[Bug][cyber] Safety filter blocked routine cloud IAM policy review/configuration request (req_011Ccn3fyJzr74vV5BBGw6tv)

Open 💬 0 comments Opened Jul 7, 2026 by sworrl

Triage: kind cyber · domain cloud-iam · flagging model Sonnet 5 · severity session-halted (blocked authorized work) · reproducible: yes — server-side via the Request ID(s) below

Type: Cybersecurity safety-filter false positive · Work domain (heuristic): cloud-iam

Why this is a false positive

The message described legitimate cloud identity-and-access-management work — reviewing or adjusting IAM roles, policies, or permission grants — a standard administrative task with no exploit, intrusion, or offensive-security intent. The cybersecurity-topic safeguard triggered on IAM-related terminology alone, halting the session and requiring a workaround (new session or model change) for ordinary account-management work. This is a false positive that blocks in-scope defensive/administrative cloud work rather than any malicious use case.

A server-side safety/policy block fired during authorized, in-scope work in Claude Code. Filing as a false positive. Recurred 18× across 18 session(s); first seen 2026-07-06T16:45:20.657Z.

Request IDs (lookup-able server-side)

  • req_011Ccn3fyJzr74vV5BBGw6tv (2026-07-07T04:13:50.368Z)
  • req_011CcnFb4zKb4mLSs2aPbUhT (2026-07-07T06:50:06.488Z)
  • req_011Ccm9AiYP35wZYvf5jbWtw (2026-07-06T16:45:20.657Z)
  • req_011CcmDpirWbuqQSD8woYr6J (2026-07-06T17:46:22.373Z)
  • req_011CcmDqYaA7dS2mnrWKwjTZ (2026-07-06T17:46:32.818Z)
  • req_011CcmE1uuL7A4c3XhpU1uzk (2026-07-06T17:48:53.952Z)
  • req_011CcmE2oJErQsvpDUQRm7Pv (2026-07-06T17:49:05.875Z)
  • req_011CcmE4FfXezTY3RFbZ4YqF (2026-07-06T17:49:25.538Z)
  • req_011CcmE8ZhMTLK7csiLLbXWF (2026-07-06T17:50:23.913Z)
  • req_011Ccmawi23mqca2FKyA4cc2 (2026-07-06T22:23:19.677Z)
  • req_011CcmbBXkYfG7KFVEDgwGmW (2026-07-06T22:26:27.613Z)
  • req_011Ccmc2SJVfixYddipLpkpt (2026-07-06T22:37:31.006Z)
  • req_011Ccmch5wj1PZhgDLgPCZgE (2026-07-06T22:46:14.852Z)
  • req_011Ccmchtb8bctVc8fuCfJfn (2026-07-06T22:46:25.871Z)
  • req_011Ccmdt7rk5di1NvF3Zfcuf (2026-07-06T23:01:51.885Z)
  • req_011CcmdtsJfRzMP2aVr6iXNm (2026-07-06T23:02:01.551Z)
  • req_011CcmdugzL1avkUGuL38CV5 (2026-07-06T23:02:12.630Z)
  • req_011Ccme6oeEZBg3k6gEpgdH4 (2026-07-06T23:04:44.416Z)

In-scope justification

False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.

Block message

API Error: Sonnet 5's safeguards flagged this message for a cybersecurity topic. If your work requires this access, you can apply for an exemption: https://claude.com/form/cyber-use-case?token=[SCRUBBED]

Try rephrasing the request in a new session or change your model.

Learn more: https://support.claude.com/en/articles/8106465

Request ID: req_011Ccn3fyJzr74vV5BBGw6tv

Environment: Claude Code, Linux. · Work domain: cloud-iam

---
<sub>🔎 Filed automatically by ClAudit v2.0.105 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>

View original on GitHub ↗