Relynt
Back to blog
Featured
Policy Patterns

Why agent write access breaks traditional IAM

12 min read

Traditional IAM was designed for humans and services—not semi-autonomous agents that compile intent into writes across many systems. Here's where IAM fails and what an agent-native control plane must add.

Traditional IAM was designed for two dominant actors:

  1. Humans using interactive sessions (SSO + MFA + short-lived sessions)
  2. Services using stable identities (workloads, microservices) with scoped permissions and predictable call paths

Tool-using AI agents are neither. They are semi-autonomous, stateful, and non-deterministic actors that can translate ambiguous instructions into concrete write operations across many systems. When you give an agent write access, you are effectively introducing a new class of principal into your environment, but most IAM stacks do not model or control this principal correctly.

This write-up breaks down where traditional IAM fails, the specific failure modes, and what an "agent-native" control plane must add.

1) The core mismatch: IAM authorizes identity, agents operationalize intent

IAM answers:

"Given this principal, may it call this API?"

Agents introduce a new question:

"Given this intent, is this particular action safe and appropriate right now?"

Agents are intent-to-action compilers. The user says "close the ticket and notify the customer," and the agent decides:

  • which ticket system endpoint to call
  • what fields to modify
  • what message to send
  • whether to create follow-up tasks
  • whether to attach logs, include PII, update a CRM record

Traditional IAM policies typically bind coarse permissions to principals:

  • servicenow.write
  • salesforce.update
  • github:write

This works when the code path is stable and the developer controls what gets called. With agents, the principal is stable but the action surface is not. The agent can find new actions, new parameters, and new sequences you did not anticipate.

The result: IAM becomes a "permit to operate" at the wrong granularity.

2) The "shared bot token" trap: least privilege collapses under delegation

In practice, most agent deployments start like this:

  • One API key or bot account is created for "the agent"
  • That credential is given broad access so the agent "can do its job"
  • The agent acts on behalf of many users, teams, and tasks

This breaks multiple IAM assumptions:

2.1 No per-agent-instance attribution

When something goes wrong, the logs show:

"bot-token-123 updated deal 789"

not:

"deal-update-agent instance run_2026_01_31_19_22Z updated deal 789 due to ticket INC-4451, approved by Alice"

IAM can tell you which identity called the API, but it cannot tell you:

  • which agent instance
  • what prompt/task context caused the action
  • what tool-call payload the agent generated
  • whether a human approved it
  • what policy version was evaluated

2.2 Delegation becomes indistinguishable

An agent often needs to act with delegated authority from a user:

  • "close my ticket"
  • "update my customer record"
  • "approve this refund"

Traditional delegation patterns (OAuth scopes, impersonation, service accounts) were not built for high-frequency, multi-step, tool-chaining automation where the agent is making decisions mid-flight.

So teams either:

  • give the agent broad rights (unsafe), or
  • keep it read-only (limits product), or
  • build a custom patchwork of checks per tool (slow, inconsistent)

3) Coarse scopes are too blunt for agent behavior

IAM permissions tend to be shaped like:

  • system-level scopes (Salesforce: update objects)
  • role-level permissions (Jira: edit issues)
  • API-wide grants (internal service: write access)

Agents need enforcement at the level of:

  • action type
  • resource
  • field-level constraints
  • amount/risk thresholds
  • contextual conditions
  • human approval gates

Example: a CRM update agent.

IAM can express:

allow crm.deal.update

But the real risk boundaries are:

  • allow updating stage only for deals assigned to this rep
  • allow amount changes up to $10k
  • require approval for "Closed Won/Lost"
  • deny edits to "billing_contact_email" or "discount_rate"
  • rate limit changes per hour
  • require ticket reference for certain fields

This is not a "who can access Salesforce" problem. It is a "what is this specific write operation and is it safe" problem.

Traditional IAM does not naturally model this because it was not designed to evaluate arbitrary payload semantics per request.

4) Agents are non-deterministic: permissioning must assume drift

A microservice with write access is deterministic code you control. An agent is a system that can:

  • be updated frequently (model upgrades, prompt changes)
  • change behavior based on context
  • discover new ways to accomplish a goal
  • tool-chain in unexpected sequences

Even if you give it the same IAM role, its operational behavior can drift.

That drift creates a governance gap:

  • The permission set remains constant.
  • The agent's behavior changes.

This breaks the safety model most IAM programs rely on: stable code + stable scopes.

5) "Write access" is a high-stakes boundary, and IAM is missing an approval plane

In many organizations, the most sensitive operations are gated by human approvals:

  • closing a major incident
  • changing production config
  • refunding above a threshold
  • merging to main
  • provisioning access

IAM can enforce "only users with role X can do Y," but it does not provide:

  • interactive approvals for a specific action attempt
  • a durable record that "Alice approved this agent action"
  • a policy-driven routing system ("send approval to #security-approvals if risk=high")

Without an approval plane, teams fall back to:

  • manual processes outside the system (Slack messages, tickets)
  • brittle internal approval workflows tied to one tool
  • "just let the agent do it" and hope logging is enough

Agents need approvals as a first-class authorization outcome:

  • allow
  • deny
  • require_approval

Classic IAM typically has only:

  • allow
  • deny

6) Audit and compliance requirements are stronger than "logs exist"

Security teams do not just need "we logged it." They need:

  • integrity: logs cannot be tampered with
  • non-repudiation: you can prove the system made the decision
  • traceability: who/what/why for each write
  • policy evidence: what policy was applied at that time
  • context evidence: request and response hashes, risk score

Traditional IAM logs often:

  • live inside each tool (Salesforce logs, Jira logs, GitHub audit logs)
  • have inconsistent schemas
  • do not include agent reasoning or tool payload
  • cannot be cryptographically verified end-to-end

As soon as an agent can write to multiple tools, your audit trail fragments across systems. The risk posture is governed by the weakest logging surface.

Agents require a single canonical action ledger with tamper-evident receipts.

7) The real failure mode: IAM "authorizes the agent," but does not control the write

A concise way to put it:

IAM can authorize an identity to call an API, but it cannot reliably authorize each agent-generated write in a way that is least-privilege, approval-aware, and audit-grade.

That is why "agent write access breaks IAM." Not because IAM is bad, but because the object being controlled has changed.

8) What an agent-native authorization layer must add

If you want an actionable checklist, the missing pieces are:

8.1 Agent and instance identity

  • Agents are first-class principals
  • Each runtime instance has its own identity and credentials
  • Credentials are revocable and time-bound

8.2 Action-level policies (not just API scopes)

  • policy evaluates: action + resource + payload constraints + context
  • field-level and threshold constraints
  • rate limiting and anomaly hooks

8.3 Approvals as an authorization outcome

  • policy can return pending approval
  • approvals have approver identity + timestamp + rationale
  • approvals are bound to the exact request hash

8.4 Signed receipts (tamper-evident audit)

  • every allow/deny/approval decision emits a receipt
  • receipts include: identity, policy version, hashes, outcome
  • receipts are verifiable (HMAC or signatures) and append-only

8.5 Central gateway between agents and tools

  • agents never call tools directly
  • gateway is the enforcement and logging point
  • connectors handle tool auth centrally

This is the shift from "IAM for systems" to "authorization for agent actions."

9) Concrete example: same IAM role, different outcomes

Assume an agent has crm.write.

Scenario A: low risk

  • update deal notes
  • amount change: $500
  • stage unchanged

Outcome: allow, auto-execute.

Scenario B: high risk

  • move deal to Closed Won
  • amount change: $50,000
  • updates discount_rate

Outcome: require approval or deny.

IAM sees both as crm.write. Agent-native authorization distinguishes them.

10) Summary

Agents break traditional IAM because IAM is built around stable principals and coarse-grained permissions, while agents generate diverse, high-impact write operations that require:

  • action-level least privilege
  • contextual constraints
  • approvals for high-risk writes
  • strong, verifiable audit trails
  • per-agent-instance attribution

If you are letting agents write into production systems, you need a control plane that sits between agents and tools and treats "each write" as the unit of authorization.

All posts