What is the right permission model for an agent with read-docs, run-SQL, and Slack-send tools?
Same topic, related formats. Practice these next.
Same topic, related formats. Practice these next.
Per-tool scoped credentials, never a shared admin token, with human approval on irreversible or broadcasting actions. The credential bounds damage, not the prompt.
Imagine an intern on day one. You do not hand them the master key to the office, the company credit card, and the all hands email account at the same time. You hand them a key to the supply closet for the supply task, a read-only badge for the records task, and you ask before they email the whole company. An agent is the same. You decide what it can do by what you hand it, not by hoping it will be careful. Read tools get a read-only key. Database tools get a key that cannot delete anything. Slack tools get a key for one channel, not all of them. The big, scary, hard to undo actions are gated behind a human checking first.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
Lead with the framing that the credential is the security boundary, not the prompt. Map each of the three tools to a specific scoped credential. Explain why Slack-send earns a human gate and SELECT-only does not. Cover audit logs, egress allowlists, and short-lived rotated credentials as additional layers. Close on the junior-employee versus service-account mental model.
Real products, models, and research that use this idea.
What an interviewer would ask next. Try answering before peeking at the approach.
Red flags and common mistakes that signal junior thinking. Click to expand.
Using one shared admin token across tools so a single injected call inherits the full authority of every tool the agent holds.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.