Back to course overview
Module 4Access & identity governance 20 min

Lab: Access review

Audit the Harbor Lane AI for excessive agency, narrow every over-broad permission, add the append-only action log, and produce a least-privilege report.

A hands-on access review — the security assessment that finds the excessive agency your injection lab proved was dangerous. You'll inventory permissions, narrow them to least privilege, and instrument the audit trail that keeps them honest.

Step 1 — Inventory permissions

  1. 1List every tool the agent has and its actual reach: what can it read, what can it write, at what scope, with what credential.
  2. 2For each, apply the module's question: if fully compromised, worst case? Flag every tool where the answer is worse than the task requires — you'll likely find the refund tool unlimited, the DB tool table-wide, an unused tool present, credentials over-broad.
  3. 3Rank findings by blast radius. This is a real least-privilege assessment.

Step 2 — Narrow to least privilege

  1. 1Refund tool: code-side amount limit + order-total check + idempotency (confirm your Module 2 fix is here). Above the limit → propose/escalate, never auto.
  2. 2DB tools: drop to parameterized lookups scoped to the requesting customer (row-level), read-only credential (the cross-user fix, formalized).
  3. 3Remove unused functionality: any tool the current function doesn't need, delete from the suite — attack surface removed is attack surface you don't defend.
  4. 4Credentials: separate per integration, least-privilege, moved to a secret store, encrypted. No secret reachable by the model.

Step 3 — The audit log

  1. 1Add an append-only log capturing every tool action: action, args, on-whose-behalf, validator result, outcome, timestamp, trace id.
  2. 2Run a batch of tasks (some benign, some your Module 2/3 attacks). Then use the log: query it for 'all refund actions', 'all access to customer data', 'all guardrail rejections'. Confirm you can reconstruct exactly what the AI did.
  3. 3Add one detection: alert if refunds in a window exceed a threshold, or if guardrail rejections spike (probing). Trigger it with an attack run.

Step 4 — The report

Write the access-review section of your assessment: the before/after permission table (what it could do → what it can do now), the removed functionality, the credential fixes, and the audit/detection now in place. Update THREAT-MODEL.md: excessive-agency threats mitigated, with the worst-case-if-compromised now bounded for each tool. This report is a capstone deliverable in miniature.

Problem set 4

In the workbook: an agent's tool manifest riddled with excessive agency — a write-capable DB credential on a 'lookup' tool, an unused email tool, an unlimited refund tool, a shared admin key. Score each by blast-radius, prescribe the least-privilege fix, and identify which single change most reduces total risk.