Arcane
May 17, 2026 · Sai · 3 min read

The blast-radius formula

Blast radius is scope times lifetime. Most of the conversation focuses on scope. The bigger lever is usually lifetime.

You can write the formula for blast radius on a napkin: it's the scope of a credential multiplied by its lifetime. Two variables. Everything else — rotation discipline, vault hygiene, audit completeness — falls out of these two.

What's surprising is which one the industry has spent its breath on.

The scope conversation

Most authorization conversations are about scope. RBAC, ABAC, policy languages, attribute-based decisions. The literature is decades deep: Sandhu et al. 1996 on task-based authorization, NIST's RBAC standardization, Google's Zanzibar paper on relationship-based access.

These are real and they matter, but they have a property that makes them hard: they're authored. Someone has to write the rules. Someone has to keep them current. Someone has to imagine the bad case in advance.

When an agent picks its own tools at runtime, "imagine the bad case in advance" stops being a viable practice. You can't pre-author for an agent that hasn't decided what it's doing yet.

The lifetime conversation

Lifetime is different. Lifetime is a number. You change a 7d TTL to a 5m TTL and the math changes immediately — by a factor of roughly 2000.

That same change requires zero new policy work, zero new attribute graph, zero new auditor education. It's a knob.

And it's the highest-leverage knob in the system. A wide scope held for 5 minutes is almost always less dangerous than a narrow scope held for a week. A leak from a 5-minute token expires before anyone notices. A leak from a 7-day token is a real bad day, regardless of how narrow the scope was.

Why scope still gets the attention

Two reasons.

First, scope is intellectually interesting. There's a whole field of access-control academia about it. There are conferences. Lifetime is just an integer, and integers don't generate research papers.

Second, scope is what auditors ask about. They want to see the access matrix. They want to see who has access to what. Lifetime is implicit in the answer — for how long? — but it's not what shows up in the headline.

The result is that organizations invest enormous effort in scope minimization while leaving lifetime at default. Which means the formula stays large.

Receipts from the field

A few public datapoints worth keeping in mind:

  • GitHub published their new token formats in 2021 specifically to make leak detection faster and to push everyone toward short-lived equivalents.
  • AWS STS exists precisely because the right answer for cross-account access is short-lived role assumption, not long-lived keys. The STS documentation treats session tokens as the default; long-term keys are increasingly second-class.
  • The Verizon Data Breach Investigations Report has, for several years running, listed "use of stolen credentials" as the most common initial-access vector. The credentials in those incidents are nearly always long-lived.

The trend across all three: the industry has been quietly moving toward shorter lifetimes for a decade. The agent shift just accelerates it.

The two-knob recommendation

If you're auditing your own posture this quarter, run the formula.

For every class of credential in your environment, write down the scope (rows in the access matrix) and the lifetime (default TTL or rotation cadence). Multiply.

The numbers will tell you where to spend.

For most teams I've seen, the answer is: scope is roughly defensible; lifetime is multiple orders of magnitude too generous. That's the lever.
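Running the formula over a small inventory, as an added example that is not code from the post: the credential classes, their row counts and the "7d"/"5m"-style TTL notation are constructed assumptions, and scope is counted the way the post suggests, as rows in the access matrix.

```python
"""Run the blast-radius formula (scope x lifetime) over a credential inventory.

Added example; the inventory and the TTL string format are constructed.
"""
import re

# Unit multipliers for TTL strings such as "5m", "12h", "7d", "90d".
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_ttl(ttl: str) -> int:
    """Convert a TTL like "7d" into seconds; reject anything malformed."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd])\s*", ttl)
    if not m:
        raise ValueError(f"bad TTL: {ttl!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def lifetime_ratio(old_ttl: str, new_ttl: str) -> float:
    """How many times smaller the lifetime term gets (7d -> 5m is 2016x)."""
    return parse_ttl(old_ttl) / parse_ttl(new_ttl)


def blast_radius(scope_rows: int, ttl: str) -> int:
    """Scope (rows in the access matrix) times lifetime (seconds)."""
    return scope_rows * parse_ttl(ttl)


def rank_inventory(inventory):
    """Sort (name, scope_rows, ttl) entries by blast radius, largest first."""
    scored = [(name, blast_radius(rows, ttl)) for name, rows, ttl in inventory]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed inventory. Note that the narrowest credential (3 repos) ends up
# with the largest blast radius purely because of its 90-day lifetime, while
# the wide 400-row session token is last because it lives for 5 minutes.
INVENTORY = [
    ("ci-deploy-pat", 3, "90d"),      # 3 repos, 90-day personal access token
    ("agent-session", 400, "5m"),     # 400 rows, short-lived STS-style session
    ("db-readonly-user", 12, "7d"),   # 12 tables, rotated weekly
]

if __name__ == "__main__":
    for name, radius in rank_inventory(INVENTORY):
        print(f"{name:20s} {radius:>12,d}")
```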
