BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//fwd-cloudsec-2026//speaker//WD7XXN
BEGIN:VTIMEZONE
TZID:PST
BEGIN:STANDARD
DTSTART:20001029T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20061029T100000Z
TZNAME:PST
TZOFFSETFROM:-0700
TZOFFSETTO:-0800
END:STANDARD
BEGIN:STANDARD
DTSTART:20071104T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11
TZNAME:PST
TZOFFSETFROM:-0700
TZOFFSETTO:-0800
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000402T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060402T110000Z
TZNAME:PDT
TZOFFSETFROM:-0800
TZOFFSETTO:-0700
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20070311T030000
RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3
TZNAME:PDT
TZOFFSETFROM:-0800
TZOFFSETTO:-0700
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-fwd-cloudsec-2026-RAEUSE@pretalx.com
DTSTART;TZID=PST:20260601T151000
DTEND;TZID=PST:20260601T153000
DESCRIPTION:Most security teams I talk to don't have a dedicated cloud iden
 tity person. IAM cleanup is everyone's side gig and nobody's priority. I d
 ecided to fill the gap by hiring AI agents. \n\nI built a hiring process. 
 Agents submitted applications\, competed in blind skill tournaments scored
  and reviewed by an independent and external AI evaluator. The highest qua
 lified agents got onboarded to a four agent security team\; an IAM agent\,
  a red team agent\, a threat intelligence agent and a UEBA agent. Each age
 nt got its own machine identity via IAM roles Anywhere with X.509 certs ru
 nning on my work machine. Different agents\, different blast radii\, diffe
 rent permission boundaries. \n\nThe IAM agent's first assignment was a rea
 l AWS account with over 500 identities. Day 1 assess - score every identit
 y across four risk dimensions (permissions risk\, usage risk\, exposure ri
 sk\, activity risk). Day 2 surgically reduce risk with a hit list\, rather
  than a backlog of 100k identity findings. Each day I got a summary of wha
 t was completed and a remediation plan for the following day. \n\nThe red 
 team agent consumed attack patterns in AWS IAM from open source intelligen
 ce (sources in Github repo) and passed prioritized recommendations to the 
 IAM agent. IAM applied the surgical controls that gate dangerous api actio
 ns with approval workflows and a permissions firewall. Red team agent then
  validated each control blocked the attack path. \n\n5 days later the risk
  score dropped by 42.7% from critical to moderate\, 11 attack paths addres
 sed\, 8 permission controls across 19 api actions\, 9 identities quarantin
 ed\, and stale keys disabled. The agent also repaired its own bug on the 5
 th day that fixed quarantine operations by reading vendor docs. \n\nThis t
 alk covers how to use roles anywhere for agent identity to get started\, a
  plan/apply approach\, ABAC for agents\, and feedback loops.I'll also show
  what the agents did to the account\, what broke and what auto-remediation
  guardrails should look like when the operator is autonomous.
DTSTAMP:20260531T022553Z
LOCATION:Room 2
SUMMARY:I made AI agents apply for my Security Team. Then I gave the agents
  access to AWS. - Cole Horsman\, Cole Horsman
URL:https://pretalx.com/fwd-cloudsec-2026/talk/RAEUSE/
END:VEVENT
END:VCALENDAR