Least Privilege
definition
The principle of least privilege dictates that agents should be granted only the minimum permissions and access needed to complete their assigned task — no more. This is the foundational security principle for agentic systems because agents are inherently unpredictable: even a well-designed agent can be manipulated through prompt injection, make reasoning errors, or encounter unexpected edge cases that lead to unintended actions. In practice, least privilege means giving a code review agent read-only repository access (not write), limiting a database agent to SELECT queries (not DELETE), and ensuring file system agents operate within scoped directories (not root). The key architectural insight is that permissions should be task-scoped, not agent-scoped — the same agent might need different permissions for different tasks, and hardcoding broad permissions because "the agent sometimes needs them" is the fastest path to a security incident. This concept connects to permission models for implementing fine-grained access controls, tool sandboxing for execution-level isolation, human-in-the-loop for approving permission escalation, and MCP client roots for scoping agent access at the protocol level.
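A task-scoped authorization gate illustrating the three cases above (read-only repository access, SELECT-only database access, file access confined to a scoped directory). This is an added example, not code from the original page; the task names, tool names and `/work/...` directories are constructed for illustration.

```python
import posixpath
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class TaskGrant:
    """Permissions attached to one task, not to the agent as a whole."""
    repo_write: bool = False
    sql_statements: FrozenSet[str] = frozenset()   # e.g. {"SELECT"}
    fs_root: Optional[str] = None                  # directory the task may touch

# Constructed policy table: each task gets exactly what it needs, nothing more.
TASK_GRANTS: Dict[str, TaskGrant] = {
    "code_review": TaskGrant(repo_write=False, fs_root="/work/repo"),
    "sales_report": TaskGrant(sql_statements=frozenset({"SELECT"})),
    "log_cleanup": TaskGrant(fs_root="/work/logs"),
}

def authorize(task: str, tool: str, args: dict) -> Tuple[bool, str]:
    """Return (allowed, reason) for a tool call made while serving `task`. Default deny."""
    grant = TASK_GRANTS.get(task)
    if grant is None:
        return False, f"unknown task {task!r}: default deny"
    if tool == "repo_write":
        return (True, "ok") if grant.repo_write else (False, "task is read-only on the repository")
    if tool == "sql_query":
        stmt = args.get("query", "").strip()
        # Only the leading keyword is inspected, so multi-statement strings are rejected outright.
        if ";" in stmt.rstrip(";"):
            return False, "multi-statement queries are not allowed"
        verb = stmt.split(None, 1)[0].upper() if stmt else ""
        if verb in grant.sql_statements:
            return True, "ok"
        return False, f"statement type {verb or '<empty>'} not granted for this task"
    if tool in ("read_file", "write_file"):
        if grant.fs_root is None:
            return False, "task has no file system access"
        # Normalize so that '..' components (or an absolute path) cannot escape the scoped directory.
        target = posixpath.normpath(posixpath.join(grant.fs_root, args.get("path", "")))
        root = grant.fs_root.rstrip("/")
        if target == root or target.startswith(root + "/"):
            return True, "ok"
        return False, f"path {target} escapes {grant.fs_root}"
    return False, f"tool {tool!r} not granted for this task"
```

The same agent serving `code_review` and `log_cleanup` gets a different `fs_root` for each, which is what task-scoped (rather than agent-scoped) permissions mean in practice.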