Thanks for pointing out the risk of role separation for AI agents; that's a highly valuable observation! I totally agree that consolidating permissions into a single, god-mode AI identity is a major security loophole. If you don't keep the IAM roles distinct for the investigator bot (read-only) and the remediation bot (write/execute), you significantly increase the potential blast radius of a single compromise. Splitting identities early is the most effective way to enforce least privilege and maintain system integrity.
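
One way to check the separation described in the comment above, as an added example that is not part of the original comment: a small audit that flags a read-only agent identity holding mutating actions, and any identity with an unbounded wildcard. It assumes AWS-style IAM policy statements; the identity names, the `READ_VERBS` heuristic and the sample policies are constructed for illustration.

```python
# Added example: audit AWS-style IAM statements for agent role separation.
# Assumption: verbs in READ_VERBS are read-only; anything else can mutate.
READ_VERBS = ("Get", "List", "Describe", "Lookup", "Search", "BatchGet")


def allowed_actions(statements):
    """Yield every action granted by Allow statements (Action may be str or list)."""
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            yield "*"
            continue
        actions = stmt.get("Action", [])
        yield from ([actions] if isinstance(actions, str) else actions)


def is_read_only(action):
    verb = action.split(":", 1)[-1]      # "ec2:Describe*" -> "Describe*"
    return verb.startswith(READ_VERBS)   # "*" and "ec2:*" fall through to False


def audit(identities, read_only):
    """Return {identity: [finding, ...]} for identities that break separation."""
    findings = {}
    for name, statements in identities.items():
        issues = []
        for action in sorted(set(allowed_actions(statements))):
            if action.split(":", 1)[-1] == "*":
                issues.append(f"unbounded wildcard: {action}")
            elif name in read_only and not is_read_only(action):
                issues.append(f"read-only identity can mutate: {action}")
        if issues:
            findings[name] = issues
    return findings


# Constructed sample policies; the identity names are hypothetical.
SAMPLE = {
    "investigator-bot": [{"Effect": "Allow", "Action": [
        "logs:GetLogEvents", "ec2:DescribeInstances", "ec2:StopInstances"]}],
    "remediation-bot": [{"Effect": "Allow", "Action": "ec2:StopInstances"}],
    "ops-agent": [{"Effect": "Allow", "Action": "*"}],
}

if __name__ == "__main__":
    for name, issues in audit(SAMPLE, read_only={"investigator-bot"}).items():
        print(name, issues)
```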
