The IAM Permissions Agent: Tightly Scoped Investigations
IAM debugging is plumbing. This agent walks a request through the permission graph and explains the decision in two paragraphs.
Walk the permission graph
Input: an ARN, an action, a resource. Question: should this combination be allowed; if yes, by what path; if no, what is missing.
Walk: identity policy, group policy, role policy, resource policy, SCP. The agent reads each and reports which are involved in the decision.
Output: an allow path or a deny path (an explicit deny, or the absence of any allow); never "unsure." A deterministic walk produces a deterministic answer.
Explain in two paragraphs
Paragraph one: the answer (allowed or denied) and the controlling policy.
Paragraph two: how to change the answer (which policy to modify; which statement to add or remove). The change is always shown as a diff.
What it catches that humans miss
SCPs that quietly deny what an identity policy would otherwise allow.
Resource policies that allow access not granted by identity policies.
Permission boundaries that cap a role's effective permissions below what its identity policies grant.
Implicit deny (nothing grants the action) versus explicit deny (a Deny statement matches): the difference matters for IAM debugging and is often confused.
Safety considerations
Read-only by design. The agent never makes changes; it explains the current state.
The proposed diff in the explanation is just text; humans implement it. The agent has no IAM-write capability.
The agent's analysis is logged for audit. "Why was this access granted" should be reproducible from the audit trail.
Eval cases
Standard allow case: identity policy allows; agent confirms.
Standard deny case: no policy grants; agent confirms.
SCP override case: identity policy allows but SCP denies; agent identifies the SCP.
Resource-policy case: no identity policy grants the action, but the resource policy does; agent identifies the resource policy.
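An added worked example, not code from the page or from any real agent: a toy decision walker in Python that does the walk described above (identity, group, role, resource policy, SCP, plus a permissions boundary), returns an allow or deny path with its controlling statement, and prints the two-paragraph explanation with the proposed change as a diff. It then runs the four eval cases plus a boundary case over constructed sample policies. Assumptions: a simplified same-account precedence (explicit Deny wins; an SCP, if present, must allow; a resource-policy Allow grants by itself; a boundary, if present, must allow before an identity-side Allow counts), a glob matcher that only handles `*`/`?` wildcards and ignores Condition and NotAction, and sample ARNs, policy names and Sids that are invented for the demo.

```python
"""Added example: toy IAM decision walker. Input an ARN, action and resource plus the policies
in play; get an allow/deny path with its controlling statement and a two-paragraph explanation."""
import json
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

@dataclass
class Policy:
    name: str         # label used in the explanation, e.g. "role:Deployer" (constructed)
    kind: str         # identity | group | role | resource | scp | boundary
    statements: list  # IAM-style dicts: Effect, Action, Resource, optional Sid/Principal

@dataclass
class Decision:
    allowed: bool
    kind: str                         # explicit_allow | explicit_deny | implicit_deny
    controlling: str                  # "policy#Sid", or the reason when nothing matched
    statement: Optional[dict] = None  # controlling statement, reused in the proposed diff
    path: list = field(default_factory=list)  # one finding per policy, in walk order

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, principal, action, resource):
    """IAM wildcards '*' and '?'; actions compare case-insensitively, ARNs exactly. A Principal
    element (resource policies) must name the caller; identity-side statements have none."""
    pr = stmt.get("Principal", "*")
    who = _as_list(pr.get("AWS", [])) if isinstance(pr, dict) else _as_list(pr)
    return (any(fnmatchcase(principal, w) for w in who)
            and any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))))

def evaluate(policies, principal, action, resource):
    """Walk every policy once, then apply a simplified same-account precedence (assumption):
    1 an explicit Deny anywhere wins; 2 an SCP, when present, must Allow; 3 a resource-policy
    Allow grants by itself; 4 a permissions boundary, when present, must Allow before
    5 an identity/group/role Allow counts; 6 otherwise the result is an implicit deny."""
    path, present, allows, deny = [], set(), {}, None
    for p in policies:
        present.add(p.kind)
        hits = [(s.get("Sid", f"stmt{i}"), s) for i, s in enumerate(p.statements)
                if _matches(s, principal, action, resource)]
        path.append(f"{p.name}: " + (", ".join(f"{sid}={s['Effect']}" for sid, s in hits) or "no match"))
        for sid, s in hits:
            if s["Effect"] == "Deny":
                deny = deny or (f"{p.name}#{sid}", s)
            else:
                allows.setdefault(p.kind, (f"{p.name}#{sid}", s))
    if deny:
        return Decision(False, "explicit_deny", *deny, path)
    if "scp" in present and "scp" not in allows:
        return Decision(False, "implicit_deny", "scp: no statement allows this action", None, path)
    if "resource" in allows:
        return Decision(True, "explicit_allow", *allows["resource"], path)
    if "boundary" in present and "boundary" not in allows:
        return Decision(False, "implicit_deny", "boundary: no statement allows this action", None, path)
    for kind in ("identity", "group", "role"):
        if kind in allows:
            return Decision(True, "explicit_allow", *allows[kind], path)
    return Decision(False, "implicit_deny", "no policy grants this action", None, path)

def explain(d, principal, action, resource):
    """Paragraph one: answer and controlling policy. Paragraph two: how to flip it, as a diff."""
    para1 = (f"{principal} is {'ALLOWED' if d.allowed else 'DENIED'} {action} on {resource}: "
             f"{d.kind.replace('_', ' ')}, controlling policy {d.controlling}. "
             "Walk: " + "; ".join(d.path) + ".")
    if d.kind == "explicit_deny":
        para2 = (f"To allow it, remove this statement from {d.controlling.split('#')[0]}:\n"
                 f"- {json.dumps(d.statement)}")
    else:
        if d.allowed:                  # revoke: add an explicit Deny beside the granting statement
            target = d.controlling.split("#")[0]
        elif d.controlling.startswith(("scp", "boundary")):
            target = d.controlling.split(":")[0] + " (it restricts but never grants)"
        else:                          # nothing grants: the identity side needs an Allow
            target = "the principal's identity policy"
        proposed = {"Sid": "ProposedChange", "Effect": "Deny" if d.allowed else "Allow",
                    "Action": action, "Resource": resource}
        para2 = (f"To {'deny' if d.allowed else 'allow'} it, add this statement to {target}:\n"
                 f"+ {json.dumps(proposed)}")
    return para1 + "\n\n" + para2

# Constructed sample policies for the page's eval cases (not real account data).
ROLE, OBJECTS = "arn:aws:iam::111122223333:role/Deployer", "arn:aws:s3:::example-bucket/*"
ROLE_WRITES = Policy("role:Deployer", "role", [{"Sid": "S3Write", "Effect": "Allow", "Action": "s3:PutObject", "Resource": OBJECTS}])
ROLE_READS = Policy("role:Deployer", "role", [{"Sid": "S3Read", "Effect": "Allow", "Action": "s3:Get*", "Resource": OBJECTS}])
SCP_OPEN = Policy("scp:FullAccess", "scp", [{"Sid": "All", "Effect": "Allow", "Action": "*", "Resource": "*"}])
SCP_NO_WRITES = Policy("scp:NoS3Writes", "scp", SCP_OPEN.statements + [{"Sid": "DenyPut", "Effect": "Deny", "Action": "s3:Put*", "Resource": "*"}])
BUCKET_POLICY = Policy("resource:example-bucket", "resource", [{"Sid": "AllowDeployer", "Effect": "Allow", "Principal": {"AWS": ROLE}, "Action": "s3:PutObject", "Resource": OBJECTS}])
BOUNDARY_READS = Policy("boundary:ReadOnly", "boundary", [{"Sid": "Reads", "Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}])
CASES = {"standard allow": [ROLE_WRITES, SCP_OPEN], "standard deny": [ROLE_READS, SCP_OPEN],
         "scp override": [ROLE_WRITES, SCP_NO_WRITES], "resource policy": [ROLE_READS, SCP_OPEN, BUCKET_POLICY],
         "boundary cap": [ROLE_WRITES, SCP_OPEN, BOUNDARY_READS]}

if __name__ == "__main__":
    for label, policies in CASES.items():
        print(f"== {label} ==\n{explain(evaluate(policies, ROLE, 's3:PutObject', OBJECTS), ROLE, 's3:PutObject', OBJECTS)}\n")
```

The walker reads every policy before deciding, so the path in paragraph one lists all policies involved rather than stopping at the first hit; the precedence rules are applied only afterwards, which keeps the answer independent of the order the policies are handed in. The explanation never emits "unsure": every branch ends in an allow path or a deny path, and the diff in paragraph two is text only, so the example stays read-only in the sense the page describes.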