The security industry spent the last decade perfecting a model that AI agents are about to make obsolete.

Static IAM policies. Scoped tokens. Role-based access control. Predefined permission sets attached to identities. This model works beautifully for microservices — a service gets a token, the token has a scope, the gateway checks the scope, done. The boundaries are clear because the service’s capabilities are known at deploy time.

But agents don’t have known capabilities at deploy time. Tool chaining — where an agent combines multiple tools in sequence to accomplish a goal — creates emergent capabilities that bypass static scopes entirely. An agent with permission to read files and permission to make HTTP requests can exfiltrate data. An agent with permission to list repositories and run shell commands can pivot across your infrastructure. Neither of those composite behaviors is encoded in any IAM policy. They emerge from the interaction of individually-scoped primitives.

This isn’t theoretical. Six independent research teams spent nine months breaking AI coding agents in red-team exercises. The results were sobering: every single exploit succeeded in stealing credentials. Not one targeted the model weights or the LLM infrastructure. They all went after the agent’s tools — the very interface that makes agents useful is also what makes them vulnerable.

The path forward isn’t better static policies. It’s dynamic, context-aware authorization. Instead of asking “what can this agent do?” — a question answered once at auth time — the security model must ask “what can this agent do right now, given everything it has done in the last N steps?” Authorization becomes a continuous function, not a one-time gate.

This requires runtime-level instrumentation. Every tool invocation must be evaluated against the agent’s recent action history. Read-file followed by HTTP-post? Flag it. Shell-exec after sudo-escalation attempt? Block it. The authorization engine needs to understand not just individual permissions but permission trajectories — the shape of what the agent is actually doing, not just what it’s theoretically allowed to do.

The agent platforms that win will be the ones that treat authorization as a first-class runtime concern, not a configuration checkbox. Static scopes are dead. Long live the guardrail.