Identity Security Insights 26.05
🆕 New features
Identity for the agent era. New coverage across the stack.
A Copilot Studio bot prompted from a Teams chat. A GitHub Actions workflow assuming an AWS role through OIDC. A Bedrock agent reading from an S3-backed knowledge base. The credentials, OIDC trust, and Copilot Studio agents underneath these identities are now in your graph.
AWS Bedrock and AgentCore
- Bedrock guardrails plus knowledge-base lineage to S3 are mapped end-to-end – agent → knowledge base → data source → bucket. When a knowledge base is grounded in a bucket that more principals than the agent can write to, that data-poisoning surface is now visible.
- AgentCore runtimes are first-class, with JWT inbound auth captured. Cross-domain edges connect Okta and Entra ID apps to the runtimes they front.
- Custom-model training data, multi-agent collaboration, and IAM-policy reach over agents, knowledge bases, and action-group Lambdas are modeled. The principals who can rewrite an agent's Lambda or swap its fine-tuned model are no longer hidden in policy JSON.
- Three new findings:
  - Any GitHub workflow in your org can assume a privileged AWS role: flagged when a role's OIDC trust uses a wildcard like repo:my-org/*. Any contributor with write access to any repo in the org can escalate to that role.
  - A fork PR or any branch can assume a privileged AWS role: flagged when an OIDC trust pins the repository but doesn't restrict the branch or tag.
  - A long-term Bedrock API key is set to expire: flagged so you can verify rotation is happening on schedule.
Where to look: Bedrock agents and AgentCore runtimes on AI Agents; the per-agent side panel surfaces guardrails, knowledge sources, and who can access each agent. Findings on Detections.
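The two OIDC trust findings above, as an added example (not the product's detection logic): a Python check that reads an IAM role trust policy and labels `sub` conditions that leave the repository or the ref open. The label names, the rule that any wildcard in the context part counts as open, the extra `no-sub-condition` label, and the sample policies are assumptions of this example.

```python
GH_PROVIDER = "token.actions.githubusercontent.com"
SUB_KEY = GH_PROVIDER + ":sub"

def classify_sub(pattern, wildcards_active):
    """Classify one `sub` value of the form repo:<owner>/<repo>:<context>."""
    def wild(s):
        # '*' and '?' are wildcards only under StringLike; StringEquals is literal.
        return wildcards_active and any(c in s for c in "*?")
    kind, _, rest = pattern.partition(":")
    repo, _, context = rest.partition(":")
    if wild(kind) or wild(repo):
        return "any-repo"      # e.g. repo:my-org/* (also matches every ref)
    if wild(context):
        return "any-ref"       # repository pinned, branch/tag/PR context open
    return "ok"

def findings(trust_policy):
    """Return sorted finding labels for GitHub OIDC Allow statements."""
    out = set()
    stmts = trust_policy.get("Statement", [])
    for st in stmts if isinstance(stmts, list) else [stmts]:
        principal = st.get("Principal")
        fed = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if st.get("Effect") != "Allow" or GH_PROVIDER not in str(fed):
            continue
        subs = []
        for op, keys in st.get("Condition", {}).items():
            if "StringLike" not in op and "StringEquals" not in op:
                continue       # skip negated and non-string operators
            for key, val in keys.items():
                if key.lower() == SUB_KEY:
                    vals = [val] if isinstance(val, str) else val
                    subs += [(v, "StringLike" in op) for v in vals]
        if not subs:
            out.add("no-sub-condition")   # extra check, not a finding named above
        out.update(classify_sub(v, like) for v, like in subs)
    return sorted(out - {"ok"})

def sample_trust(op, sub):
    """Constructed trust policy; the account ID and repo names are placeholders."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{GH_PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {op: {SUB_KEY: sub}}}]}

if __name__ == "__main__":
    for sub in ("repo:my-org/*", "repo:my-org/app:*", "repo:my-org/app:ref:refs/heads/main"):
        print(sub, "->", findings(sample_trust("StringLike", sub)))
```

Under `StringEquals` the `*` is compared literally, so the same wildcard string is not reported there.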
Salesforce
- Eight new admin-surface node types: delegate groups, object permissions, named credentials, connected apps, Apex classes, and more, bring Salesforce's full admin surface into the graph. The shadow-admin path (an "IT Helpdesk" delegate group resetting your CFO's password) is now traceable.
- Agentforce paths are end-to-end: plugin functions trace to the Apex they invoke, and permission sets that can modify plugins are explicit edges. A non-owner swapping a plugin is now captured.
- External-integration chains are modeled end-to-end: External Service → Named Credential → Auth Provider → Apex registration handler.
Where to look: Agentforce paths on AI Agents; Named Credentials on Secrets; the new delegate groups, connected apps, and object permissions on Accounts and Entitlements.
Microsoft Copilot Studio
- Copilot Studio agents, tools, knowledge sources, Power Platform system users, and security roles are now graph nodes (built on your existing Azure connector). Each agent's creator, co-authors, and Entra ID app identity are edges.
- Prompt access is mapped through every published channel directly, through Entra ID groups, and via Teams, capturing everyone who can prompt a Copilot, including via Teams channels they happen to be in.
- Escalation from Entra ID directory roles through Power Platform security roles to admin privilege over a Copilot is a continuous chain. A Global Administrator's inherited admin rights over your finance Copilot are traceable, not assumed.
Where to look: Copilot Studio agents on AI Agents; the side panel shows tools, knowledge sources, the Entra ID app identity, and who can prompt. Power Platform system users on Accounts.
Azure
- Certificate credentials, client secrets, and OAuth permission grants on Entra ID apps are now graph nodes. The path "user → administer app → add a secret → authenticate as the service principal → inherit its permissions" is traceable end-to-end; a user with administer rights over the wrong app is a service-principal takeover waiting to happen.
Where to look: Escalation paths in Paths to Privilege; certificates and secrets appear on Accounts alongside the apps they belong to.
OpenAI
- Organization groups, project groups, organization roles, and project roles are now graph nodes, with twelve new edges mapping user-account and service-account membership at both scopes. When an org-level group is granted a project owner role, the indirect owners are now visible, not just direct grants.
Where to look: Groups and roles on Entitlements; indirect-ownership paths in Paths to Privilege.
GitHub
- GitHub App installations, action runner apps, and self-hosted runners (org and repo level) are now graph nodes. Self-hosted runners are tagged as devices and as non-human identities.
- A repository-to-AWS-role path through OIDC is now a graph edge: GitHub repositories connect to the AWS IAM roles their workflows can assume, with entitlement paths for org members and outside collaborators.
Where to look: Installations and runners on Accounts; OIDC paths in Paths to Privilege.
GCP Vertex AI
- Roles that can modify Vertex agent tools and data stores are now explicit edges, with new entitlement paths for Vertex agents using their tools and data stores. The silent-modify scenario, a role that can quietly add a tool that exfiltrates data, is now visible.
Where to look: Vertex agents on AI Agents; the side panel shows which GCP roles can modify each agent's tools and data stores. Full paths in Paths to Privilege.
Why it matters
The identities driving real outcomes in your environment increasingly aren't people; they're agents, apps, and workflows holding credentials and tool access of their own. This update extends Identity Security Insights into those identities and the layers underneath them, so path-tracing reaches every actor in your environment, not just the ones with a name and an inbox.