Reskill · IDS
Identity Security
The agent had read access. Somehow it wrote to production.
Composition is the blind spot: privileges that are safe apart combine into one that is not.
Start with these skills
- Inventory every identity, human or not
- Separate duties so no identity does it all
- Grant AI the least privilege it needs
- Provision access deliberately, including for agents
- Change and revoke access as fast as roles change
The rung you have to reach
IAM
Managing user authentication and authorization for AI applications and services across deployment types (self-hosted, PaaS, API/SaaS), non-human identities for AI agents and services, and customer identity workflows through AI applications. Includes chain of delegation and consent, identity chaining and transitive trust, credential scope, MCP and tool authorization, goal-based authorizations for autonomous agents, and enforcing least privilege.
L1 · Initial
AI services and developer tools accessed using personal credentials, shared credentials or user impersonation. Agents inherit full user permissions without scoping. No distinction between human and non-human identities. API keys manually managed with broad access. No MCP or tool authorization in place.
L2 · Repeatable
Initial use of service accounts or managed identities for AI workloads. SSO for enterprise AI chatbots. Basic OAuth integration for AI application access. Agent permissions defined but not scoped to tasks, agents typically receive user's full authorization. MCP servers, if used, rely on static API keys. Initial documentation of which agents access which resources.
L3 · Defined
Dedicated service accounts or managed identities provisioned per AI workload and enterprise AI application. Enterprise AI platforms and SaaS AI features (e.g., Microsoft 365 Copilot, Salesforce Agentforce) managed through provider IAM controls. OAuth or similar standards used for primary MCP tool authorization. Agent credentials managed with rotation and revocation procedures. Initial least-privilege policies for enterprise AI agents documented. Customer-facing AI applications include authentication and consent management.
L4 · Capable
Distinct non-human identities established for AI agents across deployment types (enterprise-built, SaaS-embedded, developer tools). Delegation and consent flows implemented (users explicitly authorize agent actions). On-behalf-of authorization patterns with tokens reflecting both user and agent identity. Agent identity integrated with enterprise IdP for supported technologies. MCP tool authorization with fine-grained scopes. AI developer tools consistently tag their commits/actions with agent identity.
L5 · Efficient
Automated agent identity lifecycle management integrated with AI deployment pipelines. Just-in-time, ephemeral credentials for agent operations (tokens expire after task/session). Delegation chain validation for multi-agent workflows with transitive trust boundaries enforced. Full auditability from user intent through agent actions to resource access. Policy-as-code enforcement for agent authorization. Continuous validation of agent permissions against intent. Customer-facing AI identity flows secured with consent management and revocation.
our model · calibrated to SAE J3016
Your syllabus
The plays that climb the rung.
Access-review assist
Run periodic access reviews: surface stale and excessive access, chase attestations to completion.
Moves: Review completion time ↓
Show the exact control IDs (for your security & GRC team)
L2 IAM-08, IAM-01, HRS-15 · L3 IAM-05, GRC-15, LOG-13 · L4 IAM-07, IAM-18, LOG-12
Autonomy must not outrun maturity. The gate holds each rung until its controls are evidenced. The gate framework: eight gates, three lanes →