Least privilege for agents lives at three layers, not one

Scoping the agent is not enough. You scope the agent, the tools it holds, and the individual actions each tool can take.

B

Balagei G Nagarajan

3 MIN READ


Three nested permission rings labeled agent, tool, and action each tightened
Deny-by-default at every layer makes the catastrophic action not just discouraged but impossible.
— from “Least privilege for agents lives at three layers, not one”

Key facts.

  • OWASP Excessive Agency covers excess function, permission, or autonomy at any layer of the agent stack (OWASP, 2025).
  • Replit added automatic dev and prod separation after its incident, least privilege enforced at the resource layer (The Register).
  • Deny-by-default at each layer means an action is impossible unless explicitly allowed, the opposite of an agent that can do anything its tools expose.

Why isn't scoping the agent enough?

Because a narrowly-scoped agent holding a broadly-capable tool still inherits the tool's reach. Give a customer-support agent a database tool that can run any query, and you have scoped the agent but not the action. Real least privilege tightens all three: the agent only has the tools it needs, each tool only exposes the actions it needs, and each action only touches the resources it needs. Deny-by-default at every layer makes the catastrophic action not just discouraged but impossible.

Tree diagram branching from agent to tools to actions with allow-listed leaves only

Single-layer vs. three-layer least privilege

Single-layerThree-layer
Agent scoped, tools broadAgent, tool, and action all scoped
A broad tool re-opens the riskDeny-by-default at every layer
Excessive agency persistsCatastrophic action is impossible

OWASP names Excessive Agency because too much permission at one layer is enough; a stronger model won't fix it: 57 on WildToolBench, none past 15%. (OWASP, 2025)

VibeModel's Pattern Intelligence Layer watches across all three layers and flags when an agent reaches for a tool or action outside its allow-listed pattern, so a gap at any layer is caught. You enforce deny-by-default at agent, tool, and action; we catch the moment something tries to exceed it. Least privilege is only as strong as its weakest layer, so tighten all three.

Frequently asked questions

Which layer is most often missed?
The action layer. Teams scope agents and tools but expose tools that can do far more than the task needs. Lock the actions too.

Is deny-by-default too restrictive?
No. It is the secure default. Start from nothing allowed and add exactly what the task requires, rather than removing dangers one at a time.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.