Deny by default, allow on purpose: the only safe posture for agent permissions

Start the agent with nothing and add exactly what it needs. The alternative is removing dangers one incident at a time.

B

Balagei G Nagarajan

3 MIN READ


An agent starting from an empty permission set with specific actions added to an allow-list
Deny-by-default is the posture under which it simply could not.
— from “Deny by default, allow on purpose: the only safe posture for agent permissions”

Key facts.

  • 53% of organizations reported agent scope violations, the predictable result of permissive defaults (CSA, 2025).
  • OWASP Excessive Agency names broad permissions, functions, and autonomy as a top-10 LLM risk (OWASP, 2025).
  • Deny-by-default with explicit allow-lists makes a dangerous action impossible unless someone deliberately enabled it.
  • Broad access trimmed reactively is how 53% saw violations, OWASP's Excessive Agency, and deny-by-default outlives a stronger model: 57 models, none past 15%. (CSA, 2025)

Why is deny-by-default better than blocking known dangers?

Because you cannot enumerate every danger in advance. A block-list defends against the threats you thought of and leaves the rest open, and agents are creative enough to find the rest. An allow-list inverts the burden: the only actions available are the ones you explicitly approved, so a novel or unexpected dangerous action is denied by default because no one allowed it. The 2025 incidents all involved actions the agent should never have been able to take. Deny-by-default is the posture under which it simply could not.

Matrix contrasting deny-by-default allow-listing against allow-by-default block-listing

Allow-by-default vs. deny-by-default

Allow-by-defaultDeny-by-default
Everything open, dangers removed reactivelyNothing open, actions added deliberately
Unknown dangerous actions allowedUnknown actions denied by default
Scope violations commonOut-of-scope actions impossible

VibeModel's Pattern Intelligence Layer reinforces deny-by-default by flagging when an agent reaches for anything outside its allow-listed pattern, so even a misconfiguration is caught. You start from nothing and allow on purpose; we catch the moment an agent tries to act beyond what you allowed. Secure defaults turn the agent's worst case from a catastrophe into a denied request.

Frequently asked questions

Isn't allow-listing more work to set up?
Up front, a little. It is far less work than chasing scope violations and incidents, and it is the only posture that covers the dangers you did not anticipate.

What do I allow-list first?
The minimal set of tools and actions the task needs. Everything else stays denied until a real requirement justifies adding it.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.