A new formal theory argues that the classic security principle of least privilege is too weak for AI agents that can stack and chain permissions on their own.
Researchers posted a preprint proposing "least autonomy" as a successor framing for agentic AI systems. The problem: least privilege assumes a static identity that holds permissions - it was never designed for agents that can combine, approve, and amplify those permissions across workflows and organizational boundaries. The paper introduces three formal tools to measure the exposure. A "compositional blast radius" metric captures structural separation between actions in an enterprise hierarchy. A directed agent influence graph tracks how one agent can shape another's behavior. A "collusion predicate" then detects three specific failure modes: authorization composition, decision manipulation, and cross-domain capability stacking.
Enterprise AI deployments already hand agents access to email, calendars, code repositories, and finance systems - often simultaneously. Classic access control assumes an identity that holds permissions but does not reason about combining them; an agent that autonomously chains those permissions cuts straight through that model. This paper gives security architects a formal vocabulary to define, measure, and audit blast radius before regulators or attackers define it for them.
Whether organizations will adopt a framework built on ultrametric trees, lattice-valued labels, and directed influence graphs before their next incident report is, to put it mildly, an open question.