Per-tool scoped credentials, never a shared admin token, with human approval on irreversible or broadcasting actions. The credential bounds damage, not the prompt.
Imagine an intern on day one. You do not hand them the master key to the office, the company credit card, and the all hands email account at the same time. You hand them a key to the supply closet for the supply task, a read-only badge for the records task, and you ask before they email the whole company. An agent is the same. You decide what it can do by what you hand it, not by hoping it will be careful. Read tools get a read-only key. Database tools get a key that cannot delete anything. Slack tools get a key for one channel, not all of them. The big, scary, hard to undo actions are gated behind a human checking first.
Detailed answer & concept explanation~7 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
Lead with the framing that the credential is the security boundary, not the prompt. Map each of the three tools to a specific scoped credential. Explain why Slack-send earns a human gate and SELECT-only does not. Cover audit logs, egress allowlists, and short-lived rotated credentials as additional layers. Close on the junior-employee versus service-account mental model.
Real products, models, and research that use this idea.
- Anthropic's Claude computer use and Claude Code both ship with restricted execution environments and gate destructive actions behind explicit user confirmation rather than trusting the model to refuse.
- Model Context Protocol servers expose tools with declared scopes, so a host can register only the specific MCP tools a task needs and revoke the rest between requests.
- GitHub Copilot agent mode scopes shell and file-write tools to the active workspace and surfaces diffs or command approvals before any irreversible edit lands.
- Production deployments at AWS and GCP commonly use IAM roles per Lambda or per service so an agent action runs under a scoped role rather than a shared admin key.
What an interviewer would ask next. Try answering before peeking at the approach.
QSuppose the agent legitimately needs to write to the database for some tasks. How do you scope that without giving it always-on write authority?
QAn injection succeeds and tells the agent to email a customer list to an external address. With the perimeter you described, what stops it?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Using one shared admin token across tools so a single injected call inherits the full authority of every tool the agent holds.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.