04 | Agent and tool permissions need runtime control, not static broad access. |
| NIST AI RMF | AI governance must address accountability, traceability, and misuse risk. |
Separate agent invocation, tool access, and publishing rights with request-time checks.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
