
Why Existing AuthZ Does Not Extend to Agents

Same problem, different blast radius.

A reasonable assumption: if your authorization works for human users, it should work for the agents they spawn. After all, the agent is just acting on behalf of the user, right? In practice, four things break.

Speed

A human takes seconds between actions. An agent takes milliseconds. An authorization system that is fast enough for human-paced clicks may not survive the volume of an agent making thousands of policy queries per session. Caching becomes dangerous. Stale decisions become costly.

Volume

One human does dozens of things in an hour. One agent might do thousands. The policy layer designed for human throughput hits limits you did not plan for. The audit log designed for human actions becomes unreadable noise.

Chaining

A human chain looks like: user to app to data. An agent chain looks like: user to agent to tool to another agent to data to another tool to response. By the time an action happens, the original user context may be three or four hops upstream. Whose authorization context applies? When is identity preserved, and when is it lost?

Standing privileges become catastrophic

A human with overprovisioned access is a risk. An agent with overprovisioned access is the same risk, multiplied by speed and volume. If an agent's credentials are compromised, or if the agent is manipulated by a clever prompt, the blast radius is whatever standing access it had. Zero standing privileges stops being a nice-to-have.

What this means in practice

You cannot bolt agents onto existing authorization. The principles transfer: externalized policy, fine-grained decisions, real-time enforcement. The implementation usually has to evolve:

  • Agents need their own identities, not shared ones
  • Standing access needs to give way to ephemeral, just-in-time credentials
  • Authorization needs to happen at every hop in the chain, not just the entry point
  • Audit needs to capture intent, not just action
  • Real-time revocation has to actually be real-time
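
The five points above, sketched as one added example (not PlainID's code or any product's API): a hypothetical in-memory policy decision point that issues short-lived, narrowly scoped grants to a named agent, re-checks them on every hop, records the original user and intent, and honors revocation on the very next call. All class, agent, and resource names are assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    agent_id: str       # the agent's own identity, never a shared one
    on_behalf_of: str   # original user, preserved across every hop
    scope: frozenset    # exact (action, resource) pairs; nothing standing
    intent: str         # why access was requested, recorded for audit
    expires_at: float

class PolicyDecisionPoint:  # hypothetical in-memory PDP; names are illustrative
    def __init__(self, clock=time.monotonic):
        self.clock, self.grants, self.revoked, self.audit = clock, {}, set(), []

    def issue(self, agent_id, user, scope, intent, ttl=30.0):
        token = secrets.token_urlsafe(16)
        self.grants[token] = Grant(agent_id, user, frozenset(scope), intent, self.clock() + ttl)
        return token

    def revoke(self, agent_id):
        self.revoked.add(agent_id)  # read on every check, so no cached allow survives

    def authorize(self, token, caller, action, resource):
        g = self.grants.get(token)
        if g is None or g.agent_id != caller:
            reason = "unknown_or_foreign_grant"
        elif caller in self.revoked:
            reason = "revoked"
        elif self.clock() >= g.expires_at:
            reason = "expired"
        elif (action, resource) not in g.scope:
            reason = "out_of_scope"
        else:
            reason = "allow"
        self.audit.append({"agent": caller, "user": g and g.on_behalf_of,
                           "intent": g and g.intent, "action": action,
                           "resource": resource, "decision": reason})
        return reason == "allow"

def demo():  # constructed identities and resources
    pdp = PolicyDecisionPoint()
    t = pdp.issue("agent:planner", "user:alice", {("read", "crm/acct-1")}, "renewal summary")
    hops = [pdp.authorize(t, "agent:planner", "read", "crm/acct-1"),   # granted
            pdp.authorize(t, "agent:planner", "write", "crm/acct-1"),  # never granted
            pdp.authorize(t, "agent:mailer", "read", "crm/acct-1")]    # grant is not theirs
    pdp.revoke("agent:planner")
    return hops + [pdp.authorize(t, "agent:planner", "read", "crm/acct-1")], pdp.audit
```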

The practical first step

Inventory your agents. Find out what credentials they are using. Find out what they could access if they were compromised right now. Most teams who do this exercise are surprised, and not in a good way.

Agents do not need a different authorization philosophy than humans. They need the same one, applied with more rigor and enforced in real time. The good news: if you build for agents, your human authorization gets better too.
