2026-06-01, Room 2
"Role engineering" is the ongoing process of refining human IAM roles as your organization changes and engineers need new permissions. As you ratchet towards least privilege, you risk breaking workflows. Hey - you might think - what if we watched what people actually do and automatically built least privilege policies from those logs?
Generating least privilege AWS IAM policies based on real-world usage is a cave entrance littered with bones. Many intrepid projects - from Netflix's RepoKid to AWS's IAM Policy Autopilot - have attempted to slay this dragon. Most approaches will get you a policy, but shipping it is an exercise left to the reader. What happens when that new restricted role throws AccessDenied errors during an incident?
This talk demonstrates an agentic role engineering pipeline that goes beyond policy generation to handle the full lifecycle:
- A coding agent with custom MCP tools for CloudTrail pre-aggregation that drafts precise least-privilege updates directly in the Terraform where the policies are actually defined
- A background agent that detects AccessDenied errors, reaches out via Slack, and automatically drafts PRs to restore access with context for security review
- A validation agent that confirms break-glass access matched stated intent by comparing user narratives against session summaries
You'll see a live demo of this end-to-end workflow and the CloudTrail analysis tooling that makes it possible. We'll discuss what works, what breaks, and the trust model implications of letting agents participate in your IAM governance loop.
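To make the CloudTrail pre-aggregation step concrete, here is a small added example (not code from the talk or from any of the projects it names) that buckets constructed CloudTrail records per principal into successful actions, which feed a draft least-privilege policy, and denied actions, which are what the background agent would pick up. The role ARN, the sample events, and the eventSource/eventName-to-IAM-action mapping are assumptions for illustration; the `Resource` in the drafted statement is deliberately left for a reviewer to scope.

```python
from collections import defaultdict

# Constructed CloudTrail records (not real data), trimmed to the fields this example uses.
ROLE = "arn:aws:iam::123456789012:role/deploy"  # constructed, for illustration only
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": ROLE}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": ROLE}}}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": ROLE}}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": ROLE}}},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": ROLE}}},
     "errorCode": "AccessDeniedException"},
]

# Error codes CloudTrail records for an authorization failure (the exact code varies by service).
DENIED_CODES = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation"}

def principal_of(event):
    """Attribute the call to the assumed role when present, otherwise to the caller ARN."""
    ident = event.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "unknown")

def iam_action(event):
    """Approximate (eventSource, eventName) -> IAM action; not one-to-one for every service (assumption)."""
    service = event["eventSource"].split(".")[0]
    return f"{service}:{event['eventName']}"

def aggregate(events):
    """Split observed calls into successful actions and denied actions, keyed by principal."""
    used, denied = defaultdict(set), defaultdict(set)
    for ev in events:
        bucket = denied if ev.get("errorCode") in DENIED_CODES else used
        bucket[principal_of(ev)].add(iam_action(ev))
    return used, denied

def draft_policy(actions):
    """Draft one Allow statement from observed actions; Resource is a placeholder a reviewer must narrow."""
    statement = {"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}
    return {"Version": "2012-10-17", "Statement": [statement]}

if __name__ == "__main__":
    used, denied = aggregate(SAMPLE_EVENTS)
    print(draft_policy(used[ROLE]))
    print("denied (candidates for a restore-access PR):", sorted(denied[ROLE]))
```

The denied set is what a reviewer would weigh against the incident context before any access is restored; the drafted policy is a starting point for the Terraform change, not a finished one.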
Security engineering leader with 15+ years experience building security programs from the ground up. Passionate about vulnerability management, detection engineering, and GRC automation. Currently running EngSec Labs, a security consulting practice supporting AI startups and building AI-focused security services and tools. Deep expertise in software engineering and AWS security. Strong track record of collaborative cross-functional work, creative approaches to design challenges, and shipping high-quality security solutions.