TL;DR
- We analyzed 2.4 million workers and 3.6 billion permissions. 96% go unused.
- Agents inherit all of it — the access humans never touch becomes the access agents will.
- This is already causing real incidents at real companies. (We’re tracking them in our Agents Gone Rogue registry.)
- You can start fixing it now: audit, separate human and agent permissions, start read-only.
- The full report is available at www.osohq.com/research
I told my team last year I’d shave my head if I was wrong about something.
My hypothesis: SaaS systems are grossly overpermissioned. Users have way more access than they ever actually use.
No one was impressed by the bet. The security people I know would have been more surprised if I’d bet the opposite. Broken access control has been the #1 item on the OWASP Top 10 for six straight years. Everyone knows permissions are a mess. It’s one of those things the industry just sort of shrugs at, in the same way I imagine dentists shrug at patients not flossing.
I’d wanted to quantify it for years. We build permissions infrastructure at Oso. I figured if we could show customers exactly how overpermissioned their systems were, we could help them tighten things up and ship better products. But there was always something more urgent. It never made it to the top of the list.
Then agents happened. I started watching companies take their employees’ full permission sets and hand them to autonomous systems — systems that don’t sleep, can’t be fired, and have no idea when they’re doing something dangerous. And I thought: okay, now’s the time.
So we did it. Together with our friends at Cyera, we analyzed 2.4 million workers and 3.6 billion application permissions. And the thing that surprised me wasn’t the answer. It was that in fifty years of talking about least privilege, nobody had bothered to measure it.
What we found
- 96% of permissions go unused over a 90-day window.
- Only 4 in 100 workers take any action in most applications. Even the ones who do exercise just 17% of what’s available to them.
- Workers touch 9% of the sensitive data they can reach. They have roughly 10x the access they need.
- 31% of workers can modify or delete sensitive data. 13% can export it. 13 in 100 workers have access to regulated data — PII, financial records, health information.
- And the way access is configured makes this worse: 80%+ of access is still managed through static profiles. In some environments, nearly 30% of users have admin privileges. That’s about 6x what you’d expect.
Why this didn’t use to matter
Before agents, nobody was going to prioritize fixing this. Humans are self-limiting.
We trust employees, probably more than we should, but that’s a separate argument. People apply judgment. They have reputations. They don’t want to get fired. A person with access to 100 things who only touches 17 of them isn’t really a problem. They’re just a person with a messy desk.
There’s also a ceiling on damage. People work business hours. They get tired. They go home. There are only so many files you can exfiltrate before you need to sleep. The sheer slowness of being human puts a cap on how bad things can get.
That was the deal everyone implicitly made: overpermissioning is sloppy, but it’s not worth the cost of cleaning up. Keep the broad roles. Absorb the occasional breach. Move on.
Agents break that deal.
Why agents are different
The two things that made overpermissioning tolerable — judgment and slowness — are exactly what agents don’t have.
They can be tricked. Prompt injection works. They hallucinate. They will confidently do the wrong thing and think they’re being helpful.
And they’re fast. Hundreds of actions per second, around the clock, with no natural stopping point. A human attacker sleeps. An agent doesn’t.
An overpermissioned human is a messy closet. An overpermissioned agent is a fire in that closet.
This is already happening
In December, an AWS engineer used Kiro — AWS’s own coding agent — to fix a minor bug. Kiro decided the most efficient solution was to delete and recreate the environment. Thirteen-hour outage. The agent didn’t hesitate, didn’t ask, didn’t notice what it was about to do. It had no concept of consequences. Only completion.
In November 2025, Anthropic disclosed that a Chinese state-sponsored group had used an AI agent to attack roughly thirty global targets — banks, tech companies, government agencies. Thousands of requests per second, no human in the loop, faster than defenders could detect it. A human attacker sleeps. An agent doesn’t.
A recent security scan found over 40,000 OpenClaw instances exposed to the internet, with community skills designed to exfiltrate data and harvest credentials. The agents had inherited permissions across their users’ entire digital lives.
What to do about it
We’re building infrastructure at Oso to solve this problem via agent permissions posture management.
But regardless of what tools you use, there are things you can do right now:
- Audit your permission sprawl. If 96% of access goes unused for humans, that same access should not be handed to an agent. Figure out what the agent actually needs and give it that. Nothing more.
- Separate human and agent permissions. Don’t give agents a copy of your users’ permissions. Give them a fraction.
- Log every action. You can’t govern what you can’t see.
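The three steps above as one runnable sketch. This is an added example, not code from Oso or from the report; the grant tuples, the `agent:` principal prefix, the read-only verb set and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=90)      # same 90-day window the findings use
READ_ONLY = {"read", "list"}     # assumption: verbs treated as read-only
NOW = datetime(2026, 1, 1)       # constructed "today" for the sample data

# Constructed sample: what one worker is granted vs. what the audit log shows.
GRANTS = {("alice", "crm/accounts", a) for a in ("read", "update", "delete", "export")} | {
    ("alice", "billing/invoices", "read"), ("alice", "hr/records", "read")}
AUDIT_LOG = [
    (datetime(2025, 12, 20), "alice", "crm/accounts", "read"),
    (datetime(2025, 12, 21), "alice", "crm/accounts", "update"),
    (datetime(2025, 6, 1), "alice", "hr/records", "read"),   # older than the window
]

def audit(grants, log, now=NOW, window=WINDOW):
    """Step 1: split grants into (used, unused) by activity inside the window."""
    cutoff = now - window
    exercised = {(who, res, act) for ts, who, res, act in log if cutoff <= ts <= now}
    return grants & exercised, grants - exercised

def unused_pct(grants, unused):
    """Whole-number percentage of grants never exercised in the window."""
    return 100 * len(unused) // len(grants) if grants else 0

def agent_scope(used, human):
    """Step 2: the agent gets its own principal and a read-only slice of used grants."""
    return {(f"agent:{human}", res, act)
            for who, res, act in used if who == human and act in READ_ONLY}

def authorize(scope, action_log, principal, resource, action, now=NOW):
    """Step 3: default-deny check that records every decision, allowed or not."""
    allowed = (principal, resource, action) in scope
    action_log.append((now, principal, resource, action, allowed))
    return allowed

if __name__ == "__main__":
    used, unused = audit(GRANTS, AUDIT_LOG)
    scope, log = agent_scope(used, "alice"), []
    print(f"{unused_pct(GRANTS, unused)}% of grants unused; agent scope: {sorted(scope)}")
    for act in ("read", "update", "delete"):
        print(act, authorize(scope, log, "agent:alice", "crm/accounts", act))
```

Denied requests are logged alongside allowed ones, so the log also shows what the agent tried to do outside its scope.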
This is a summary. The full research — methodology, detailed findings, industry breakdowns — is in the complete report. And if you want us to walk you through it and talk about what it means for your systems, we’re happy to do that.
Most agents are still pilots. This is your window.

