惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

B
Blog
C
Cybersecurity and Infrastructure Security Agency CISA
Microsoft Security Blog
Microsoft Security Blog
B
Blog RSS Feed
云风的 BLOG
云风的 BLOG
G
Google Developers Blog
Recent Announcements
Recent Announcements
A
About on SuperTechFans
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Google Online Security Blog
Google Online Security Blog
Google DeepMind News
Google DeepMind News
S
Schneier on Security
S
Secure Thoughts
T
The Exploit Database - CXSecurity.com
Martin Fowler
Martin Fowler
P
Proofpoint News Feed
Security Latest
Security Latest
Jina AI
Jina AI
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Recorded Future
Recorded Future
T
Tor Project blog
有赞技术团队
有赞技术团队
H
Hackread – Cybersecurity News, Data Breaches, AI and More
N
News | PayPal Newsroom
博客园 - 三生石上(FineUI控件)
MyScale Blog
MyScale Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Last Week in AI
Last Week in AI
F
Full Disclosure
Hacker News: Ask HN
Hacker News: Ask HN
Forbes - Security
Forbes - Security
D
DataBreaches.Net
人人都是产品经理
人人都是产品经理
NISL@THU
NISL@THU
C
Cisco Blogs
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Google DeepMind News
Google DeepMind News
Project Zero
Project Zero
IT之家
IT之家
T
Threatpost
Cyberwarzone
Cyberwarzone
O
OpenAI News
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
J
Java Code Geeks
P
Proofpoint News Feed
The Last Watchdog
The Last Watchdog
月光博客
月光博客
Latest news
Latest news
MongoDB | Blog
MongoDB | Blog
Apple Machine Learning Research
Apple Machine Learning Research

Cloud Security Alliance

SearchLeak: Copilot Data Exfiltration Exploited | CSA Zero-Trust AI Governance for Multi-Agent Systems | CSA Dangling CNAMEs: Hidden Cloud Risk | CSA Agentic Payments in Financial Services | CSA Mythos and the Future of Cybersecurity | CSA AI-Driven Cloud Risk: Defenders Lose Ground | CSA Financial Services Industry Shifts from AI Adoption to | CSA CSAI Foundation Announces RiskRubric V2 as the Next Key | CSA RiskRubric Updates: AI Risk Assessment | CSA Over 80% of Organizations that Miss 24-Hour Patch Window Report | CSA ORCHIDEAS & MAESTRO: Secure AI Design | CSA Top 6 Claude Security Risks to Watch | CSA Cloud Cost Optimization in 2026 | CSA HIPAA Rule Overhaul in 2026 | CSA AI-Driven Exploits Outsmart Detection | CSA MCP Risks CISOs Should Prepare For | CSA AI Governance for Trust and Compliance | CSA MTTP: Patch Cycles Too Slow | CSA Cloud Security Evolution: Security Teams Lead | CSA Misconfigurations Break Customer Trust in Apps | CSA Taming Shadow AI: C-Suite Strategies | CSA Agentic AI Threats: Five Powers | CSA AIUC-1: Agentic AI Governance | CSA 2026 Threat Report for CISOs | CSA Securing AI in AWS: Runtime Detection & Response | CSA SLMs, LLMs, and the DSPM Difference | CSA OT Security Timeline: Mythos and Patch Pace | CSA Blast Radius and Cloud Threat Detection | CSA State of AI Cybersecurity 2026: 92% Concerned | CSA AI in MDR for Franchise & Multi-Location Ops | CSA AI Regulation: Identity and Authorization Gap | CSA MITRE ATT&CK for Cloud: Detection Coverage Guide | CSA Shadow AI Agents: The Insider Threat | CSA Medical Device Breaches Reveal Cloud Security Gaps | CSA AISMM: AI Security Maturity Model for Cloud | CSA Globee® Awards for Artificial Intelligence (AI) Honors Cloud | CSA Patching Smarter for Mythos Security | CSA SDP v3: Identity-First Zero Trust for AI | CSA AI-Ready Security Documents Beyond STIX, OSCAL, and SARIF | CSA Penetration Testing for ISO 42001 & Trust | CSA AI Agent Posture: Data-First Security Guardrails | CSA AI Agents Go Beyond Output: Enterprise Security | CSA AI Agent Security Starts with Scope Control | CSA Identity Spoofing vs. Identity Abuse | CSA AARM: Securing the Agentic Runtime | CSA Securing the Agentic Control Plane | CSA CSAI Foundation Announces Key Milestones to Secure the Agentic | CSA Catastrophic AI Risk Controls | CSA Cloud to AI: Building Secure Programs | CSA Identity in AI Era: Zero Trust's First Pillar | CSA SDLC Visibility: Securing Multi-Cloud Development Lifecycles | CSA Cloud Risk: Top 3 Threats & AI Tools | CSA AI Agent Identity Is Solved Backwards | CSA 8 Truths About Cloud Privilege Risk | CSA AI Governance: Mature Programs | CSA Agent Access Management: Data-First Security | CSA Glasswing: AI-Driven Security for Safer Software | CSA Runtime Security: Detection & Real-Time Cloud | CSA Identity as the OS for AI Security | CSA Cloud Misconfigurations Drive Attacks at Scale | CSA Sensing AI Behavior with the WBSC Probe Library | CSA An Actionable Guide to GDPR Compliance for Startups | CSA Cloud Security LIVE 2026: AI Risk & Trust | CSA Shadow AI Agents: Enterprise Governance | CSA Rethinking Non-Human Identity Security | CSA New Cloud Security Alliance Survey Reveals 82% of Enterprises Have Unknown AI Agents in Their Environments More Than Half of Organizations Experience AI Agent Scope | CSA SANS Institute, Cloud Security Alliance, [un]prompted, and OWASP | CSA AI Agents Are Talking: Are You Listening? | CSA Software Supply Chain Security Needs an Upgrade Choosing the Right AI Standard: 7-Point Guide | CSA Audience-Driven Authorization for AI Agents | CSA A CISO's Guide to Cloud Security Architecture | CSA Who’s Behind That Action? The AI Agent Identity Crisis SSCF Adoption for SaaS Security | CSA Mythos and the Vulnpocalypse: Cloud Defenses | CSA AI Security Risks and Data Visibility | CSA From Compliance to Credibility with CAIQ/CCM | CSA The State of Cybersecurity in the Finance Sector: Six Trends to Watch EU AI Act Compliance with prEN 18286 & ISO 42001 | CSA AI Security in the Cloud: Exposure Management | CSA Rethinking Incident Response as Engineering System | CSA Defense Depends on the Creator: AI Security | CSA ATF: Zero Trust for AI Agents | CSA Cybersecurity Needs a New Data Architecture | CSA CSA STAR v4.1 Updates for Cloud Security | CSA Unstructured Data Surges as Enterprises Struggle to Maintain | CSA SC Media Names Cloud Security Alliance’s Trusted AI Safety | CSA Exposed AWS Key Leads to Full Account Takeover | CSA Post-Quantum Cloud Migration for CSA Members | CSA AI Identity Security Compliance Checklist | CSA The Agentic Trust Deficit: MCP's Authentication Vacuum | CSA More Than Two-Thirds of Organizations Cannot Clearly Distinguish | CSA AI Cybersecurity 2026: Insights from 1,500 Leaders | CSA Three-Body Security: Data, AI & Identity | CSA IAM as Safety for AI-Controlled Systems | CSA Kubernetes Cost Savings and Security Debt | CSA Code to Cloud Security: Unified Exposure Management | CSA Retail Misconfigurations Attackers Exploit | CSA Enterprise AI: Guardrails to Governance | CSA
Rethinking Authorization for the Age of Agentic AI | CSA
2026-03-17 · via Cloud Security Alliance

Written by Tuhin Banerjee, Senior Practice Director, Saviynt Inc.

Why “Mean Time to Understand (MTU)” should become a core service level objective (SLO) for identity governance

Abstract

AI agents now operate at speeds and patterns fundamentally different from human users. They generate plans, select tools dynamically, and change course mid‑execution. All are faster than traditional authorization systems can evaluate. This article introduces Mean Time to Understand (MTU), a new metric for identity and access governance. MTU measures the time required to interpret an agent’s intent, plan, toolchain, and data flows well enough to make a safe, compliant authorization decision. MTU reframes authorization from permission checks to intent comprehension, offering a practical engineering lens for building safe and scalable agentic systems. This MTU should become a foundational SLO for identity teams, like how MTTD and MTTR transformed SOC maturity.

The Authorization Gap No Enterprise Has Prepared For

For two decades, identity programs have been optimized for human actors, strong authentication, privileged access, role engineering, certification campaigns, and Zero Trust segmentation. These controls are useful and necessary, but they all rely on the assumption that requests are mostly human, predictable, and slow. Agentic AI breaks that assumption entirely. It rewrites its plans continuously, switches tools on the fly, pulls in external context, and generates downstream effects at machine speed. In other words, by the time a traditional policy engine evaluates Request #1, the agent may already have modified its goal, discovered new tools, and spawned additional dependencies. That means the first bottleneck is not enforcement, it is understanding.

Thesis: Authorization in agentic environments must become Understand → Align → Authorize. Only then can policies, controls, and logs keep pace with real‑time autonomy.

Authorization’s New Bottleneck: Understanding Intent

The Classic authorization is a crisp triple: Who? What? Allowed?, where Agentic workloads add a fourth dimension: Why (intent/plan)?

Agents do not “call an API” so much as they orchestrate:

  • Multi‑step workflows and task trees
  • Retrieval‑augmented reasoning (RAR)
  • Dynamic capability selection
  • Emergent tool patterns and side‑effects

This makes static scopes and request‑by‑request decisions increasingly brittle. It also aligns with CSA’s own trajectory, Security Guidance v5 emphasizes modern identity, security monitoring, and the need to align controls with cloud‑native architectures and AI, precisely the context where agentic behavior emerges.

Introducing MTU: Mean Time to Understand

Definition: MTU is the time your system needs to build a usable semantic model of what an agent is trying to do, its intent, plan graph, toolchain, and data paths. All these needs to be well enough to make a safe, compliant authorization decision.

MTU Parsing Components

Figure 1: MTU Parsing Components

If you cannot understand the plan, you cannot enforce least privilege. This is why MTU should be treated as a governance SLO, much like MTTD/MTTR in SOC programs.

A simple model for MTU

Let assume the system’s “understanding pipeline” include Plan Parsing (P), Evidence Gathering (E), Risk Context Join (R), and Human‑in‑the‑Loop (H) when required:

MTUp95Pp95+Ep95+Rp95+Hp95

  • P: time to transform agent‑emitted metadata into a plan graph
  • E: time to fetch provenance, sensitivity, and posture signals
  • R: time to evaluate risk policies/patterns on the plan
  • H: optional review time for sensitive steps

Governance criterion: if MTU exceeds the agent’s decision cadence, controls will trail behavior. Reduce MTU until it consistently beats that cadence.

MTU vs. Traditional Authorization: Why Old Models Fail

Traditional authorization models begin to break down the moment they encounter agentic behavior. Static scopes assume intent remains steady, yet agents constantly adjust their objectives as latest information comes in. Even mature frameworks like RBAC and ABAC show their limits. They can map users to resources, but they cannot interpret the goals, plans, or decision paths that drive an agent’s behavior. Session context suffers the same fate, going stale almost immediately as agents shift course. Most importantly, real safety now depends on understanding an agent’s plan; without that visibility, prompt injection, tool misuse, and unexpected action sequences slip through unseen. To operate safely in this new landscape, authorization must move beyond endpoint checks and toward understanding the plan behind every action.

The New Control Loop: Understand → Align → Authorize

AI Authorization New Control Loop

Figure 2: AI Authorization New Control Loop

In my own experience working with early agentic systems, the biggest shift was not in how we enforced access, but how we learned to understand what the system was trying to do. That is why the new control loop begins with “Understand,” not Authorize. Before making any decision, you must interpret what the agent emits, the intent behind its request, the structure of the plan it has assembled, the tools it intends to use, the sensitivity of the data it may touch, and the provenance signals that indicate whether the plan is something trustworthy.

Once that clarity exists, the next step “Align” is where the real engineering discipline comes in. I have had to reshape agent workflows more times than I can count, mainly trimming unnecessary capabilities, swapping out high‑risk tools for safer ones, enforcing data‑class boundaries, or inserting human approval checkpoints when a step simply carries too much operational or regulatory weight. Sometimes you must place circuit breakers or concurrency limits to keep an agent from overwhelming a system. In particular cases you must rewrite or cancel sub‑plans that drift into unsafe territory. Alignment is where intent meets reality, transforming a raw, unconstrained plan into something the organization can tolerate.

Only after the plan is truly understood and aligned, then the last step “Authorize”, . Authorization becomes almost mechanical, issuing short‑lived, plan-scoped capabilities, enforcing them at the right enforcement points, logging the agent’s reasoning for auditability, and continuously watching for drift, revocation triggers, or posture shifts. What became obvious to me over time is that without the first two steps, without genuine understanding and thoughtful alignment, authorization is essentially blind. But with this new loop in place, authorization evolves from a static gatekeeper into a living, responsive part of the agent’s operating environment.

KPIs for Agentic Authorization

In agentic environments, these KPIs carry far more weight than traditional IAM metrics. MTU and MTA reveal how quickly the system can understand and shape the agent’s plan, while MTDA, CAR, and GSR show whether the live‑signal governance layer is functioning in real time. PRVS exposes the integrity of the information an agent relies on, and RAR confirms that corrective actions take hold before the agent can continue down an unsafe path.

KPI

Definition / What It Measures

Target / SLO Guidance

MTU:  Mean Time to Understand

How fast the system can interpret an agent’s plan, intent, tools, and data paths.

p95 ≤ 300 ms

MTA : Mean Time to Align

How quickly unsafe or non‑compliant plan elements can be constrained or rewritten.

p95 ≤ 400–500 ms

MTDA: Mean Time to Detect Misalignment

How fast does the system identifies drift from the approved or expected plan.

(Org‑specific, typically ≤ 1–2s)

CAR: Continuous Authorization Rate

How consistently real‑time signals are incorporated into authorization decisions.

≥ 95%

PRVS: Provenance Strength

How trustworthy and authoritative the agent’s data sources are.

(Tiered: Low / Medium / High)

GSR: Guardrail Success Rate

How effectively guardrails prevent unsafe or unintended actions.

≥ 99%

RAR: Revocation Action Rate

How quickly revoked permissions or signals take effect after detection.

≥ 99% within 5 seconds

Table 1: Agentic Authorization KPI

The Real Risk: Agents Acting Faster Than IAM Can Think

Agentic systems do not fail IAM because they are malicious, but they fail it because they move faster than IAM can think. A well‑meaning agent can complete an unsafe plan with valid credentials long before traditional controls even realize what it is doing. The risks outlined in the table show how easily agents outrun policies designed for humans, exposing the gap between agent speed and IAM comprehension.

Risk Factor

What Actually Happens

Why It Breaks IAM

Unsafe plan completion

An agent conducts a harmful or non‑compliant sequence of steps—often exactly as written.

IAM never understood the intent or plan structure, so it could not intervene.

Use of valid credentials

The agent uses legitimate, approved access.

Traditional IAM assumes “valid credentials = safe action.” That assumption fails here.

Agent speed exceeding IAM speed

Agents move faster than policy engines can interpret or evaluate.

IAM evaluates discrete requests; agents generate continuous flows.

Human‑oriented policies

Controls were designed for human pace, judgment, and predictability.

Policies do not map to agentic reasoning, chaining, or emergent plans.

Stale context & static scopes

Agents operate with rapidly shifting inputs, while IAM relies on slow or periodic updates.

Static scopes cannot represent dynamic intent, changing data paths, or tool selection.

Table 2: Why Agentic Systems Outrun Traditional IAM

Below conditions capture the core dynamic of governing agentic systems. IAM can understand an agent’s intent quickly enough to stay ahead of its actions. When MTU lags at agent speed, control slips away because the system cannot interpret or react to what the agent is doing. But when MTU stays ahead, governance holds, authorization decisions remain aligned with intent, and oversight stays intact.

Condition

Outcome

MTU > Agent Speed

IAM loses visibility, control, and the ability to prevent unsafe behavior.

MTU < Agent Speed

Governance is maintained; authorization decisions stay aligned with agent intent.

Table 3: MTU as the Control Boundary

Who Owns MTU: the IAM Team or the AI Team?

In practice, MTU does not belong exclusively to either IAM or the AI team. It sits in the space between them. IAM owns the policies, controls, and risk boundaries that determine what “safe” looks like. The AI team owns the agents, their metadata, and the plan‑emission patterns that make MTU measurable in the first place. MTU becomes effective only when both groups treat plan understanding as a shared responsibility. The AI team ensures agents are transparent and predictable, and the IAM team ensures the organization can interpret and govern those plans in real time. In that sense, MTU is jointly owned, but IAM is ultimately accountable for making sure it works at the speed agents now operate.

The Future: Authorization Becomes Understanding

To operate safely in an agentic environment, IAM must evolve beyond static permissions and begin governing the full lifecycle of an agent’s reasoning and behavior. The capabilities in this table represent the foundational building blocks of that shift—from understanding an agent’s intent in real time to constraining its actions, validating its plans, and ensuring every decision is both explainable and bounded. Together, they outline what modern IAM must look like when intelligence, not humans, is driving the workflow.

New Requirement

Purpose in Agentic Systems

MTU Pipeline

Rapidly interprets intent, plans, tools, and data flows.

Semantic Policy Engine

Evaluates goals, dependencies, and risk signals rather than static entitlements.

Plan‑scoped capabilities

Grants access only for the duration and scope of a specific plan segment.

Explainable reasoning logs

Captures why the agent acted, not just what it accessed.

Continuous behavioral constraint

Prevents drift, unsafe branches, and unexpected tool usage.

Plans as first‑class security objects

Treats agent plans like code: inspected, versioned, validated, and bounded.

Table 4: Capabilities Required for Agent Safe IAM

Conclusion

AI agents are already influencing enterprise systems. Within the next 24 months, they will dominate them. IAM teams can no longer rely on role definitions, entitlement matrices, or static policy checks to manage risk. Authorization must transform into a semantic, continuous, comprehension-driven discipline. MTU is the metric that will define whether enterprises successfully govern AI or chase it from behind.

Identity leadership must begin investing in MTU pipelines, semantic policy engines, plan-aware guardrails, and short-lived capability models. The future of identity governance is not permission-based. It is intent-based.


References

[1] Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing v5, 2024.

[2] NIST, “Artificial Intelligence Risk Management Framework (AI RMF 1.0),” Jan. 2023. Available: DOI 10.6028/NIST.AI.100-1.

[3] ISO/IEC 42001:2023, Information technology , Artificial intelligence, Management system.

[4] OpenID Foundation, “OpenID Continuous Access Evaluation Profile (CAEP) 1.0,” Aug. 2025.

[5] IETF, RFC 9635 “Grant Negotiation and Authorization Protocol (GNAP),” Oct. 2024.

[6] MITRE, ATLAS™ (Adversarial Threat Landscape for AI Systems)