Your AI agent probably does not run as Unix root.
It does not need to.
If it can read the executive inbox, query the customer database, retrieve files, inherit a user’s OAuth scopes, call cloud APIs, run code, and send data to the internet, it has something more difficult to govern than one privileged account: composite authority across systems.
No individual permission says root. The path through the permissions behaves like root.
The identity provider sees an application or service principal. The model platform sees prompts and tool calls. The API gateway sees requests. The SaaS audit log sees a user or integration. The agent framework sees a run. Each control plane has a piece. The CISO rarely has the graph that connects them.
So the security team cannot answer five basic questions quickly:
- Which agents are active in production?
- Who owns each one?
- What can each agent effectively reach right now?
- Which untrusted sources can influence high-impact sinks?
- Can we revoke one agent and stop every active path in minutes?
That is the missing dashboard.
The fix is not another list of agent names. It is an AI Agent Access Graph: a live map from agent identity and delegated principal through data, tools, credentials, policy, approval, and external effects.
“Root access” is a path, not a role
The headline is intentionally provocative, so the definition must be precise.
Most enterprise agents do not have literal operating-system root privileges. The dangerous condition is root-like effective authority: several individually legitimate permissions compose into a path that can read sensitive data, change important state, or move information outside its intended boundary.
Consider a security-remediation agent that can:
- read incident tickets and vendor advisories;
- inspect production configuration;
- query a secrets-management broker for approved references;
- execute a bounded cloud change;
- write to the incident channel;
- create a case in an external support portal.
Each capability has a business justification. Together they connect attacker-influenced content, production context, mutation authority, and an external network sink.
That path—not the longest individual permission string—is the blast radius.
A prompt filter might stop that exact instruction. It does not remove the access path. The durable controls are narrower context, scoped credentials, destination binding, argument policy, meaningful approval, and a revocation path that closes the run.
Why the existing dashboards miss the risk
Enterprise security tooling was built around users, workloads, applications, and network flows. Agents overlap all four.
| Existing view | What it sees | What it usually misses |
|---|---|---|
| IAM | user, app, service principal, roles, token issuance | agent version, task, tool surface, evidence, and run-level delegation |
| PAM | privileged credentials and sessions | which agent reasoning path requested the privilege |
| API gateway | caller, route, latency, response | model context, parent/child agents, and why the call was proposed |
| SaaS audit log | account and application activity | original agent subject and cross-system principal chain |
| Model observability | prompts, responses, token and tool events | real downstream credential, effective scope, and mutation receipt |
| Agent registry | agent name, owner, manifest, lifecycle | live permissions and reachable source-to-sink paths across vendors |
This is why “we already have IAM” is not a sufficient answer. IAM remains essential, but the unit of risk is no longer just an account. It is a governed run that joins:
agent subject
+ workload identity
+ delegated principal
+ current task
+ compiled tool surface
+ per-call credential
+ data classification
+ policy and approval
+ destination and effectNIST’s 2026 concept paper on software and AI agent identity frames the problem around identification, authorization, auditing, non-repudiation, and prompt-injection controls. The OWASP Top 10 for Agentic Applications separately names tool misuse and identity and privilege abuse as agent-specific risk categories.
The industry response is already moving from generic service accounts toward first-class agent identities. Microsoft Entra Agent ID, for example, exposes agent status, owners, sponsors, permissions, sign-in logs, risk signals, and controls to disable individual agents or blueprints. That is useful progress.
But no identity product can infer the entire runtime path by itself. The agent harness still has to contribute task, context, tool, approval, trace, and effect facts.
The effective-authority equation
An agent’s theoretical permissions are not the same as its effective authority on a run.
In ContextOS, effective authority should be the intersection of deterministic ceilings:
effective_authority(run) =
agent_manifest
∩ workload_identity
∩ delegated_user_scopes
∩ tenant_and_resource_audience
∩ compiled_tool_manifest
∩ policy_decision
∩ approval_mode
∩ run_budgetAn intersection is important because authority should narrow at each boundary. A child agent never gets more scope than its parent. A tool credential never gets more scope than the current run. A policy rule cannot make a capability more powerful than its registered ceiling.
But intersection alone does not reveal composition risk. The dashboard also needs reachability:
dangerous_path =
attacker_influenced_source
-> agent context
-> sensitive data or privileged tool
-> external or irreversible sinkThe first expression answers what is allowed. The second answers what harmful path remains reachable even when every individual permission looks legitimate.
That distinction is the center of the CISO view.
Build one Agent Access Graph
The graph does not replace IAM, PAM, SIEM, the agent registry, or traces. It joins their identifiers.
The graph needs stable keys. sales-helper is a label. agent:contextos/sales-helper@2.4.1 is a subject. agent-platform-prod is an application. A run claim that binds subject, workload, user delegation, tenant, audience, scope, and expiry is an authorization fact.
The minimum nodes and edges are:
| Graph object | Required facts |
|---|---|
| Agent | versioned subject, blueprint or package, environment, lifecycle |
| Accountability | technical owner, business sponsor, security reviewer, escalation route |
| Workload | runtime identity, cluster or service, attestation, key id |
| Principal chain | user, service, parent agent, child agent, tenant |
| Credential | issuer, audience, scopes, issued time, expiry, claim hash—not the secret |
| Context | intent, task, source provenance, data classification, memory reads |
| Capability | tool, operation, argument constraints, destination class, approval-mode ceiling |
| Decision | policy rule, effective approval mode, evaluator verdict, approval |
| Effect | target, mutation ref, idempotency key, reversal status, receipt |
| Trace | run id, trace id, parent/child links, replay status |
Do not place bearer tokens, secrets, raw regulated payloads, or full prompts in the graph. Store hashes, references, classifications, and bounded summaries. The graph is a security control surface; it must not become a new secrets dump.
The twelve dashboard questions
A CISO dashboard should lead with questions, not telemetry exhaust.
| Dashboard question | Signal | Alert condition |
|---|---|---|
| How many production agents exist? | registered subjects joined to runtime-observed subjects | observed agent has no registry entry |
| Who is accountable? | owner and business sponsor coverage | active agent has no current sponsor |
| Which agents act through generic accounts? | agent subject to downstream actor mapping | several agents collapse into one unexplained service principal |
| Which agents have the most authority? | reachable tools, data classes, destinations, and approval modes | destructive or delegated path has no narrow task boundary |
| Which agents combine untrusted sources and sensitive sinks? | source-to-sink reachability | external content can influence sensitive read plus external write |
| Where did privilege drift? | current versus approved manifest, scopes, tools, and destinations | authority expanded without a reviewed version change |
| Are child agents narrower? | parent and child claim comparison | child scope, budget, tool set, or expiry is broader |
| Are credentials bounded? | issuer, audience, scope, TTL, token-exchange path | token passthrough, wildcard audience, or long-lived static secret |
| Are approvals meaningful? | approval time, evidence snapshot, overrides, post-effect result | destructive approval lacks frozen evidence or is consistently rubber-stamped |
| Can actions be explained? | trace completeness and DecisionRecord coverage | mutation has no identity claim, policy decision, or receipt |
| Can incidents be replayed? | retained inputs and replay result | high-risk run cannot be reproduced without live effects |
| Can the agent be stopped? | last revocation drill and time-to-containment | kill path exceeds the declared SLO or leaves child runs active |
This is not a daily executive wall of twelve charts. It is the query contract behind three views:
- Posture: inventory, ownership, authority, drift, and readiness.
- Live risk: risky agents, unusual tool use, denied calls, new destinations, and destructive activity.
- Incident: principal chain, active runs, reachable tools, mutations, revocation state, and replay.
Detect the paths that ordinary IAM queries miss
The most useful queries join systems.
The following examples are pseudo-SQL over an illustrative access-graph projection, not a ContextOS runtime schema:
-- Production agents without accountable humans
SELECT agent_subject, environment, last_seen_at
FROM agent_posture
WHERE environment = 'production'
AND (owner_id IS NULL OR sponsor_id IS NULL);
-- High-impact agents that cannot be replayed
SELECT agent_subject, capability, approval_mode, last_mutation_at
FROM effective_capabilities
WHERE approval_mode = 'destructive'
AND replay_coverage_30d < 1.0;
-- Reachable exfiltration paths
SELECT agent_subject, source_class, data_class, sink_destination
FROM source_sink_paths
WHERE source_trust = 'untrusted'
AND data_class IN ('CONFIDENTIAL', 'RESTRICTED')
AND sink_class = 'external_network';
-- Delegation that widened instead of narrowed
SELECT parent_subject, child_subject, widened_dimension
FROM delegation_diffs
WHERE is_strict_subset = false;A SIEM can execute these queries once the harness emits the joinable facts. The hard part is not the chart. It is ensuring that agent, identity, context, tool, policy, and effect events share stable identifiers.
Privilege drift needs a baseline
Human access reviews compare current entitlement with role and business need. Agents need the same discipline, with more dimensions.
An approved agent release should pin:
- agent subject and version;
- workload identities and environments;
- maximum delegated scopes;
- tool manifest and argument constraints;
- allowed data classes and destinations;
- canonical approval-mode ceilings;
- parent/child delegation rules;
- model and Context Pack versions;
- policy and evaluator bundles;
- run budgets and rate limits.
Privilege drift is any observed expansion outside that approved tuple.
| Drift | Example | Response |
|---|---|---|
| Identity drift | agent starts using a generic app registration | deny claim minting and investigate deployment path |
| Scope drift | new OAuth scope appears after connector re-consent | quarantine capability until access review |
| Tool drift | MCP server advertises a new write capability | keep it undiscoverable until manifest admission |
| Destination drift | support connector begins sending to a new host | deny egress and require destination review |
| Delegation drift | specialist child inherits the parent token | block dispatch and mint a narrower child claim |
| Mode drift | destructive-call share rises after a pack change | pin prior release tuple and replay affected runs |
| Ownership drift | sponsor leaves or team is dissolved | demote or disable until accountability is restored |
Microsoft’s agent-identity model includes sponsors, lifecycle, risk signals, permissions, sign-in logs, and individual or blueprint-level disable controls. Those are exactly the IAM-side facts the graph should consume. The runtime still has to add tool, task, evidence, effect, and replay facts.
Token passthrough destroys the dashboard
An access graph is only as good as its principal transitions.
If an MCP server accepts a token minted for another resource and forwards it downstream, the graph loses the boundary between the client, the MCP server, and the downstream API. The official MCP security guidance forbids token passthrough and requires resource-specific audience validation for this reason, among others: control circumvention, ambiguous audit trails, and confused-deputy risk.
The safer sequence is:
agent run claim
-> gateway verifies subject, delegation, tenant, scope, and audience
-> token broker mints a short-lived credential for one resource
-> tool executes one bounded operation
-> receipt records claim hash, policy decision, and mutationThe model never receives the token. The trace never stores the token. The graph records the credential’s issuer, audience, scope set, expiry, and claim hash.
That is enough to answer who could do what without creating a second credential leak.
The kill switch is a graph operation
Disabling an identity is necessary. It may not be sufficient.
The agent can have active tokens, queued tasks, child agents, open browser sessions, pending approvals, retries, and already-created external effects. A serious revocation drill closes the graph from the subject outward.
| Revocation step | Control-plane action | Proof |
|---|---|---|
| Stop new work | remove agent from discovery and block dispatch | new invocation returns typed denial |
| Stop new authority | disable claim minting and token exchange | broker rejects subject and blueprint |
| Stop tool use | Tool Gateway denies the subject and child claim hashes | attempted calls produce policy denials |
| Stop active work | cancel running and queued parent/child sessions | session registry shows terminal state |
| Contain effects | freeze pending mutations and approvals | no new mutation receipts after cutoff |
| Remove persistence | quarantine memory proposals and scheduled tasks | promotion and scheduler queues are empty |
| Recover | rotate exposed credentials, replay affected traces, reverse compensable effects | incident record names scope, actions, and residual risk |
Make time to effective revocation an SLO. The clock starts when the security operator declares the subject compromised. It stops only when new credentials, tools, active sessions, children, and pending effects are all closed.
Avoid the theatrical version of a kill switch: a red button that changes registry status while existing tokens and workers continue.
Also avoid indiscriminate shutdown as the default response. Microsoft warns that globally disabling agent identities can degrade services and push teams toward less transparent service principals. Prefer targeted subject, blueprint, capability, tenant, or destination containment—with a rehearsed global option for real emergencies.
The 20-point CISO readiness scorecard
Score each control 0, 1, or 2:
0— absent or based on manual discovery;1— partially covered, delayed, or limited to one platform;2— continuously measured across identity, runtime, tools, and effects.
| Control | 2-point evidence |
|---|---|
| Discovery coverage | Runtime-observed production agents reconcile to a governed registry. |
| Identity separation | Every action preserves agent subject, workload, and delegated principal separately. |
| Accountability | Every production agent has a current technical owner and business sponsor. |
| Effective-authority graph | Security can query reachable tools, data, destinations, and approval modes by subject. |
| Credential boundaries | Credentials are short-lived, audience-bound, scope-minimized, and never passed through the model. |
| Source-to-sink analysis | Untrusted-source paths to sensitive reads, writes, and egress are enumerated and tested. |
| Privilege-drift detection | Manifest, scope, tool, destination, mode, delegation, and owner drift alert automatically. |
| Decision evidence | High-impact effects bind identity claim, policy, approval, trace, and mutation receipt. |
| Replay coverage | High-risk runs replay from pinned inputs without repeating external effects. |
| Revocation SLO | Targeted kill drills stop new and active authority inside a measured objective. |
| Score | Posture |
|---|---|
| 0–7 | The organization has agent activity, not agent governance. |
| 8–13 | Inventory exists, but effective authority and incident containment remain fragmented. |
| 14–17 | High-risk agents can enter production under monitored, narrow authority. |
| 18–20 | The control plane is measurable, reviewable, replayable, and revocable. |
Four conditions stop a high-authority launch regardless of score:
- Production activity cannot be attributed to a versioned agent subject.
- A generic service account hides multiple agents with different owners or tasks.
- The agent can combine untrusted input, sensitive data, and an external or destructive sink without an independent boundary.
- The revocation drill cannot stop active parent and child runs.
Download the Agent Authority Register starter. It turns the graph, dashboard questions, drift baselines, and revocation SLO into a reviewable implementation artifact. The YAML is illustrative configuration, not a new normative ContextOS runtime schema.
What the board should ask
The board does not need a tool-call waterfall. It needs four accountable answers:
- Coverage: What percentage of production agent activity maps to a registered subject, owner, and sponsor?
- Exposure: Which agents can reach money, production, regulated data, customer communications, or public systems?
- Control: Which deterministic boundary prevents a compromised model from turning a proposal into an effect?
- Recovery: When did we last revoke a real agent path, how long did it take, and what remained reachable?
The wrong answer is “our vendor has guardrails.”
The right answer is a live access graph, a trace id, a policy decision, a replay result, and a measured revocation time.
That is what turns an AI agent from an invisible privileged actor into a governable workload.
Research base
- NIST: Identity and Authority of Software Agents
- NIST CAISI: Insights from a Large-Scale AI Agent Red-Teaming Competition
- OWASP Top 10 for Agentic Applications 2026
- Microsoft Entra Agent ID: Manage Agent Identities
- MCP Security Best Practices
