Silent Drift: How LLMs Are Quietly Breaking Organizational Access Control
Summary
Large Language Models (LLMs) can inadvertently compromise organizational access control by generating incorrect or incomplete authorization code. A single oversight in LLM-generated Rego or Cedar code can weaken an organization's least-privilege security model.
IFF Assessment
FOE
The article describes a new way that LLMs can weaken existing security controls, posing a threat to defenders.
Defender Context
Defenders need to be aware of the potential for LLMs to introduce subtle but critical errors into access control policies. Thorough human review and validation of any LLM-generated security code are essential to prevent 'silent drift' that undermines security posture.