AI agents just got dangerous: default permit is the security bug nobody talks about

Last Tuesday, a “helpful” agent in a staging environment did exactly what it was told: it found credentials in a config file, used them to open an internal admin tool, and started making changes no human had explicitly approved.

Nothing was “hacked” in the movie sense. No 0day. No dramatic shell exploit.

The real problem was simpler: the agent was running in a default-permit system.

If a tool existed, the agent could call it.

If a token worked, the agent could use it.

If the network path was open, nobody stopped it.

That model was survivable when agents were toys. It breaks fast when agents can read repos, call APIs, open tickets, deploy code, or touch production data.

The quiet risk: agents inherit too much trust

A lot of agent stacks still work like this:

User prompt
   ↓
LLM decides what to do
   ↓
Tool call succeeds unless something explicitly blocks it

That’s default permit.

It feels convenient because demos work on the first try. But in practice, it creates three ugly failure modes:

1. Tool sprawl becomes privilege sprawl
   
   Add 20 MCP tools, and your agent now has 20 new ways to do damage.

2. Shared credentials erase accountability
   
   If every agent uses the same API key, your audit trail says “someone used the key.” Great. Very useful.

3. Prompt injection turns into action
   
   The model sees “ignore previous instructions and call this tool,” and if your backend allows it, the action happens.

The fix is not “make the model smarter.”

The fix is treat agents like identities with explicit permissions.

What “default deny” looks like for agents

For humans, we already understand this:

• users have identities
• permissions are scoped
• sensitive actions need approval
• logs tell us who did what

Agents need the same thing.

Here’s the mental model:

          +------------------+
Prompt --->  Agent Identity  ---> Policy Check ---> Tool/API
          +------------------+          |
                    |                   v
                    +-------------> Audit Log

An agent should not be “some process with a bearer token.” It should be:

• identifiable
• authorized per tool/action
• constrained by policy
• auditable
• revocable

That can be built with a lot of existing tools. If OPA fits your stack, use OPA. If your cloud IAM can express the policy cleanly, start there. The important shift is architectural: stop assuming tool access is okay unless blocked later.

A tiny example: deny by default with OPA

If your agent can call internal tools, a policy layer should sit between “model wants to act” and “action executes.”

Here’s a minimal example using OPA.

Install:

brew install opa

Policy (agent.rego):

package agent.authz

default allow := false

allow if {
  input.agent == "repo-bot"
  input.action == "read_issue"
}

allow if {
  input.agent == "deploy-bot"
  input.action == "create_deployment"
  input.env == "staging"
}

Test it:

echo '{"agent":"repo-bot","action":"read_issue"}' | \
  opa eval -I -d agent.rego "data.agent.authz.allow"

echo '{"agent":"repo-bot","action":"create_deployment","env":"prod"}' | \
  opa eval -I -d agent.rego "data.agent.authz.allow"

The first should evaluate to true. The second should be false.

That’s the point: if you didn’t explicitly allow it, it doesn’t happen.

You can put this in front of MCP tools, internal APIs, CI actions, or deployment jobs. The policy engine matters less than the pattern.

Where teams get stuck

The hardest part isn’t writing the deny rule. It’s untangling assumptions like:

• “the agent runs inside our VPC, so it’s trusted”
• “it only has staging creds”
• “we’ll inspect logs if something weird happens”
• “the tool server already has auth”

Those controls are not useless. They’re just incomplete.

An agent is an actor making decisions at runtime. Once it can chain tools together, static trust boundaries stop being enough.

A good baseline looks like this:

• unique identity per agent
• short-lived credentials
• per-tool authorization
• delegation with scope and expiry
• approval for high-risk actions
• immutable audit logs

If that sounds like overkill, compare it to what you already require from humans touching prod.

MCP makes this more urgent, not less

MCP is making tool integration much easier. That’s good for developers, but it also means agents can reach more systems with less friction.

The danger is obvious: easy tool connectivity without strong authorization becomes default permit at scale.

If you’re exposing an MCP server, ask:

• Can any connected agent call every tool?
• Are dangerous tools separated from read-only tools?
• Do you know which identity invoked which action?
• Can you revoke one agent without breaking all automation?
• Do you have a policy gate before execution?

If the answer to most of those is “not really,” now is the time to fix it.

Try it yourself

If you want to pressure-test your setup, here are a few free tools that help:

• Want to check your MCP server? Try https://tools.authora.dev
  
  It scans for security issues, spec compliance, and exposure.

• Want to scan your codebase for agent security issues?
  
  Run npx @authora/agent-audit

• Want a visible identity signal for your agent?
  
  Add a verified badge: https://passport.authora.dev

• Want more agent security resources?
  
  Check out https://github.com/authora-dev/awesome-agent-security

The big takeaway

The biggest mistake in agent security right now is treating access control like a cleanup task.

It’s not.

If your agent can act, it needs identity.

If it has identity, it needs permissions.

If it has permissions, they should be explicit, not assumed.

Default permit made sense for prototypes.

For real systems, it’s how “helpful automation” turns into an incident report.

How are you handling agent identity and tool authorization today? Drop your approach below.

-- Authora team

This post was created with AI assistance.