SNOW-20.2: Role Masking Not Configured for Dynamic User Agent
🚨 Critical · Excessive Agency
Validates that AI Agents using Dynamic User identity mode have Role Masking properly configured. Without Role Masking, the agent inherits the FULL permissions of the invoking user. If a system administrator interacts with the agent, it temporarily acquires root-level access, creating a catastrophic prompt injection surface.
Details
| Field | Value |
|---|---|
| Rule ID | SNOW-20.2 |
| Severity | Critical |
| Category | Excessive Agency |
| Platforms | servicenow |
| Compliance | SOC2_CC6, NIST_AI_RMF, EU_AI_ACT_HIGH_RISK |
Remediation
Refer to the SquireX documentation for remediation guidance specific to SNOW-20.2.