Vikas Malik
A Senior Lead Cybersecurity Architect at JPMorganChase | Speaker & Creator on Emerging Security Trends | Driving Secure Cloud, SaaS & AI Adoption
Columbus, Ohio, United States
Vikas Malik is a senior cloud security architect with deep experience securing cloud and AI-based systems. He has worked extensively with modern distributed architectures and industry-standard cloud technology stacks, focusing on how security controls behave in complex, real-world systems.
Ambient Authority Confusion: Why AI Agents break our authorization assumptions
Modern app security models assume that authorization decisions implicitly capture user intent. This assumption has held for decades because traditional systems are deterministic, and execution paths are tightly bound to the initiating principal.
AI agents quietly invalidate this assumption.
My talk introduces Ambient Authority Confusion (AAC), an architecture gap in which an AI agent executes actions it is fully authorized to perform, yet violates user intent because authority is no longer bound to the intent at runtime. Crucially, this occurs without any policy violation, misconfiguration, or exploit.
AAC is not an IAM bug, not a role design issue, and not a prompting failure. Instead, it emerges when systems allow agents to operate under broad ambient authority while making contextual decisions on behalf of specific users. This pattern first surfaced during a security review of an agent workflow that passed every access control check, yet repeatedly produced outcomes users could not explain or predict.
Through a simplified User -> Agent -> System Model and a live local demo, this session shows how AI agents amplify the classic confused deputy problem - not by escalating privileges, but by dissolving the runtime binding between authority and intent.
AAC does not replace the confused deputy problem; it formalizes a distinct failure mode that arises when delegation is continuous, decisions are non-deterministic, and authority is ambient rather than explicitly invoked.
This talk concludes with concrete takeaways AppSec teams can look for during agent reviews, questions security architects should begin asking platform owners, and why tightening RBAC, ABAC, or tool permissions alone cannot address this class of risk.
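The User -> Agent -> System model described above, as an added sketch that is not the speaker's demo: every call in the agent's plan passes the role check, and only a comparison against a record of what the user asked for shows the divergence. All names, the ticket data and the `Delegation` record are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: every name below is hypothetical.
AGENT_ROLE = {"tickets:read", "tickets:close"}  # ambient authority of the agent's service identity
TICKET_OWNER = {"T-1": "alice", "T-2": "bob", "T-3": "alice"}

@dataclass(frozen=True)
class Delegation:
    """What the user actually asked for, captured at request time."""
    user: str
    actions: frozenset
    resources: frozenset

@dataclass(frozen=True)
class Action:
    """One tool call the agent chose to make while handling the request."""
    action: str
    resource: str

def rbac_allows(a: Action) -> bool:
    # The traditional check: is the *agent* permitted to do this at all?
    return a.action in AGENT_ROLE

def within_intent(a: Action, d: Delegation) -> bool:
    # The missing binding: does this call fall inside what the user delegated?
    return (a.action in d.actions
            and a.resource in d.resources
            and TICKET_OWNER.get(a.resource) == d.user)

def review(plan, d):
    """Return (resource, action, rbac_ok, intent_ok) for each call in the plan."""
    return [(a.resource, a.action, rbac_allows(a), within_intent(a, d)) for a in plan]

def aac_findings(plan, d):
    """Calls that pass authorization yet fall outside the delegation."""
    return [r for r in review(plan, d) if r[2] and not r[3]]

# Alice asks: "close my ticket T-1". The simulated plan also closes a ticket the
# agent judged a duplicate (bob's) and another of alice's that she never mentioned.
REQUEST = Delegation("alice", frozenset(AGENT_ROLE), frozenset({"T-1"}))
PLAN = [Action("tickets:read", "T-1"), Action("tickets:close", "T-1"),
        Action("tickets:close", "T-2"), Action("tickets:close", "T-3")]

if __name__ == "__main__":
    for row in review(PLAN, REQUEST):
        print(row)
    print("authorized but outside intent:", aac_findings(PLAN, REQUEST))
```

An access log that records only the `rbac_allows` result shows four permitted calls; the two findings appear only when the initiating request is logged alongside each action.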
OWASP BASC 2026 Sessionize Event