Not My Root
No read access to the production database. API scope insufficient. Happens all the time.
Annoying, but there's a small relief. Past this line, it's not my responsibility. Permissions are responsibility. Not having them means the boundary is drawn for you.
Someone once offered to give me root. I declined instantly. Holding root means owning everything that happens on that server. Whether I break it or someone else does. I wanted the application layer, not kernel parameters.
A UNIX book I read years ago had a story about reclaiming root from a stubborn sysadmin. Plant a trap in PATH, wait for the admin to run an everyday command, and the privilege is yours. If they won't hand it over, you take the back door. Permissions come down to one of two things: technical access or trust.
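The trap in that story is an ordinary PATH hijack: the admin's shell searches PATH left to right, so whoever controls a directory that sits ahead of /bin gets to supply "ls". The script below is an added example, not from the original post or the book it recalls. It plants a harmless stand-in for the payload (it only records the uid it ran as, then hands off to the real ls), shows which binary a given PATH resolves to, and ends with the check a practitioner actually wants: an audit that flags PATH entries a privileged shell must never carry. It assumes a POSIX shell, mktemp, and a real ls under /bin or /usr/bin; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: the PATH trap from the story, and the
# check that defeats it. Assumes a POSIX shell, mktemp, and a real ls in /bin or /usr/bin.

# Plant the trap: a fake 'ls' in a directory that will sit ahead of /bin in the
# victim's PATH. The payload here only records who ran it (in the story it would
# grab root); then it passes through to the real ls so nothing looks wrong.
plant_trap() {
    dir=$(mktemp -d)
    cat > "$dir/ls" <<'EOF'
#!/bin/sh
echo "trap ran as uid $(id -u)" >> "${TRAP_LOG:?TRAP_LOG must be exported}"
PATH=/bin:/usr/bin
exec ls "$@"
EOF
    chmod +x "$dir/ls"
    printf '%s\n' "$dir"
}

# Which 'ls' does a given PATH resolve to? Run in a subshell so neither the
# caller's PATH nor its command hash table is touched.
resolve_ls() {
    ( PATH=$1; hash -r; command -v ls )
}

# The admin's everyday command, run with the trap directory first in PATH.
run_trapped() {
    ( PATH=$1:$PATH; hash -r; ls / >/dev/null )
}

# The check: count PATH entries a privileged shell must not have. An empty entry
# or '.' means "current directory", a relative entry depends on where you stand,
# and a world-writable directory lets anyone plant a binary. Symlinks are
# followed (-L) so a /bin -> usr/bin link is judged by its target's mode.
audit_path() {
    bad=0
    old_ifs=$IFS
    IFS=:
    for entry in $1; do
        case $entry in
            ""|.|[!/]*) bad=$((bad + 1)); continue ;;
        esac
        # The other-write bit is the 9th character of 'ls -ld' output (drwxrwxrwx).
        case $(ls -ldL "$entry" 2>/dev/null) in
            ????????w*) bad=$((bad + 1)) ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$bad"
}
```

The defence is the same whether you are the stubborn sysadmin or the one being handed root: privileged shells get a fixed, absolute PATH (sudo's secure_path does this), nothing relative or world-writable in it, and an audit like the one above run on the PATH of every account that matters.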
NHI is a term I keep hearing lately. Non-Human Identity. Service accounts, API keys, OAuth tokens. IDs given to things that aren't people. Enterprises reportedly have ten times more NHIs than human identities. Most are created and forgotten. Over-scoped, never rotated, no one knows who made them. Human IDs got SSO and MFA. Non-human IDs were left wide open. In January 2024, Microsoft disclosed that its corporate email had been breached through a legacy test OAuth application that should have been decommissioned.
AI agents now call APIs, connect to databases, integrate with external services. Agents don't quit. They don't hand off. They never give permissions back.
I could decline root instantly because I know what it weighs. When you hand permissions to something that doesn't know the weight, where does the responsibility go?