Least privilege
The principle that contains every other failure: minimizing what the AI and its tools can reach, excessive agency as a vulnerability class, and scoping identity to the task.
You've now seen the pattern three times: injection is survivable, leakage is contained, and damage is bounded — all because the AI couldn't reach or do more than its task required. That's least privilege, and it's the single most important idea in AI security, because it's the layer that holds when every model-level defense fails. This module makes it a discipline.
Excessive agency: OWASP's name for too much power
Excessive agency is when an AI system can do more than its function requires — more tools, more permissions, more data reach — so that any compromise (injection, jailbreak, a confused trajectory, a plain bug) escalates into real damage. It has three flavors, all worth hunting:
- Excessive permissions: a tool with write access when the task only reads; a database credential that can touch every table when the task needs one customer's orders. The refund tool that can refund any amount to any order.
- Excessive functionality: tools the agent doesn't need for its job but could be talked into misusing — a general
run_sqlwhen three parameterized lookups would do, an email tool on a read-only assistant. - Excessive autonomy: the agent acts without approval on things that should be gated. The autonomy dial from Agentic AI, left at max.
Applying least privilege to an AI system
- 1Scope every tool to the minimum. Read-only where possible; write tools with code-side limits; the database at the lowest rung of the access ladder that works (parameterized lookups over raw SQL). You built this instinct in Agentic AI M3 — now it's a security requirement, not a nicety.
- 2Scope identity to the request. The agent acting on Customer A's ticket should hold Customer A's data scope and no more — row-level, per-task, so a compromise can't wander the whole dataset. (The cross-user fix from Module 3 was this principle.)
- 3Separate read from write. The read-worker/write-actor split concentrates all dangerous permissions in one small, heavily-guarded component, so the open-ended reasoning happens somewhere that can't act. Architecture as least privilege.
- 4Prefer allowlists to blocklists. Enumerate what's permitted and deny the rest; a blocklist is a bet you thought of every bad thing, and you didn't.
For every capability the AI has, ask: if this were fully compromised right now, what's the worst it could do? If the answer is 'drain an account' or 'read every customer', the privilege is too broad — narrow it until the worst case is survivable. Least privilege is just that question, asked relentlessly, and answered in code.