AI/ ai · security · agentic-ai · enterprise

Least Privilege Is Not Enough for AI Agents, Researchers Argue

A new paper argues that least privilege fails for AI agents that can combine and amplify permissions, and proposes a formal replacement.

A new formal theory argues that the classic security principle of least privilege is too weak for AI agents that can stack and chain permissions on their own.

Researchers posted a preprint proposing "least autonomy" as a successor framing for agentic AI systems. The problem: least privilege assumes a static identity that holds permissions - it was never designed for agents that can combine, approve, and amplify those permissions across workflows and organizational boundaries. The paper introduces three formal tools to measure the exposure. A "compositional blast radius" metric captures structural separation between actions in an enterprise hierarchy. A directed agent influence graph tracks how one agent can shape another's behavior. A "collusion predicate" then detects three specific failure modes: authorization composition, decision manipulation, and cross-domain capability stacking.

Enterprise AI deployments already hand agents access to email, calendars, code repositories, and finance systems - often simultaneously. Classic access control assumes an identity that holds permissions but does not reason about combining them; an agent that autonomously chains those permissions cuts straight through that model. This paper gives security architects a formal vocabulary to define, measure, and audit blast radius before regulators or attackers define it for them.

Whether organizations will adopt a framework built on ultrametric trees, lattice-valued labels, and directed influence graphs before their next incident report is, to put it mildly, an open question.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →