All posts
Thesis

The Authorization Gap: Why Agent Security Starts After the Login

Your AI agents log in with a human's credentials and inherit everything that identity can do. No one decided what they should be allowed to decide to do. That space — between a permitted action and an authorized one — is where every agent incident is born.

8 min read By Brad McEvilly

The first major reckoning for agentic AI in production did not begin with a breach. It began with an efficiency calculation. In mid-December 2025, Amazon's internal coding agent was given a routine task: fix a minor issue in AWS Cost Explorer. It held operator-level permissions — the same access a human developer on that team would hold. It determined that the most efficient path to completing the task was to delete and recreate the entire production environment. It did exactly that, without asking. The result was a roughly thirteen-hour outage of AWS Cost Explorer across Amazon's China regions.

When the Financial Times reported the incident in February 2026, the finding was devastating in its simplicity: the standard two-person approval process for production changes was effectively optional when the change was being made by an AI agent. The safeguard that governed human engineers did not bind the agent's autonomous actions.

A human developer with the same permissions could also have deleted that environment. The difference is not the permission. The difference is that a human would have paused at the confirmation prompt, weighed the blast radius, and almost certainly stopped. The agent acted faster than any such prompt could be read, on a path it judged efficient, with credentials that said yes.

A Permitted Action Is Not an Authorized One

That is the authorization gap: the space between two questions the industry has spent years treating as one. What is this principal allowed to do? And what should this principal be allowed to decide to do? For human users those questions collapse together, because human judgment sits between the permission and the action. A developer with production access does not delete production every time it would be efficient, because the developer understands consequences the access-control system never encoded. Remove the person, keep the permission, and the gap opens.

This is not a model-safety problem. It is not solved by a better-aligned model, a longer system prompt, or more red-teaming. The agent was not jailbroken. It was not adversarial. It did its job, took the efficient path, and the efficient path was catastrophic because no boundary existed to distinguish a permitted action from an authorized one. The model behaved. The authorization architecture did not exist.

The Principal Changed; the Controls Did Not

For forty years, identity and access management has assumed the principal is a human, or a service a human configured. Authentication established who you were. Authorization established what you could do. Least privilege kept the grant narrow. The audit log recorded what happened so it could be reconstructed later.

Agents break that assumption quietly, because they do not look like a new principal. They log in with a human's credentials, or a service account a human created, and inherit whatever that identity was permitted to do. From the perspective of the systems they touch, nothing unusual is happening — a valid credential is making valid API calls. What changed is that the entity behind the credential is now autonomous: it chooses actions, chains tools, spawns sub-agents, and acts continuously with no human in the moment of decision.

So the controls we have are answering the wrong question. They answer "is this credential allowed to call this API," when the question that now matters is "should this agent, acting on its own initiative, be allowed to take this action — and who decided that, and can we prove it."

What "Authorized" Has to Mean for an Agent

When we say an agent is authorized, we are making four claims, and a production system should be able to substantiate all four. Identity: we know which agent is acting — not which human's token it borrowed, but which agent, distinctly and accountably. Authorization: we know what that agent is permitted to do, scoped as narrowly as its task requires, and the permitted set reflects a decision somebody made on purpose. Delegation: we know who or what conferred that authority — which human, which parent agent, which policy — so the chain of responsibility is reconstructable. Proof: we can demonstrate, after the fact, that the boundary held, and the record is tamper-evident.

Which agent, authorized to do what, delegated by whom, and able to prove it. That sentence is the whole thesis. Everything that follows is the work of making each clause true in a real production environment, for principals that act faster than you can watch them.

Start by Looking: The Agent Environment Review

Before any of that is buildable, you have to see the gap in your own environment, and most teams cannot. As of early 2026, only about one in five executives reported complete visibility into what their agents were permitted to do — their permissions, their tool access, their data reach. Roughly four in five organizations deploying agentic AI reported risky agent behaviors, including unauthorized access and improper data exposure. The deployment ran ahead of the understanding.

The fastest way to close that visibility gap is to look. The Agent Environment Review is exactly that exercise, and it is where DeepSweep opens, deliberately, for free. It answers, in plain terms, the questions a team usually cannot: which agents can write to which repositories; which can run shell commands, and with what reach; which tools each can call over the Model Context Protocol, and what those tools let it do downstream; which data each can read, and where it can send what it reads.

The review does not require uploading your source or your secrets to find this out; it reads the metadata of what your agents are wired to do. The output is not a score. It is a plain inventory of capability set against the boundaries that should exist and do not. The Amazon environment, reviewed honestly the day before the outage, would have shown an agent with operator-level production permissions and no boundary between a permitted deletion and an authorized one. The outage was foreseeable. It was, in the most literal sense, reviewable.

What This Means for Builders

If you ship with agents, this changes the contract between your model and your system. The credential check is no longer the last line of defense — it is the first, and on its own it answers a question that no longer settles anything. The system around the agent owes its users, and itself, an answer to four questions before an action propagates: which agent acted, whether it was authorized, who delegated that authority, and proof that the boundary held.

Read the Full Argument

The Authorized Agent: Identity, Authorization, and Audit for AI Agents in Production is Book One in the DeepSweep.ai Thesis series. It makes the case in full: the incident archaeology, the move from human IAM to agent IAM, the authorization-policy model, and runtime enforcement.

Available now on Amazon: https://www.amazon.com/dp/B0GWV9FGDF

DeepSweep is the productized thesis. The book is where it begins.

See where your AI-generated code stands.

Run a free Agent Environment Review — local, no code upload. Catch what your AI agent got wrong before it reaches a pull request.

Review my agent environment — free