Least privilege for AI agents

    Most AI agents are over-permissioned. They inherit the full access of whoever deployed them, then decide at runtime — by model inference — what to do with it. Least privilege is the fix everyone agrees on. The hard part is enforcing it on a system that acts on its own.

    The 2026 OWASP AI Agent Security Top 10 names this directly: excessive agency and improper access control are top-tier risks. An agent with read/write access to your systems doesn't need all of it to do one task — but nothing stops it from using all of it.

    Why authentication isn't enough

    Giving an agent an identity tells you who is acting. That is authentication, and it doesn't bound what the action may do; the bound is an authorization question. Least privilege for agents means scoping each action to only what its task requires — which tools, which data, which spend, under which conditions — and enforcing that before the action runs, not reviewing it after.

    How Keel enforces least privilege per action

    Keel sits in the request path and issues a permit before each AI action — a fail-closed authorization decision against the policy you define. An action outside the agent's permitted scope doesn't get a permit, so it never reaches the provider or the tool.

    • Task-scoped — permit by tool, model, data scope, and spend, not a blanket grant
    • Fail-closed — if the action isn't explicitly allowed, it's denied
    • Bounded by policy, not inference — the boundary is your rule, evaluated deterministically, not the agent deciding for itself
    • Provable — every allow and deny is recorded as tamper-evident, independently verifiable evidence
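    As an added illustration of the four properties above (not Keel's code or API, which this page does not show), here is a small Python permit gate: each action is checked against a declared rule by tool, model, data scope and cumulative spend, anything not explicitly allowed is denied, and every allow and deny is appended to a hash-chained log that a second party can re-verify without trusting the gate. The policy shape, the task name invoice-triage, the field names and the sample actions are all constructed for this example.

```python
# Added illustration (not Keel's code): a fail-closed, per-action permit gate
# with a hash-chained decision log. The policy fields (tools, models,
# data_scopes, spend_limit_usd), the task name and the sample actions are all
# constructed for this example.
import hashlib
import json
from dataclasses import asdict, dataclass

GENESIS = "0" * 64  # chain anchor for the first log entry

# Assumed policy: one rule per task. Anything not listed here is denied.
POLICY = {
    "invoice-triage": {
        "tools": {"read_inbox", "lookup_vendor"},
        "models": {"small-model-v1"},
        "data_scopes": {"mailbox:finance-inbox", "db:vendors:read"},
        "spend_limit_usd": 2.00,  # cumulative budget for the task
    }
}


@dataclass(frozen=True)
class Action:
    task: str
    tool: str
    model: str
    data_scope: str
    cost_usd: float


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class PermitGate:
    """Evaluates each action against the policy before it runs; fail-closed."""

    def __init__(self, policy):
        self.policy = policy
        self.spent = {}  # task -> cumulative spend of permitted actions
        self.log = []    # each entry commits to the previous entry's hash

    def evaluate(self, action: Action) -> Decision:
        rule = self.policy.get(action.task)
        if rule is None:
            return Decision(False, "no policy for task")
        if action.tool not in rule["tools"]:
            return Decision(False, f"tool {action.tool!r} not permitted")
        if action.model not in rule["models"]:
            return Decision(False, f"model {action.model!r} not permitted")
        if action.data_scope not in rule["data_scopes"]:
            return Decision(False, f"data scope {action.data_scope!r} not permitted")
        projected = self.spent.get(action.task, 0.0) + action.cost_usd
        if projected > rule["spend_limit_usd"]:
            return Decision(False, f"spend {projected:.2f} exceeds task limit")
        return Decision(True, "within task scope")

    def permit(self, action: Action) -> Decision:
        """Decide, charge spend only on allow, and record every outcome."""
        decision = self.evaluate(action)
        if decision.allowed:
            self.spent[action.task] = self.spent.get(action.task, 0.0) + action.cost_usd
        self._record(action, decision)
        return decision

    def _record(self, action: Action, decision: Decision) -> None:
        prev = self.log[-1]["hash"] if self.log else GENESIS
        entry = {"prev": prev, "action": asdict(action), **asdict(decision)}
        entry["hash"] = _digest(entry)
        self.log.append(entry)


def _digest(entry: dict) -> str:
    """Canonical SHA-256 over the entry fields, excluding the hash itself."""
    content = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(content, sort_keys=True).encode()).hexdigest()


def verify_log(log: list) -> bool:
    """Independent check: recompute each hash and confirm the chain links."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or _digest(entry) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def demo():
    """Run five constructed actions, then check the log intact and tampered."""
    gate = PermitGate(POLICY)

    def act(tool, scope, cost):
        return Action("invoice-triage", tool, "small-model-v1", scope, cost)

    results = [
        gate.permit(act("read_inbox", "mailbox:finance-inbox", 0.75)),  # allow
        gate.permit(act("send_payment", "db:payments:write", 0.0)),     # deny: tool
        gate.permit(act("lookup_vendor", "db:vendors:write", 0.75)),    # deny: scope
        gate.permit(act("lookup_vendor", "db:vendors:read", 0.75)),     # allow (1.50 spent)
        gate.permit(act("lookup_vendor", "db:vendors:read", 0.75)),     # deny: 2.25 > 2.00
    ]
    intact = verify_log(gate.log)
    tampered = json.loads(json.dumps(gate.log))
    tampered[1]["allowed"] = True  # rewrite a deny as an allow after the fact
    return results, intact, verify_log(tampered)
```

    Two points to notice. The decision depends only on the rule and the action, so anyone holding the policy can recompute it; the agent's reasoning never enters the evaluation. And spend is charged only when a permit is issued, so a denied action cannot consume budget. The hash chain makes tampering detectable, not impossible: for the log to count as evidence under review, its head hash has to be anchored somewhere the operator cannot rewrite, which this example does not show.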

    That last point is the difference between claiming least privilege and being able to demonstrate it under review.

    Frequently asked questions

    What is least privilege for AI agents?

    Restricting each AI agent's actions — tool access, data scope, and spend — to only what its specific task requires, enforced before each action runs. Keel issues a per-action permit that denies anything outside the agent's permitted scope.

    Why are AI agents usually over-permissioned?

    Agents typically inherit the full permission set of the human or account that deployed them, then decide at runtime what to do with it. Without a per-action boundary, nothing restricts them to the minimum their task needs — the OWASP AI Agent Security Top 10 calls this excessive agency.

    How do you prove an AI agent operated under least privilege?

    Keel records each permit decision as tamper-evident, independently verifiable evidence, so you can demonstrate to an auditor exactly what each agent was authorized to do and what it actually did — without trusting Keel.