惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V
Vulnerabilities – Threatpost
aimingoo的专栏
aimingoo的专栏
B
Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
GbyAI
GbyAI
阮一峰的网络日志
阮一峰的网络日志
Engineering at Meta
Engineering at Meta
IT之家
IT之家
V
Visual Studio Blog
The Cloudflare Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
A
About on SuperTechFans
博客园 - 聂微东
Blog — PlanetScale
Blog — PlanetScale
N
News and Events Feed by Topic
A
Arctic Wolf
WordPress大学
WordPress大学
小众软件
小众软件
C
CERT Recently Published Vulnerability Notes
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
D
Darknet – Hacking Tools, Hacker News & Cyber Security
F
Fortinet All Blogs
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Y
Y Combinator Blog
T
Threat Research - Cisco Blogs
Latest news
Latest news
Simon Willison's Weblog
Simon Willison's Weblog
Cyberwarzone
Cyberwarzone
S
Schneier on Security
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
L
Lohrmann on Cybersecurity
Stack Overflow Blog
Stack Overflow Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
P
Privacy International News Feed
J
Java Code Geeks
Spread Privacy
Spread Privacy
宝玉的分享
宝玉的分享
I
Intezer
L
LangChain Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
G
GRAHAM CLULEY
博客园 - 叶小钗
博客园 - 三生石上(FineUI控件)
The GitHub Blog
The GitHub Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
N
News and Events Feed by Topic
AWS News Blog
AWS News Blog
Attack and Defense Labs
Attack and Defense Labs
Security Archives - TechRepublic
Security Archives - TechRepublic
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO

Cloud Security Alliance

SearchLeak: Copilot Data Exfiltration Exploited | CSA Zero-Trust AI Governance for Multi-Agent Systems | CSA Dangling CNAMEs: Hidden Cloud Risk | CSA Agentic Payments in Financial Services | CSA Mythos and the Future of Cybersecurity | CSA AI-Driven Cloud Risk: Defenders Lose Ground | CSA Financial Services Industry Shifts from AI Adoption to | CSA CSAI Foundation Announces RiskRubric V2 as the Next Key | CSA RiskRubric Updates: AI Risk Assessment | CSA Over 80% of Organizations that Miss 24-Hour Patch Window Report | CSA ORCHIDEAS & MAESTRO: Secure AI Design | CSA Top 6 Claude Security Risks to Watch | CSA Cloud Cost Optimization in 2026 | CSA HIPAA Rule Overhaul in 2026 | CSA AI-Driven Exploits Outsmart Detection | CSA MCP Risks CISOs Should Prepare For | CSA AI Governance for Trust and Compliance | CSA MTTP: Patch Cycles Too Slow | CSA Cloud Security Evolution: Security Teams Lead | CSA Misconfigurations Break Customer Trust in Apps | CSA Taming Shadow AI: C-Suite Strategies | CSA Agentic AI Threats: Five Powers | CSA AIUC-1: Agentic AI Governance | CSA 2026 Threat Report for CISOs | CSA Securing AI in AWS: Runtime Detection & Response | CSA SLMs, LLMs, and the DSPM Difference | CSA OT Security Timeline: Mythos and Patch Pace | CSA Blast Radius and Cloud Threat Detection | CSA State of AI Cybersecurity 2026: 92% Concerned | CSA AI in MDR for Franchise & Multi-Location Ops | CSA AI Regulation: Identity and Authorization Gap | CSA MITRE ATT&CK for Cloud: Detection Coverage Guide | CSA Shadow AI Agents: The Insider Threat | CSA Medical Device Breaches Reveal Cloud Security Gaps | CSA AISMM: AI Security Maturity Model for Cloud | CSA Globee® Awards for Artificial Intelligence (AI) Honors Cloud | CSA Patching Smarter for Mythos Security | CSA SDP v3: Identity-First Zero Trust for AI | CSA AI-Ready Security Documents Beyond STIX, OSCAL, and SARIF | CSA Penetration Testing for ISO 42001 & Trust | CSA AI Agent Posture: Data-First Security Guardrails | CSA AI Agents Go Beyond Output: Enterprise Security | CSA AI Agent Security Starts with Scope Control | CSA Identity Spoofing vs. Identity Abuse | CSA AARM: Securing the Agentic Runtime | CSA Securing the Agentic Control Plane | CSA CSAI Foundation Announces Key Milestones to Secure the Agentic | CSA Catastrophic AI Risk Controls | CSA Cloud to AI: Building Secure Programs | CSA Identity in AI Era: Zero Trust's First Pillar | CSA SDLC Visibility: Securing Multi-Cloud Development Lifecycles | CSA Cloud Risk: Top 3 Threats & AI Tools | CSA AI Agent Identity Is Solved Backwards | CSA 8 Truths About Cloud Privilege Risk | CSA AI Governance: Mature Programs | CSA Agent Access Management: Data-First Security | CSA Glasswing: AI-Driven Security for Safer Software | CSA Runtime Security: Detection & Real-Time Cloud | CSA Cloud Misconfigurations Drive Attacks at Scale | CSA Sensing AI Behavior with the WBSC Probe Library | CSA An Actionable Guide to GDPR Compliance for Startups | CSA Cloud Security LIVE 2026: AI Risk & Trust | CSA Shadow AI Agents: Enterprise Governance | CSA Rethinking Non-Human Identity Security | CSA New Cloud Security Alliance Survey Reveals 82% of Enterprises Have Unknown AI Agents in Their Environments More Than Half of Organizations Experience AI Agent Scope | CSA SANS Institute, Cloud Security Alliance, [un]prompted, and OWASP | CSA AI Agents Are Talking: Are You Listening? | CSA Software Supply Chain Security Needs an Upgrade Choosing the Right AI Standard: 7-Point Guide | CSA Audience-Driven Authorization for AI Agents | CSA A CISO's Guide to Cloud Security Architecture | CSA Who’s Behind That Action? The AI Agent Identity Crisis SSCF Adoption for SaaS Security | CSA Mythos and the Vulnpocalypse: Cloud Defenses | CSA AI Security Risks and Data Visibility | CSA From Compliance to Credibility with CAIQ/CCM | CSA The State of Cybersecurity in the Finance Sector: Six Trends to Watch EU AI Act Compliance with prEN 18286 & ISO 42001 | CSA AI Security in the Cloud: Exposure Management | CSA Rethinking Incident Response as Engineering System | CSA Defense Depends on the Creator: AI Security | CSA ATF: Zero Trust for AI Agents | CSA Cybersecurity Needs a New Data Architecture | CSA CSA STAR v4.1 Updates for Cloud Security | CSA Unstructured Data Surges as Enterprises Struggle to Maintain | CSA SC Media Names Cloud Security Alliance’s Trusted AI Safety | CSA Exposed AWS Key Leads to Full Account Takeover | CSA Post-Quantum Cloud Migration for CSA Members | CSA AI Identity Security Compliance Checklist | CSA The Agentic Trust Deficit: MCP's Authentication Vacuum | CSA More Than Two-Thirds of Organizations Cannot Clearly Distinguish | CSA AI Cybersecurity 2026: Insights from 1,500 Leaders | CSA Three-Body Security: Data, AI & Identity | CSA IAM as Safety for AI-Controlled Systems | CSA Kubernetes Cost Savings and Security Debt | CSA Code to Cloud Security: Unified Exposure Management | CSA Retail Misconfigurations Attackers Exploit | CSA Rethinking Authorization for the Age of Agentic AI | CSA Enterprise AI: Guardrails to Governance | CSA
Identity as the OS for AI Security | CSA
2026-04-22 · via Cloud Security Alliance

Written by Kundan Kolhe.

This is the seventh and final blog in a seven-part series on identity security as AI security.

A Replit coding agent erased 1,206 customer records in seconds. In the Salesloft Drift breach, OAuth tokens sat active for months after workflows ended, compromising 700+ organizations. A breach crossed four trust domains before anyone noticed. In Unit 42’s Agent Session Smuggling disclosure, a sub-agent embedded a silent stock trade inside a routine response. Chinese state actors weaponized Claude Code for the first documented large-scale autonomous cyberattack, targeting chemical manufacturing among other sectors. Four CVSS 9.3+ vulnerabilities hit Anthropic MCP, Microsoft Copilot, ServiceNow, and Salesforce, all exposing the same gap: agents that retrieve data under one user’s permissions and broadcast it to audiences that should never see it.

Six different failures. One root cause. Identity and authorization systems that still treat agents like users.

Among the 3,235 enterprise leaders surveyed in Deloitte’s 2026 State of AI report, 73% cite data privacy and security as their top AI risk, yet only 21% have a mature governance model for autonomous agents. Shadow AI adds $670,000 to average breach costs.

The answer is not another security layer bolted on after deployment. It is identity and authorization rebuilt as the operating system for autonomous trust.

The Pattern Hiding in Plain Sight

Read individually, each failure in this series looks like a specific gap. An expired token here, a missing scope check there. Read together, a different picture emerges.

A Replit agent deleted 1,206 records in seconds. At 5,000 operations per minute, per-action consent collapsed into consent fatigue.

The Salesloft Drift breach exploited OAuth tokens that sat active months past business justification. With non-human identities outnumbering humans 144 to 1, durable delegated authority without lifecycle controls is the default vulnerability.

Then it got worse. A breach crossed four trust domains because no interoperable trust fabric could verify and revoke access across all of them in real time.

Delegation chains became attack channels. Unit 42’s Agent Session Smuggling, Rehberger’s Cross-Agent Privilege Escalation, and EchoLeak (CVE-2025-32711, CVSS 9.3) all exploited the same gap: no scope attenuation across multi-hop delegation chains. 

Authorization became a safety case. Chinese state actors weaponized Claude Code for what Anthropic described as the first documented large-scale autonomous cyberattack. A poisoned calendar invite hijacked Gemini to control smart home actuators. JLR’s credential compromise shut down factories for five weeks at £1.9 billion.

Finally, four CVSS 9.3+ vulnerabilities hit Anthropic MCP, Microsoft Copilot, ServiceNow, and Salesforce. Same pattern: agents acting on behalf of multiple users with no method for enforcing permission intersections across the output channel.

Strip away the details and the pattern is obvious. Every agent security problem is an identity and authorization problem wearing a different mask. The OpenID Foundation’s Identity Management for Agentic AI whitepaper established the core use cases for agent authorization challenges. This series mapped those challenges to real-world breaches and production security architecture.

Why Six Tools Cannot Do the Job of One Layer

Most organizations are approaching agent security the way they approached cloud a decade ago. Token vault here, API gateway there, governance dashboard somewhere else. Each tool solves its own problem. None solves the system.

The gap between deployment and governance is stark. 91% of organizations already use AI agents, but only 10% have a strategy for managing non-human identities. 80% have already encountered risky agent behaviors, per McKinsey. The gap is not awareness. It is architecture.

Now picture the compound failure. Agent Session Smuggling (Blog 4) crosses trust domains (Blog 3) in a long-running workflow with drifting credentials (Blog 2) serving a shared channel with mixed permissions (Blog 6) at 5,000 operations per minute (Blog 1) while controlling physical infrastructure (Blog 5). Six tools that share no context cannot secure interconnected failures. No token vault sees the delegation lineage. No API gateway knows the original human intent. No governance dashboard tracks scope expansion across hops.

The real risk is not shadow AI. It is sanctioned AI with no identity. Shadow agents at least trigger alarms. The agents you officially deployed, connected to production systems, running on shared credentials with no lifecycle management? Those will breach you.

What Happens When Identity and Authorization Become the Substrate

The solution is not more tools. It is one layer that all tools share. Agents need to stop being treated like users and start being treated as first-class principals in IAM infrastructure. Not as a best practice. As an architectural requirement.

When every agent action flows through identity and authorization, five properties take hold:

  1. Provenance. Every action traces to an accountable human: through which delegation chain, under what policy, with what scope. This is what broke in Blogs 1 and 4.
  2. Attenuation. When a primary agent delegates to a sub-agent, scope decreases, never increases. Agent Session Smuggling and EchoLeak both exploited the absence of this constraint.
  3. Continuous evaluation. Context shifts, risk changes, intent expires. The Drift breach persisted because authorization was checked once at token issuance and never again.
  4. Lifecycle governance. Employee leaves, their agents get revoked. Workflow completes, credentials expire. The JLR breach turned from an intrusion into a five-week shutdown because none of this happened.
  5. Interoperability. Every solution maps to open standards: OAuth 2.1, OIDC, RFC 8693, CIBA, SCIM, Shared Signals Framework, ID-JAG. The alternative is vendor lock-in at the identity layer, the one lock-in you cannot afford.

Three Questions Before Your Next Audit

  1. Can you trace every agent action to its authorizing human? Not which agent. Who, under what policy, with what scope.
  2. Do credentials expire when the work does? The Drift breach started with tokens that should have been revoked months earlier.
  3. Do multi-user agents enforce permission intersection? If your agents operate under the broadest individual scope instead of the narrowest overlap, data exposure is a when, not an if.

The Cost of Waiting

The regulatory walls are closing in from three directions, and the penalties are not hypothetical.

The EU AI Act’s high-risk system requirements take full effect in August 2026. Article 14 demands demonstrable human oversight of autonomous systems. Article 99 sets fines of up to 35 million euros or 7% of global annual turnover. Without verifiable delegation chains and audit trails, compliance is structurally impossible.

In the US, the SEC’s Cyber and Emerging Technologies Unit (CETU), launched February 2025, explicitly targets fraudulent cybersecurity disclosure and AI-enabled fraud. The cybersecurity disclosure rule requires reporting material cyber incidents within four business days. An agent-driven breach you cannot explain because no delegation lineage exists is not just a security failure. It is a disclosure problem.

And GDPR has generated 7.1 billion euros in cumulative fines since 2018, with enforcement now extending to AI data processing. When agents retrieve and surface personal data across shared workspaces (Blog 6’s exact failure mode), every uncontrolled exposure is a potential violation.

Anthropic’s 2026 Agentic Coding Trends Report identifies “embedding security architecture from the earliest stages” as a top priority. That is the industry signaling what regulators will soon require.

Picture six months of inaction. Orphaned credentials accumulate. Delegation chains grow undocumented. Scope creep compounds across sub-agents. Then the audit comes, or the breach, and you are doing forensic archaeology through decisions no one recorded. Remediation dwarfs prevention. Regulatory penalties dwarf both.

Agent security is identity and authorization security. There is no other kind.

Building Okta’s agentic AI security business from zero to one, a $100M+ opportunity. Leads product strategy and solutioning for Okta’s AI Agents business, a CEO-level initiative defining how enterprises secure AI agents at scale before the market has fully settled. Leads a team of architects and partners with Fortune 500 security and IT executives across financial services, manufacturing, and technology. Shapes the agentic security product roadmap across Okta and Auth0. Brings two decades of experience across product, pre-sales, and marketing at startups and global enterprises across North America, the UK, Australia, and Asia.