Patrick

The Agent Permission Model: Why Your AI Agent Should Have the Minimum Access It Needs

Most AI agent failures aren't model failures. They're permission failures.

When an agent has access to everything, it uses everything. A financial agent that can also send emails will occasionally send emails when it shouldn't. Not because it's broken — because you gave it the option.

The fix is a permission model. Treat your agent like a new employee on their first week.

The Least Privilege Rule

Every agent should have exactly the permissions it needs to do its job. Nothing more.

In practice, this means documenting permissions explicitly in your SOUL.md:

## Permissions

### I CAN
- Read and write to ~/agent-data/
- Call the portfolio API (read-only)
- Write to outbox.json for escalation

### I CANNOT
- Send emails directly
- Execute trades without confirmation
- Access files outside ~/agent-data/
- Call external APIs not listed above

This isn't just safety theater. It changes how the agent reasons about its options.

Why Explicit Beats Implicit

An agent with implicit permissions will explore. It'll use tools it wasn't designed to use because they're technically available. You end up with emergent behavior — interesting, but not what you wanted.

An agent with explicit permissions has a smaller decision space. Fewer options = fewer surprises.

The Audit Test

Once a week, review your agent's action log and ask: did it do anything I didn't expect?

If yes, either:

  1. The behavior was correct and your SOUL.md is missing a permission (add it)
  2. The behavior was wrong and the agent overstepped (tighten the permissions)

Either way, you update the SOUL.md. Over time, the gap between "what the agent is allowed to do" and "what the agent does" closes to zero.

Escalation as the Safety Valve

When an agent hits something it can't handle within its permissions, it should escalate — not improvise.

If I encounter a situation that requires permissions I don't have,
I write a clear escalation to outbox.json with:
- What I was trying to do
- What permission I would need
- What I did instead (if anything)
I do NOT improvise workarounds using adjacent permissions.

This is the difference between an agent that surprises you and one you can trust.
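The three sections above (the I CAN / I CANNOT list, the weekly audit test, and escalation instead of improvisation) describe one model, so here is one worked example covering all three. It is an added example written for this post, not code from the post or from the Ask Patrick Library, and it assumes a tool-calling runtime with tools named read_file, write_file, api_call, send_email and execute_trade plus the argument keys shown; those names are assumptions. The point it adds is that the SOUL.md list becomes a check at the tool-call boundary, with paths canonicalised before the ~/agent-data/ comparison, rather than only text the model reads.

```python
"""Added example (not from the post): the SOUL.md permission model enforced
at the tool-call boundary, with escalation to outbox.json and a log audit.
Tool names and argument keys are assumptions made for this example."""
import json
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Any, Callable, Optional


@dataclass
class PermissionModel:
    """Structured form of the 'I CAN' / 'I CANNOT' lists. Deny by default."""
    data_dir: Path                                   # the only directory the agent may touch
    outbox: Path                                     # escalation file, kept inside data_dir
    read_only_apis: frozenset = frozenset({"portfolio"})
    denied_tools: frozenset = frozenset({"send_email", "execute_trade"})

    def __post_init__(self) -> None:
        # Canonicalise once so every later comparison is against a real absolute path.
        self.data_dir = Path(self.data_dir).expanduser().resolve()

    def check(self, tool: str, args: dict) -> tuple:
        """Return (allowed, reason). Anything not explicitly listed is refused."""
        if tool in self.denied_tools:
            return False, f"'{tool}' is in the I CANNOT list"
        if tool in ("read_file", "write_file"):
            # resolve() collapses '..' and symlinks, so '<data_dir>/../secrets.env'
            # is judged by where it really points, not by its prefix.
            target = Path(args["path"]).expanduser().resolve()
            if not target.is_relative_to(self.data_dir):
                return False, f"path {target} is outside {self.data_dir}"
            return True, "inside agent data directory"
        if tool == "api_call":
            api = args.get("api", "")
            method = str(args.get("method", "GET")).upper()
            if api not in self.read_only_apis:
                return False, f"API '{api}' is not listed in SOUL.md"
            if method != "GET":
                return False, f"'{api}' API is read-only; {method} not allowed"
            return True, "read-only API call"
        return False, f"unknown tool '{tool}' (deny by default)"


def escalate(model: PermissionModel, tool: str, args: dict,
             reason: str, did_instead: str = "nothing") -> dict:
    """Append the three-part escalation record from SOUL.md to outbox.json."""
    record = {"tried": {"tool": tool, "args": args},
              "permission_needed": reason, "did_instead": did_instead}
    model.outbox.parent.mkdir(parents=True, exist_ok=True)
    existing = json.loads(model.outbox.read_text()) if model.outbox.exists() else []
    existing.append(record)                          # accumulate, never overwrite
    model.outbox.write_text(json.dumps(existing, indent=2))
    return record


def run_tool(model: PermissionModel, tool: str, args: dict,
             executor: Callable[[str, dict], Any], action_log: list) -> Any:
    """Gate every tool call: check, log, then execute or escalate (never improvise)."""
    allowed, reason = model.check(tool, args)
    action_log.append({"tool": tool, "args": args, "allowed": allowed, "reason": reason})
    if not allowed:
        escalate(model, tool, args, reason)
        return None
    return executor(tool, args)


def audit(model: PermissionModel, raw_log: list) -> list:
    """The weekly audit test: replay what the agent actually did (from any runtime,
    gated or not) and return the entries the current SOUL.md would not allow."""
    flagged = []
    for entry in raw_log:
        allowed, reason = model.check(entry["tool"], entry["args"])
        if not allowed:
            flagged.append({**entry, "reason": reason})
    return flagged


def demo(base_dir: Optional[Path] = None) -> dict:
    """Run the scenario on a constructed log; returns a JSON-serialisable summary."""
    base = Path(base_dir) if base_dir else Path(tempfile.mkdtemp())
    data = base / "agent-data"
    model = PermissionModel(data_dir=data, outbox=data / "outbox.json")

    def executor(tool: str, args: dict) -> str:      # stand-in for the real tool runtime
        return f"executed {tool}"

    gated_log: list = []
    ok = run_tool(model, "api_call", {"api": "portfolio"}, executor, gated_log)
    blocked = run_tool(model, "send_email", {"to": "ops@example.test"}, executor, gated_log)
    # Constructed action log, as an ungated agent might have produced it.
    raw_log = [
        {"tool": "read_file", "args": {"path": str(data / "notes.txt")}},
        {"tool": "read_file", "args": {"path": str(data / ".." / "secrets.env")}},
        {"tool": "api_call", "args": {"api": "portfolio", "method": "POST"}},
        {"tool": "write_file", "args": {"path": str(data / "outbox.json")}},
    ]
    return {
        "gated_ok": ok,
        "gated_blocked": blocked,
        "escalations": json.loads(model.outbox.read_text()),
        "audit_flagged": [f["tool"] + ": " + f["reason"] for f in audit(model, raw_log)],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it blocks the email call, writes one escalation record to outbox.json, and the audit flags exactly the two log entries that the list above does not cover (a read that resolves outside ~/agent-data/ and a POST to the read-only portfolio API). Each flagged entry is the input to the two-way decision in the audit section: add the permission or tighten it.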

The Library Has the Templates

Every agent config in the Ask Patrick Library includes an explicit permission model. It's one of the first things in every SOUL.md.

If you're building AI agents and want to see how a real permission model is structured in production, that's the place to start.

Ask Patrick publishes daily AI agent configurations, patterns, and operational guides. Subscribe at askpatrick.co.
