Securing CLI Agents: Moving Beyond Borrowed Identity for Robust RBAC

These articles are AI-generated summaries. Please check the original sources for full details.

Why agent RBAC is broken in most CLI frameworks (and how to fix it)

A coding agent in a staging environment recently caused unintended config modifications and secret rotations while operating under a human operator’s admin profile. This happened because the CLI framework treated the agent as a script with a borrowed token rather than a distinct entity.

Why This Matters

Current CLI frameworks often reuse human RBAC: the agent inherits the operator's broad privileges, so least privilege is lost and the audit trail is broken. In practice this makes it impossible to tell human intent from agent execution, and it rules out granular revocation and policy enforcement at the execution layer.

Key Insights

  • Borrowing a human admin AWS_PROFILE for agents violates least privilege: the agent receives broad, unmanaged access by default.
  • Standard CLI tools have no notion of a delegation chain, so a narrow grant such as deploy:staging for 30 minutes cannot be encoded.
  • Cryptographic identity using Ed25519 keypairs allows agents to stop being anonymous extensions of human sessions, as proposed by the Authora team (2026).
  • Short-lived tokens modeled after RFC 8693 can separate the subject (agent) from the actor (human) for precise auditability.
  • Policy enforcement engines like OPA can restrict agent actions to specific hours or environments, preventing unauthorized production changes.

Working Examples

Generating an Ed25519 cryptographic identity for a CLI agent using Node.js.

const nacl = require("tweetnacl");
const util = require("tweetnacl-util");

// Fresh Ed25519 keypair: kp.publicKey is registered with the policy layer,
// kp.secretKey stays on the agent host and is used to sign the agent's requests.
const kp = nacl.sign.keyPair();
const agentId = "release-bot-7";
const pub = util.encodeBase64(kp.publicKey);

// Public identity record for the agent; the secret key is never printed or shared.
console.log({
  agentId,
  algorithm: "Ed25519",
  publicKey: pub
});

Practical Applications

  • Staging Resource Management: Use short-lived, scoped tokens to allow agents to clean up temp buckets without permission to rotate secrets or modify global deployment configs.
  • Pitfall: Using one shared API key for all agents means access cannot be revoked for a single compromised or malfunctioning agent without breaking the entire automation pipeline.
  • Audit Logging: Implement actor/subject distinction in logs to identify when a human delegated a narrow capability to a specific agent, ensuring incident reviews are accurate.
  • Pitfall: Assigning role names without enforcement, such as agent_admin, provides a false sense of security if the underlying CLI accepts the role without verifying cryptographic identity.
