Privilege Risk Evolution for Non-Human Identities: A Temporal Fiber Model for Cloud IAM
2026-06-02 • Cryptography and Security
Cryptography and Security
AI summaryⓘ
The authors explain that cloud permission equivalence for non-human identities (like automated accounts) isn’t just a fixed comparison. They identify two parts: structural equivalence, which looks at identical permissions at a single time using graph theory, and temporal equivalence, which tracks how permissions repeat over time using special graph components called strongly connected components. They propose a three-step method to study these permission patterns over time and show it works on real cloud data from Microsoft Azure. Their tests also show that early detection of certain recurring permission patterns can predict stable permission configurations in the future.
cloud permission governancenon-human identitiesstructural equivalencetemporal equivalencegraph fibrationstrongly connected componentsfiber transition graphprivilege circuitsAzure tenantgraph theory
Authors
Christophe Parisel
Abstract
Cloud permission governance implicitly treats permission equivalence as a static relation. We show that for non-human identities (NHIs), equivalence has two irreducible components: structural equivalence, capturing identical permission profiles at a snapshot via graph fibration, and temporal equivalence, capturing recurring permission states via strongly connected components (SCCs) in a fiber transition graph. We call the equivalence classes under temporal equivalence privilege circuits. We formalize a three-layer framework: (1) a spatial quotient of the permission graph via fibration, (2) a lineage partition organizing stable transition compartments, (3) windowed SCC analysis as a temporal quotient within lineages. Empirical evaluation on a large Azure tenant supports the framework. Backtesting demonstrates that early observation of ratchet-type privilege circuits predicts long-term structural stability.