The principle of Least Privilege is the single most important security concept for agents. An agent should have access to ONLY the tools and data it needs for its specific task — nothing more.
| Layer | Control | Example |
|---|---|---|
| Tool Allowlist | Which tools can this agent call? | Customer service bot: [search_kb, create_ticket] only |
| Parameter Constraints | What values can tool parameters take? | search_orders only for current user's orders |
| Rate Limits | How often can tools be called? | Max 10 API calls per minute per session |
| Budget Limits | Maximum token/cost spend per task | Max $0.50 per agent run, hard stop |
| Time Limits | Maximum execution duration | Agent must complete within 5 minutes |
| Approval Gates | Human approval before sensitive actions | Require approval before sending emails |
```javascript
// Bad: Agent has full database access
const unscopedTools = [database.query]; // Can SELECT, INSERT, UPDATE, DELETE anything

// Good: Agent has scoped, read-only access
const tools = [
  {
    name: "lookup_customer",
    // Fixed, parameterized statement: the model supplies only the id value,
    // never the SQL text, and only these three columns ever come back
    execute: (args) => db.query(
      "SELECT name, email, plan FROM customers WHERE id = $1",
      [args.customerId] // Only this customer, only these fields
    )
  }
];
```
The capability the agent sees is lookup_customer(id), not db.query(sql).
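The table above lists six control layers but does not show how they compose at the call site. The following is an added example, not code from the original page or from any particular agent framework: a small tool gateway that runs every tool call through the allowlist, parameter constraint, rate limit, budget, time limit and approval gate, in table order, and executes nothing if any layer denies. The tool registry, per-tool costs, session fields and policy values are assumptions chosen to mirror the table's examples.

```javascript
// Added example (not code from the original page): a tool gateway that enforces
// the six control layers of the table above before any tool executes.
// Every tool, cost, limit and session field below is an assumption for illustration.

// Constructed tool registry: each tool is a plain function plus a "sensitive" flag.
const TOOL_REGISTRY = {
  search_kb:      { sensitive: false, costCents: 1, execute: (a) => [`kb hit for "${a.query}"`] },
  create_ticket:  { sensitive: false, costCents: 2, execute: (a) => ({ ticketId: 1001, subject: a.subject }) },
  search_orders:  { sensitive: false, costCents: 1, execute: (a) => [{ orderId: 42, customerId: a.customerId }] },
  send_email:     { sensitive: true,  costCents: 5, execute: (a) => ({ sent: true, to: a.to }) },
  delete_account: { sensitive: true,  costCents: 0, execute: () => ({ deleted: true }) },
};

// Policy for a customer-service agent, mirroring the table's example values.
const CUSTOMER_SERVICE_POLICY = {
  allowlist: ["search_kb", "create_ticket", "search_orders", "send_email"],
  // Parameter constraints: return null when valid, otherwise a reason string.
  paramChecks: {
    search_orders: (args, session) =>
      args.customerId === session.userId ? null : "customerId must be the session user",
  },
  maxCallsPerMinute: 10,
  maxCostCents: 50,          // $0.50 hard stop, kept in integer cents to avoid float drift
  maxRunMs: 5 * 60 * 1000,   // 5 minutes
};

class ToolGuard {
  // `clock` is injectable so rate and time limits can be tested deterministically.
  constructor(policy, clock = () => Date.now()) {
    this.policy = policy;
    this.clock = clock;
    this.sessions = new Map(); // session id -> { startedAt, callTimes, spentCents }
  }

  sessionState(session) {
    if (!this.sessions.has(session.id)) {
      this.sessions.set(session.id, { startedAt: this.clock(), callTimes: [], spentCents: 0 });
    }
    return this.sessions.get(session.id);
  }

  // Runs the checks in table order; the first failing layer denies the call and
  // nothing executes. Returns { ok: true, result } or { ok: false, layer, reason }.
  invoke(session, toolName, args, { approved = false } = {}) {
    const deny = (layer, reason) => ({ ok: false, layer, reason });
    const now = this.clock();
    const st = this.sessionState(session);
    const p = this.policy;

    // 1. Tool allowlist
    if (!p.allowlist.includes(toolName)) return deny("allowlist", `${toolName} is not allowed for this agent`);
    const tool = TOOL_REGISTRY[toolName];
    if (!tool) return deny("allowlist", `${toolName} is not registered`);

    // 2. Parameter constraints
    const check = p.paramChecks[toolName];
    const paramError = check ? check(args, session) : null;
    if (paramError) return deny("parameters", paramError);

    // 3. Rate limit: sliding 60-second window per session
    st.callTimes = st.callTimes.filter((t) => now - t < 60_000);
    if (st.callTimes.length >= p.maxCallsPerMinute) {
      return deny("rate_limit", `more than ${p.maxCallsPerMinute} calls per minute`);
    }

    // 4. Budget limit: cumulative cost for this run
    if (st.spentCents + tool.costCents > p.maxCostCents) {
      return deny("budget", `would exceed ${p.maxCostCents} cents`);
    }

    // 5. Time limit: measured from the session's first call
    if (now - st.startedAt > p.maxRunMs) return deny("time_limit", `run exceeded ${p.maxRunMs} ms`);

    // 6. Approval gate: sensitive tools need an explicit human approval flag
    if (tool.sensitive && !approved) return deny("approval", `${toolName} requires human approval`);

    st.callTimes.push(now);
    st.spentCents += tool.costCents;
    return { ok: true, result: tool.execute(args) };
  }
}
```

The gateway returns a structured denial with the layer that fired rather than throwing, so the same object can be fed back to the model as a tool error and logged for detection; a burst of "allowlist" or "parameters" denials in one session is a useful signal that the model is being steered toward tools or records it should not touch.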