惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Hacker News: Ask HN
Hacker News: Ask HN
N
News and Events Feed by Topic
Forbes - Security
Forbes - Security
The Last Watchdog
The Last Watchdog
TaoSecurity Blog
TaoSecurity Blog
Schneier on Security
Schneier on Security
SecWiki News
SecWiki News
V
Vulnerabilities – Threatpost
Project Zero
Project Zero
O
OpenAI News
W
WeLiveSecurity
Security Archives - TechRepublic
Security Archives - TechRepublic
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
H
Hacker News: Front Page
Cisco Talos Blog
Cisco Talos Blog
Spread Privacy
Spread Privacy
Help Net Security
Help Net Security
P
Privacy & Cybersecurity Law Blog
K
Kaspersky official blog
S
Security @ Cisco Blogs
Latest news
Latest news
AWS News Blog
AWS News Blog
U
Unit 42
Martin Fowler
Martin Fowler
阮一峰的网络日志
阮一峰的网络日志
S
Secure Thoughts
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Know Your Adversary
Know Your Adversary
Scott Helme
Scott Helme
博客园 - 司徒正美
B
Blog RSS Feed
C
Check Point Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
D
Docker
Google Online Security Blog
Google Online Security Blog
Jina AI
Jina AI
aimingoo的专栏
aimingoo的专栏
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Last Week in AI
Last Week in AI
月光博客
月光博客
C
CXSECURITY Database RSS Feed - CXSecurity.com
S
SegmentFault 最新的问题
NISL@THU
NISL@THU
T
The Blog of Author Tim Ferriss
C
Cisco Blogs
Attack and Defense Labs
Attack and Defense Labs
小众软件
小众软件

Cloud Security Alliance

SearchLeak: Copilot Data Exfiltration Exploited | CSA Zero-Trust AI Governance for Multi-Agent Systems | CSA Dangling CNAMEs: Hidden Cloud Risk | CSA Agentic Payments in Financial Services | CSA Mythos and the Future of Cybersecurity | CSA AI-Driven Cloud Risk: Defenders Lose Ground | CSA Financial Services Industry Shifts from AI Adoption to | CSA CSAI Foundation Announces RiskRubric V2 as the Next Key | CSA RiskRubric Updates: AI Risk Assessment | CSA Over 80% of Organizations that Miss 24-Hour Patch Window Report | CSA ORCHIDEAS & MAESTRO: Secure AI Design | CSA Top 6 Claude Security Risks to Watch | CSA Cloud Cost Optimization in 2026 | CSA HIPAA Rule Overhaul in 2026 | CSA AI-Driven Exploits Outsmart Detection | CSA MCP Risks CISOs Should Prepare For | CSA AI Governance for Trust and Compliance | CSA MTTP: Patch Cycles Too Slow | CSA Cloud Security Evolution: Security Teams Lead | CSA Misconfigurations Break Customer Trust in Apps | CSA Taming Shadow AI: C-Suite Strategies | CSA Agentic AI Threats: Five Powers | CSA AIUC-1: Agentic AI Governance | CSA 2026 Threat Report for CISOs | CSA Securing AI in AWS: Runtime Detection & Response | CSA SLMs, LLMs, and the DSPM Difference | CSA OT Security Timeline: Mythos and Patch Pace | CSA Blast Radius and Cloud Threat Detection | CSA State of AI Cybersecurity 2026: 92% Concerned | CSA AI in MDR for Franchise & Multi-Location Ops | CSA AI Regulation: Identity and Authorization Gap | CSA MITRE ATT&CK for Cloud: Detection Coverage Guide | CSA Shadow AI Agents: The Insider Threat | CSA Medical Device Breaches Reveal Cloud Security Gaps | CSA AISMM: AI Security Maturity Model for Cloud | CSA Globee® Awards for Artificial Intelligence (AI) Honors Cloud | CSA Patching Smarter for Mythos Security | CSA SDP v3: Identity-First Zero Trust for AI | CSA AI-Ready Security Documents Beyond STIX, OSCAL, and SARIF | CSA Penetration Testing for ISO 42001 & Trust | CSA AI Agent Posture: Data-First Security Guardrails | CSA AI Agents Go Beyond Output: Enterprise Security | CSA AI Agent Security Starts with Scope Control | CSA Identity Spoofing vs. Identity Abuse | CSA AARM: Securing the Agentic Runtime | CSA Securing the Agentic Control Plane | CSA CSAI Foundation Announces Key Milestones to Secure the Agentic | CSA Catastrophic AI Risk Controls | CSA Cloud to AI: Building Secure Programs | CSA Identity in AI Era: Zero Trust's First Pillar | CSA SDLC Visibility: Securing Multi-Cloud Development Lifecycles | CSA Cloud Risk: Top 3 Threats & AI Tools | CSA AI Agent Identity Is Solved Backwards | CSA 8 Truths About Cloud Privilege Risk | CSA AI Governance: Mature Programs | CSA Agent Access Management: Data-First Security | CSA Glasswing: AI-Driven Security for Safer Software | CSA Runtime Security: Detection & Real-Time Cloud | CSA Identity as the OS for AI Security | CSA Cloud Misconfigurations Drive Attacks at Scale | CSA Sensing AI Behavior with the WBSC Probe Library | CSA An Actionable Guide to GDPR Compliance for Startups | CSA Cloud Security LIVE 2026: AI Risk & Trust | CSA Shadow AI Agents: Enterprise Governance | CSA Rethinking Non-Human Identity Security | CSA New Cloud Security Alliance Survey Reveals 82% of Enterprises Have Unknown AI Agents in Their Environments More Than Half of Organizations Experience AI Agent Scope | CSA SANS Institute, Cloud Security Alliance, [un]prompted, and OWASP | CSA AI Agents Are Talking: Are You Listening? | CSA Software Supply Chain Security Needs an Upgrade Choosing the Right AI Standard: 7-Point Guide | CSA A CISO's Guide to Cloud Security Architecture | CSA Who’s Behind That Action? The AI Agent Identity Crisis SSCF Adoption for SaaS Security | CSA Mythos and the Vulnpocalypse: Cloud Defenses | CSA AI Security Risks and Data Visibility | CSA From Compliance to Credibility with CAIQ/CCM | CSA The State of Cybersecurity in the Finance Sector: Six Trends to Watch EU AI Act Compliance with prEN 18286 & ISO 42001 | CSA AI Security in the Cloud: Exposure Management | CSA Rethinking Incident Response as Engineering System | CSA Defense Depends on the Creator: AI Security | CSA ATF: Zero Trust for AI Agents | CSA Cybersecurity Needs a New Data Architecture | CSA CSA STAR v4.1 Updates for Cloud Security | CSA Unstructured Data Surges as Enterprises Struggle to Maintain | CSA SC Media Names Cloud Security Alliance’s Trusted AI Safety | CSA Exposed AWS Key Leads to Full Account Takeover | CSA Post-Quantum Cloud Migration for CSA Members | CSA AI Identity Security Compliance Checklist | CSA The Agentic Trust Deficit: MCP's Authentication Vacuum | CSA More Than Two-Thirds of Organizations Cannot Clearly Distinguish | CSA AI Cybersecurity 2026: Insights from 1,500 Leaders | CSA Three-Body Security: Data, AI & Identity | CSA IAM as Safety for AI-Controlled Systems | CSA Kubernetes Cost Savings and Security Debt | CSA Code to Cloud Security: Unified Exposure Management | CSA Retail Misconfigurations Attackers Exploit | CSA Rethinking Authorization for the Age of Agentic AI | CSA Enterprise AI: Guardrails to Governance | CSA
Audience-Driven Authorization for AI Agents | CSA
2026-04-09 · via Cloud Security Alliance

Written by Kundan Kolhe.

This is the sixth blog in a seven-part series on identity security as AI security.

TL;DR:

AI agents retrieve data using the permissions of whoever they authenticate as (checked), but output to shared workspaces where recipients have mixed permissions (not checked). For example, a CFO's agent in a Slack channel can expose executive compensation to junior analysts. Four critical vulnerabilities (CVSS 9.3-9.4) hit AnthropicMicrosoftServiceNow, and Salesforce in 2025. Same pattern: authorized retrieval, unauthorized recipients. The fix requires fine-grained authorization that computes the intersection of all recipients' permissions before data leaves the retrieval layer, a step that happens after OAuth's job is done.

The Problem

OAuth was built for a simpler world: one user, one application, one set of permissions. AI agents break that model. They operate in shared contexts where multiple people see their output. The protocol never anticipated this. Neither did the platforms built on top of it.

The result: your AI agent inherits one executive's access but broadcasts to everyone in the room. According to McKinsey, 80% of organizations have already encountered risky behaviors from AI agents, including improper data exposure and access to systems without authorization. They are right to worry.

How does this play out in practice? The OpenID Foundation's whitepaper on agentic AI describes this scenario:

A CFO deploys an AI agent in a Slack channel. The agent authenticates with the CFO's credentials and inherits access to compensation data, board materials, and HR systems. A junior analyst asks: "What's our Q3 compensation budget?" The agent retrieves budget spreadsheets, compensation plans, and executive salary schedules. Authorization check: Can the CFO access these files? Yes. The agent responds to the channel. The junior analyst now knows the CEO's salary. So does everyone else in that channel.

The agent worked exactly as designed. The authorization model failed.

The Pattern: Four Platforms, One Common Thread

Between June and October 2025, four critical-severity vulnerabilities revealed a pattern. These vulnerabilities aren't identical, but they share a common thread: authorization checked at retrieval, not at output.

Anthropic Slack MCP Server, July 2025

Johann Rehberger discovered the first critical MCP vulnerability. When agents post to Slack, the platform "unfurls" hyperlinks to generate previews. An attacker injects a prompt causing the agent, operating with admin OAuth permissions, to read sensitive files and embed that data in a URL. Slack's preview bots fetch the URL, completing zero-click exfiltration. Anthropic archived the server rather than patch it. Retrieval: admin permissions (checked). Output destination: attacker's server (not checked).

Microsoft 365 Copilot (EchoLeak), June 2025

Aim Security disclosed the first zero-click attack against a production AI agent. An attacker sends an email with hidden instructions; the recipient never opens it. Copilot's RAG engine ingests the payload alongside SharePoint and OneDrive files, then encodes sensitive data into an outbound URL bypassing Content Security Policy. The researchers called it "LLM Scope Violation": the agent flattened untrusted input with trusted data without isolating trust boundaries. Microsoft deployed a fix, but the pattern persists. Retrieval: victim's M365 permissions (checked). Output destination: attacker's URL (not checked).

ServiceNow AI Platform (BodySnatcher), October 2025

Aaron Costello at AppOmni found that Virtual Agent and Now Assist trusted a hardcoded secret plus email address for account linking. An attacker knowing only a target's email could impersonate any user, including administrators, bypassing MFA entirely. Once impersonated, attackers invoke AI agents with full victim privileges to access ITSM records or trigger privileged workflows. Costello called it "the most severe AI-driven vulnerability uncovered to date." Retrieval: impersonated user's permissions (checked). Requester identity: attacker (not checked).

Salesforce Agentforce (ForcedLeak), September 2025

Noma Security found prompt injection via Web-to-Lead forms enabling CRM data exfiltration. An attacker submits a form with hidden instructions; when an employee later queries the AI about that lead, the agent executes both requests. Worse: the domain my-salesforce-cms.com remained whitelisted despite expiring. Attackers purchased it for $5 and established a trusted exfiltration channel. Retrieval: employee's CRM permissions (checked). Output destination: attacker's domain (not checked).

The common thread: each system checked whether the invoking user could access the data. None checked whether all recipients of the output could.

What OAuth Was Never Asked to Do 

For two decades, OAuth worked because applications output data back to the same user who authorized access. AI agents break this assumption. Agents authenticate in different ways: with delegated user credentials, with their own service identities, or as user-built automations shared with others. The pattern varies, but the problem is the same - they respond in shared contexts where multiple people see their output.

The result: authorization happens at retrieval, but no check happens at output. Multi-audience contexts require extending OAuth with audience-aware authorization. In OAuth specs, "audience" refers to the target API. Here, we mean something different: the people who see what the agent outputs.

This infographic illustrates the concept of the authorization gap, contrasting checked data retrieval with unchecked data output in AI systems.

OAuth provides the foundation. Extending it for audience-aware authorization is what helps make AI agents safe.

The Architecture That Solves This

Fixing this requires audience-aware authorization: the authorization layer must know the audience before retrieval and compute the permission intersection in real time. The agent responds only with data that every audience member is authorized to see.

The architecture requires three components working together:

Fine-grained authorization engine. Models permissions as relationships, not static roles. Computes the intersection of what all audience members can access in milliseconds.

Credential management layer. Stores OAuth tokens for connected applications. Issues scoped credentials to agents based on the computed permission intersection.

Identity governance. Keeps the permission graph accurate through continuous review and remediation. Without accurate permissions, intersection computation produces wrong answers.

Permission Intersection Flow

A technical diagram illustrates the reference architecture for audience-aware authorization.

The key insight: CEO salary data is never fetched in the first place. The token issued to the agent cannot access it. This is not filtering after retrieval. This is scoping before retrieval.

Why not just use DLP? Data Loss Prevention catches sensitive data after it appears in the response. Fine-grained authorization prevents retrieval in the first place. DLP is the seatbelt. Scoped retrieval is not driving into the wall.

The Regulatory Exposure

GDPR Article 32 and Article 5(1)(f). Article 32 requires "appropriate technical and organisational measures" including protection against "unauthorised disclosure of, or access to personal data." Article 5(1)(f)  mandates processing "in a manner that ensures appropriate security." When an AI agent surfaces employee PII to unauthorized internal users, both articles apply. Fines can reach €20 million or 4% of global annual revenue.

CCPA Section 1798.150. California's private right of action allows consumers to sue when personal information "is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures." Internal overexposure via AI agents could meet this standard. Statutory damages: $100-$750 per consumer per incident.

Sarbanes-Oxley Section 404. Section 404 requires public companies to "establish and maintain an adequate internal control structure." When AI agents with executive permissions can surface material nonpublic information to unauthorized employees, your ability to demonstrate adequate controls is seriously undermined. Auditors could flag this as a material weakness.

As McKinsey's research confirms, 80% of organizations have already encountered risky behaviors from AI agents, including improper data exposure. FGA computing permission intersections before retrieval to help directly address these compliance obligations.

The Question for Your Next Security Review

Ask your security team: "For every AI agent deployed in a shared workspace, can we demonstrate that the agent's output is restricted to data that every member of that workspace is authorized to see?"

If the answer is no, you could have a regulatory violation waiting to be flagged.

Next: Blog 7 brings all six identity challenges together into a unified framework.

Building Okta’s agentic AI security business from zero to one, a $100M+ opportunity. Leads product strategy and solutioning for Okta’s AI Agents business, a CEO-level initiative defining how enterprises secure AI agents at scale before the market has fully settled. Leads a team of architects and partners with Fortune 500 security and IT executives across financial services, manufacturing, and technology. Shapes the agentic security product roadmap across Okta and Auth0. Brings two decades of experience across product, pre-sales, and marketing at startups and global enterprises across North America, the UK, Australia, and Asia.