惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

月光博客
月光博客
Cyberwarzone
Cyberwarzone
L
LINUX DO - 最新话题
N
News and Events Feed by Topic
T
Troy Hunt's Blog
Help Net Security
Help Net Security
S
Security @ Cisco Blogs
Google DeepMind News
Google DeepMind News
Security Archives - TechRepublic
Security Archives - TechRepublic
M
MIT News - Artificial intelligence
G
Google Developers Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
V2EX - 技术
V2EX - 技术
Y
Y Combinator Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
大猫的无限游戏
大猫的无限游戏
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Microsoft Security Blog
Microsoft Security Blog
Cisco Talos Blog
Cisco Talos Blog
T
Threatpost
Recent Commits to openclaw:main
Recent Commits to openclaw:main
S
SegmentFault 最新的问题
I
InfoQ
H
Hacker News: Front Page
D
Docker
Scott Helme
Scott Helme
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Blog — PlanetScale
Blog — PlanetScale
人人都是产品经理
人人都是产品经理
博客园 - 叶小钗
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
N
Netflix TechBlog - Medium
AWS News Blog
AWS News Blog
Know Your Adversary
Know Your Adversary
博客园 - 【当耐特】
T
Tor Project blog
U
Unit 42
H
Heimdal Security Blog
Microsoft Azure Blog
Microsoft Azure Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
P
Privacy & Cybersecurity Law Blog
PCI Perspectives
PCI Perspectives
美团技术团队
O
OpenAI News
T
Tailwind CSS Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
B
Blog
GbyAI
GbyAI
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
MyScale Blog
MyScale Blog

Cloud Security Alliance

SearchLeak: Copilot Data Exfiltration Exploited | CSA Zero-Trust AI Governance for Multi-Agent Systems | CSA Dangling CNAMEs: Hidden Cloud Risk | CSA Agentic Payments in Financial Services | CSA Mythos and the Future of Cybersecurity | CSA AI-Driven Cloud Risk: Defenders Lose Ground | CSA Financial Services Industry Shifts from AI Adoption to | CSA CSAI Foundation Announces RiskRubric V2 as the Next Key | CSA RiskRubric Updates: AI Risk Assessment | CSA Over 80% of Organizations that Miss 24-Hour Patch Window Report | CSA ORCHIDEAS & MAESTRO: Secure AI Design | CSA Top 6 Claude Security Risks to Watch | CSA Cloud Cost Optimization in 2026 | CSA HIPAA Rule Overhaul in 2026 | CSA AI-Driven Exploits Outsmart Detection | CSA MCP Risks CISOs Should Prepare For | CSA AI Governance for Trust and Compliance | CSA MTTP: Patch Cycles Too Slow | CSA Cloud Security Evolution: Security Teams Lead | CSA Misconfigurations Break Customer Trust in Apps | CSA Taming Shadow AI: C-Suite Strategies | CSA Agentic AI Threats: Five Powers | CSA AIUC-1: Agentic AI Governance | CSA 2026 Threat Report for CISOs | CSA Securing AI in AWS: Runtime Detection & Response | CSA SLMs, LLMs, and the DSPM Difference | CSA OT Security Timeline: Mythos and Patch Pace | CSA Blast Radius and Cloud Threat Detection | CSA State of AI Cybersecurity 2026: 92% Concerned | CSA AI in MDR for Franchise & Multi-Location Ops | CSA AI Regulation: Identity and Authorization Gap | CSA MITRE ATT&CK for Cloud: Detection Coverage Guide | CSA Shadow AI Agents: The Insider Threat | CSA Medical Device Breaches Reveal Cloud Security Gaps | CSA AISMM: AI Security Maturity Model for Cloud | CSA Globee® Awards for Artificial Intelligence (AI) Honors Cloud | CSA Patching Smarter for Mythos Security | CSA SDP v3: Identity-First Zero Trust for AI | CSA AI-Ready Security Documents Beyond STIX, OSCAL, and SARIF | CSA Penetration Testing for ISO 42001 & Trust | CSA AI Agent Posture: Data-First Security Guardrails | CSA AI Agents Go Beyond Output: Enterprise Security | CSA AI Agent Security Starts with Scope Control | CSA Identity Spoofing vs. Identity Abuse | CSA AARM: Securing the Agentic Runtime | CSA Securing the Agentic Control Plane | CSA CSAI Foundation Announces Key Milestones to Secure the Agentic | CSA Catastrophic AI Risk Controls | CSA Cloud to AI: Building Secure Programs | CSA Identity in AI Era: Zero Trust's First Pillar | CSA SDLC Visibility: Securing Multi-Cloud Development Lifecycles | CSA Cloud Risk: Top 3 Threats & AI Tools | CSA AI Agent Identity Is Solved Backwards | CSA 8 Truths About Cloud Privilege Risk | CSA AI Governance: Mature Programs | CSA Agent Access Management: Data-First Security | CSA Glasswing: AI-Driven Security for Safer Software | CSA Runtime Security: Detection & Real-Time Cloud | CSA Identity as the OS for AI Security | CSA Cloud Misconfigurations Drive Attacks at Scale | CSA Sensing AI Behavior with the WBSC Probe Library | CSA An Actionable Guide to GDPR Compliance for Startups | CSA Cloud Security LIVE 2026: AI Risk & Trust | CSA Shadow AI Agents: Enterprise Governance | CSA Rethinking Non-Human Identity Security | CSA New Cloud Security Alliance Survey Reveals 82% of Enterprises Have Unknown AI Agents in Their Environments More Than Half of Organizations Experience AI Agent Scope | CSA SANS Institute, Cloud Security Alliance, [un]prompted, and OWASP | CSA AI Agents Are Talking: Are You Listening? | CSA Software Supply Chain Security Needs an Upgrade Choosing the Right AI Standard: 7-Point Guide | CSA Audience-Driven Authorization for AI Agents | CSA A CISO's Guide to Cloud Security Architecture | CSA Who’s Behind That Action? The AI Agent Identity Crisis SSCF Adoption for SaaS Security | CSA Mythos and the Vulnpocalypse: Cloud Defenses | CSA AI Security Risks and Data Visibility | CSA From Compliance to Credibility with CAIQ/CCM | CSA The State of Cybersecurity in the Finance Sector: Six Trends to Watch EU AI Act Compliance with prEN 18286 & ISO 42001 | CSA AI Security in the Cloud: Exposure Management | CSA Rethinking Incident Response as Engineering System | CSA Defense Depends on the Creator: AI Security | CSA ATF: Zero Trust for AI Agents | CSA Cybersecurity Needs a New Data Architecture | CSA CSA STAR v4.1 Updates for Cloud Security | CSA Unstructured Data Surges as Enterprises Struggle to Maintain | CSA SC Media Names Cloud Security Alliance’s Trusted AI Safety | CSA Exposed AWS Key Leads to Full Account Takeover | CSA Post-Quantum Cloud Migration for CSA Members | CSA AI Identity Security Compliance Checklist | CSA The Agentic Trust Deficit: MCP's Authentication Vacuum | CSA More Than Two-Thirds of Organizations Cannot Clearly Distinguish | CSA AI Cybersecurity 2026: Insights from 1,500 Leaders | CSA Three-Body Security: Data, AI & Identity | CSA Kubernetes Cost Savings and Security Debt | CSA Code to Cloud Security: Unified Exposure Management | CSA Retail Misconfigurations Attackers Exploit | CSA Rethinking Authorization for the Age of Agentic AI | CSA Enterprise AI: Guardrails to Governance | CSA
IAM as Safety for AI-Controlled Systems | CSA
2026-03-17 · via Cloud Security Alliance

Written by Kundan Kolhe.

This is the fifth blog in a seven-part series on identity security as AI security.

TL;DR:

In mid-September 2025 Chinese state actors weaponized Claude Code to conduct the first documented large-scale autonomous cyberattack. The operation targeted large tech companies, financial institutions, chemical manufacturing companies, and government agencies. Separately, in late August, a credential compromise shut down JLR's factories for five weeks at a cost of £1.9 billion. Now imagine that same attack pattern executed by an AI agent that doesn't sleep and can try a thousand credential combinations while you're reading this sentence. It's here. These attacks don't just breach perimeters. They abuse legitimate access.

The defense isn't better firewalls. It's authorization: controlling what agents can do at each step, with human oversight when it matters. For cyber-physical systems, IAM isn't IT infrastructure. It's a safety system.

The stakes are no longer theoretical

The OpenID Foundation calls this the "ultimate challenge" for identity: governing agents whose actions have direct and potentially irreversible consequences in the physical world. Authorization, the access management half of IAM, becomes a fundamental component of the system's safety case.

Three incidents in late 2025 proved we're already there.

First, AI agents proved they can attack critical infrastructure autonomously. In September, Anthropic disclosed that a Chinese state-sponsored group had weaponized Claude Code for what security researchers called the first large-scale cyberattack run primarily by an AI. The agent did most of the work: scanning for vulnerabilities, writing exploits, harvesting credentials, moving laterally through networks. Among the targets: chemical manufacturing companies. Some were successfully breached. These are facilities where compromised credentials could manipulate process controls with catastrophic consequences.

Then, researchers proved the attack surface extends to any agent with physical access. In August 2025, researchers demonstrated that a poisoned Google Calendar invite could hijack Gemini to control smart home devices like lights, shutters, and boilers. The attack, which researchers call "Promptwareopens in a new tab," exploited a fundamental authorization gap: calendar-reading permissions shouldn't grant actuator-control permissions. The mechanism is identical. Only the consequences scale.

And credential compromise proved it shuts down factories. Fast. Jaguar Land Rover suffered what is widely regarded as the most economically damaging cyberattack in UK history. Attackers gained access through a JLR supplier and kept going until they hit production systems. Robots froze. Workers went home for five weeks. More than 5,000 businesses in the JLR supply chain were impacted. Now imagine that same lateral movement executed by an AI agent that doesn't sleep, doesn't make typos, and can try a thousand credential combinations while you're reading this sentence. That's the threat model.

The credential crisis is accelerating this

IBM's X-Force 2025 confirms the shift: abusing valid accounts is now the preferred way in, accounting for 30% of all incidents. The first half of 2025 saw an 800% spike in credentials stolen by infostealer malware. Non-human identity compromise (API keys, service accounts, OAuth tokens) is now a top initial attack vector.

It's already hitting AI systems. A supply chain attack on the OpenAI plugin ecosystem harvested agent credentials from 47 enterprise deployments; attackers had access for six months before anyone noticed. Manufacturing attacks surged 61% year-over-year. Same pattern every time: stolen credentials, lateral movement, real-world damage.

The perimeter won't save you

Traditional security focuses on keeping bad actors out. Firewalls. Network segmentation. Endpoint protection. All necessary. But AI agents aren't breaking in. They're already inside, operating with legitimate credentials.

The Promptware attack didn't breach a firewall. It hijacked an authorized agent. The Claude Code operation didn't exploit a network vulnerability. It harvested valid credentials and used them. These attacks succeeded because the agents had permission to be there. They just didn't have permission to do what they did.

The question isn't where agents can go. It's what they're authorized to do at each step once they get there.

Consider a water treatment plant. An AI agent monitors chlorine levels, regulates pressure, and responds to demand fluctuations. What's its authorization envelope? It should be explicit: maintain reservoir levels between X and Y, never exceed pressure Z, escalate to a human for anything outside those bounds. But if the agent inherited broad "manage water systems" permissions from whoever deployed it, a compromised agent could push chlorine to toxic levels or trigger pressure failures. Here's the test: does your authorization architecture even let you express these constraints?

Authorization as safety infrastructure

For cyber-physical systems, IAM transcends its traditional role. It becomes a safety and policy enforcement layer.

Identity tells you who's acting. Authorization tells you what they're allowed to do, action by action, with human oversight where stakes demand it. For agents controlling physical systems, that's the architecture that prevents explosions.

Aviation doesn't rely on pilots to remember altitude limits. Nuclear facilities don't trust operators to avoid unsafe configurations. These industries learned decades ago that human attention isn't a safety system. Engineered constraints are. NIST's Zero Trust Architecture (SP 800-207) codifies this: never trust, always verify, enforce least privilege at every decision point.

For AI agents controlling physical systems, authorization is that engineered constraint. Done right, it works like this: credentials get issued just-in-time, scoped to the immediate operation, and revoked the moment context changes. Tokens that don't exist can't be stolen. A compromised agent still can't exceed its authorization envelope. High-stakes actions trigger human approval. And every action traces back to a specific user, agent, and moment.

Here's what that looks like technically. RFC 8693 (OAuth 2.0 Token Exchange) enables delegation tokens that preserve context:

{

  "sub": "[email protected]",

  "act": {

    "sub": "maintenance-agent-7"

  },

  "aud": "manufacturing-api.example.com",

  "scope": "actuator:write",

  "exp": 1737043200

}

The sub identifies the human. The act claim identifies the agent. The scope defines exactly what's permitted. Not "manage systems" but "actuator:write" for one specific resource. The exp sets expiration: 5-60 minutes for cyber-physical operations, not months. When the maintenance window closes, the token dies.

The EU AI Act classifies AI systems used as safety components in critical infrastructure (including water, gas, and electricity) as high-risk under Annex III, triggering human oversight requirements under Article 14. For systems making thousands of decisions per minute, that can't mean humans reviewing each one. It means authorization systems that enforce boundaries programmatically and escalate only genuinely exceptional conditions.

The window is shrinking

Gartner predicts AI agents will reduce the time to exploit account exposures by 50% by 2027. Attacks that took weeks will take days. The Claude Code operation already showed what machine-speed attacks look like.

Organizations that build proper authorization architecture now will be the model when regulations tighten.

The path forward

With 21 billion IoT devices and millions of industrial robots now connected, AI agents have an expanding universe of physical systems they can access and control.

The governance question is simple: for every agent with access to critical systems, can your team articulate its authorization envelope? What credentials it holds, what those credentials permit, and whether those permissions exceed operational need? If the answer is "we don't know," that gap is your attack surface.

But the gap is closable. The same authorization patterns that secure financial transactions can secure water treatment plants, chemical reactors, and robotic arms. Identity tells you who. Authorization controls what they can do at each step, with humans in the loop when it matters. For cyber-physical systems, that's not access management. It's safety infrastructure.

The architecture exists. The question is whether you'll implement it before or after you become a case study.

Next: Blog 6 explores what happens when one agent serves multiple stakeholders with different permissions. When the CFO's agent answers questions in a shared Slack channel, whose access rights govern the response?

Building Okta’s agentic AI security business from zero to one, a $100M+ opportunity. Leads product strategy and solutioning for Okta’s AI Agents business, a CEO-level initiative defining how enterprises secure AI agents at scale before the market has fully settled. Leads a team of architects and partners with Fortune 500 security and IT executives across financial services, manufacturing, and technology. Shapes the agentic security product roadmap across Okta and Auth0. Brings two decades of experience across product, pre-sales, and marketing at startups and global enterprises across North America, the UK, Australia, and Asia.