Most AI agents running in enterprise SaaS environments today hold more access than they need to do their job. That finding alone is striking. But here is the hard truth that makes it structurally different from human over-permissioning: when a human employee accumulates too much access, a quarterly access review can catch it. When an AI agent does, it is already moving data at machine speed across dozens of connected systems, with no manager to flag unusual behavior and no insider risk program watching its actions.
Security teams ask the right question: "How did this agent get so much access?" The answer is almost never malicious intent. It is a combination of platform defaults, builder convenience, and organizational pressure that makes least privilege the exception rather than the rule.
Platform defaults favor broad access. When a developer builds an agent in Copilot Studio, Salesforce Agentforce, or Amazon Bedrock, the platform's default behavior is to request the broadest scope that makes the agent functional. Agentforce agents can run flows and execute Apex in System Mode, which grants admin-level data access regardless of the invoking user's role. Bedrock agents receive IAM roles scoped at the account level during initial setup, and those roles are rarely narrowed after the pilot phase. The platforms are not doing anything wrong. They are optimizing for the builder's experience. Security is the customer's responsibility.
Maker mode turns convenience into a blast radius. Maker mode is the default configuration in many low-code and no-code platforms where the agent executes using the creator's embedded credentials rather than the invoking user's identity. A business analyst builds a Copilot Studio agent using their own Salesforce admin credentials. Every user who invokes that agent, regardless of their own Salesforce access level, effectively executes actions at the admin's privilege level. The agent is working exactly as designed. Your IAM controls were just bypassed. Understanding how AI agents inherit and abuse permissions is the starting point for any serious access control conversation. See the bearer token problem hidden inside your AI agent strategy for the technical foundation.
Business pressure skips security review. Enterprises are deploying agents at rates that far exceed any manual review process. Product teams ship agents to hit quarterly goals. Security reviews are scheduled after go-live, not before. Permissions added to unblock a demo rarely get removed. The pattern repeats: organizations broaden OAuth scopes to get pilots working, and once added, those permissions almost never come back out because no one can confirm what is still needed.
"Just enough access" rarely happens in agentic environments. Static least-privilege models are broken for agents. Human access reviews assume you can define required permissions in advance and leave them fixed. Agents plan and adapt at runtime. You cannot enumerate all permissions an agent might need before it runs. So teams default to broad access to avoid operational friction, and the AI agent overpermissioned baseline becomes the new normal.
Security teams reviewing agent configurations believe they understand the risk. They are looking at theoretical configuration: what the agent's setup page says it can access. That is not the same as effective authority.
Theoretical configuration is what posture-only tools see. It is the list of OAuth scopes granted, the roles assigned in the platform UI, the connectors configured. It tells you what the agent is set up to do on paper.
Effective authority is what the agent can actually execute after all entitlements resolve. Group memberships, delegated permissions, inherited admin credentials from maker mode, and cross-application trust chains all expand what an agent can do well beyond its stated configuration.
A concrete example: A Copilot Studio agent is configured with a SharePoint connector. The configuration shows read access to a specific document library. But the connector runs in maker mode using the creator's credentials. The creator is a member of a security group that has read access to every SharePoint site in the tenant, including sites containing M&A documents and HR records. The theoretical configuration says "SharePoint document library access." The effective authority is "every sensitive file in the tenant." A posture-only review misses this entirely.
This gap is why AI agent monitoring cannot stop at configuration review. Obsidian's approach maps effective authority by correlating agent configuration with actual SaaS entitlements, identity context, and real-time behavior. The question is not what the agent appears to have access to. It is what the agent can actually do inside each connected application. That requires AI agent visibility at the runtime layer, not the configuration layer.
"Configuration is not reality. Effective authority is what determines blast radius."
Overpermissioned agents are a serious risk. Orphaned agents are a serious risk. When the two combine, the result is a critical-severity condition that no existing tool is reliably catching.
An orphaned agent is an agent whose creator account has been disabled. The employee left the company, was offboarded, or had their account deprovisioned. The agent they built continues running. In maker mode environments, the agent continues executing using the disabled creator's embedded credentials. Those credentials do not expire when the account is disabled in the identity provider. The agent keeps its access.
This is the worst-case combination. No active owner means no one receives alerts about the agent's behavior. No one can approve or deny access reviews. No one is accountable if the agent accesses sensitive data. The orphaned account security problem that IAM teams have managed for human users for years now has a machine-speed equivalent with a far larger blast radius.
The maker mode angle makes this critical. If the orphaned creator held admin-level permissions, the agent retains admin-level effective authority indefinitely. A new employee with no Salesforce access can invoke that orphaned agent and extract CRM data the creator's admin credentials could reach. The agent is not malfunctioning. It is doing exactly what it was built to do. The security failure is the absence of lifecycle management for machine identities.
This is a core component of machine insider risk: agents hold credentials like insiders, but no insider risk program covers them. Orphaned agents represent the intersection of the orphaned accounts security problem and the AI agent excessive permissions problem. Neither problem alone triggers a critical alert. Together, they create a persistent, unmonitored, admin-level access path that can persist for months or years after the human who created it is gone.
The AI agent overpermissioned problem is not a configuration error that a policy update will fix. It is a structural condition produced by platform defaults, maker mode credential inheritance, business pressure to ship, and the fundamental mismatch between static least-privilege models and agents that plan and adapt at runtime. A substantial share of organizations already suspect their agents have accessed data beyond intended scope. Few believe their existing controls would actually stop a compromised agent from operating.
The path forward starts with runtime truth: knowing what every agent can actually do, not just what its configuration says it should do. Inventory comes first. Effective authority assessment comes second. Toxic combination triage comes third. Permission tightening with rollback safety comes fourth.
Security teams that treat this as a configuration audit problem will keep ghost chasing. Teams that build a living map of effective authority, with deterministic guardrails enforced at runtime, will have the operational visibility to govern probabilistic agents before the blast radius expands. Runtime guardrail enforcement is generally available on Microsoft Copilot today, with expanded platform coverage on the roadmap.
Your next step: Run an agent inventory across your highest-risk platforms this week. Count how many agents have active maker mode connectors. Count how many have disabled creators. That number is your current exposure. Then decide whether your existing tools can show you effective authority, or whether you are still looking at theoretical configuration.
An AI agent is overpermissioned when it holds more access to data, systems, or actions than its intended workflow actually requires. This includes OAuth scopes broader than needed, admin-level credentials inherited through maker mode, and connections to SaaS applications the agent's workflow never uses. The risk is that any user who invokes the agent, or any attacker who compromises it, can reach data and systems far beyond the agent's stated purpose.
Human over-permissioning is addressed through access reviews tied to human lifecycle events: onboarding, role changes, offboarding. AI agents do not have lifecycle events that trigger reviews. They run continuously, often without an active owner, and their permissions are rarely reassessed after initial setup. Additionally, agents can hold effective authority that significantly exceeds their theoretical configuration due to maker mode credential inheritance and group membership resolution, making standard access review processes structurally inadequate.
An orphaned agent is one whose creator account has been disabled, but the agent continues running with the creator's embedded credentials. When the creator held admin-level permissions, the agent retains admin-level effective authority indefinitely after the creator is offboarded. This is the worst-case combination: no active owner to receive alerts or approve access reviews, plus persistent access to sensitive data at the creator's original privilege level.
Maker mode is the default configuration in many low-code and no-code platforms including Copilot Studio and certain Salesforce Agentforce configurations. In maker mode, the agent's connectors use the creator's credentials rather than the invoking user's identity. You can identify maker mode connectors by checking whether the connector authentication is set to the creator's account rather than per-user OAuth. Most native platform UIs show this, but correlating it with the creator's current privilege level and account status requires an identity-aware assessment layer.
Configuration-based tools show theoretical permissions: what the agent's setup says it can access. Runtime AI security shows effective authority: what the agent can actually execute after all entitlements resolve, including group memberships, delegated permissions, and maker mode credential chains. Detecting overpermissioning accurately requires the runtime layer because the gap between theoretical configuration and effective authority is where the highest-severity risks live.