Which practices reflect the principle of least privilege applied to an agent's tool set?
Least privilege for agents means scoping tools to the task, sandboxing what tools can touch, and gating irreversible actions. More tools or a bigger model do not shrink the perimeter.
Imagine hiring a contractor to fix one window. You would not hand them keys to every room, the safe, and the company bank account just in case. You give them the one key they need, you stay nearby while they work on anything that cannot be undone, and you make sure the room they are in does not connect to places they should never reach. An AI agent is the contractor, and its tools are the keys. Least privilege means giving the agent only the keys the current job requires, fencing off everything else with locked doors, and standing by to approve anything permanent like deleting files or sending money. Handing over the whole keyring because the agent seems smart does not make the building safer. It just means a mistake or a trick can reach more rooms.
Detailed answer & concept explanation~8 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
Define least privilege for agents, separate which tools can be called from what a called tool can touch, classify the three correct controls, explain why a bigger model and over registration fail, and close with the prompt injection threat model plus production layers like egress allowlists and output filtering.
Real products, models, and research that use this idea.
- Anthropic's Claude computer use ships behind a sandboxed container and recommends human confirmation before consequential actions, since the desktop tool can click anything on screen.
- Model Context Protocol servers expose typed, explicitly registered tools per session, so a client like Claude Desktop grants an agent only the tool surface a given workflow declares.
- Code execution sandboxes like e2b microVMs and Modal containers run untrusted agent generated code with restricted filesystem and network egress, containing what a hijacked tool can reach.
- GitHub Copilot's coding agent and Cursor route irreversible operations such as branch pushes or destructive shell commands through explicit user approval rather than running them silently.
What an interviewer would ask next. Try answering before peeking at the approach.
QWhy does prompt injection make capability based defences like a smarter model fundamentally insufficient?
QHow would you design the reversible versus irreversible classification so it stays correct as tools evolve?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Treating a smarter or larger model as a security control. Reasoning quality does not shrink the blast radius. An over permissioned agent stays dangerous no matter how capable the underlying model is.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.