§1 · Premise
Identity is the one domain where AI is both tool and subject
An access grant nobody re-tests is a door nobody owns.
The dangerous identity object is the one you cannot see: the over-broad grant, the standing privilege nobody revoked, the service principal with a static secret, the agent acting under a borrowed human identity. AI widens this surface from both sides. It generates access models that are syntactically valid and silently over-permissive, and it instantiates a new population of agent identities that grow faster than anyone can track and arrive over-permissioned by default.
In Terraform and PowerShell, AI is a tool — it generates the artifact, you operate it. In identity, AI is both the tool and the subject: it writes your RBAC roles, Conditional Access policies, and app registrations, and AI agents are now identities you must govern. The industry's own prescription for the agent crisis — treat every actor as a governed identity, eliminate standing privilege, govern continuously rather than quarterly — is the same discipline this catalog has taught all along. The triad keeps the surface visible: Apprentice keeps your model of effective access intact, Defense proves every grant least-privilege before it goes live, Offense re-tests standing access before it is exploited.
§2 · Falsification bet
The bet we are willing to lose
The trust layer of this workshop is not a testimonial — it is a falsifiable claim with a horizon and a check. If it fails, bring the access review that proves it.
Position: The triad keeps your access surface visible from both directions
Horizon: Two quarters from install
Checkable: Effective-access prediction, wildcard/lockout rate in generated policy, and agent/service-principal over-permissioning, measured
If a team installs all three lenses over its identity practice — a withholding config on its assistant, least-privilege-by-simulation before every grant, and recertification that treats standing access as debt — and after two quarters its admins are no better at predicting effective access, its AI-generated policies still ship wildcard grants and lockout gaps, and its agent and service-principal population is still over-permissioned and untracked, then the triad added ceremony and I was wrong. Bring the access review that proves it.
Status: OPEN · CHECKABLE
§3 · The three lenses
Three lenses, installed in a fixed order
Identity has native predict-and-trace instruments: the Conditional Access What-If tool, IAM policy simulators, and effective-permissions calculations let you predict who a policy admits and what it permits before you apply it. You install the lenses in sequence because the order is load-bearing.
- 01 Apprentice: Predict effective access before you grant it; What-If and simulation first, always.
  Operates on: Your model of who-can-do-what; the reasoning that atrophies when you apply a policy because it parses.
- 02 Defense: Your generated grant is your security boundary. “The model wrote the policy” is not an incident finding.
  Operates on: Over-permissive grants, escalation paths, lockout, hallucinated roles, exposed secrets — every grant before it goes live.
- 03 Offense: Standing access is the default state, and the default state is debt; a grant with no expiry is a permanent hole nobody owns.
  Operates on: Recertification and privilege drift; agents and non-human identities governed as first-class identities.
Load-bearing rule: Apprentice:Mentor → Defense → Offense, never reversed. Install Defense and Offense before you can reason about effective access — the transitive reach of a group, the path a role opens to Global Admin, the difference between disabling an account and revoking its live sessions — and you build access reviews and governance automation around a model you cannot read, certifying grants you do not understand. Install the how of reasoning about access before the what you defend and the where you re-test. If time is short, modules are shortened, not resequenced.
§4 · Who gets what
Where the value lands by archetype
One core program, but its center of gravity shifts with where you operate in the identity lifecycle. Pick your stance to see the emphasis and the recommended tier.
- Supporter: L1–L2
- Builder: L3
- Orchestrator: EM / Director
- Architect: Principal
- Strategist: CISO / CTO / VP
§5 · Curriculum
Three modules, then the capstone
Each module is one lens: an objective, the core move, a build exercise you do paper-first in a sandbox tenant, and a checkpoint that names the failure mode. Predict-and-trace is What-If / simulation — predict effective access by hand, run the simulation, trace the divergence.
Apprentice
Objective
Install the predict-effective-access reflex and a withholding config that defaults your assistant to coaching the access reasoning, so you never apply a grant whose true reach you cannot trace.
Core move
Configure the assistant to refuse a finished role, policy, or grant for anything consequential and instead ask the senior questions — who is the principal (human, machine, or agent), what resource and action, what transitive reach, standing or just-in-time, what deprovisioning path, what breaks if over-granted. Predict effective access by hand, run the What-If tool or policy simulator, then trace. Authentication is not authorization; disabling an account is not revoking its sessions; a role's power is its transitive reach, not its name.
Exercise
Read a supplied Conditional Access policy and a nested-group RBAC assignment cold — who is admitted, what is permitted, the highest-privilege path it opens — then run the What-If / simulation and trace. Write your withholding config: senior access questions by default, forbid privileged roles / broad app permissions / tenant-wide CA as finished config, require every grant to state scope, expiry/JIT, and deprovisioning path, re-state least-privilege each session.
Checkpoint
If you could not trace the escalation path in the cold read, the diagnostic worked. If your config lets the model emit a standing privileged grant without an expiry, it has no teeth.
Defense
Objective
Install the gate that proves an AI-generated grant least-privilege before it goes live, scored against a fixed taxonomy — and dismantle the most common false sense of security in identity.
Core move
When a generated role ships a wildcard action, an app requests tenant-wide read/write, or a CA policy locks out the only admin who can fix it, the consequence is yours. The myth that has to die: “we have MFA, so we're covered.” Legacy second factors fall to adversary-in-the-middle, push fatigue, and token replay; only phishing-resistant MFA (FIDO2/passkeys, certificate-based) bound to device and origin holds. The defense stack: least privilege by simulation, JIT/PIM, CIEM, phishing-resistant authentication strength, no standing secrets, break-glass discipline.
Exercise
Harden one generated identity change (a Conditional Access policy plus an app registration and a role assignment) through the gate: failure modes present, the highest-privilege grant and its simulation, where any secret lives and its federated/managed-identity fix, whether break-glass survives the policy, and whether “MFA” is specified as phishing-resistant.
Checkpoint
If your policy says “require MFA” without authentication strength, name the gap. If the change excludes no break-glass account, simulate it against your admins before it ships — a lockout is an outage you inflicted.
Offense
Objective
Arm your identity rituals so each surfaces privilege drift — and design the gate that governs autonomous identity automation and AI agents as first-class identities.
Core move
Identity drifts when nothing changes: the mover who accumulates entitlements and never sheds the old, the orphaned account, the service principal whose secret outlived its purpose, the agent that holds one-task access forever. Govern every agent and NHI as a first-class identity — unique credential, least privilege, named owner, lifecycle, full attribution. The autonomous-governance trap: a bot auto-revokes break-glass mid-incident because it cannot tell documented access from drift. The fix is the decision record — and here the REVIEW clause and access recertification are the same record. The automation reads open ODRs/recertifications before it revokes, and emits an AgODR per change.
Exercise
Arm one identity ritual with a single offensive move and test it (surfaces standing-access drift? gameable like a rubber-stamped review? adds a meeting or modifies one?). Then design the autonomous-governance gate: what it reads before revoking, the AgODR fields it emits, and the blast-radius tiers — with privileged and break-glass changes always gated.
Checkpoint
If your governance gate has no “check open ODRs/recertifications first” step, you built the automation that revokes break-glass mid-incident. If your recertification is a rubber-stamp, it is sentiment theater wearing a compliance badge — make revocation the default for the unjustified.
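The gate described in the Offense module, sketched as an added example that is not part of the original curriculum. The page names ODRs, recertifications and AgODRs but does not define their fields, so every record field, tier name and sample value below is an assumption constructed for illustration.

```python
from datetime import datetime, timezone

# Record shapes are assumptions for illustration: the page names ODRs,
# recertifications and AgODRs but does not define their fields.
ALWAYS_GATED = {"privileged", "break-glass"}  # tiers the bot never changes alone
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed clock for the sample

OPEN_RECORDS = [  # constructed sample records
    {"id": "ODR-SAMPLE-1", "principal": "bg-admin-1", "grant": "Global Administrator",
     "review_by": datetime(2025, 3, 1, tzinfo=timezone.utc)},
    {"id": "RECERT-SAMPLE-2", "principal": "svc-report", "grant": "Storage Blob Data Reader",
     "review_by": datetime(2024, 12, 1, tzinfo=timezone.utc)},  # review date has passed
]
PROPOSALS = [  # constructed revocations proposed by drift detection
    {"principal": "bg-admin-1", "grant": "Global Administrator", "tier": "break-glass"},
    {"principal": "ops-lead", "grant": "User Administrator", "tier": "privileged"},
    {"principal": "svc-report", "grant": "Storage Blob Data Reader", "tier": "standard"},
]

def governance_gate(proposal, open_records, now):
    """Read open records first, then decide; always return an AgODR."""
    covering = [
        r for r in open_records
        if r["principal"] == proposal["principal"]
        and r["grant"] == proposal["grant"]
        and r["review_by"] > now  # REVIEW clause still in force
    ]
    if covering:
        decision, reason = "hold", f"documented by {covering[0]['id']}"
    elif proposal["tier"] in ALWAYS_GATED:
        decision, reason = "escalate", "privileged or break-glass change needs a human"
    else:
        decision, reason = "revoke", "standing access with no open justification"
    return {
        "type": "AgODR", "actor": "governance-bot",
        "principal": proposal["principal"], "grant": proposal["grant"],
        "tier": proposal["tier"], "decision": decision, "reason": reason,
        "records_read": [r["id"] for r in open_records],
        "decided_at": now.isoformat(),
    }

def run_sample():
    return [governance_gate(p, OPEN_RECORDS, NOW)["decision"] for p in PROPOSALS]

if __name__ == "__main__":
    for p in PROPOSALS:
        print(governance_gate(p, OPEN_RECORDS, NOW))
```

The service principal is revoked because its only record is past its review date, which is the "revocation as the default for the unjustified" rule applied mechanically.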
Capstone
Brief
Design the 60-day install of all three lenses over a real (or supplied) identity estate, covering both directions — AI-generated access and AI agents as identities — then defend it before a panel in the CTRL ALT PRESS voice.
Scenario
A regulated enterprise runs Entra ID with on-prem AD and ADFS federation, 1Password for secrets, provisioned via Terraform/Ansible. A recent generated CA policy nearly locked out the admins, and an app secret was pasted into a chat. The org is piloting AI agents that need access to internal systems. Leadership believes “we have MFA, so we're covered.” Constraints: 60 days, no new headcount, and you may not stop the team using AI or deploying agents.
Must contain
- The withholding config (Apprentice) and the predict-What-If-trace drill, with the grant classes it forbids generating.
- The defense stack (Defense): least-privilege-by-simulation, JIT/PIM, CIEM, phishing-resistant authentication strength, no-standing-secrets, break-glass discipline — and the explicit retirement of “MFA = covered.”
- The agent-as-governed-identity model and the autonomous-governance gate that reads ODRs/recertifications and emits AgODRs.
- The recertification program wired to the REVIEW clause, with revocation as the default for unjustified standing access.
- The 60-day behavioral markers, with “we have MFA so we're covered” and “the model wrote the policy” both banned.
Pass line
Pass ≥ 18/30; distinction ≥ 24 with no dimension below 3.
You will leave able to
- Predict the effective access of a policy or grant before applying it, using What-If / simulation as a standing habit, and configure an assistant to withhold the grant and coach the access reasoning instead.
- Detect the failure modes of AI-generated identity config — over-permissive grants, escalation paths, lockout, hallucinated roles/scopes, exposed and long-lived secrets — and run a blast-radius grant gate.
- Govern AI agents and non-human identities as first-class identities: unique credentials, least privilege, named owner, lifecycle, full attribution.
- Re-test standing access through recertification wired to the ODR/AgODR discipline, and design the gate for autonomous identity-governance automation.
- Defend the install against an adversarial panel, including the agentic-era question: who is behind that action — the human or the agent acting as them?
§6 · Failure taxonomy
The failure modes of AI-generated identity config
A working taxonomy to score against. Over-permissioning is not the edge case here — the over-permissioning rates make over-broad access the default state of AI-touched identity.
| Failure mode | Counter |
|---|---|
| Over-permissive grants — wildcard actions, Owner/Global Admin where Reader suffices, tenant-wide app scopes. | Least privilege by simulation; RBAC over wildcards; the grant gate. |
| Privilege-escalation paths — a bounded-looking grant that composes with existing roles into a path to higher privilege. | Attack-path reasoning before granting. |
| Lockout — a CA policy that excludes the break-glass account or blocks the admins who would remediate it. | Break-glass excluded from restrictive policies; What-If against the admin set; report-only rollout. |
| Hallucinated roles / scopes / permissions — references to roles or API scopes that do not exist or do not mean what was implied. | Verify against the real directory and the real API permission reference. |
| Secret exposure and long-lived credentials — inlined secrets, static client secrets where a managed/federated identity belongs. | Vaulted credentials; short-lived federated identity; treat any pasted secret as burned. |
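A static pre-check for four of these failure modes and for the Defense checkpoint ("require MFA" without authentication strength, no break-glass exclusion), as an added example that is not the workshop's own gate. Field names follow the Microsoft Graph conditionalAccessPolicy and application resources and the Azure role-definition schema; the sample change, the break-glass ID and the finding codes are constructed assumptions, and the check complements What-If simulation rather than replacing it.

```python
# Constructed sample, not a real tenant export. IDs and names are placeholders.
BREAK_GLASS = {"00000000-break-glass-placeholder"}

GENERATED = {
    "ca_policy": {
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    "role_definition": {"permissions": [{"actions": ["Microsoft.Storage/*"]}]},
    "app_registration": {"passwordCredentials": [{"displayName": "ci-secret"}]},
}

def grant_gate(change, break_glass=BREAK_GLASS):
    """Return (code, detail) findings for one generated identity change."""
    findings = []
    ca = change.get("ca_policy", {})
    users = ca.get("conditions", {}).get("users", {})
    excluded = set(users.get("excludeUsers", [])) | set(users.get("excludeGroups", []))
    grant = ca.get("grantControls") or {}
    # Lockout: a tenant-wide policy that leaves no break-glass identity outside it.
    if "All" in users.get("includeUsers", []) and not (break_glass & excluded):
        findings.append(("lockout", "targets All users, excludes no break-glass identity"))
    # "Require MFA" with no authentication strength accepts any second factor.
    if "mfa" in grant.get("builtInControls", []) and not grant.get("authenticationStrength"):
        findings.append(("weak-mfa", "'require MFA' with no authentication strength"))
    # Report-only state in Graph is "enabledForReportingButNotEnforced".
    if ca.get("state") == "enabled":
        findings.append(("no-report-only", "enforced without a report-only stage"))
    # Wildcard actions in a custom role definition.
    for perm in change.get("role_definition", {}).get("permissions", []):
        for action in perm.get("actions", []):
            if action == "*" or action.endswith("/*"):
                findings.append(("wildcard", f"role action {action!r}"))
    # Any client secret is a static credential where federation could apply.
    for cred in change.get("app_registration", {}).get("passwordCredentials", []):
        findings.append(("static-secret", f"client secret {cred.get('displayName')!r}"))
    return findings

if __name__ == "__main__":
    for code, detail in grant_gate(GENERATED):
        print(f"BLOCK {code}: {detail}")
```

Escalation paths and hallucinated roles are out of reach for a static check like this; they need the real directory and the role graph.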
§7 · Evidence floor
The research this stands on
No testimonials, no countdown timers. Claims carry provenance; vendor and survey figures are labeled directional, with the direction corroborated across sources.
- 01. Non-human identities outnumber human users roughly 45:1 on average, up to 144:1 in cloud-native environments.
- 02. ~97% of non-human identities carry excessive privileges; ~90% of deployed AI agents are over-permissioned relative to their tasks.
- 03. “MFA-enabled” is not “phishing-resistant”: legacy second factors fall to adversary-in-the-middle, push fatigue, and session replay; FIDO2/passkeys and certificate-based auth bound to device and origin hold.
- 04. Agent-identity standards are in active flux: IETF AIMS draft, NIST AI Agent Standards Initiative / NCCoE, CoSAI Agentic IAM imperatives (agents as first-class identities; eliminate standing privilege).
- 05. Borrowed-identity agents break attribution; prompt manipulation can turn an over-permissioned agent into a path to the credentials it holds.
- 06. No partition between an LLM's output and the organization that deploys it; the model is not a separate legal entity.
- 07. Access recertification and the ODR REVIEW clause are the same instrument: a risk acceptance with no expiry is a permanent hole nobody owns.
§8 · Enroll
Choose your delivery tier
Three modalities, same curriculum, all run in a sandbox tenant. Efficacy rises with the live BUILD/BREAK drills on lockouts and grants — the in-person intensive runs against instructor-seeded lockouts and a governance bot.
| Modality | Format | Efficacy | Positioning |
|---|---|---|---|
| Self-paced | 8 modules, sandbox tenant, What-If drills, template pack | Lowest — no live BUILD/BREAK on lockouts and grants | Entry tier; justified by the sandbox tenant and lifetime updates |
| Virtual cohort | 8 weekly live sessions, paper-first access-graph drills, shared sandbox, async capstone | High — accountability + witnessed cold reads | Premium; the cap preserves drill integrity |
| In-person intensive | 2 days, live grants/policies against instructor-seeded lockouts and a governance bot | Maximum — the practice is embodied | Top tier; pairs with the ODR workshop's agent-governance audit |
A domain installment of The Triad of Prompt Lenses; pairs with the agent-governance audit from ODR & AgODR.