Skip to content
Tiatra, LLCTiatra, LLC
Tiatra, LLC
Information Technology Solutions for Washington, DC Government Agencies
  • Home
  • About Us
  • Services
    • IT Engineering and Support
    • Software Development
    • Information Assurance and Testing
    • Project and Program Management
  • Clients & Partners
  • Careers
  • News
  • Contact
 
  • Home
  • About Us
  • Services
    • IT Engineering and Support
    • Software Development
    • Information Assurance and Testing
    • Project and Program Management
  • Clients & Partners
  • Careers
  • News
  • Contact

Your next insider threat doesn’t have a badge. It has an API token

The threat that I now spend most of my time designing against doesn’t look like a breach at all. At least not at first.

Imagine a team deploys an agent that does exactly what it’s permitted to do: it reads a customer record, summarizes it, then sends the summary to an outside address. Every step in the sequence is authorized. But it turns out that the breach is the sequence itself.

The problem is that each security check only looks at one step at a time. Is this read okay? Yes. Is this summary okay? Yes. Is this email okay? Yes. Each step passes. But nobody is watching the combination of all three steps together. The security tools designed for human-driven workflows assumed a person would be doing this manually, one thing at a time. However, the AI agent bundles it all into a single automated sequence, and that bundling slips through gaps between the checks.

I build authorization for agentic systems, and the gap between “every action was allowed” and “the outcome was a breach” is what I keep coming back to.

An agent is not a user or a file. It is an insider authorized with an API token instead of a badge to act on your behalf. We learned decades ago that perimeters don’t secure against insiders. But in the design reviews I’ve sat in this year, the security conversation still centers on prompt injection and output filtering. That’s one layer below where the exposure has moved.

Two decades of asking the wrong two questions

We spent 20 years getting very good at two questions:

  • Who is allowed in?
  • What data is allowed out?

Identity and access management answered the first question. Data loss prevention the second. Both assume a world of users and files—a human you authenticate at the door and a document you inspect on the way out. But production AI agents make both questions obsolete.

An agent is an actor. It reads context, chains tool calls, invokes connectors and changes systems of record, then hands work to other agents as it goes. The danger isn’t that it does one clearly forbidden thing; it’s that it does a series of small, permitted things that add up to something harmful. And because each individual action looks fine, the standard security tools don’t flag anything. It’s the same reason an employee with legitimate access is harder to catch than an outside hacker.

This is a known failure mode in IT security, sometimes called the confused deputy problem: a program with legitimate authority gets manipulated into misusing it on someone else’s behalf. Now, AI agents have given it initiative. An agent is a confused deputy that doesn’t just hold authority but plans with it. The OWASP community ranks excessive agency—an agent operating with broader capability than its task requires—among the top risks for large language model applications.

The four ways agent authority goes wrong

When I threat-model an agent before it ships, four failure modes do most of the damage, and the governance conversation most teams are having addresses none of them.

  1. Tool-chain abuse. Each tool call is safe on its own, but the chain composes into something no one authorized. The pattern is mundane: an agent permitted to read records, call a summarizer and send mail turns those three benign capabilities into a clean exfiltration path. Content filtering inspects each step and waves all of them through, because no single step is prohibited.
  1. Delegation-chain exploitation. An agent hands a subtask to another agent, and the child ends up with authority it was never meant to have. The mechanism is simple: the parent passes the child a copy of its own credentials, so the child can now do everything the parent can. Most orchestration frameworks pass parent context down by default because they assume the child is trusted. That’s a framework default, not a security decision.
  1. Approval evasion. A human-in-the-loop gate is supposed to catch the consequential action, but the agent reaches the same outcome by a path the rule didn’t anticipate. This isn’t agents being clever; it’s policies written for human workflows. A gate that checks “summarizing customer records” is blind to an agent reaching the same data by another tool path. In other words, it guards the actions humans take, not the outcome it was meant to protect.
  1. The first three are how the breach happens. The fourth is why it becomes a crisis: audit opacity. Even after you discover something went wrong, you can’t piece together the full picture: what exactly the agent did, who authorized it to do those things or whether it went beyond what it was supposed to do. The logs simply show that reads and sends happened. Only in the post-incident review do teams discover their logs were written for debugging, not for proof.

Move the decision to runtime

When these failure modes surface, the instinct is to add another detection layer, such as a better filter or a smarter classifier watching the output. That instinct is wrong. You can’t inspect your way out of a problem of authority. The answer is a runtime policy engine that governs what an agent is allowed to do at the moment it acts.

The concept isn’t new; it’s zero trust, applied inward. We spent years pushing zero trust outward to the perimeter for people and devices. Every request is authenticated and authorized in context, decided centrally rather than assumed at the edge. Agents move the object of that decision inward, from who are you at the door to what will you do in the next call.

A runtime policy engine makes that concrete. It evaluates which tool is being called, which data is being touched and what the downstream effect will be.

Three properties make it real:

  1. Decide before the action fires. Evaluate the agent’s intended action against policy and live context at call time, not afterward in a log review. A policy that isn’t evaluated at the moment of action isn’t a control.
  1. Make delegated authority shrink. Authority should only narrow as it passes from agent to agent, never widen. That way, a compromised agent can’t exceed the narrowest link in its chain, and stopping a parent leaves no orphaned authority downstream. Capability can still be re-requested; a child can ask its parent to escalate, but that escalation is evaluated and logged at call time, not baked into a token handed over once.
  1. Build audit as evidence, not logs. Evidence means a record that ties each action to the policy that authorized it—principal, tool called, inputs, the rule evaluated, the decision and a timestamp—in append-only or signed storage so it can’t be quietly rewritten. It lets a regulator or a board reconstruct who acted, on whose authority and whether that authority was exceeded, instead of relying on a forensic reconstruction weeks later. Most deployments skip this because it’s infrastructure work, not policy work.

One implementation caveat: Evaluating every action at runtime adds latency and demands live policy context. Some friction is unavoidable, so the question is where you add it. Focus on the actions where a mistake is hardest to reverse: Anything touching customer data, financial systems or infrastructure.

The three questions I ask before every deployment

When a team brings me an agent bound for a real system of record, I’ve stopped asking which model it uses. I ask three things instead:

  1. Can every action resolve to a human source of authority, captured at runtime?
  1. Does the agent’s authority shrink as it delegates, or can a subagent do more than its parent?
  1. If this agent did something wrong tomorrow, could we prove what it did? (Not describe it. Prove it.)

The autonomy that makes AI agents so valuable also makes legacy controls insufficient. You can’t add autonomous agents to your existing processes and expect last year’s controls to cover them. When an agentic breach happens, the question the board asks won’t be, “What leaked?” It will be, “What was your agent allowed to do, and can you prove it?”

Get ahead of it before the board has to ask.

This article is published as part of the Foundry Expert Contributor Network.
Want to join?


Read More from This Article: Your next insider threat doesn’t have a badge. It has an API token
Source: News

Category: NewsJuly 10, 2026
Tags: art

Post navigation

PreviousPrevious post:How a Formula 1 IT director balances innovation and stability at 200 mphNextNext post:AI’s potential to infect the hiring process with bias

Related posts

Your service vendors are being rebuilt around AI
July 14, 2026
How do you go from junior to staff engineer when AI writes the code?
July 14, 2026
How AI agents are shaping the future of work
July 14, 2026
Where Meta’s WhatsApp agent can actually win
July 14, 2026
Deluxe Corporation beats the odds with mainframe migration using AI
July 14, 2026
The essence of data management CIOs must embrace
July 14, 2026
Recent Posts
  • Your service vendors are being rebuilt around AI
  • How do you go from junior to staff engineer when AI writes the code?
  • How AI agents are shaping the future of work
  • Where Meta’s WhatsApp agent can actually win
  • Deluxe Corporation beats the odds with mainframe migration using AI
Recent Comments
    Archives
    • July 2026
    • June 2026
    • May 2026
    • April 2026
    • March 2026
    • February 2026
    • January 2026
    • December 2025
    • November 2025
    • October 2025
    • September 2025
    • August 2025
    • July 2025
    • June 2025
    • May 2025
    • April 2025
    • March 2025
    • February 2025
    • January 2025
    • December 2024
    • November 2024
    • October 2024
    • September 2024
    • August 2024
    • July 2024
    • June 2024
    • May 2024
    • April 2024
    • March 2024
    • February 2024
    • January 2024
    • December 2023
    • November 2023
    • October 2023
    • September 2023
    • August 2023
    • July 2023
    • June 2023
    • May 2023
    • April 2023
    • March 2023
    • February 2023
    • January 2023
    • December 2022
    • November 2022
    • October 2022
    • September 2022
    • August 2022
    • July 2022
    • June 2022
    • May 2022
    • April 2022
    • March 2022
    • February 2022
    • January 2022
    • December 2021
    • November 2021
    • October 2021
    • September 2021
    • August 2021
    • July 2021
    • June 2021
    • May 2021
    • April 2021
    • March 2021
    • February 2021
    • January 2021
    • December 2020
    • November 2020
    • October 2020
    • September 2020
    • August 2020
    • July 2020
    • June 2020
    • May 2020
    • April 2020
    • January 2020
    • December 2019
    • November 2019
    • October 2019
    • September 2019
    • August 2019
    • July 2019
    • June 2019
    • May 2019
    • April 2019
    • March 2019
    • February 2019
    • January 2019
    • December 2018
    • November 2018
    • October 2018
    • September 2018
    • August 2018
    • July 2018
    • June 2018
    • May 2018
    • April 2018
    • March 2018
    • February 2018
    • January 2018
    • December 2017
    • November 2017
    • October 2017
    • September 2017
    • August 2017
    • July 2017
    • June 2017
    • May 2017
    • April 2017
    • March 2017
    • February 2017
    • January 2017
    Categories
    • News
    Meta
    • Log in
    • Entries feed
    • Comments feed
    • WordPress.org
    Tiatra LLC.

    Tiatra, LLC, based in the Washington, DC metropolitan area, proudly serves federal government agencies, organizations that work with the government and other commercial businesses and organizations. Tiatra specializes in a broad range of information technology (IT) development and management services incorporating solid engineering, attention to client needs, and meeting or exceeding any security parameters required. Our small yet innovative company is structured with a full complement of the necessary technical experts, working with hands-on management, to provide a high level of service and competitive pricing for your systems and engineering requirements.

    Find us on:

    FacebookTwitterLinkedin

    Submitclear

    Tiatra, LLC
    Copyright 2016. All rights reserved.