One or more clients of a service may obtain access to resources of the service using one or more roles. A role may be used to delegate access to resources that a client normally would not otherwise have access to. A system of the service may be used to detect the occurrence of an event associated with a principal that has assumed a role to obtain a token that enables access to a computing resource. The system may prevent one or more principals from use of the token for future access to the resource, and may update permissions associated with the role to prevent one or more principals from assuming the role.