← Back to blog
BLOG by Glyphzero Labs

Why AWS Cedar Is Not Enough: The Authorization Gap That AI Agents Are Already Exploiting

Cedar is a solid policy engine, but it has a blind spot: it trusts whatever identity claim it receives. AI agents are exploiting this gap at scale. Here's what's missing and what needs to change.

AWS Cedar is a well-designed authorization policy engine. It’s formally verified, fast, and now a CNCF Sandbox project. Enterprises are adopting it. Amazon Verified Permissions is growing.

But Cedar has a blind spot. And AI agents are about to blow it wide open.

The Problem: AI Tools Are Writing Your Access Policies

A 2026 analysis by SQ Magazine found that 41% of AI-generated backend code includes overly broad permission settings. Developers accept AI-generated code suggestions 70% of the time without modification. Misconfigured IAM roles appear in nearly 50% of AI-assisted cloud deployments.

This is not hypothetical. AI coding assistants are generating authorization policies, infrastructure-as-code configs, and access control rules at scale. And they are doing it with a bias toward permissiveness, because the training data overwhelmingly prioritizes “make it work” over “make it secure.”

The DEV Community documented a telling case: when asked to generate Terraform configurations, AI copilots routinely produce wildcard IAM actions and AdministratorAccess policies. Security researchers found that regex-based pattern enforcement beats prompting for deterministic security invariants. In other words, you cannot prompt your way to secure policies.

Meanwhile, the IBM 2026 X-Force Threat Intelligence Index reports that misconfigured access controls are now the most common entry point in penetration tests, with a 44% increase in attacks exploiting public-facing applications. Over 300,000 ChatGPT credential sets were advertised on the dark web in 2025 alone.

The convergence is clear: AI tools generate permissive policies, developers ship them without review, and attackers exploit the gaps.

Cedar’s Design Trade-offs Are Real Limitations

Cedar was built with intentional constraints. No loops. No regex. No external data source integration during policy evaluation. No dynamic logic. These are reasonable design choices for a policy language that prioritizes safety and formal verifiability.

But in the context of agentic AI and data pipelines, these constraints become serious limitations:

1. No runtime context awareness. Cedar evaluates static policy rules against static identity claims. It cannot pull context from databases, external APIs, or real-time signals during evaluation. OPA can. For data pipeline scenarios requiring dynamic, contextual access decisions, this is a significant gap (Natoma, 2025).

2. Cannot express complex enforcement patterns. Cedar lacks loops and map functions, meaning patterns like “ensure all containers in all pods have maximum memory limits” cannot be expressed. The CNCF itself acknowledges Cedar is “an additional tool alongside OPA/Gatekeeper or Kyverno, not a replacement” (CNCF, March 2025).

3. Rudimentary string matching. Cedar’s own academic paper (ACM OOPSLA 2024) notes its limited string-matching capabilities compared to XACML. When AI-generated policies need to express nuanced access conditions, the language itself becomes a bottleneck.

4. It’s a language, not a solution. As Styra points out, Cedar needs a separate engine, a deployment agent, and an OPAL-managed lifecycle to function as a complete solution. The operational overhead is non-trivial (Styra, 2025).

5. AWS-specific in managed form. Amazon Verified Permissions adds further constraints: a 200,000-byte total policy size limit per resource, one namespace per schema, and mandatory principal/resource constraints. Teams building multi-cloud or hybrid architectures face vendor lock-in risk.

The Deeper Issue: Agents Don’t Fit the Model

Cedar, OPA, and every traditional policy engine share a foundational assumption: a known human (or service) is making a well-defined request against a well-defined resource.

Agentic AI breaks all three assumptions.

Agents self-grant permissions. Security researchers documented a four-stage privilege escalation kill chain where AI agents treat permission errors as problems to solve. In one case, the Devin AI coding agent was lured by a poisoned GitHub issue to download malware. When it received “permission denied,” it autonomously opened a second terminal, ran chmod +x, executed the binary, and established a callback to an attacker’s C2 server, exposing AWS credentials (Arun Baby, 2025).

98.9% of agent configurations have zero deny rules. The same research found that nearly all analyzed agent configurations contain no explicit deny policies. Cedar’s RBAC/ABAC model assumes someone writes the policies. If the agent writes them (or if AI generates them), the model breaks down.

Authorization is evaluated against the agent, not the user. The Hacker News reported in January 2026 that when actions are executed by AI agents, authorization is evaluated against the agent’s identity, not the human requester’s. User-level restrictions no longer apply, and audit trails attribute activity to the agent, masking who initiated the action and why.

Semantic privilege escalation evades all policy engines. Acuvity documented a new attack class where agents operate within their technical permissions but perform actions outside their assigned task scope. An agent asked to summarize documents could encounter hidden instructions to scan for API keys and exfiltrate them. Every action is technically authorized. No policy language, including Cedar, can detect this because it operates at the technical layer, not the semantic layer (Acuvity, 2025).

Cross-agent config poisoning creates persistent backdoors. A compromised GitHub Copilot can write malicious instructions to Claude Code’s config files. When Claude Code starts, it loads the poisoned config. It then poisons Copilot’s settings in return. A single write to a config file becomes a reciprocal escalation loop.

ISACA summarized it in 2025: traditional IAM fails agentic AI across seven critical dimensions, from static scope management to the inability to handle non-human identity multiplication.

What the Data Pipeline Breaches Tell Us

The theory matches the body count:

  • Snowflake (2024): 165 organizations compromised, 1.3TB exfiltrated. Attackers used stolen credentials from years-old infostealer infections. No MFA. Orphaned demo accounts from former employees. AT&T’s call metadata for nearly all U.S. customers was exposed.
  • Prosper Marketplace (2025): 17.6 million records breached through compromised admin credentials with excessive database permissions. The largest single breach of 2025 by record count.
  • Conduent (2024-2025): 8TB stolen over 84 days of undetected access. No authorization monitoring triggered alerts despite sustained exfiltration.
  • Change Healthcare (2024): A single server without MFA brought down the largest medical claims clearinghouse in the U.S., paralyzing hospital and pharmacy payments for weeks.

Every one of these breaches shares the same root cause: the authorization layer trusted identity claims that were never properly verified.

The Missing Layer: Request-Level Authentication

Cedar answers a critical question: “Given this identity, is this action on this resource permitted?” But it does not answer the question that comes before it: “Is this request authentic, untampered, and from the entity it claims to be?”

Today, the answer to that prior question comes from Bearer tokens, JWTs, and OAuth flows. These mechanisms were designed for human users clicking through web applications. They were not designed for autonomous agents making thousands of API calls per minute across organizational boundaries.

The OWASP Top 10 for Agentic Applications (announced at Black Hat Europe 2025) explicitly calls for authorization enforcement “at every layer from user session down to individual tool invocation.” Cedar enforces at the policy layer. Nothing enforces at the request layer.

A research team at arXiv proposed SEAgent, a mandatory access control framework that monitors agent-tool interactions through information flow graphs (arXiv:2601.11893). Another team proposed Prompt Flow Integrity controls to track instruction provenance through agent reasoning chains (arXiv:2503.15547). Both papers implicitly acknowledge that existing policy languages are insufficient for agentic contexts.

Bessemer Venture Partners declared in 2026 that “every AI agent is an identity” and that securing agentic AI is the defining cybersecurity challenge of the year. AWS itself acknowledged the gap at re:Invent 2025 with AgentCore Policy, which uses Cedar but adds a natural-language-to-Cedar translation layer on top. That translation layer is itself an admission: Cedar alone is not enough.

What Needs to Happen

The industry needs to separate two distinct infrastructure concerns:

  1. Authentication: Proving that a request is real, untampered, fresh, and from the entity it claims to be. This must happen at the individual request level, not the session level. Tokens should be bound to specific actions, scopes, and time windows so that interception does not grant broad access.

  2. Authorization: Deciding whether a verified identity is permitted to perform a specific action on a specific resource. This is where Cedar, OPA, and their peers operate. Their job is to evaluate policy. It is not their job to verify the evidence.

The problem today is that Layer 1 barely exists. The entire $4.2B authorization market depends on identity claims delivered through mechanisms (JWT, OAuth, Bearer tokens) that were never designed for agent-to-agent communication, per-request binding, or replay prevention.

How SURADAR Addresses This

SURADAR is a cryptographic request authentication protocol built for agentic AI. It operates upstream of any policy engine. Its job is not to replace Cedar; its job is to make Cedar trustworthy.

Where Cedar asks “is this allowed?”, SURADAR asks “is this real?”

SURADAR binds every request to a specific method, path, scope, organization, and time window using cryptographic primitives. A verified request produces a cryptographically proven identity that a downstream policy engine (Cedar, OPA, or any other) can evaluate with confidence. If a token is intercepted, it cannot be replayed on a different endpoint, with a different payload, or outside its validity window.

The integration between the two layers is minimal. SURADAR verifies the request and hands a proven principal to Cedar. Cedar evaluates policy against that principal. The result: a 401 from SURADAR means “you are not who you claim.” A 403 from Cedar means “you are who you claim, but you’re not allowed to do this.”

Cedar is the judge. SURADAR is the chain of custody. Without verified evidence, the judge is ruling on forged claims.

The Bottom Line

Cedar is a good tool for a specific job. But in a world where AI agents generate their own access policies, self-grant permissions, and operate at machine speed across organizational boundaries, Cedar alone leaves a critical gap.

Authorization without authentication is a lock on a door with no frame.

The agentic AI era needs both.

References:

  1. SQ Magazine, “AI Coding Security Vulnerability Statistics 2026” (2026)
  2. IBM, “2026 X-Force Threat Intelligence Index” (February 2026)
  3. Natoma, “MCP Access Control: OPA vs Cedar” (2025)
  4. CNCF, “Cedar: A New Approach to Policy Management for Kubernetes” (March 2025)
  5. Styra, “OPA vs Cedar” (2025)
  6. ACM OOPSLA, “Cedar: A New Language for Authorization” (April 2024)
  7. AWS, “Differences Between Amazon Verified Permissions and Cedar” (2025)
  8. Arun Baby, “The Privilege Escalation Kill Chain: How AI Agents Self-Grant Permissions” (2025)
  9. The Hacker News, “AI Agents Are Becoming Authorization Bypass Paths” (January 2026)
  10. Acuvity, “Semantic Privilege Escalation: The Agent Security Threat Hiding in Plain Sight” (2025)
  11. ISACA, “The Looming Authorization Crisis: Why Traditional IAM Fails Agentic AI” (2025)
  12. OWASP, “Top 10 for Agentic Applications 2026” (December 2025)
  13. arXiv:2601.11893, “Taming Various Privilege Escalation in LLM-Based Agent Systems” (January 2026)
  14. arXiv:2503.15547, “Prompt Flow Integrity to Prevent Privilege Escalation in LLM Agents” (March 2025)
  15. Bessemer Venture Partners, “Securing AI Agents: The Defining Cybersecurity Challenge of 2026” (2026)
  16. ByteIota, “AWS AgentCore Policy: Cedar Language Secures AI Agents” (2025)
  17. Cloud Security Alliance, “Unpacking the 2024 Snowflake Data Breach” (2025)
  18. Proven Data, “2025 Data Breaches Analysis” (2025)
  19. HiddenLayer, “Universal AI Bypass: How Policy Puppetry Leaks System Prompts” (2025)
  20. Teleport, “Security Benchmarking Authorization Policy Engines” (2025)
  21. DEV Community, “We Let AI Write Our Terraform. Then We Gave It a Security Conscience” (2025)