Let me tell you the story of three weeks of my life I will never get back. We were building an AI agent on Amazon Bedrock: an autonomous system that manages infrastructure lifecycle operations. The agent worked perfectly in our sandbox. Time to deploy it to the enterprise environment. Should take an afternoon, right? It took three weeks.

## The Setup

To deploy a Bedrock Agent, you need to attach an IAM role, the execution role that Bedrock assumes on the agent's behalf when it invokes foundation models. Handing that role to the service requires the identity creating the agent to hold the `iam:PassRole` permission on it. Simple enough.

In our enterprise environment, there is a managed policy attached to every developer role. Let's call it `OrgDenyEscalation`. This policy contains an explicit deny on `iam:PassRole`:

```json
{
  "Effect": "Deny",
  "Action": [
    "iam:PassRole",
    "iam:CreateRole",
    "iam:AttachRolePolicy",
    "iam:DeleteRole"
  ],
  "Resource": "*"
}
```

The critical thing about IAM evaluation: explicit deny always wins.…
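To make the evaluation rule concrete, here is a simplified identity-policy evaluator written for this post (it is not the author's code and not how AWS implements evaluation internally). It models the three outcomes IAM can reach, explicit deny, explicit allow and implicit deny, with explicit deny short-circuiting everything else, and runs a developer policy that grants `iam:PassRole` on one specific role next to the `OrgDenyEscalation` statement from above. The account ID, role name and the developer's allow statements are constructed for the example; only `StringEquals` conditions are modelled.

```python
import fnmatch
import json

# Constructed: a developer policy that is as tight as you could reasonably ask for.
# It allows passing exactly one role, and only to the Bedrock service.
# (Account ID and role name are assumptions for this example.)
DEVELOPER_ALLOW = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "arn:aws:iam::123456789012:role/BedrockAgentExecutionRole",
      "Condition": {"StringEquals": {"iam:PassedToService": "bedrock.amazonaws.com"}}
    },
    {
      "Effect": "Allow",
      "Action": ["bedrock:CreateAgent", "bedrock:PrepareAgent"],
      "Resource": "*"
    }
  ]
}
""")

# The org-wide guardrail described in the post (OrgDenyEscalation).
ORG_DENY_ESCALATION = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["iam:PassRole", "iam:CreateRole", "iam:AttachRolePolicy", "iam:DeleteRole"],
      "Resource": "*"
    }
  ]
}
""")

AGENT_ROLE = "arn:aws:iam::123456789012:role/BedrockAgentExecutionRole"
BEDROCK_CTX = {"iam:PassedToService": "bedrock.amazonaws.com"}


def _as_list(value):
    """IAM lets Action/Resource/Statement be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM wildcard matching ('*' and '?') for actions and resource ARNs."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only the StringEquals operator is modelled; anything else is rejected loudly."""
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator not modelled: {operator}")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Simplified identity-based evaluation.

    Returns 'explicit deny', 'allow' or 'implicit deny'. A matching Deny statement
    ends evaluation immediately: no Allow anywhere in the policy set can override it.
    """
    context = context or {}
    decision = "implicit deny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt.get("Action", []), action):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"
            decision = "allow"
    return decision


def pass_role_outcomes():
    """The three decisions that explain the three weeks."""
    both = [DEVELOPER_ALLOW, ORG_DENY_ESCALATION]
    return {
        "developer policy alone": evaluate([DEVELOPER_ALLOW], "iam:PassRole", AGENT_ROLE, BEDROCK_CTX),
        "with OrgDenyEscalation": evaluate(both, "iam:PassRole", AGENT_ROLE, BEDROCK_CTX),
        "bedrock:CreateAgent with OrgDenyEscalation": evaluate(both, "bedrock:CreateAgent", "*", BEDROCK_CTX),
    }


if __name__ == "__main__":
    for scenario, decision in pass_role_outcomes().items():
        print(f"{scenario}: {decision}")
```

The second scenario is the whole problem: scoping the allow down to one role, one service and a `Condition` changes nothing, because the `Deny` on `"Resource": "*"` matches first and ends evaluation. The third scenario shows why the symptom is confusing in practice: `bedrock:CreateAgent` itself is allowed, so the failure only surfaces on the `PassRole` check inside that call. Against a real account, `aws iam simulate-principal-policy --policy-source-arn <developer-role-arn> --action-names iam:PassRole --resource-arns <agent-role-arn>` gives the same answer, including which statement produced the deny.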