Agent Permission Boundary Matrix

Matrix SECURE

Purpose

Documents permission boundaries, tool access, and operational limits for each AI agent.

Related Controls

Agent Permission Boundaries Preventing Excessive AI Agency

OWASP ASI01 OWASP ASI03 OWASP LLM08

1. Purpose

Explain why agent permissions must be documented and controlled.

This document defines the permission boundaries, tool access, and operational limits for all AI agents deployed by [ORGANIZATION NAME]. Every agent must operate under the principle of least privilege — granted only the minimum permissions required to fulfill its purpose.

Document Owner: [ROLE TITLE], [DEPARTMENT]

Last Updated: [DATE]

Review Frequency: Quarterly, or when any agent's scope changes

2. Agent Inventory

List all deployed AI agents with their purpose and ownership.

Agent ID	Agent Name	Purpose	Owner	Environment	Status
AGT-001	[AGENT NAME]	[e.g., Customer support triage and response]	[OWNER]	Production	Active
AGT-002	[AGENT NAME]	[e.g., Code review and security scanning]	[OWNER]	Production	Active
AGT-003	[AGENT NAME]	[e.g., Data analysis and reporting]	[OWNER]	Staging	Testing
AGT-004	[AGENT NAME]	[e.g., Internal documentation search]	[OWNER]	Production	Active

3. Permission Matrix

Define what each agent can and cannot access. Use Allow/Deny/Conditional.

Agent	Tool/API Access	File System	Network/External	Database	Human Approval Required
AGT-001	CRM API (read), Email API (send)	Deny	Deny	CRM (read-only)	Sending emails, escalation
AGT-002	Git API (read), SAST tools	Repository (read-only)	Deny	Deny	Posting review comments
AGT-003	BI API (read), Chart gen	Reports dir (write)	Deny	Analytics (read-only)	Publishing reports
AGT-004	Search API (internal only)	Docs dir (read-only)	Deny	Deny	None

4. Least Privilege Justification

For each permission granted, document the business justification.

Every permission granted to an agent must have a documented justification. Permissions without justification must be revoked.

Template per Agent

Agent: [AGENT NAME] (AGT-[NNN])

|---|---|---|---|

Denied Permissions Rationale:

File system write: Agent does not need to create or modify files
Network egress: Agent should not make external API calls
Database write: Agent should not modify any data directly

5. Iteration & Timeout Limits

Set operational bounds to prevent runaway agent behavior.

Agent	Max Iterations	Timeout (seconds)	Max Token Budget	Escalation Action
AGT-001	10	120	50,000	Transfer to human agent
AGT-002	25	300	100,000	Post partial review, alert owner
AGT-003	15	600	200,000	Save draft report, notify owner
AGT-004	5	30	10,000	Return "no results found"

Circuit Breaker Rules

If an agent exceeds its iteration limit, it must stop immediately and execute its escalation action
If an agent exceeds its timeout, the orchestrator must terminate the agent and log the event
If an agent's error rate exceeds 20% within a 5-minute window, it must be automatically disabled pending human review
All limit violations are logged and reported in the weekly security digest

6. Review Schedule

Define how and when agent permissions are reviewed.

Quarterly Review Process

Inventory audit: Confirm all active agents are listed; identify any shadow agents
Permission review: Verify each permission is still needed and properly justified
Usage analysis: Review agent logs to identify unused permissions (candidates for revocation)
Limit tuning: Adjust iteration/timeout limits based on operational data
Incident review: Check if any agents were involved in security incidents since last review

Trigger-Based Reviews

Agent scope or purpose changes
Security incident involving any agent
New tool or API integration added to an agent
Agent moved to new environment (staging → production)

Next Scheduled Review: [DATE]

Reviewer: [NAME], [ROLE TITLE]

← Back to all templates