
Are Your AI Agents Secure? Defending the Privileged Agent


Neri78

June 04, 2026


Transcript

  1. Are Your AI Agents Secure? Defending the Privileged Agent
     Daizen Ikehara, Principal Developer Advocate, Auth0
  2. AI Agents as "Autonomous Colleagues": Integrating Reasoning & Action
     • Automate non-routine tasks: LLMs interpret, plan (Planning), and dynamically select tools (APIs) to achieve complex goals.
     • Scaling beyond system boundaries: seamlessly executing across multiple SaaS platforms and internal systems to bridge functional silos.
     • Acting as a "Proxy" for the user: holding goals and privileges delegated by the user, making independent judgments to scale the user's impact.
  3. The Challenges
     • Passing user tokens directly: giving the AI the user's full privileges creates an "impersonation" state in which the AI acts as the user without knowing what the task actually requires.
     • Structural limits of static scopes: scopes like drive.read cannot distinguish the task's specific purpose. An "expense settlement" request might grant access to unrelated confidential files because the scope covers the whole drive.
     • Chain of damage from persistent privileges: compromised session tokens or long-lived keys become long-term access routes for attackers if the agent platform is breached.
  4. 2025 Top 10 Risk & Mitigations for LLMs and Gen AI Apps
     LLM01 Prompt Injection
     LLM02 Sensitive Information Disclosure
     LLM03 Supply Chain Vulnerabilities
     LLM04 Data and Model Poisoning
     LLM05 Improper Output Handling
     LLM06 Excessive Agency
     LLM07 System Prompt Leakage
     LLM08 Vector and Embedding Weaknesses
     LLM09 Misinformation
     LLM10 Unbounded Consumption
     https://genai.owasp.org/llm-top-10/
  5. LLM06 Excessive Agency Unexpected LLM outputs translate into real harm

    via excessive privileges. Excessive Permissions: Agent holds broader access Read/Write) than required for the task. Excessive Functionality: Toolbox contains destructive APIs unnecessary for the use case. Excessive Autonomy: Missing mandatory human verification or "Human-in-the-Loop" processes.
  6. OWASP Top 10 for Agentic Applications for 2026
     ASI01 Agent Goal Hijack
     ASI02 Tool Misuse and Exploitation
     ASI03 Identity and Privilege Abuse
     ASI04 Agentic Supply Chain Vulnerabilities
     ASI05 Unexpected Code Execution (RCE)
     ASI06 Memory & Context Poisoning
     ASI07 Insecure Inter-Agent Communication
     ASI08 Cascading Failures
     ASI09 Human-Agent Trust Exploitation
     ASI10 Rogue Agents
     https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/
  7. ASI03 Identity & Privilege Abuse Uncontrolled spread of privileges Static

    tokens propagate to sub-agents without scope reduction, causing broad, unintended access across subsystems. Lack of trust boundaries Agent-to-Agent A2A) communication often lacks strict mutual authentication, creating "blind spots" for attackers. Lack of independent IDs Agents acting as "human impersonations" makes tracking breach impact, attribution, and damage containment nearly impossible.
  8. RBAC and Granularity Issues
     Traditional Approach
     • Authorization based on groups/roles (e.g., "Approver")
     • Effective for broad application/API level management
     The Challenge
     • Difficult to control at the individual resource level. Example: an agent can approve ALL expenses instead of just the specific request assigned to it.
     Both checks below admit any caller whose token carries the claim, regardless of which expense is being approved (the claimIncludes helper is the one from express-oauth2-jwt-bearer):

```javascript
// Role-based: any "approver" may call the route for every expense.
app.post('/expense/approve', claimIncludes('role', 'approver'), (req, res) => { ... });

// Permission-based: finer than a role, but still not bound to one specific expense.
app.post('/expense/approve', claimIncludes('permissions', 'approve:expenses'), (req, res) => { ... });
```
  9. Introducing ReBAC (Relationship-based Access Control). Example: Google Zanzibar
     ✓ Access permissions are dynamically determined by "Relationships".
     ✓ The question becomes: does the agent have a sufficient relationship with the specific object?
  10. Secure RAG: dynamically check access rights
     Query → Search related info (Retrieval) → Augment context with the documents related to the query (Augmentation) → Generate response (Generation) → Response
     At the retrieval step, dynamically check relationships (access permissions) for each "individual" document using ReBAC before it is added to the context.
  11. Dynamic Authorization of Actions
     AI Agent → Action: read 'doc:secret' → ReBAC Authorization Engine checks the relationship graph:
       check( user: 'agent:alice', relation: 'can_read', object: 'doc:secret' );
     check: OK → the action is authorized against the API / DB and the action result (the document) is passed back to the agent.
     check: NG → the action is refused.
  12. Human Approval in "Appropriate Scenarios" (Human-in-the-Loop)
     AI Agent → Action: Refund $5,000 → User notification & approval/rejection
       approved → the refund runs against the API / DB and the action result notifies the outcome of the refund process
       rejected → the action stops
     Human as the "Last Line of Defense". Does manual approval for every action make sense? Implement approval logic with risk-based decisioning.
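The slide asks for approval logic that escalates to a human only when the risk warrants it. The block below is an added illustration of such a gate; it is not the deck's code. The action types, the amount thresholds, the "burst of actions" signal and the approver/execute callbacks are assumptions for the example; a real policy would be set by the owner of each tool.

```javascript
// Risk-based decisioning in front of an agent's tool calls. Added illustration
// only (not the deck's code); action types, thresholds and signals are assumed.

const RULES = {
  // Monetary actions: small amounts run unattended, larger ones wait for a
  // human, and amounts above a hard ceiling are refused even with approval.
  refund:          { kind: 'monetary', humanAbove: 500,  denyAbove: 10000 },
  expense_approve: { kind: 'monetary', humanAbove: 1000, denyAbove: 50000 },
  // Irreversible actions always need a human, whatever their size.
  delete_records:  { kind: 'destructive' },
  // Routine, reversible actions are allowed unattended.
  send_email:      { kind: 'routine' },
};

const BURST_LIMIT = 20; // recent actions by one agent before escalating

// Returns { decision: 'auto' | 'human' | 'deny', reason }.
function assessRisk(action) {
  const rule = RULES[action.type];
  if (!rule) return { decision: 'deny', reason: 'action type not in allow-list' };
  if (rule.kind === 'destructive') return { decision: 'human', reason: 'irreversible action' };
  if (rule.kind === 'monetary') {
    const amount = Number(action.amount);
    if (!(amount > 0)) return { decision: 'deny', reason: 'invalid amount' };
    if (amount > rule.denyAbove) return { decision: 'deny', reason: 'amount above hard ceiling' };
    if (amount > rule.humanAbove) return { decision: 'human', reason: `amount above ${rule.humanAbove}` };
  }
  // Even low-value actions get a human when the agent behaves unusually, e.g.
  // a burst of calls that looks like a hijacked goal or a runaway loop.
  if ((action.recentActions || 0) >= BURST_LIMIT) return { decision: 'human', reason: 'burst of actions' };
  return { decision: 'auto', reason: 'within policy' };
}

// Gate one action. `approver(action, reason)` is the human-in-the-loop step
// (a chat prompt, a ticket) and returns true/false; `execute(action)` performs
// the real side effect and is only reached after the gate.
function gateAction(action, { approver, execute }) {
  const verdict = assessRisk(action);
  const record = { action, verdict };          // kept for audit and attribution
  if (verdict.decision === 'deny') return { ...record, status: 'denied' };
  if (verdict.decision === 'human' && !approver(action, verdict.reason)) {
    return { ...record, status: 'rejected' };
  }
  return { ...record, status: 'executed', result: execute(action) };
}
```

The $5,000 refund from the slide lands in the "human" band, a $20 refund runs unattended, and an unknown action type is denied outright rather than passed through, so the allow-list of tools doubles as the Excessive Functionality control from slide 5. The returned record carries the verdict and its reason, which is what you need for attribution when the decision is later questioned.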
  13. Summary
     • AI Agents are autonomous colleagues, but their excessive privileges can lead to devastating damage.
     • Move from static permissions to relationship-based dynamic authorization to ensure least privilege.
     • For high-risk operations, always include Human-in-the-Loop as the final safeguard.
  14. Thank you! Daizen Ikehara, Principal Developer Advocate
     X (Twitter): Neri78 · Bluesky: neri78.bsky.social · LinkedIn: daizenikehara · GitHub: github.com/neri78