BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//fwd-cloudsec-2026//speaker//ULEQL3
BEGIN:VTIMEZONE
TZID:PST
BEGIN:STANDARD
DTSTART:20001029T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20061029T100000Z
TZNAME:PST
TZOFFSETFROM:-0700
TZOFFSETTO:-0800
END:STANDARD
BEGIN:STANDARD
DTSTART:20071104T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11
TZNAME:PST
TZOFFSETFROM:-0700
TZOFFSETTO:-0800
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000402T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060402T110000Z
TZNAME:PDT
TZOFFSETFROM:-0800
TZOFFSETTO:-0700
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20070311T030000
RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3
TZNAME:PDT
TZOFFSETFROM:-0800
TZOFFSETTO:-0700
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-fwd-cloudsec-2026-9LRLDS@pretalx.com
DTSTART;TZID=PST:20260601T130000
DTEND;TZID=PST:20260601T132000
DESCRIPTION:"Role engineering" is the ongoing process of refining human IAM
  roles as your organization changes and engineers need new permissions. As
  you ratchet towards least privilege\, you risk breaking workflows. Hey - 
 you might think - what if we watched what people actually do and automatic
 ally built least privilege policies from those logs?\n\nGenerating least p
 rivilege AWS IAM policies based on real-world usage is a cave entrance lit
 tered with bones. Many intrepid projects - from Netflix's RepoKid to AWS's
  IAM Policy Autopilot - have attempted to slay this dragon. Most approache
 s will get you a policy\, but shipping it is an exercise left to the reade
 r. What happens when that new restricted role throws AccessDenied errors d
 uring an incident?\n\nThis talk demonstrates an agentic role engineering p
 ipeline that goes beyond policy generation to handle the full lifecycle:\n
 \n- A coding agent with custom MCP tools for CloudTrail pre-aggregation th
 at drafts precise least privilege updates to Terraform where policies are 
 actually defined\n- A background agent that detects AccessDenied errors\, 
 reaches out via Slack\, and automatically drafts PRs to restore access wit
 h context for security review\n- A validation agent that confirms break-gl
 ass access matched stated intent by comparing user narratives against sess
 ion summaries\n\nYou'll see a live demo of this end-to-end workflow and th
 e CloudTrail analysis tooling that makes it possible. We'll discuss what w
 orks\, what breaks\, and the trust model implications of letting agents pa
 rticipate in your IAM governance loop.
DTSTAMP:20260502T102654Z
LOCATION:Room 2
SUMMARY:Least Privilege is a Conversation: Building an Agentic Role Enginee
 ring Pipeline - Alex Smolen
URL:https://pretalx.com/fwd-cloudsec-2026/talk/9LRLDS/
END:VEVENT
END:VCALENDAR