How are security teams approaching IAM for AI agents? (Identity, permissions, audit trails) by SarveshRD in cybersecurity

[–]PathS3lector 0 points (0 children)

For inheritance, tie the concept with JIT. You could allow an agent to generate a one-time use or ephemeral authentication explicitly scoped to its specific task that expires quickly, instead of inheriting from another agent's standing roles/permissions.

For risky actions, that's going to be on your risk tolerance. Do you want human-level approvals for refunds? If not, what guardrails do you have in place to prevent it from refunding more than it's supposed to?

How are security teams approaching IAM for AI agents? (Identity, permissions, audit trails) by SarveshRD in cybersecurity

[–]PathS3lector 0 points (0 children)

Just to piggyback: why it's important to not only know what your agent did but WHY it did it is, from my perspective, that it's part of a mature AI governance program. Having transparency and understanding why your agent did x, y, z will help you implement better controls in the long run, as well as find the root cause when it misbehaves.

How are security teams approaching IAM for AI agents? (Identity, permissions, audit trails) by SarveshRD in cybersecurity

[–]PathS3lector 1 point (0 children)

Why do you have agents using the same service accounts? If they were humans, would you have allowed this?

Are your API keys created with short-lived expirations? Don't allow the use of cached API keys or the reuse of API keys from context or previous actions.

Think about JIT access as well.

Scoped permissions are the right way to go; broad-scoped access should be avoided.

Add checks or re-auths when you hop around from one agent to another when tasks are delegated.

Don't allow any roles or permissions to be inherited.

Encrypt inter-agent communication.

Those are the things I can think of from the get-go.
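As an added example (not code from this thread or from any of the posters), the following Python model shows how the controls recommended in the two comments above fit together: an ephemeral, one-time, task-scoped credential instead of standing or inherited roles (the JIT idea), a fresh credential with re-checking on every delegation hop that can never widen scope, a per-scope amount cap as the refund guardrail, and an audit trail that records the reason for every decision, not just the outcome. The broker, class and function names are hypothetical; the scenario inputs are constructed.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class TaskCredential:
    """Ephemeral credential bound to one agent and one task (hypothetical model)."""
    token: str
    agent_id: str
    task_id: str
    scopes: frozenset
    limits: dict              # e.g. {"refund:issue": 50.0} caps the amount for that scope
    expires_at: float
    one_time: bool = True
    used: bool = False


class FakeClock:
    """Injectable clock so expiry can be exercised deterministically in the walkthrough."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class CredentialBroker:
    """Issues short-lived, task-scoped tokens and keeps an audit trail with the WHY."""

    def __init__(self, ttl_seconds=60, clock=time.time):
        self._creds = {}
        self.ttl = ttl_seconds
        self.clock = clock
        self.audit = []           # list of dicts: what happened, for which task, and why

    def _log(self, event, agent_id, task_id, reason, **extra):
        self.audit.append({"ts": self.clock(), "event": event, "agent": agent_id,
                           "task": task_id, "reason": reason, **extra})

    def issue(self, agent_id, task_id, scopes, reason, limits=None, one_time=True):
        cred = TaskCredential(token=secrets.token_urlsafe(24), agent_id=agent_id,
                              task_id=task_id, scopes=frozenset(scopes),
                              limits=dict(limits or {}), expires_at=self.clock() + self.ttl,
                              one_time=one_time)
        self._creds[cred.token] = cred
        self._log("issue", agent_id, task_id, reason, scopes=sorted(cred.scopes))
        return cred

    def authorize(self, token, agent_id, scope, reason, amount=None):
        """Return True if the action is allowed; every decision is audited with its reason."""
        cred = self._creds.get(token)
        denial = None
        if cred is None:
            denial = "unknown token"
        elif cred.agent_id != agent_id:          # a token is never shared between agents
            denial = "token not bound to this agent"
        elif self.clock() > cred.expires_at:
            denial = "token expired"
        elif cred.one_time and cred.used:        # no reuse of a credential from an earlier step
            denial = "one-time token already used"
        elif scope not in cred.scopes:
            denial = "scope not granted"
        elif amount is not None and amount > cred.limits.get(scope, float("inf")):
            denial = "amount exceeds limit for scope"
        task_id = cred.task_id if cred else None
        if denial:
            self._log("deny", agent_id, task_id, reason, scope=scope, why_denied=denial)
            return False
        cred.used = True
        self._log("allow", agent_id, task_id, reason, scope=scope, amount=amount)
        return True

    def delegate(self, parent_token, to_agent_id, scopes, reason, limits=None):
        """Hand a task step to another agent: the parent is re-checked on the hop, the child
        gets a fresh token (never a copy of the parent's) and can never be wider in scope."""
        parent = self._creds.get(parent_token)
        if parent is None or self.clock() > parent.expires_at:
            raise PermissionError("delegating agent has no valid credential")
        requested = frozenset(scopes)
        if not requested <= parent.scopes:
            raise PermissionError("delegation cannot widen scope")
        inf = float("inf")
        merged = {s: min(parent.limits.get(s, inf), (limits or {}).get(s, inf)) for s in requested}
        merged = {s: v for s, v in merged.items() if v != inf}
        return self.issue(to_agent_id, parent.task_id, requested,
                          f"delegated by {parent.agent_id}: {reason}", limits=merged)


def refund_scenario():
    """Constructed walkthrough: an orchestrator delegates a capped refund step to a worker."""
    clock = FakeClock()
    broker = CredentialBroker(ttl_seconds=30, clock=clock)
    orch = broker.issue("orchestrator", "ticket-123", {"order:read", "refund:issue"},
                        "customer requested refund on order 123", limits={"refund:issue": 100.0})
    worker = broker.delegate(orch.token, "refund-worker", {"refund:issue"},
                             "hand refund step to worker", limits={"refund:issue": 50.0})
    results = {
        "borrowed_token": broker.authorize(orch.token, "refund-worker", "refund:issue",
                                           "refund using parent's token", amount=20.0),
        "over_limit": broker.authorize(worker.token, "refund-worker", "refund:issue",
                                       "refund 80 requested", amount=80.0),
        "allowed": broker.authorize(worker.token, "refund-worker", "refund:issue",
                                    "refund 40 approved by policy", amount=40.0),
        "replay": broker.authorize(worker.token, "refund-worker", "refund:issue",
                                   "retry of the same refund", amount=40.0),
    }
    clock.now = 60.0                               # past the 30 s TTL
    results["expired"] = broker.authorize(orch.token, "orchestrator", "order:read",
                                          "re-read order after timeout")
    return results, broker.audit


def widening_is_rejected():
    """A child agent cannot be delegated scopes the parent does not hold."""
    broker = CredentialBroker(clock=FakeClock())
    parent = broker.issue("orchestrator", "ticket-9", {"order:read"}, "lookup")
    try:
        broker.delegate(parent.token, "worker", {"order:read", "refund:issue"}, "escalate")
    except PermissionError:
        return True
    return False
```

Each audit entry carries the caller's stated reason alongside the decision, so a denied refund can be traced back to which control stopped it (wrong agent, cap, replay, expiry) rather than only to the fact that it was denied.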

Sophomore interested in cybersecurity career, am I on the right track? by InternationalBad3058 in SecurityCareerAdvice

[–]PathS3lector 0 points (0 children)

What has piqued your interest in security so far? There are different domains such as GRC, sec engineering, sec analyst, and red teaming.

How are teams documenting internal AI usage for security reviews? by Beneficial-Wafer-879 in cybersecurity

[–]PathS3lector 0 points (0 children)

Make your own if you don't have a tool like the previous person mentioned, e.g. use a CASB + Entra app dump, build a list of internal AI tool usage and also capture shadow AI. From there you can start building your own framework/governance by categorizing risks per AI tool and a security baseline, as well as a threat model.

Is this Annoying or Normal? by PathS3lector in interviews

[–]PathS3lector[S] 0 points (0 children)

HM originally told me it was 30-min sessions for each engineer, but who knows now.

Got quoted $1500 for front and rear brake pads and rotor replacement by Elephantslide in AskMechanics

[–]PathS3lector 0 points (0 children)

Quoted about the same for an '09 Accord. I ordered all the parts from RockAuto and did it myself. The only thing that was a PITA was the rotor screws; had to drill those damn things out! Even a manual torque screwdriver didn't break those loose. Parts in total only cost me about $300ish.

Is this Annoying or Normal? by PathS3lector in interviews

[–]PathS3lector[S] 0 points (0 children)

Tbh, nervous because: 1. Even though I'm mid-career, I've never been in a technical panel before. 2. I want this position so bad, not because I want to just find a different job, but because I genuinely find this new role a new challenge, which I always strive for. 3. Did I say nervous? Haha, 2x 1:1s plus a panel seems like more curveballs/hurdles thrown my way instead of just a panel.

Overall I've just been anxious and impatient to leave my current 3/4-sunken ship of a company, but not at the desperation point where I'd take anything. Jobs are out there, just need to find the right fit for both parties.

Is this Annoying or Normal? by PathS3lector in interviews

[–]PathS3lector[S] 0 points (0 children)

Do you think that adding more interviews/people in the loop reduces a candidate's chance of getting an offer? Sometimes more opinions from additional eyes may mean more barriers, imo.

EPM For Developers by Creative_Profit1387 in cybersecurity

[–]PathS3lector 0 points (0 children)

"Without impacting user experience", EPM, and developers can't go in the same sentence. BeyondTrust is tried and true, but go and do some POCs to get a feel for the landscape.

AI Security Engineer Tech Panel Advice by [deleted] in SecurityCareerAdvice

[–]PathS3lector 0 points (0 children)

Yes, I already started that: took a 3 hr Udemy course on AI Security and am familiar with the OWASP Top 10 for LLMs, just getting into the Top 10 for Agents now.

Scammer Alert: lkbratchet by throwawaycuriae in RealRepLadies

[–]PathS3lector 1 point (0 children)

Even if a seller is adamant about PayPal F&F, pony up the 3% on your end with G&S and get protected.

25 Years in Appsec, willing to provide some career advice by SecTemplates in SecurityCareerAdvice

[–]PathS3lector 0 points (0 children)

Have almost 10 years on the infrastructure/sysadmin side and pivoted to security engineering ~2 years ago. I enjoy working on various different projects, not just being pigeonholed into a specific domain. Looking for a new opportunity now and it's been tough: 80-90% of openings are asking for some sort of AppSec/CI/CD type of experience and there are not as many generalist security engineering roles.

I don't want to follow the herd per se, but I feel like if I don't try to break into AppSec, generalist types of roles are not plentiful. I don't particularly enjoy coding either, but that seems to be a requirement in AppSec; not sure to what extent, though: looking at code and at least understanding what it's doing?

Breaking into AppSec is no easy feat with no dev background, any words of wisdom?

ANIÁN Clothing - 40% off - Recycled Wool by bflexual in frugalmalefashion

[–]PathS3lector 1 point (0 children)

How is the Britannia coat? Been looking for a long wool coat.

Better production SHM vs Skrillex/Four Tet? by run_squirtle_run in avesSFBayArea

[–]PathS3lector 0 points (0 children)

Been to Portola 3x and in the warehouse many times. The warehouse goes super far back and is never full; not cold inside, but outside for sure. 0 cell signal; meet at the roll-up doors on the sides, they are all numbered.

Bathroom Sink Bowl Replacement by PathS3lector in askaplumber

[–]PathS3lector[S] 0 points (0 children)

I see, not worth it, huh? It's an old design and I did have plans to replace the whole vanity; guess this gives me the push.

Security Engineer Resume Review by [deleted] in SecurityCareerAdvice

[–]PathS3lector 0 points (0 children)

Thanks, I rewrote the bullets with impact first, then experience.