
Key Takeaways
- Authorization tells you what an AI agent was permitted to do. It says nothing about whether what the agent actually did was appropriate, and that gap is where modern agentic risk lives.
- Identity and access management (IAM) is a foundational layer, not a complete answer. Agents can stay entirely within their authorized scope while actively exfiltrating data.
- The Cursor incident and the PleaseFix vulnerability family documented by Zenity Labs demonstrate this isn't theoretical: authorized agents can cause material security incidents.
- Behavioral monitoring across five signal domains (identity, data, model behavior, agent posture, and environment) is required to close the gap between permitted and appropriate.
- Download Beyond Identity: The CISO's Guide to Securing Agentic AI to understand the full framework for governing agent behavior at runtime.
If there's one idea that shaped RSA 2026, it was identity. Vendor booths, keynotes, conversations. All roads led back to the same instinct: control identity, control access, control risk. That instinct is directionally correct. Identity governance is foundational. But identity answers only part of the question agentic AI is asking.
Here's the part it doesn't answer: authorization tells you what an agent was permitted to do. It says nothing about whether what it actually did was appropriate. That gap between permitted and appropriate is where modern agentic risk lives, and where most enterprise security programs currently have no visibility.
A Tale of Two Sessions
Consider an enterprise customer service agent with access to a CRM, a customer data platform, and an internal knowledge base. The agent is provisioned with a service account that adheres to least privilege principles. Its audit log shows a clean chain of access events. Nothing in the IAM layer generates an alert.
Now consider two executions of that agent on the same day. In the first, a customer asks about their account balance. The agent retrieves the relevant record, answers the question, and closes the session. Routine.
In the second execution, an attacker has embedded a malicious payload inside a document the customer uploaded. That document contains an indirect prompt injection instruction that redirects the agent's behavior mid-session. The agent, operating under the same authorized identity, with the same clean credential chain, begins retrieving records for other customers and staging them for transmission to an external endpoint.
From an authorization standpoint, both executions look identical. One is customer service. The other is a data breach in progress. Neither triggers an IAM alert.
"Detection after exfiltration is not security. Authorization tells you what was reachable. Behavioral monitoring tells you what actually happened."
This Isn't Hypothetical
Zenity Labs has documented this attack pattern across multiple production environments. In one variant of the attack family it calls PleaseFix, a single malicious calendar invite caused a compromised agent to take over a user's credential vault with zero clicks required from the victim. The agent was authorized. The identity chain was clean. The activity was a material security incident.
The Cursor incident of early 2025 offers another concrete example. An AI coding agent with properly provisioned credentials executed a destructive database operation that was technically authorized but catastrophically misaligned with its intended purpose. Identity clean. Authorization valid. Runtime behavioral insight: absent. That absence was the failure.
The broader research landscape confirms this isn't isolated. A January 2026 MDPI review of prompt injection vulnerabilities, synthesizing 45 sources and documented real-world exploits, found that the rise of AI agents and the Model Context Protocol (MCP) has substantially expanded enterprise attack surfaces. Indirect prompt injection, where malicious instructions arrive through content the agent processes in the normal course of work, consistently requires fewer attempts to succeed than direct attacks and is significantly harder to detect through access controls alone.
The Structural Boundary of IAM
The authorization trap isn't a failure of identity governance. It's the structural boundary of what identity governance is designed to see. IAM controls were built to answer one question: was this principal permitted to access this resource? They weren't designed to answer the question that follows: was accessing this resource, in this sequence, toward this apparent purpose, consistent with what this agent is supposed to be doing?
Non-human identity (NHI) sprawl compounds the problem. According to Entro Labs' H1 2025 research, machine identities now outnumber human identities at a ratio of 144 to one, up from 92 to one in the prior period. That ratio is accelerating as agentic AI adoption drives NHI creation faster than any governance program can track. At enterprise scale, agents can execute thousands of actions in the time a human operator would spend on a single decision, chain together individually authorized steps that collectively produce outcomes no human would have sanctioned, and do it all while the audit log reads as routine.
Gradual data exfiltration is the pattern most difficult to detect through access controls alone. Rather than staging a large extraction in a single session, an attacker who's manipulated an agent can instruct it to retrieve small amounts of sensitive data across many sessions over days or weeks. Each individual session triggers no data volume thresholds or credential anomaly alerts. The aggregate constitutes a significant breach.
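The two session types above, and the slow multi-session variant described here, are both invisible to a check that only asks "was this read permitted?" but both surface once the audit trail is read for behavioral context. The following is an added illustration written for this article, not Zenity's product or any real system: it parses constructed JSON audit lines (the field names `session`, `subject`, `action`, `resource` and the egress allow-list are assumptions for the example), flags per-session reads of customer records that do not belong to the session's own requester, flags egress to hosts outside the allow-list, and then aggregates out-of-scope touches across sessions over a rolling window so that a trickle of one stray record per session still adds up to an alert.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed resource naming scheme and egress allow-list for this example only.
CUSTOMER_RE = re.compile(r"^crm/customer/(?P<cid>[\w-]+)$")
APPROVED_EGRESS_HOSTS = {"chat.example.internal"}

# Constructed audit log: session s1 is routine, s2 is an injected agent
# reading other customers' records and sending them to an outside host.
FLAGRANT_LOG = """\
{"ts": "2026-03-01T09:00:01Z", "session": "s1", "subject": "cust-100", "action": "read", "resource": "crm/customer/cust-100"}
{"ts": "2026-03-01T09:00:02Z", "session": "s1", "subject": "cust-100", "action": "send", "resource": "https://chat.example.internal/reply"}
{"ts": "2026-03-01T10:15:00Z", "session": "s2", "subject": "cust-200", "action": "read", "resource": "docs/upload/invoice.pdf"}
{"ts": "2026-03-01T10:15:01Z", "session": "s2", "subject": "cust-200", "action": "read", "resource": "crm/customer/cust-200"}
{"ts": "2026-03-01T10:15:02Z", "session": "s2", "subject": "cust-200", "action": "read", "resource": "crm/customer/cust-301"}
{"ts": "2026-03-01T10:15:03Z", "session": "s2", "subject": "cust-200", "action": "read", "resource": "crm/customer/cust-302"}
{"ts": "2026-03-01T10:15:04Z", "session": "s2", "subject": "cust-200", "action": "send", "resource": "https://example.invalid/collect"}
"""

# Constructed gradual pattern: five sessions over ten days, each reading
# exactly one record that is not the requester's own. No single session
# exceeds a per-session threshold of one stray read.
GRADUAL_LOG = """\
{"ts": "2026-03-02T11:00:00Z", "session": "s3", "subject": "cust-203", "action": "read", "resource": "crm/customer/cust-203"}
{"ts": "2026-03-02T11:00:01Z", "session": "s3", "subject": "cust-203", "action": "read", "resource": "crm/customer/cust-401"}
{"ts": "2026-03-04T11:00:00Z", "session": "s4", "subject": "cust-204", "action": "read", "resource": "crm/customer/cust-204"}
{"ts": "2026-03-04T11:00:01Z", "session": "s4", "subject": "cust-204", "action": "read", "resource": "crm/customer/cust-402"}
{"ts": "2026-03-06T11:00:00Z", "session": "s5", "subject": "cust-205", "action": "read", "resource": "crm/customer/cust-205"}
{"ts": "2026-03-06T11:00:01Z", "session": "s5", "subject": "cust-205", "action": "read", "resource": "crm/customer/cust-403"}
{"ts": "2026-03-09T11:00:00Z", "session": "s6", "subject": "cust-206", "action": "read", "resource": "crm/customer/cust-206"}
{"ts": "2026-03-09T11:00:01Z", "session": "s6", "subject": "cust-206", "action": "read", "resource": "crm/customer/cust-404"}
{"ts": "2026-03-12T11:00:00Z", "session": "s7", "subject": "cust-207", "action": "read", "resource": "crm/customer/cust-207"}
{"ts": "2026-03-12T11:00:01Z", "session": "s7", "subject": "cust-207", "action": "read", "resource": "crm/customer/cust-405"}
"""


def parse_log(text):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def out_of_scope_customer(ev):
    """Return the customer id touched if it differs from the session's requester, else None."""
    m = CUSTOMER_RE.match(ev["resource"])
    if m and m.group("cid") != ev["subject"]:
        return m.group("cid")
    return None


def session_findings(events):
    """Per-session behavioral findings: out-of-scope record reads and unapproved egress."""
    findings = defaultdict(list)
    for ev in events:
        cid = out_of_scope_customer(ev)
        if cid:
            findings[ev["session"]].append(("out_of_scope_read", cid))
        if ev["action"] == "send":
            host = urlparse(ev["resource"]).hostname
            if host not in APPROVED_EGRESS_HOSTS:
                findings[ev["session"]].append(("unapproved_egress", host))
    return dict(findings)


def per_session_alerts(findings, max_out_of_scope=1):
    """Sessions whose out-of-scope read count exceeds a per-session threshold."""
    return sorted(
        s for s, fs in findings.items()
        if sum(1 for kind, _ in fs if kind == "out_of_scope_read") > max_out_of_scope
    )


def gradual_exfil(events, window=timedelta(days=14), max_distinct=3):
    """Distinct out-of-scope customers touched in any rolling window across all sessions."""
    touches = [(ev["ts"], cid) for ev in events if (cid := out_of_scope_customer(ev))]
    worst_count, worst_set = 0, set()
    for i, (start, _) in enumerate(touches):
        seen = {cid for ts, cid in touches[i:] if ts - start <= window}
        if len(seen) > worst_count:
            worst_count, worst_set = len(seen), seen
    return worst_count > max_distinct, worst_set


if __name__ == "__main__":
    for name, text in (("flagrant", FLAGRANT_LOG), ("gradual", GRADUAL_LOG)):
        evs = parse_log(text)
        print(name, "per-session alerts:", per_session_alerts(session_findings(evs)))
        print(name, "rolling-window alert:", gradual_exfil(evs))
```

Both checks consume the same authorized, credential-clean audit trail; the difference is that they compare what was touched against the session's own purpose and against the agent's history, which is the behavioral context the access decision itself never records.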
What Closing the Gap Actually Requires
Closing the gap between permitted and appropriate requires extending the security architecture beyond access grants to encompass behavioral context. The framework for doing that is built on five converging signals, each of which captures a dimension of agent behavior that authorization alone cannot see:
- Identity (NHI layer): Which identity layer is active, and is it consistent with the agent's declared purpose?
- Data (DSPM): What did the agent actually touch, and was the access proportionate to the task?
- Model behavior: Is there evidence of prompt injection, jailbreaking, or mid-execution manipulation?
- Agent posture: Has the agent's configuration or dependency state drifted from its known-good baseline?
- Environment: Are there infrastructure conditions that change the risk calculus?
No single signal is sufficient. Assembled together at runtime, they answer the question authorization alone cannot: not just what the agent was allowed to do, but whether what it did made sense.
The goal isn't to replace identity governance with behavioral monitoring. It's to extend the security architecture so that it answers both questions. Both are required, and they're complementary.
Ready to understand the complete framework for securing AI agents beyond authorization? Download Beyond Identity: The CISO's Guide to Securing Agentic AI