Skip to content

Least Privilege for AI Agents: What It Bounds, and What It Can't

TL;DR

  • Least privilege for an AI agent grants the agent's identity only the tools, scopes, resources, and lifetime a task needs — so a tricked agent can do as little harm as possible. It is the action-layer answer to credential misuse, distinct from the secret-wrapper defenses that address theft.
  • Enforce it where the model can't talk its way around it: at the tool-invocation boundary, via a policy decision point (OPA, Cedar, Cerbos) that authorizes each call. Add short-lived/JIT credentials to shrink the misuse window, and human approval on consequential actions.
  • Every one of these bounds the blast radius of a tricked agent. None of them decides intent. A policy engine authorizes the action, not the purpose; an authorized, in-scope call can itself be the attack.
  • That is the confused-deputy ceiling. Capability-based least privilege solves the classic 1988 confused deputy; it cannot solve the semantic one, where the agent legitimately holds the authority and is tricked into abusing it — demonstrated against production by Anthropic's Files-API exfiltration.

Least privilege for an AI agent limits the actions an authorized credential may perform. It does not decide whether the agent should perform them. That gap — between may and should — is the whole subject of this article.

Least privilege is not controversial advice. Every identity vendor, every security guide, every cloud provider says the same four things: give an agent its own identity, scope its permissions to the task, make its credentials short-lived, and grant no standing privilege. That advice is correct, and this article assumes you will follow it.

The honest question is what it buys you. Least privilege is a containment control: it decides how much damage a compromised agent can do, not whether the agent gets compromised. For an AI agent — a program that acts on natural-language instructions it cannot reliably separate from data — that distinction is the whole game. This piece walks the layers of least privilege an agent actually needs, and then names the ceiling that every layer shares: the point where a correctly-scoped, correctly-authorized action is itself the attack.

What is least privilege for an AI agent?

Least privilege for an AI agent means granting the agent's identity only the permissions a task requires — the narrowest set of tools, scopes, resources, and lifetime — so that a compromised or tricked agent can do as little damage as possible. It is the same principle that governs any account, applied to a new kind of principal: an autonomous program whose next action is chosen by a language model.

The reason it matters more for agents than for ordinary software is that an agent's control flow is steerable by its input. A traditional service does what its code says. An agent does what its context tells it — and its context includes web pages, documents, tool outputs, and emails it was asked to process. Least privilege is how you make sure that when that steering goes wrong, the agent is holding as little power as possible.

Least privilege bounds misuse, not theft

Two failure modes must be kept apart. Credential theft means an attacker obtains the secret the agent uses. Credential misuse means the agent, holding a valid credential, is induced to use it for the wrong action. They call for different defenses, and confusing them is how security stories go wrong.

The cluster's trust-model spectrum maps the theft side: vaults, short-lived identity, confidential computing, and never-in-context resolution each raise the bar against an attacker reading the key. Least privilege answers the other side. It assumes the agent will hold and use a credential, and it bounds what that credential can do. The two compose — you want both — but only least privilege touches misuse, and misuse is the failure mode an agent's steerable control flow makes routine.

OWASP names the split at the standards level. NHI2:2025 "Secret Leakage" is the theft item; NHI5:2025 "Overprivileged NHI" is the misuse item, and it uses the phrase verbatim: excessive privileges "beyond their functional requirements" unnecessarily expand "the potential blast radius" (OWASP NHI Top 10, 2025). Agents are non-human identities, and non-human identities are systematically over-permissioned.

How do you enforce least privilege on an agent's actions?

The wrong place to enforce it is inside the model. A system prompt that says "never delete production data" is a request, not a control — and, as Cerbos puts it after the Meta AI incident, "guardrails written in natural language can be dismantled in natural language" (Cerbos, 2026-06-03).

The right place is the tool-invocation boundary. An agent affects the outside world only by calling tools through an orchestrator; AWS, describing its Cedar-based enforcement in Bedrock AgentCore, puts the point bluntly: "The LLM can't affect the external world directly: it has to go through an orchestrator that invokes tools… This is precisely where the controls must be applied," because controls at the LLM layer "can be bypassed by prompt injection or hallucination" (AWS, 2026-05-20).

Mechanically, this is the decades-old policy decision point / policy enforcement point (PDP/PEP) pattern, now mapped onto agent tool calls. A PEP — a gateway, a sidecar, or the MCP server itself — intercepts each call and asks a PDP for an allow/deny on the specific principal, action, resource, and context. "The MCP server simply becomes a policy enforcement point: it asks [the PDP] for a decision and abides by it" (Cerbos, 2025-09-28).

Those four inputs are all a policy sees. A decision request for a single MCP tool call looks roughly like this:

yaml
principal: agent-session-123
action: call_tool
resource: crm.search_contacts
context:
  user_role: support_rep
  ticket_id: T-9182
  approved: false

The engine returns allow or deny on that record — and on nothing else.

OPA/Rego vs Cedar

The dominant PDP engines all externalize authorization from application code. OPA (Open Policy Agent), a graduated CNCF project, uses the Rego language and is among the most general-purpose, spanning infrastructure-wide authorization. AWS Cedar is application-level, human-readable, deny-by-default, and formally analyzable (Oso, 2025-10-28). Cerbos (YAML + CEL) ships first-class MCP patterns; Permit.io and OpenFGA cover authorization-as-a-service and relationship-based (Zanzibar-style) models. Cedar is a leading choice for agent and MCP authorization, alongside those — not the only one.

Cedar's formal analysis is real, not marketing: it was built with verification-guided development, Dafny-based automated reasoning, and differential testing (Amazon Science, 2023). But it proves policy equivalence — that a policy means what it says — not completeness. A provably-correct policy still authorizes any action the policy author anticipated and allowed. Hold that thought; it is where the ceiling begins.

The concrete blast-radius mechanism underneath all of this is per-tool, per-skill scoping: an agent session should start with no tools enabled and enable them selectively by role and context, with a narrow token per resource. That rung is correct and commodity. The value is not in restating it; it is in the enforcement boundary above and the ceiling below.

Least privilege in time: JIT and short-lived credentials

Scoping bounds what a credential can do; short lifetime bounds how long. Just-in-time and short-lived credentials — AWS STS temporary credentials, GCP service-account impersonation, SPIFFE/SPIRE SVIDs, per-request injection — are short-lived: seconds to about an hour by default, though some (AWS STS, GCP impersonation) are configurable up to 12 hours. Short lifetime collapses the value of a stolen credential and shrinks the window in which a compromised agent operates.

There is a trap, and it is worth stating because vendors rarely do. A short-lived token that silently auto-renews needs a refresh credential, and that refresh credential is long-lived. As Cequence's CTO writes in a section titled "Short-Lived Tokens Do Not Solve This": "The refresh token becomes a long-lived credential by another name. It still needs to be stored somewhere, and that somewhere is the exact surface area that attackers are already targeting" (Cequence, 2026-04-16). Short-lived is only real if the thing that renews the credential is not sitting next to the agent. GCP's impersonation flow, which issues a one-hour token with no refresh token at all, is the counter-pattern.

Sender-constrained tokens harden the same seam against theft: DPoP (RFC 9449, 2023-09) binds a token to a client key, mTLS-bound tokens (RFC 8705, 2020-02) bind it to a certificate, and Resource Indicators (RFC 8707, 2020-02) restrict its audience — the MCP authorization spec makes RFC 8707 mandatory (MCP, 2025-06-18). All of these answer "who can use this token," not "what should this identity do." They stop replay and theft; they are orthogonal to whether the legitimate holder's call is malicious.

What is an overprivileged non-human identity?

An overprivileged non-human identity is a machine principal — a service account, an API key, an agent — that holds more permission than its function requires. It is the default state, not the exception: credentials accumulate scopes, rarely lose them, and often outlive the workload that needed them. That is why least privilege is a reduction exercise, and why OWASP treats over-privilege (NHI5) as its own top-ten risk distinct from leakage (NHI2).

For agents, the structural problem is sharper: agents frequently don't get their own identities at all — they inherit a human's or a service's broad credential and act under it. Fixing that — a distinct identity per agent, scoped to the agent's job — is the precondition for every other control on this page. You cannot apply least privilege to a principal that doesn't exist.

Does least privilege stop prompt injection?

No — and this is the honest hinge of the article. Least privilege limits the damage an injected instruction can cause. It does not prevent the injection, and it does not decide the agent's intent.

The governing frameworks point the same way. OWASP's prompt-injection guidance recommends "human-in-the-loop controls for privileged operations" while conceding "it is unclear if there are fool-proof methods of prevention for prompt injection" (OWASP LLM01:2025). MITRE ATLAS lists human-in-the-loop approval as a mitigation for exfiltration via tool invocation (AML.M0029): requiring user confirmation of an agent's tool calls can stop them executing automatically (MITRE ATLAS, AML.T0086). A mitigation, by definition, reduces the risk rather than removing it. And OWASP's Excessive Agency entry states the boundary in our exact terms: its mitigations "limit the level of damage caused" rather than prevent it (OWASP LLM06:2025).

"Reduces the damage" is the correct claim for every least-privilege control. "Prevents the attack" is not.

The confused-deputy ceiling: what least privilege can't cross

Here is the distinction a careful reader — and a careful attacker — will hold you to. A confused deputy is a trusted program tricked into misusing authority it legitimately holds (Hardy, 1988). The classic confused deputy has a known fix: capability-based least privilege resolves it — where the system can actually remove ambient authority — by bundling designation with permission, so the deputy cannot be confused about whose authority it is exercising. If you take one thing from this article's sourcing, it is that least privilege genuinely solves that case — so do not claim it fails there.

The ceiling is the semantic variant, and it is specific to agents. The agent is not confused about whose authority applies; it holds its own, correctly-scoped authority. It is confused about what it should do with it, because it cannot distinguish an instruction hidden in the content it processes from a legitimate one. A policy engine authorizes the action — this principal, this tool, this resource — and can only block what its policy can express and anticipate. It cannot authorize intent, because intent is not one of its inputs. As the Cloud Security Alliance puts it, in a confused-deputy prompt injection "there is no exploitation of a memory safety flaw or authentication bypass — the agent is simply doing what it was designed to do" (CSA, 2026-03-23).

The clearest proof is Anthropic's own. An indirect prompt injection made Claude upload workspace files to an attacker's account through the allowlisted api.anthropic.com endpoint, using an attacker-supplied key — an authorized, in-scope, least-privileged network call that was itself the exfiltration. Anthropic's conclusion: "every function reachable through any domain on an allowlist is now an attack surface" (Anthropic, May 2026). The independent researcher who first demonstrated it noted the upload "will not happen to the user's Anthropic account, but to the attackers," and that it "worked at the very first try" (Embrace The Red, 2025-10-28). Tellingly, the fix was more least privilege — a proxy that forwards only requests bearing the sandbox's own session token — not an escape from the ceiling. An in-scope call within the tightened boundary is still not intent-checked.

There is a deeper reason a policy language cannot close this. Its decisions are made on principal, action, and resource; the attack lives in data flow those attributes don't capture — an allowed read plus an allowed write, each fine alone, that together exfiltrate. Whether engines like Cedar or OPA can express cross-call, taint-tracking policy today is unresolved, and largely they cannot. The strongest research direction, CaMeL, enforces capabilities on data flow itself and still trades utility for the guarantee — 77% of tasks solved with provable security against 84% undefended (arXiv:2503.18813) — while the design-patterns survey concludes it is "unlikely that general-purpose agents can provide meaningful and reliable safety guarantees" with today's models (Beurer-Kellner et al., 2025). Google's security team lands in the same place: least privilege is "a traditional 1980s-style security control [that] delivers high value for securing 2020s AI agents," yet no single layer, including the model's own judgment, is sufficient (Google Cloud, 2025-06-13).

The ceiling is not a failure of implementation; it is a limit of the authorization model. Least privilege is necessary, and it is the strongest action-layer control you have. It bounds the blast radius. It does not decide intent. Build it fully — and design as if the in-scope call can still be the attack, because it can.

Where Mnemoverse fits

Least privilege governs an agent's actions. The other half of the confused-deputy problem is the content that steers those actions — the poisoned document or memory that carries the injected instruction. Mnemoverse is building persistence for agents with provenance on what it stores, so a downstream agent can weigh "the user asked for this" against "a source with unknown input provenance asked for this." It does not decide intent either; nothing does. It is a content-layer complement to the action-layer controls here, available to evaluate alongside the authorization and scoping every agent deployment already needs.

Common questions

What is least privilege for an AI agent?

Least privilege for an AI agent means granting the agent's identity only the permissions a task actually requires — the narrowest tools, scopes, resources, and lifetime — so that a compromised or tricked agent can do as little damage as possible. It is an action-layer control: it bounds what a valid, authorized credential is allowed to do, which is a different problem from stopping the credential being stolen.

How do you enforce least privilege on an agent's actions?

Enforce it at the tool-invocation boundary, not inside the model. The agent reaches the outside world only by calling tools through an orchestrator, so a policy enforcement point (PEP) intercepts each call and asks a policy decision point (PDP) — OPA/Rego, AWS Cedar, Cerbos, or similar — for an allow/deny on the specific principal, action, resource, and context. Controls written into the system prompt can be undone by prompt injection; a policy engine outside the model cannot be talked out of its decision.

OPA vs Cedar for agent authorization — which policy engine?

Both externalize authorization from application code. OPA (Open Policy Agent, CNCF) uses Rego and is among the most general-purpose, spanning infrastructure-wide authorization. AWS Cedar is app-level, human-readable, deny-by-default, and formally analyzable — you can prove two versions of a policy are equivalent, though not that the policy set is complete against an unanticipated action. Cerbos (YAML + CEL) ships first-class MCP patterns. Cedar is a leading choice for agent and MCP authorization, alongside OPA, Cerbos, and OpenFGA — pick on expressiveness, deployment model, and whether you need formal analysis.

Do short-lived or JIT credentials fix an over-privileged agent?

They shrink the window: short-lived and just-in-time credentials (AWS STS, GCP impersonation, SPIFFE SVIDs, per-request injection) reduce a stolen credential's value by expiring it fast. But they do not decide whether an in-flight, still-valid call is legitimate, and they carry a trap — a refresh token that renews them becomes, in Cequence's words, "a long-lived credential by another name," stored on the same surface attackers target. Short-lived is not the same as safe.

Does least privilege stop prompt injection?

No. Least privilege limits the damage an injected instruction can cause; it does not prevent the injection or decide the agent's intent. OWASP and MITRE both frame human-in-the-loop and scope limits as controls that reduce, but do not eliminate, the risk. An agent holding perfectly scoped, short-lived, sender-constrained credentials can still be steered into an authorized, in-scope action that is itself the attack.

What is the confused-deputy ceiling for AI agents?

A confused deputy is a trusted program tricked into misusing authority it legitimately holds. Capability-based least privilege solves the classic 1988 version by removing ambient authority. The ceiling is the semantic variant unique to agents: the agent genuinely holds the capability and is tricked, through natural-language content it can't distinguish from instructions, into an authorized-but-malicious use. No amount of scoping decides whether an allowed action is malicious — that is the limit least privilege cannot cross.

Sources

Standards & foundational

Policy engines & enforcement

JIT / credentials

The ceiling


Mnemoverse Library — persistent memory for AI agents, written for engineers who need memory to be useful, bounded, and verifiable.