Skip to content
Back to Blog
Agent security engineering series
July 19, 2026
·by ·14 min read

The AI Agent Access Graph: What CISOs Need to See

Share:XBSMRedditHNEmail
The AI Agent Access Graph: What CISOs Need to See illustration

Your AI agent probably does not run as Unix root.

It does not need to.

If it can read the executive inbox, query the customer database, retrieve files, inherit a user’s OAuth scopes, call cloud APIs, run code, and send data to the internet, it has something more difficult to govern than one privileged account: composite authority across systems.

No individual permission says root. The path through the permissions behaves like root.

The identity provider sees an application or service principal. The model platform sees prompts and tool calls. The API gateway sees requests. The SaaS audit log sees a user or integration. The agent framework sees a run. Each control plane has a piece. The CISO rarely has the graph that connects them.

So the security team cannot answer five basic questions quickly:

  1. Which agents are active in production?
  2. Who owns each one?
  3. What can each agent effectively reach right now?
  4. Which untrusted sources can influence high-impact sinks?
  5. Can we revoke one agent and stop every active path in minutes?

That is the missing dashboard.

The fix is not another list of agent names. It is an AI Agent Access Graph: a live map from agent identity and delegated principal through data, tools, credentials, policy, approval, and external effects.

“Root access” is a path, not a role

The headline is intentionally provocative, so the definition must be precise.

Most enterprise agents do not have literal operating-system root privileges. The dangerous condition is root-like effective authority: several individually legitimate permissions compose into a path that can read sensitive data, change important state, or move information outside its intended boundary.

Consider a security-remediation agent that can:

  • read incident tickets and vendor advisories;
  • inspect production configuration;
  • query a secrets-management broker for approved references;
  • execute a bounded cloud change;
  • write to the incident channel;
  • create a case in an external support portal.

Each capability has a business justification. Together they connect attacker-influenced content, production context, mutation authority, and an external network sink.

That path—not the longest individual permission string—is the blast radius.

A prompt filter might stop that exact instruction. It does not remove the access path. The durable controls are narrower context, scoped credentials, destination binding, argument policy, meaningful approval, and a revocation path that closes the run.

Why the existing dashboards miss the risk

Enterprise security tooling was built around users, workloads, applications, and network flows. Agents overlap all four.

Existing viewWhat it seesWhat it usually misses
IAMuser, app, service principal, roles, token issuanceagent version, task, tool surface, evidence, and run-level delegation
PAMprivileged credentials and sessionswhich agent reasoning path requested the privilege
API gatewaycaller, route, latency, responsemodel context, parent/child agents, and why the call was proposed
SaaS audit logaccount and application activityoriginal agent subject and cross-system principal chain
Model observabilityprompts, responses, token and tool eventsreal downstream credential, effective scope, and mutation receipt
Agent registryagent name, owner, manifest, lifecyclelive permissions and reachable source-to-sink paths across vendors

This is why “we already have IAM” is not a sufficient answer. IAM remains essential, but the unit of risk is no longer just an account. It is a governed run that joins:

agent subject
+ workload identity
+ delegated principal
+ current task
+ compiled tool surface
+ per-call credential
+ data classification
+ policy and approval
+ destination and effect

NIST’s 2026 concept paper on software and AI agent identity frames the problem around identification, authorization, auditing, non-repudiation, and prompt-injection controls. The OWASP Top 10 for Agentic Applications separately names tool misuse and identity and privilege abuse as agent-specific risk categories.

The industry response is already moving from generic service accounts toward first-class agent identities. Microsoft Entra Agent ID, for example, exposes agent status, owners, sponsors, permissions, sign-in logs, risk signals, and controls to disable individual agents or blueprints. That is useful progress.

But no identity product can infer the entire runtime path by itself. The agent harness still has to contribute task, context, tool, approval, trace, and effect facts.

The effective-authority equation

An agent’s theoretical permissions are not the same as its effective authority on a run.

In ContextOS, effective authority should be the intersection of deterministic ceilings:

effective_authority(run) =
  agent_manifest
  ∩ workload_identity
  ∩ delegated_user_scopes
  ∩ tenant_and_resource_audience
  ∩ compiled_tool_manifest
  ∩ policy_decision
  ∩ approval_mode
  ∩ run_budget

An intersection is important because authority should narrow at each boundary. A child agent never gets more scope than its parent. A tool credential never gets more scope than the current run. A policy rule cannot make a capability more powerful than its registered ceiling.

But intersection alone does not reveal composition risk. The dashboard also needs reachability:

dangerous_path =
  attacker_influenced_source
  -> agent context
  -> sensitive data or privileged tool
  -> external or irreversible sink

The first expression answers what is allowed. The second answers what harmful path remains reachable even when every individual permission looks legitimate.

That distinction is the center of the CISO view.

Build one Agent Access Graph

The graph does not replace IAM, PAM, SIEM, the agent registry, or traces. It joins their identifiers.

The graph needs stable keys. sales-helper is a label. agent:contextos/sales-helper@2.4.1 is a subject. agent-platform-prod is an application. A run claim that binds subject, workload, user delegation, tenant, audience, scope, and expiry is an authorization fact.

The minimum nodes and edges are:

Graph objectRequired facts
Agentversioned subject, blueprint or package, environment, lifecycle
Accountabilitytechnical owner, business sponsor, security reviewer, escalation route
Workloadruntime identity, cluster or service, attestation, key id
Principal chainuser, service, parent agent, child agent, tenant
Credentialissuer, audience, scopes, issued time, expiry, claim hash—not the secret
Contextintent, task, source provenance, data classification, memory reads
Capabilitytool, operation, argument constraints, destination class, approval-mode ceiling
Decisionpolicy rule, effective approval mode, evaluator verdict, approval
Effecttarget, mutation ref, idempotency key, reversal status, receipt
Tracerun id, trace id, parent/child links, replay status

Do not place bearer tokens, secrets, raw regulated payloads, or full prompts in the graph. Store hashes, references, classifications, and bounded summaries. The graph is a security control surface; it must not become a new secrets dump.

The twelve dashboard questions

A CISO dashboard should lead with questions, not telemetry exhaust.

Dashboard questionSignalAlert condition
How many production agents exist?registered subjects joined to runtime-observed subjectsobserved agent has no registry entry
Who is accountable?owner and business sponsor coverageactive agent has no current sponsor
Which agents act through generic accounts?agent subject to downstream actor mappingseveral agents collapse into one unexplained service principal
Which agents have the most authority?reachable tools, data classes, destinations, and approval modesdestructive or delegated path has no narrow task boundary
Which agents combine untrusted sources and sensitive sinks?source-to-sink reachabilityexternal content can influence sensitive read plus external write
Where did privilege drift?current versus approved manifest, scopes, tools, and destinationsauthority expanded without a reviewed version change
Are child agents narrower?parent and child claim comparisonchild scope, budget, tool set, or expiry is broader
Are credentials bounded?issuer, audience, scope, TTL, token-exchange pathtoken passthrough, wildcard audience, or long-lived static secret
Are approvals meaningful?approval time, evidence snapshot, overrides, post-effect resultdestructive approval lacks frozen evidence or is consistently rubber-stamped
Can actions be explained?trace completeness and DecisionRecord coveragemutation has no identity claim, policy decision, or receipt
Can incidents be replayed?retained inputs and replay resulthigh-risk run cannot be reproduced without live effects
Can the agent be stopped?last revocation drill and time-to-containmentkill path exceeds the declared SLO or leaves child runs active

This is not a daily executive wall of twelve charts. It is the query contract behind three views:

  • Posture: inventory, ownership, authority, drift, and readiness.
  • Live risk: risky agents, unusual tool use, denied calls, new destinations, and destructive activity.
  • Incident: principal chain, active runs, reachable tools, mutations, revocation state, and replay.

Detect the paths that ordinary IAM queries miss

The most useful queries join systems.

The following examples are pseudo-SQL over an illustrative access-graph projection, not a ContextOS runtime schema:

-- Production agents without accountable humans
SELECT agent_subject, environment, last_seen_at
FROM agent_posture
WHERE environment = 'production'
  AND (owner_id IS NULL OR sponsor_id IS NULL);
 
-- High-impact agents that cannot be replayed
SELECT agent_subject, capability, approval_mode, last_mutation_at
FROM effective_capabilities
WHERE approval_mode = 'destructive'
  AND replay_coverage_30d < 1.0;
 
-- Reachable exfiltration paths
SELECT agent_subject, source_class, data_class, sink_destination
FROM source_sink_paths
WHERE source_trust = 'untrusted'
  AND data_class IN ('CONFIDENTIAL', 'RESTRICTED')
  AND sink_class = 'external_network';
 
-- Delegation that widened instead of narrowed
SELECT parent_subject, child_subject, widened_dimension
FROM delegation_diffs
WHERE is_strict_subset = false;

A SIEM can execute these queries once the harness emits the joinable facts. The hard part is not the chart. It is ensuring that agent, identity, context, tool, policy, and effect events share stable identifiers.

Privilege drift needs a baseline

Human access reviews compare current entitlement with role and business need. Agents need the same discipline, with more dimensions.

An approved agent release should pin:

  • agent subject and version;
  • workload identities and environments;
  • maximum delegated scopes;
  • tool manifest and argument constraints;
  • allowed data classes and destinations;
  • canonical approval-mode ceilings;
  • parent/child delegation rules;
  • model and Context Pack versions;
  • policy and evaluator bundles;
  • run budgets and rate limits.

Privilege drift is any observed expansion outside that approved tuple.

DriftExampleResponse
Identity driftagent starts using a generic app registrationdeny claim minting and investigate deployment path
Scope driftnew OAuth scope appears after connector re-consentquarantine capability until access review
Tool driftMCP server advertises a new write capabilitykeep it undiscoverable until manifest admission
Destination driftsupport connector begins sending to a new hostdeny egress and require destination review
Delegation driftspecialist child inherits the parent tokenblock dispatch and mint a narrower child claim
Mode driftdestructive-call share rises after a pack changepin prior release tuple and replay affected runs
Ownership driftsponsor leaves or team is dissolveddemote or disable until accountability is restored

Microsoft’s agent-identity model includes sponsors, lifecycle, risk signals, permissions, sign-in logs, and individual or blueprint-level disable controls. Those are exactly the IAM-side facts the graph should consume. The runtime still has to add tool, task, evidence, effect, and replay facts.

Token passthrough destroys the dashboard

An access graph is only as good as its principal transitions.

If an MCP server accepts a token minted for another resource and forwards it downstream, the graph loses the boundary between the client, the MCP server, and the downstream API. The official MCP security guidance forbids token passthrough and requires resource-specific audience validation for this reason, among others: control circumvention, ambiguous audit trails, and confused-deputy risk.

The safer sequence is:

agent run claim
  -> gateway verifies subject, delegation, tenant, scope, and audience
  -> token broker mints a short-lived credential for one resource
  -> tool executes one bounded operation
  -> receipt records claim hash, policy decision, and mutation

The model never receives the token. The trace never stores the token. The graph records the credential’s issuer, audience, scope set, expiry, and claim hash.

That is enough to answer who could do what without creating a second credential leak.

The kill switch is a graph operation

Disabling an identity is necessary. It may not be sufficient.

The agent can have active tokens, queued tasks, child agents, open browser sessions, pending approvals, retries, and already-created external effects. A serious revocation drill closes the graph from the subject outward.

Revocation stepControl-plane actionProof
Stop new workremove agent from discovery and block dispatchnew invocation returns typed denial
Stop new authoritydisable claim minting and token exchangebroker rejects subject and blueprint
Stop tool useTool Gateway denies the subject and child claim hashesattempted calls produce policy denials
Stop active workcancel running and queued parent/child sessionssession registry shows terminal state
Contain effectsfreeze pending mutations and approvalsno new mutation receipts after cutoff
Remove persistencequarantine memory proposals and scheduled taskspromotion and scheduler queues are empty
Recoverrotate exposed credentials, replay affected traces, reverse compensable effectsincident record names scope, actions, and residual risk

Make time to effective revocation an SLO. The clock starts when the security operator declares the subject compromised. It stops only when new credentials, tools, active sessions, children, and pending effects are all closed.

Avoid the theatrical version of a kill switch: a red button that changes registry status while existing tokens and workers continue.

Also avoid indiscriminate shutdown as the default response. Microsoft warns that globally disabling agent identities can degrade services and push teams toward less transparent service principals. Prefer targeted subject, blueprint, capability, tenant, or destination containment—with a rehearsed global option for real emergencies.

The 20-point CISO readiness scorecard

Score each control 0, 1, or 2:

  • 0 — absent or based on manual discovery;
  • 1 — partially covered, delayed, or limited to one platform;
  • 2 — continuously measured across identity, runtime, tools, and effects.
Control2-point evidence
Discovery coverageRuntime-observed production agents reconcile to a governed registry.
Identity separationEvery action preserves agent subject, workload, and delegated principal separately.
AccountabilityEvery production agent has a current technical owner and business sponsor.
Effective-authority graphSecurity can query reachable tools, data, destinations, and approval modes by subject.
Credential boundariesCredentials are short-lived, audience-bound, scope-minimized, and never passed through the model.
Source-to-sink analysisUntrusted-source paths to sensitive reads, writes, and egress are enumerated and tested.
Privilege-drift detectionManifest, scope, tool, destination, mode, delegation, and owner drift alert automatically.
Decision evidenceHigh-impact effects bind identity claim, policy, approval, trace, and mutation receipt.
Replay coverageHigh-risk runs replay from pinned inputs without repeating external effects.
Revocation SLOTargeted kill drills stop new and active authority inside a measured objective.
ScorePosture
0–7The organization has agent activity, not agent governance.
8–13Inventory exists, but effective authority and incident containment remain fragmented.
14–17High-risk agents can enter production under monitored, narrow authority.
18–20The control plane is measurable, reviewable, replayable, and revocable.

Four conditions stop a high-authority launch regardless of score:

  1. Production activity cannot be attributed to a versioned agent subject.
  2. A generic service account hides multiple agents with different owners or tasks.
  3. The agent can combine untrusted input, sensitive data, and an external or destructive sink without an independent boundary.
  4. The revocation drill cannot stop active parent and child runs.

Download the Agent Authority Register starter. It turns the graph, dashboard questions, drift baselines, and revocation SLO into a reviewable implementation artifact. The YAML is illustrative configuration, not a new normative ContextOS runtime schema.

What the board should ask

The board does not need a tool-call waterfall. It needs four accountable answers:

  1. Coverage: What percentage of production agent activity maps to a registered subject, owner, and sponsor?
  2. Exposure: Which agents can reach money, production, regulated data, customer communications, or public systems?
  3. Control: Which deterministic boundary prevents a compromised model from turning a proposal into an effect?
  4. Recovery: When did we last revoke a real agent path, how long did it take, and what remained reachable?

The wrong answer is “our vendor has guardrails.”

The right answer is a live access graph, a trace id, a policy decision, a replay result, and a measured revocation time.

That is what turns an AI agent from an invisible privileged actor into a governable workload.

Research base

Found this useful? Share it.

Share:XBSMRedditHNEmail

Continue through the same topic without returning to the index.

View the series