 |
VOOZH | about |
|
VOOZH | about |
We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.
Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.
Follow TNS on your favorite social media networks.
Become a TNS follower on LinkedIn.
Check out the latest featured and trending stories while you wait for your first TNS newsletter.
Security professionals understand the dangers of internal threats: adversaries or individuals with harmful objectives who operate from within the enterprise, whether as staff members, vetted third-party vendors or partner organizations with elevated permissions.
However, we’re witnessing the emergence of a different category of internal actor that lacks malicious intent but also operates without human consciousness. Autonomous AI systems, despite functioning as proxies for their human operators, are positioned to supplant traditional decision-making processes and reveal vulnerabilities in established access control mechanisms.
AI agents have already shown how they challenge traditional authorization systems. This is one area of security that organizations must reevaluate or risk unleashing chaos within software environments.
Authorization, or AuthZ, is about managing users’ access to resources: ensuring that users can only do what they’re permitted to do.
However, it’s important to note that AuthZ systems don’t necessarily prevent everything users might try to do. Most existing AuthZ systems are threat modeled and built on the assumption that external factors such as laws, social censure risk or habit will limit human misbehavior.
As a result, it isn’t usually a problem when an AuthZ system over-provisions access. Over-provisioning occurs all of the time. For instance, when someone has just joined a company, it’s easier to copy an existing set of roles to their account rather than think carefully about what they need access to. Until now, the external factors mentioned earlier have meant this approach usually hasn’t caused significant problems.
As AI agents seek to accomplish their tasks, they have no such constraints. Consequently, agents acting on behalf of humans may start to expose those users’ over-provisioned access rights and roles.
Security teams can reduce agentic security risk for their AuthZ systems by proactively embracing emerging best practices. Effective governance will make all the difference, and organizations can start by focusing on three areas:
Right now, authentication (AuthN) and AuthZ systems cannot differentiate between human users and AI agents. When AI agents perform actions, they act on behalf of human users or use an identity assigned to them based on a human-centric AuthN and AuthZ system.
That complicates the process of answering formerly simple questions, like: Who authored this code? Who initiated this merge request? Who created this git commit?
It also raises new questions, such as: Who told the AI agent to generate this code? What context did the agent need to build it? What resources did the AI have access to?
Composite identities give you a way to answer these questions by connecting an AI agent’s identity with the human directing it. When an AI agent attempts to access a resource, its request can now be securely authorized and authenticated.
Operations, development and security teams need ways to monitor the activities of AI agents across multiple workflows, processes and systems. It’s not enough to know what an agent is doing in a codebase, for instance. Companies must also track agent activity in staging and production environments, as well as in associated databases and any applications to which it may have access.
Eventually, organizations might even start to use Autonomous Resource Information Systems (ARIS) that parallel existing Human Resource Information Systems (HRIS), enabling teams to maintain profiles of autonomous agents, document their capabilities and specializations and manage their operational boundaries.
With or without sophisticated monitoring frameworks, organizations and their employees need to be transparent about when they deploy AI. They need to establish clear accountability structures for autonomous AI agents. Humans need to regularly review the actions and outputs of agents, and more importantly, someone needs to be accountable should the agent exceed its bounds.
The nondeterministic nature of AI agents will bring remarkable innovations and breakthroughs within software development. They will also certainly push the boundaries of existing AuthZ systems. But they don’t need to become agents of chaos.
Security frameworks typically evolve more slowly than technological capabilities, requiring us to find an equilibrium between progress and protection. An appropriate comparison is the shift to cloud computing over the past decade. Responsible adoption begins with establishing the right governance frameworks now, so agents become trusted partners to software development teams.
