The confused deputy – tackling an age-old threat that is going through revival thanks to agentic AI

Noel Mouwannes

Noel Mouwannes, Director – Middle East at BeyondTrust, discusses an age-old attack method that is regaining popularity in the era of agentic AI. The confused deputy problem involves an application or process (a “deputy”) with high-level privileges being tricked by a less-privileged entity into using those privileges on the requester’s behalf, outside its job description (acting “confused”). In the article, Noel shares tangible steps that organizations can take to mitigate this threat.

As security professionals across the United Arab Emirates are aware, the country is still under constant attack in 2026. A May 2025 report from e&-owned cybersecurity company Help AG shows a more than 862% surge in attacks over the previous five years. And CISOs across the country are still contemplating their response to the UAE Cybersecurity Council findings from last February that more than 223,800 vulnerable digital assets are hosted in the UAE, and that half of the critical vulnerabilities among them have gone unaddressed for more than five years.

But as the nation grapples with the pros and cons of AI, an age-old attack method is gaining popularity among our digital adversaries. The confused deputy problem involves an application or process (a “deputy”) with high-level privileges being tricked by a less-privileged entity into going outside its job description (acting “confused”). The deputy acts with its own authority rather than the requester’s, so the access check that should have applied to the requester is never made: trusting the requesting entity, the deputy carries out the request without question, and the result is an escalation of privilege. When we think about the access granted to privileged accounts, we think of sensitive systems, other security secrets, and commercial IP. When we think of agentic AI, we can imagine an agent that holds a key service account’s privileges being steered into using them on an attacker’s behalf; or we might consider Microsoft’s warning about Copilot potentially being manipulated into becoming a confused deputy and serving as the spearhead of a systemic attack.

Deputies arise wherever a privileged component acts on a less-privileged caller’s request. One is a sudoers rule that lets a user run a script as root: if the script passes its arguments on unvalidated, or can be made to open an editor or spawn a shell, the user gets root for anything, not just the task the rule was written for. Another is a system that relaxes controls on arbitrary, unaudited, or unvalidated commands being executed with vaulted credentials (via a jump host or automation engine); whoever can supply the command inherits the vault’s privileges, which can lead to lateral movement and greater subsequent damage, including data exfiltration. Likewise, a developer who obtains the credentials of a shared service account with privileged, persistent access to secrets, registries, or production APIs can deputize the entire pipeline to inject malicious code or exfiltrate secrets. Cloud IAM tokens are a further route. If a role’s trust policy lets a third-party service assume it through the Security Token Service (STS) without tying each request to the specific customer it was meant for (AWS’s external ID condition exists for exactly this gap), any tenant of that service can have it assume a higher-privileged role that belongs to someone else.
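The cross-account STS case is the one most often cited under the “confused deputy” name, so here it is worked through as an added example (not BeyondTrust’s code and not a real AWS call). A multi-tenant monitoring service assumes each customer’s role using its own credentials; the attacker is simply another tenant who edits their own onboarding record to name the victim’s role. The `assume_role` function below is a stand-in for the STS decision and only evaluates the fields the example uses; the account numbers, ARNs and tenant names are constructed. The fix shown is the external ID condition that AWS documents for this scenario: the service issues each tenant an unguessable value and passes it on every call, and each customer pins their own value in their role’s trust policy.

```python
"""Toy model of the cross-account confused deputy that arises when a
third-party service assumes customer roles via STS.  Added illustration, not
BeyondTrust code and not a real AWS call: `assume_role` is a stand-in for the
STS decision and only evaluates the fields this example uses.  All account
numbers, ARNs and tenant names are constructed."""
import secrets

# Constructed identifiers (not real accounts or roles).
SERVICE_ROLE = "arn:aws:iam::111111111111:role/MonitoringService"   # the deputy
VICTIM_ROLE = "arn:aws:iam::222222222222:role/CustomerReadOnly"
ATTACKER_ROLE = "arn:aws:iam::333333333333:role/CustomerReadOnly"


def trust_policy(principal, external_id=None):
    """Role trust policy letting `principal` call sts:AssumeRole, optionally
    only when the caller presents a matching sts:ExternalId."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole"}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def assume_role(policies, caller, role_arn, external_id=None):
    """Stand-in for STS: allow when a statement in the target role's trust
    policy names the caller and any ExternalId condition matches."""
    for stmt in policies[role_arn]["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Principal"]["AWS"] != caller:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is None or required == external_id:
            return True
    return False


class MonitoringService:
    """The deputy: a multi-tenant SaaS that uses its *own* credentials to
    assume whatever role each tenant's onboarding record names."""

    def __init__(self, policies, send_external_id):
        self.policies = policies
        self.send_external_id = send_external_id
        self.tenants = {}  # tenant -> {"role": arn, "external_id": str}

    def onboard(self, tenant, role_arn):
        """Issue an unguessable per-tenant ExternalId and return it for the
        customer to pin in their role's trust policy."""
        ext = "ext-" + secrets.token_hex(16)
        self.tenants[tenant] = {"role": role_arn, "external_id": ext}
        return ext

    def set_role(self, tenant, role_arn):
        # Tenant-editable setting: this is the attacker's lever.
        self.tenants[tenant]["role"] = role_arn

    def fetch_metrics(self, tenant):
        rec = self.tenants[tenant]
        ext = rec["external_id"] if self.send_external_id else None
        return assume_role(self.policies, SERVICE_ROLE, rec["role"], ext)


def run_scenario(use_external_id):
    """Return (legitimate access works, attacker hijack works)."""
    policies = {}
    svc = MonitoringService(policies, send_external_id=use_external_id)
    victim_ext = svc.onboard("victim", VICTIM_ROLE)
    attacker_ext = svc.onboard("attacker", ATTACKER_ROLE)
    # Each customer trusts the service role; in the hardened case they also
    # require the ExternalId the service issued to *them*.
    policies[VICTIM_ROLE] = trust_policy(SERVICE_ROLE, victim_ext if use_external_id else None)
    policies[ATTACKER_ROLE] = trust_policy(SERVICE_ROLE, attacker_ext if use_external_id else None)
    legit = svc.fetch_metrics("victim")
    # The attack: point the attacker's own tenant record at the victim's role.
    # The service still authenticates as itself, so without ExternalId the
    # victim's trust policy cannot tell the two tenants apart.
    svc.set_role("attacker", VICTIM_ROLE)
    hijacked = svc.fetch_metrics("attacker")
    return legit, hijacked


if __name__ == "__main__":
    print("no ExternalId   (legit, hijacked):", run_scenario(False))  # (True, True)
    print("with ExternalId (legit, hijacked):", run_scenario(True))   # (True, False)
```

The point to take from the two runs is that the deputy never misbehaves in the sense of using credentials it does not own; it is the target role’s trust policy that has to distinguish “the service acting for the victim” from “the service acting for the attacker”, and it can only do so if the request carries something the attacker cannot supply.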

Modern PAM to the rescue

Privileged access management (PAM) must evolve beyond secrets management and session-brokering if we are to guard against confused deputies in the AI world. At every system level, intent must be gauged, context must be considered, and granular just-in-time (JIT) privileges must be enforced across all identities, be they human, machine, or application-to-application communication. This is especially important for AI agents because of their potential to create deputies at scale.

Modernized PAM systems will include facilities for command filtering and validation. They will monitor activity in real time and assess it against a strict list of permitted commands and authorized parameters. They will validate every argument, not just the command name, so that shell metacharacters, extra options, or path tricks cannot turn a permitted command into a different one. And they will enforce context-aware access that checks the identity of the account owner, the time of day, the owner’s device, and the intended purpose.
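What “permitted commands and authorized parameters” has to mean in practice is easiest to see with a broker that runs commands with vaulted credentials on a caller’s behalf. The following is an added example, not BeyondTrust’s code or any product’s policy format; the allow-list and the `systemctl`/`tail` commands in it are assumptions chosen for illustration. The vulnerable broker checks only the command name and hands the string to a shell, so anything after a `;` or inside `$(...)` runs with the vault’s privileges. The hardened broker tokenises without a shell, requires an exact match on command, subcommand, argument count and argument shape, and refuses option-looking arguments so a permitted command cannot be redirected. Nothing is executed; each broker returns the argv it would run.

```python
"""Command filtering for a PAM-style broker that runs commands with vaulted
credentials on a caller's behalf.  Added example, not BeyondTrust's code or
any product's policy format: the allow-list and the systemctl/tail commands
are assumptions chosen for illustration.  Nothing is executed; each broker
returns what it *would* run so the decision is visible."""
import re
import shlex

UNIT = r"[a-z0-9@._-]+\.service"              # a systemd unit name
LOGFILE = r"/var/log/app/[a-z0-9._-]+\.log"    # one directory, no '/' so no traversal

# Allow-list: command -> permitted first argument -> regex for each further
# positional argument (count must match exactly).  Anything absent is denied.
POLICY = {
    "systemctl": {"restart": [UNIT], "status": [UNIT]},
    "tail": {"-n": [r"[1-9][0-9]{0,3}", LOGFILE]},
}


def vulnerable_broker(request):
    """Before: checks only the command name, then hands the whole string to a
    shell.  Anything after ';', '&&' or inside '$(' rides on the vault's privileges."""
    if request.split()[0] not in POLICY:
        raise PermissionError("command not allowed")
    return ["/bin/sh", "-c", request]


def hardened_broker(request):
    """After: tokenise without a shell, then validate command, subcommand,
    argument count and every argument's shape against POLICY."""
    try:
        argv = shlex.split(request)      # quotes honoured, metacharacters literal
    except ValueError as exc:
        raise PermissionError(f"unparseable request: {exc}")
    if len(argv) < 2:
        raise PermissionError("command and subcommand required")
    cmd, sub, *args = argv
    rule = POLICY.get(cmd, {}).get(sub)
    if rule is None:
        raise PermissionError(f"{cmd} {sub} is not permitted")
    if len(args) != len(rule):
        raise PermissionError("unexpected number of arguments")
    for arg, pattern in zip(args, rule):
        # Refuse option-looking arguments outright so '--root=/tmp/x' or '-f'
        # cannot change what the permitted command does.
        if arg.startswith("-") or not re.fullmatch(pattern, arg):
            raise PermissionError(f"argument {arg!r} rejected")
    return [cmd, sub, *args]             # pass as argv, never through a shell


def is_allowed(request):
    """True if the hardened broker would run the request."""
    try:
        hardened_broker(request)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    samples = [                          # constructed requests
        "systemctl restart api.service",
        "systemctl restart api.service; cat /etc/shadow",
        "systemctl restart --root=/tmp/x api.service",
        "tail -n 50 /var/log/app/api.log",
        "tail -n 50 /var/log/app/../../../etc/shadow",
    ]
    for req in samples:
        try:
            vulnerable_broker(req)
            old = "runs it"
        except PermissionError:
            old = "denies it"
        new = "allows it" if is_allowed(req) else "denies it"
        print(f"{req!r}\n    old broker {old}; hardened broker {new}")
```

The two design choices that matter are the default (anything not in the policy is denied, including a different subcommand of a permitted command) and the refusal to involve a shell at all: once the request is an argv list, `;` and `$()` are ordinary characters that simply fail the per-argument regex, and the option check closes the remaining path of steering the allowed binary with a flag.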

At design time, modern PAM platforms allow security teams to ensure identities and accounts are not being used universally across the organization. Service and application accounts must be kept separate to reduce the potential blast radius from a confused deputy’s actions. As always, the principle of least privilege should be implemented consistently so no account has more access than is required to fulfil its function. Modern PAM does all this and more. It allows detailed real-time auditing and monitoring so that in the event of an account’s misuse, forensics is straightforward and can yield actionable insights. Today’s PAM systems should also avoid the practice of standing access. They should enforce regular rotation of secrets and inject them at runtime through just-in-time and ephemeral authentication. Keeping secrets hidden even from the user or process that uses them makes it harder to manipulate the deputy into doing any real damage.

Standing up to AI: next steps

Because agentic AI has wormed its way into so many business processes, it may come to dominate today’s digital environments. AI agents’ potential role in the confused deputy problem means we must consider this attack method to be a strategic challenge for the enterprise. Privilege must come with context, or it will represent a risk. Agentic AI’s ability to rapidly create millions of confused deputies necessarily places it at the center of any effective PAM strategy. The modernized approach described above arms the organization against confused deputies at every layer – user, process, machine, and application.

AI agents will always function as machine identities. They authenticate to systems; they execute commands; they make calls to APIs; they interact with data. They are therefore exposed to the same identity risks, but on a much larger scale. So, reduce standing access while also implementing least privilege, and create a security ecosystem that revalidates intent at every layer. AI adoption’s greatest barrier has always been a lack of trust. Without adequate controls the AI journey could be derailed or, worse, take the business blindly into the crosshairs of threat actors through an AI-made confused deputy.
