The Intake
The Intake — Wednesday, April 29, 2026
Editor’s note
Silverfort disclosed — and Microsoft has now patched — a privilege-escalation flaw in Entra ID's Agent ID Administrator role. The role was introduced earlier this year as the dedicated identity surface for AI agents in a tenant. A user assigned it could enumerate service principals, become the owner of any non-agent service principal, inject a credential, and authenticate as that principal. The role's name said "agent-only." The role's behavior did not.
That is the same shape that bit PocketOS yesterday: a Railway token whose nominal scope was custom-domain operations, whose operational scope was anything the operator's account could do. Nominal scope is not operational scope, and the gap is showing up across the substrate this week — at the platform credential, at the directory role, and, in a different shape on the operator side, at the contract layer where Goldman Sachs's strict reading of its Anthropic agreement withdrew Claude access from its Hong Kong staff.
If you read one item today, read the Silverfort writeup on the Entra Agent ID Administrator flaw.
On the substrate
Microsoft's "agent-only" Entra ID role allowed any holder to take over arbitrary service principals; patched April 9
Silverfort (primary research) · The Hacker News · CSO Online · SecurityAffairs · SC Media
Silverfort has published research on a privilege-escalation flaw in Microsoft Entra ID's Agent ID Administrator role — the privileged role Microsoft introduced earlier this year as the dedicated identity-lifecycle surface for AI agents in a tenant. A user assigned that role could enumerate service principals through the Microsoft Graph API, per Silverfort's writeup. From there, they could become the owner of any non-agent service principal — including those holding privileged directory roles or high-impact Graph application permissions. Once owner, they could inject a new credential and authenticate as that principal. The "agent-only" label was a category name in the directory; it was not an enforced scope. Microsoft was notified March 1 and rolled out a fix across cloud environments April 9; ownership assignment over non-agent service principals by holders of this role is now blocked with a Forbidden response. The substantive read is that an identity surface built specifically for agent governance failed in the way agent governance fails generally: a role's name was treated as a contract that the implementation did not enforce. Tenants that assigned the role to AI-platform engineers during the exposure window should audit it now. The patch closes the attack path going forward; it does not retroactively undo any take-overs that already occurred. If your AI-platform staff held the role between its introduction and April 9, enumerate service-principal ownership changes in that window and confirm any credentials added to high-permission principals belong to the staff you expected.
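The audit described above can be run over an exported Entra audit log. The following is an added sketch, not code from Silverfort or Microsoft: it assumes records in the Microsoft Graph directoryAudit field layout and the activity names "Add owner to service principal" and "Add service principal credentials" (check both against your own export). The users, service principals and the window start are constructed, since the page gives no introduction date for the role.

```python
from datetime import datetime

OWNER_ADD = "Add owner to service principal"    # Entra audit activity names
CRED_ADD = "Add service principal credentials"

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def review_owner_changes(events, role_holders, start, end):
    """Owner additions by role holders within [start, end], each with every later
    credential addition the same actor made on that service principal."""
    findings = {}
    for ev in sorted(events, key=lambda e: _ts(e["activityDateTime"])):
        when = _ts(ev["activityDateTime"])
        actor = ((ev.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName")
        if actor not in role_holders:
            continue
        for target in ev.get("targetResources", []):
            if target.get("type") != "ServicePrincipal":
                continue
            key = (actor, target["id"])
            if ev["activityDisplayName"] == OWNER_ADD and start <= when <= end:
                findings.setdefault(key, {"actor": actor, "sp": target["displayName"],
                                          "owner_added": when, "credentials_added": []})
            # Ownership outlives the fix, so credential adds are not window-limited.
            elif ev["activityDisplayName"] == CRED_ADD and key in findings:
                findings[key]["credentials_added"].append(when)
    return list(findings.values())

def _event(activity, when, upn, sp_id, sp_name):
    return {"activityDisplayName": activity, "activityDateTime": when,
            "initiatedBy": {"user": {"userPrincipalName": upn}},
            "targetResources": [{"id": sp_id, "displayName": sp_name, "type": "ServicePrincipal"}]}

# Constructed records in the directoryAudit field layout; not real tenant data.
SAMPLE = [
    _event(OWNER_ADD, "2026-03-20T10:00:00Z", "alice@example.com", "sp-1", "backup-automation"),
    _event(CRED_ADD, "2026-03-20T10:05:00Z", "alice@example.com", "sp-1", "backup-automation"),
    _event(OWNER_ADD, "2026-03-22T09:00:00Z", "bob@example.com", "sp-2", "hr-sync"),
    _event(OWNER_ADD, "2026-04-02T14:00:00Z", "carol@example.com", "sp-3", "report-export"),
    _event(CRED_ADD, "2026-04-12T08:00:00Z", "alice@example.com", "sp-1", "backup-automation"),
    _event(OWNER_ADD, "2026-04-15T11:00:00Z", "alice@example.com", "sp-5", "mail-relay"),
]
HOLDERS = {"alice@example.com", "carol@example.com"}  # hypothetical role assignees
START = _ts("2026-01-01T00:00:00Z")  # assumed lower bound; introduction date not on the page
END = _ts("2026-04-09T23:59:59Z")    # fix rollout date reported in the item above

if __name__ == "__main__":
    for f in review_owner_changes(SAMPLE, HOLDERS, START, END):
        print(f["actor"], f["sp"], f["owner_added"].date(), len(f["credentials_added"]))
```

Findings with a non-empty `credentials_added` list are the ones to reconcile first against the staff and secrets you expected; an owner addition with no credential yet is still an ownership grant to review and remove.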
For operators
Goldman Sachs has withdrawn Anthropic Claude access from its Hong Kong staff after a strict reading of its enterprise contract
Bloomberg · Reuters via Yahoo Finance · Private Banker International · finews.com
Goldman Sachs has removed access to Anthropic's Claude for staff in its Hong Kong office, per reporting this morning. The bank's internal interpretation, after consultation with Anthropic, was that its enterprise agreement does not authorize use by Hong Kong–based employees; Claude has been withdrawn from the territory while Gemini and ChatGPT remain available on Goldman's internal AI platform. The decision lands in the same week the Hong Kong Monetary Authority asked major banks to update risk assessments around Anthropic's Mythos model, against the broader US–China backdrop in which AI access has become a contract-interpretation question rather than a technical one. The decision this forces for any operator running Anthropic across cross-border financial-services entities is whether to read enterprise terms strictly (Goldman's choice — risk-elimination by withdrawal) or to renegotiate explicit jurisdictional scope with the vendor. The first move is faster and produces an unambiguous compliance answer at the cost of withdrawing a tool already in use; the second preserves the tool at the cost of slower legal turnaround. Operators with offices in jurisdictions where their AI vendor's posture is being re-evaluated by national regulators should make this choice explicitly, not by drift. The precedent Goldman has set is that strict-interpretation answers move first, and the second-mover position is harder to defend.
Considered and passed
- "The Reasoning Trap" (ICLR 2026) — a finding that reinforcement-learning training for reasoning increases tool-hallucination rates in lockstep with task gains; prompt engineering and DPO close only part of the gap. Held for the longer context-engineering essay already queued; the paper warrants the engagement, not a brief.
- White House drafts guidance to bypass Anthropic's risk-flag designation (Axios) — political-process news rather than substrate or operator news. Affects Anthropic's federal contracting position; does not change what an agent should do on its next turn or what an operator should decide this quarter. The Mythos paired piece on the May calendar will engage capability-versus-containment as separate evidentiary tracks; this is upstream of that argument.
- Google–Pentagon expanded AI deal under "any lawful government purpose" terms — corporate distribution and US-government procurement. Off-beat for either section.
- OpenAI Workspace Agents general availability — productivity-software announcement; behavioral claims unverifiable without independent eval, and the surface is closer to office-software news than substrate.
- MCP Apps (SEP-1865) specification finalization — real protocol development, but the specification was finalized earlier this quarter and this week's coverage is downstream rather than fresh primary. Held for a comparative-tooling piece when implementations diverge.
- "96% of enterprises run AI agents" (OutSystems IT-leader survey, ~1,900 respondents) — vendor-instrument figure with no methodology trail published alongside the topline. Provenance unverified.
On today’s sources
Primary security research and major financial press both ran cleanly: Silverfort's writeup is the substantive primary on the Entra disclosure, with corroboration across The Hacker News, CSO Online, SC Media, and SecurityAffairs within the same news cycle. Bloomberg's Goldman/Hong Kong story carried through Reuters and into trade press. Practitioner blogs were quiet on agent-substrate items in the last day specifically; Simon Willison's most recent post is on the Codex backdoor API, off the substrate beat. interconnects.ai and red.anthropic.com go into tomorrow's source mix.