Agent Permission Boundaries
What This Requires
Define and enforce permission boundaries for AI agents with tool access: least privilege, explicit tool allowlists, file system restrictions, network egress controls, and mandatory approval for privileged operations.
Why It Matters
Agents with unrestricted tool access can be hijacked via prompt injection to execute arbitrary commands, exfiltrate data, or pivot through the network. Boundaries contain the blast radius.
How To Implement
Least Privilege
Grant only the tools required for the agent's purpose. Prefer read-only tools. For write operations, limit scope (e.g., can write to /tmp but not /etc).
Explicit Allowlists
Enumerate allowed tools in the agent config and reject any tool call not on the allowlist. Example: "tools: [search_docs, read_file, send_email]". Anything not listed (e.g., execute_code, network_request) is denied by default.
File System Restrictions
If the agent has file access, jail it to specific directories (e.g., /workspace). Block access to system paths (/etc, /root).
Network Egress Controls
Proxy agent network requests through an egress allowlist (permitted domains/IPs). Block requests that resolve to private, loopback, or link-local addresses (SSRF prevention).
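The four controls above, plus the approval requirement for privileged operations from "What This Requires", combined into a single policy gate that sits between the model and the tool runtime. This is an added example, not code from the original page; the POLICY values, the hosts docs.example.internal and api.example.com, and the resolved_ip argument (the caller resolves DNS once and pins the address) are constructed assumptions.

```python
import ipaddress
from pathlib import Path
from urllib.parse import urlparse

# Constructed policy for a hypothetical documentation agent; values are examples.
POLICY = {
    "allowed_tools": {"search_docs", "read_file", "send_email"},
    "workspace": Path("/workspace"),
    "allowed_hosts": {"docs.example.internal", "api.example.com"},
    "requires_approval": {"send_email"},   # privileged: human sign-off needed
}
class PolicyViolation(Exception): pass

def check_tool(name):
    # Explicit allowlist: anything not enumerated is rejected by default.
    if name not in POLICY["allowed_tools"]:
        raise PolicyViolation(f"tool not allowlisted: {name}")

def check_path(requested):
    # Jail file access to the workspace. Resolve '..' and symlinks *before*
    # the containment check, otherwise "../etc/passwd" would slip through.
    root = POLICY["workspace"].resolve()
    target = (root / requested).resolve()   # absolute input replaces root
    if target != root and root not in target.parents:
        raise PolicyViolation(f"path outside workspace: {requested}")
    return target

def check_egress(url, resolved_ip):
    # Egress allowlist plus SSRF guard on the pinned, already-resolved address.
    host = urlparse(url).hostname
    if host not in POLICY["allowed_hosts"]:
        raise PolicyViolation(f"host not allowlisted: {host}")
    ip = ipaddress.ip_address(resolved_ip)
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
        raise PolicyViolation(f"{host} resolves to blocked address {ip}")

def authorize(call, approved=False):
    """Gate one call {"tool": str, "args": dict}: "allow", "needs_approval" or "deny: <why>"."""
    try:
        check_tool(call["tool"])
        args = call.get("args", {})
        if "path" in args:
            check_path(args["path"])
        if "url" in args:
            check_egress(args["url"], args["resolved_ip"])
    except PolicyViolation as exc:
        return f"deny: {exc}"
    if call["tool"] in POLICY["requires_approval"] and not approved:
        return "needs_approval"
    return "allow"
```

Every "deny" and "needs_approval" decision should be logged with the tool name and reason; those records are the "sample agent logs showing permission enforcement" called for under Evidence & Audit.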
Evidence & Audit
- Agent permission policy document
- Tool allowlist configurations per agent
- File system restriction implementation (chroot, path validation)
- Network egress controls (proxy config, firewall rules)
- Sample agent logs showing permission enforcement