A confused deputy attack lets a low-privileged user manipulate a higher-privileged AI agent into using its elevated authority on their behalf. Obsidian Security correlates identity with the credential being exercised so the pattern surfaces before the action completes.

The classic confused deputy is a privileged program tricked into misusing its authority on behalf of an unprivileged caller. The compiler example, originally described by Norm Hardy in 1988, is the textbook case. AI agents have reintroduced the pattern at enterprise scale. An agent built by an admin runs on the admin's credentials. A user with no admin rights invokes the agent. Downstream systems see the admin's API call, not the user's request. The agent does nothing wrong. Your IAM was bypassed.
A confused deputy attack only becomes visible when three things are correlated in real time: who invoked the agent, which credential the agent is exercising, and what the credential is reaching downstream. None of those signals lives in one place. Obsidian Security stitches them together and applies deterministic guardrails to the patterns that matter most.
Maker Mode is the most visceral confused deputy scenario. An agent built by a Salesforce administrator runs on the admin's credentials. A business analyst with no Salesforce license invokes the agent and receives CRM data the analyst has no right to access. IAM sees the maker's identity making authorized calls. SIEM sees normal API activity. SSPM sees that Maker Mode is enabled in configuration but not whether it has been exploited. Obsidian's Identity Graph correlates the three things that exist in separate systems: agent configuration, invoker identity, and SaaS entitlements.


In low-code workflow platforms like n8n, a single agent is often shared among multiple users. Each invoker triggers the same downstream API calls under the same set of credentials. Authority misuse in downstream systems becomes possible because the platform cannot tell which human is responsible for any given action. Obsidian inventories shared agents, surfaces the credential sharing pattern, and applies posture-driven controls to agents whose blast radius justifies tighter access.
Hardcoded secrets in agent configuration turn confused deputy into a lateral movement primitive. An attacker who compromises the agent inherits the embedded credential's authority across every system that credential touches. Obsidian surfaces agents with embedded credentials in configuration or code, where shared responsibility breaks down and any compromise of the agent enables lateral movement to the connected systems. Agent configurations live inside platform consoles like Copilot Studio, Agentforce, and n8n that traditional credential and posture tools were never built to reach.

A confused deputy attack is a privilege escalation pattern where a privileged program is tricked into misusing its authority on behalf of an unprivileged caller. The pattern was first described in computer security literature in the 1980s and applies to any system where a higher-privileged process executes actions requested by a lower-privileged caller without verifying the caller's authority for each action.
I agents are deputies by design. They hold credentials, accept invocations from humans or other systems, and execute actions on behalf of those callers. The pattern shows up most often in two ways. First, Maker Mode: an agent inherits a higher-privileged creator's credentials and runs on them for any user who invokes it. Second, credential sharing: a single agent is shared across multiple users, and downstream systems cannot tell which human is responsible for any given action. Both patterns let a low-privileged user weaponize a higher-privileged agent.
Because the answer requires correlating signals from systems they were not built to connect. IAM sees the agent's credentials making authorized calls but not that a different user invoked the agent. SIEM sees normal API activity but not who asked the agent to do it. SSPM sees that Maker Mode is enabled in configuration but not whether it has been exploited. None of those tools fail individually. They were each built for a different question.
Prompt injection is a manipulation of the agent's reasoning through malicious input. Confused deputy is a manipulation of the agent's authority through legitimate invocation. The two can combine: a prompt injection that triggers a confused deputy action is more dangerous than either alone. Obsidian focuses on the authority dimension: who invoked the agent, what credential the agent exercised, and whether the action was within policy.
Obsidian's Unified Identity Graph correlates three signals that traditionally live in separate systems: agent configuration (which credentials are embedded), the invoker identity (which user or service actually triggered the action), and SaaS entitlements (whether the invoker should have access to what the agent can reach). The graph maps every privileged path end to end, surfaces toxic combinations where confused deputy risk stacks with other factors, and ranks agents by the severity of the resulting blast radius.
Low-code agent platforms produce the highest concentration of confused deputy risk because they make it easy for a non-security business user to build an agent on their own elevated credentials and share it broadly. Salesforce Agentforce, Microsoft Copilot Studio, and n8n are the most common examples. Hyperscale platforms like Bedrock, Vertex AI, and Azure AI Foundry produce the pattern through a different path, typically hardcoded secrets in agent configuration and shared service account credentials.
Yes. The original research case was a benign compiler that misused its authority because of a design flaw. The same applies to AI agents. A non-malicious user can invoke a Maker Mode agent and unknowingly extract data they were never meant to see. The agent did nothing wrong. The user did nothing wrong. The control architecture failed. Detection has to focus on the structural pattern, not the intent of the invoker.
Obsidian offers a free AI agent risk assessment that surfaces confused deputy patterns in your environment. In Week 1, you receive an executive report showing every AI agent, who created it, the SaaS apps it touches, and its privileges, including the agents most exposed to confused deputy risk. In Week 2, you work with an Obsidian security expert for tailored guidance. Get the assessment.