CR · Jun 2

Privilege Risk Evolution for Non-Human Identities: A Temporal Fiber Model for Cloud IAM

arXiv:2606.032898.3
Predicted impact: top 64% in CR (last 90 days). Originality: incremental advance.
AI Analysis

For cloud IAM practitioners, the paper provides a novel method to analyze and predict privilege evolution for non-human identities, addressing a known bottleneck in permission governance.

The paper shows that permission equivalence for non-human identities has structural and temporal components, and proposes a three-layer framework to model privilege evolution. Empirical evaluation on a large Azure tenant demonstrates that early observation of ratchet-type privilege circuits predicts long-term structural stability.

Cloud permission governance implicitly treats permission equivalence as a static relation. We show that for non-human identities (NHIs), equivalence has two irreducible components: structural equivalence, capturing identical permission profiles at a snapshot via graph fibration, and temporal equivalence, capturing recurring permission states via strongly connected components (SCCs) in a fiber transition graph. We call the equivalence classes under temporal equivalence privilege circuits. We formalize a three-layer framework: (1) a spatial quotient of the permission graph via fibration, (2) a lineage partition organizing stable transition compartments, (3) windowed SCC analysis as a temporal quotient within lineages. Empirical evaluation on a large Azure tenant supports the framework. Backtesting demonstrates that early observation of ratchet-type privilege circuits predicts long-term structural stability.
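As an added illustration (not code from the paper, and not its exact construction), the following Python sketch approximates layers (1) and (3) of the framework on constructed data. Structural fibers are taken as identities with identical permission sets at a snapshot, which is a simplification of the graph fibration the abstract describes; a fiber transition graph is built from consecutive snapshots; and strongly connected components of that graph give the privilege circuits. The identity names, role names and snapshots are constructed, the lineage layer is not modelled, and no attempt is made to define the paper's "ratchet-type" circuits.

```python
from collections import defaultdict

# Constructed sample data (not from the paper): four snapshots of the role
# assignments of five hypothetical service identities in one tenant.
SNAPSHOTS = [
    {"svc-a": {"Reader"}, "svc-b": {"Reader"}, "svc-c": {"Reader", "Writer"},
     "svc-d": {"Reader", "Writer", "Owner"}, "svc-e": set()},
    {"svc-a": {"Reader", "Writer"}, "svc-b": {"Reader"}, "svc-c": {"Reader"},
     "svc-d": {"Reader", "Writer", "Owner"}, "svc-e": {"Reader"}},
    {"svc-a": {"Reader"}, "svc-b": {"Reader", "Writer"}, "svc-c": {"Reader", "Writer"},
     "svc-d": {"Reader", "Writer", "Owner"}, "svc-e": {"Reader"}},
    {"svc-a": {"Reader", "Writer"}, "svc-b": {"Reader"}, "svc-c": {"Reader"},
     "svc-d": {"Reader", "Writer", "Owner"}, "svc-e": {"Reader", "Writer"}},
]


def structural_fibers(snapshot):
    """Layer 1 (simplified): identities with identical permission profiles
    at one snapshot fall into the same fiber."""
    fibers = defaultdict(set)
    for ident, perms in snapshot.items():
        fibers[frozenset(perms)].add(ident)
    return dict(fibers)


def fiber_transition_graph(snapshots):
    """Edge f1 -> f2 whenever some identity is in fiber f1 at time t and in
    fiber f2 at time t+1 (self-loops record identities that stayed put)."""
    graph = defaultdict(set)
    for prev, cur in zip(snapshots, snapshots[1:]):
        for ident, perms in cur.items():
            if ident in prev:
                graph[frozenset(prev[ident])].add(frozenset(perms))
    for snap in snapshots:  # make sure isolated fibers are nodes too
        for perms in snap.values():
            graph.setdefault(frozenset(perms), set())
    return dict(graph)


def strongly_connected_components(graph):
    """Tarjan's SCC algorithm over a dict node -> set(successors)."""
    index, low, on_stack, stack, result = {}, {}, set(), [], []
    counter = [0]

    def visit(v):
        index[v] = low[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in graph.get(v, ()):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            result.append(frozenset(comp))

    for v in sorted(graph, key=lambda n: (len(n), sorted(n))):
        if v not in index:
            visit(v)
    return result


def privilege_circuits(snapshots):
    """Layer 3 (simplified): an SCC of the fiber transition graph that
    contains a cycle (more than one fiber, or a self-loop) is a set of
    recurring permission states, i.e. a privilege circuit."""
    graph = fiber_transition_graph(snapshots)
    return [comp for comp in strongly_connected_components(graph)
            if len(comp) > 1 or any(n in graph[n] for n in comp)]


def classify_identities(snapshots):
    """Label each identity by its trajectory through the circuits:
    'stable' (one recurring state), 'circuit' (cycles inside one SCC),
    or 'transient' (visits a state outside every circuit)."""
    circuits = privilege_circuits(snapshots)
    circuit_of = {node: i for i, comp in enumerate(circuits) for node in comp}
    labels = {}
    for ident in snapshots[-1]:
        trajectory = [frozenset(s[ident]) for s in snapshots if ident in s]
        visited = {circuit_of.get(f) for f in trajectory}
        if None in visited or len(visited) > 1:
            labels[ident] = "transient"
        elif len(set(trajectory)) == 1:
            labels[ident] = "stable"
        else:
            labels[ident] = "circuit"
    return labels


if __name__ == "__main__":
    for t, snap in enumerate(SNAPSHOTS):
        print(f"t={t}:", {tuple(sorted(k)): sorted(v) for k, v in structural_fibers(snap).items()})
    print("circuits:", [sorted(tuple(sorted(f)) for f in c) for c in privilege_circuits(SNAPSHOTS)])
    print("labels:", classify_identities(SNAPSHOTS))
```

In this toy data svc-a, svc-b and svc-c oscillate between the Reader and Reader+Writer profiles and so share one circuit, svc-d sits in a single self-looping state, and svc-e passes through the empty profile, which belongs to no circuit, so it is labelled transient. A governance workflow could use the same split to decide which identities have a settled privilege footprint and which still need review.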
