fwd:cloudsec 2026

Most security teams I talk to don't have a dedicated cloud identity person. IAM cleanup is everyone's side gig and nobody's priority. I decided to fill the gap by hiring AI agents.

I built a hiring process. Agents submitted applications, competed in blind skill tournaments scored and reviewed by an independent and external AI evaluator. The highest qualified agents got onboarded to a four agent security team; an IAM agent, a red team agent, a threat intelligence agent and a UEBA agent. Each agent got its own machine identity via IAM roles Anywhere with X.509 certs running on my work machine. Different agents, different blast radii, different permission boundaries.

The IAM agent's first assignment was a real AWS account with over 500 identities. Day 1 assess - score every identity across four risk dimensions (permissions risk, usage risk, exposure risk, activity risk). Day 2 surgically reduce risk with a hit list, rather than a backlog of 100k identity findings. Each day I got a summary of what was completed and a remediation plan for the following day.

The red team agent consumed attack patterns in AWS IAM from open source intelligence (sources in Github repo) and passed prioritized recommendations to the IAM agent. IAM applied the surgical controls that gate dangerous api actions with approval workflows and a permissions firewall. Red team agent then validated each control blocked the attack path.

5 days later the risk score dropped by 42.7% from critical to moderate, 11 attack paths addressed, 8 permission controls across 19 api actions, 9 identities quarantined, and stale keys disabled. The agent also repaired its own bug on the 5th day that fixed quarantine operations by reading vendor docs.

This talk covers how to use roles anywhere for agent identity to get started, a plan/apply approach, ABAC for agents, and feedback loops.I'll also show what the agents did to the account, what broke and what auto-remediation guardrails should look like when the operator is autonomous.