Summary
Least agency is a term coined by OWASP that extends the classic least-privilege principle to agentic applications. Where least privilege constrains what users and systems can access, least agency goes further: it restricts what each agent tool can do, how often, and where. It is the authorization principle at the center of Zero Trust for AI Agents — the practical answer to "even a perfectly authenticated agent causes damage when granted excessive permissions."
The distinction from least privilege
Traditional least privilege is about access scope (which resources an identity can touch). Least agency adds the action and frequency dimensions that matter once an identity can autonomously chain operations:
- a database tool gets read-only queries (not write/delete)
- an email summarizer gets no send/delete rights
- an API integration gets minimal CRUD operations
The shift matters because an agent operates within its granted permissions while still being manipulable into misusing them — the tool-misuse and tool-chaining threats that traditional access controls can't prevent (see Agentic Prompt Injection and Agent Supply Chain Risk for the attack side). Least agency shrinks the set of harmful actions reachable even with valid credentials.
How the framework enforces it
Least agency is enforced through the access-control tier ladder and Phase 3/5 of the implementation workflow:
- Deny-by-default — block all access not explicitly granted; treat it as a starting posture, not a destination.
- Permission models — RBAC (Foundation) → ABAC with context-aware policies (Enterprise) → continuous authorization re-evaluated per action (Advanced).
- Privilege scoping — static least-privilege roles (Foundation) → dynamic elevation per task with return-to-baseline (Enterprise) → JIT/JEA with automatic expiration (Advanced). "When in doubt, prefer a control that removes a capability over one that throttles it."
- Capability restrictions — an email tool restricted to reading, with send requiring separate authorization; a database tool that queries but can't change schema.
- Compartmentalization — splitting an agent's functions across multiple agents, each with its own unique identity and credentials, so attackers must compromise several agents to reach more resources. "If you break it into multiple agents and provide them all the same credentials, you have failed to compartmentalize the risk."
Relation to blast radius
Least agency is the input control; Blast Radius (Agentic) is the outcome metric. Constraining agency (actions × frequency × scope) is precisely how you shrink the blast radius an "assume breach" posture expects to be tested. The two are read together: scope an agent's account to read-only on exactly the data it needs, and a stolen credential's blast radius is "severely limited."
Connections
- Zero Trust for AI Agents — the framework that adopts least agency as its authorization principle (hub)
- Blast Radius (Agentic) — least agency is how you constrain it; agency-in, blast-radius-out
- Agent Identity and Authentication — least agency is unenforceable without distinct per-agent identity (the "attribution gap" makes enforcement impossible)
- OWASP — coined the term
- Claude Code Best Practices — Claude Code's deny-by-default permissions and write-access restrictions are the cited reference implementation
- Agentic Prompt Injection — the attack that least agency contains: manipulated agents misusing tools within authorized privileges
- Impossible, Not Tedious (Design Test) — "prefer removing a capability over throttling it" is least agency expressed as a design heuristic
- MCP and Computer Use — capability restrictions per MCP tool (read-only, no-send) are least agency at the tool-interface level
- Autonomous Defense — least agency applied inward on defensive agents: scoped automated-response actions with clear boundaries
- Agent Supply Chain Risk — scoping what a (possibly poisoned) tool can do limits the damage a compromised dependency can cause
Open Questions
- Least agency adds a frequency dimension ("how often"), but the framework also says rate limits are friction, not barriers (Impossible, Not Tedious (Design Test)). How is frequency-limiting both a least-agency control and a friction-only one — context-dependent?
- Dynamic privilege elevation (Enterprise) reintroduces an elevation path; how is the elevation request itself authenticated against a manipulated agent?
Sources
- Zero Trust for AI Agents — least agency defined in Part I; enforced across Part III access-control tiers and Part IV Phases 3 & 5
