From Privilege Enumeration to Lateral Movement: Why AI Agents Weaponize Over-Permissioned Service Accounts
A developer deploys a containerized microservice to a Kubernetes cluster. The service needs to read configuration from a ConfigMap, so the DevOps team grants the pod’s service account permissions to list and get all ConfigMaps across the cluster. Reasonable request. Standard practice. But the ConfigMap contains an API token for accessing the company’s billing system. The deployed service never needs that token. Six months later, an AI agent exploits an unpatched vulnerability in the service, gains code execution, and discovers the Kubernetes service account token automatically mounted in /var/run/secrets/kubernetes.io/serviceaccount/token. From there, the agent enumerates every secret in the cluster. Lateral movement to the billing system takes seconds.
This scenario is not hypothetical. It’s becoming routine. The pattern repeats across cloud architectures: permissions that are technically “correct” in isolation, but cumulatively catastrophic. A Lambda function granted AssumeRole on a Karpenter node role. An ECS task with SecretsManager:GetSecretValue on every secret in the account. A Kubernetes ServiceAccount with cluster-admin privileges meant only for emergency operations but mounted by mistake on a standard workload pod.
Machine identities inherit these permissions and exploit them with mechanical certainty. Unlike human attackers who must plan, execute, and evade detection, AI agents simply enumerate available resources and access whatever permissions allow. There is no intent filtering. There is no social engineering required. Privilege escalation becomes a simple function call.
The solution is agentic identity governance that enforces workload-specific identity policies. Each AI agent should run with the minimal set of permissions necessary for its specific function—not a role designed for flexibility or convenience. This requires a fundamental architectural shift: away from role-based access control (RBAC) and toward attribute-based access control (ABAC) where permissions are bound to specific workload identities, time windows, and expected resource access patterns.
CISOs must audit existing service accounts immediately. For every privileged identity in cloud and on-premises environments, determine: who creates and rotates credentials? What actual permissions are in use versus what was granted? Are any service accounts over-permissioned relative to their operational necessity? The answers will almost certainly reveal lateral movement attack paths that machine identity governance must close.
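The granted-versus-used question above can be answered mechanically for Kubernetes. The following is an added example, not code from the original article: it compares cluster-wide RBAC grants on Secrets and ConfigMaps with audit-log activity. The role names, service accounts, audit events and the `_binding` helper are constructed for illustration.

```python
"""Compare cluster-wide RBAC grants on sensitive resources with observed use."""
SENSITIVE = {"secrets", "configmaps"}   # both live in the core API group
READ_VERBS = {"get", "list", "watch"}
# Constructed sample data, trimmed to the fields this audit reads.
CLUSTER_ROLES = {
    "config-reader": [{"resources": ["configmaps"], "verbs": ["get", "list"]}],
    "cluster-admin": [{"resources": ["*"], "verbs": ["*"]}],
    "pod-viewer": [{"resources": ["pods"], "verbs": ["get", "list"]}],
}
def _binding(role, namespace, name):  # hypothetical helper that builds a sample binding
    return {"roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": "ServiceAccount", "namespace": namespace, "name": name}]}
CLUSTER_ROLE_BINDINGS = [
    _binding("config-reader", "shop", "catalog-svc"),
    _binding("cluster-admin", "shop", "report-worker"),
    _binding("pod-viewer", "shop", "metrics"),
]
# Constructed audit events: the only sensitive read any workload performed.
AUDIT_EVENTS = [
    {"user": {"username": "system:serviceaccount:shop:catalog-svc"}, "verb": "get",
     "objectRef": {"resource": "configmaps", "namespace": "shop", "name": "catalog-config"}},
]

def granted(roles, bindings):
    """Service account -> (verb, resource) reads a ClusterRoleBinding allows in all namespaces."""
    out = {}
    for b in bindings:
        for s in b.get("subjects", []):
            if s["kind"] != "ServiceAccount":
                continue
            sa = f"system:serviceaccount:{s['namespace']}:{s['name']}"
            for rule in roles.get(b["roleRef"]["name"], []):
                r, v = set(rule.get("resources", [])), set(rule.get("verbs", []))
                res = SENSITIVE if "*" in r else SENSITIVE & r
                verbs = READ_VERBS if "*" in v else READ_VERBS & v
                out.setdefault(sa, set()).update((x, y) for x in verbs for y in res)
    return {sa: perms for sa, perms in out.items() if perms}

def unused_grants(roles, bindings, events):
    """Sensitive read permissions that were granted but never seen in the audit log."""
    used = {}
    for e in events:
        used.setdefault(e["user"]["username"], set()).add((e["verb"], e["objectRef"]["resource"]))
    return {sa: sorted(perms - used.get(sa, set()))
            for sa, perms in granted(roles, bindings).items()}

if __name__ == "__main__":
    for sa, perms in unused_grants(CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS, AUDIT_EVENTS).items():
        print(sa, "granted but unused:", perms)
```

A permission that shows up as used can still be too broad in scope: in the sample data, catalog-svc read one ConfigMap in its own namespace, while its binding covers every namespace.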
Source: The IAM Stack Was Built for Humans. AI Agents Are Breaking It.