HomeJournalThis post

AI agents need permission budgets

Permission budgets keep agent tools, data, writes, approvals, production access, and audit evidence aligned with the task.

JP
JP Casabianca
Designer/Engineer · Bogotá

A coding agent should not inherit every permission its operator happens to have.

The useful question is not whether an agent can run shell commands, query a database, open a pull request, or send a message. The useful question is which of those actions this task requires, what data the action may touch, which consequences need approval, and when the access should disappear.

That distinction is becoming operational, not theoretical. The OWASP AI Agent Security Cheat Sheet recommends minimum tool access, per-tool scopes, explicit authorization for sensitive operations, and structured decision evidence for high-risk actions. Those controls are easier to apply when the task begins with a small permission budget instead of a blanket credential.

I think of that budget as part of the product spec for automation. It defines what the agent may inspect, what it may change, what it must ask about, and what receipt remains after the work.

The goal is not to make agents timid. It is to make autonomy legible enough that a teammate can trust where it stops.

01 · TaskName the outcome

The requested result, affected system, expected evidence, and time boundary are explicit.

02 · ScopeGrant the minimum

Tools, resources, environments, commands, and data are limited to what the task needs.

03 · ReceiptRecord consequence

Actions, approvals, results, failures, and revoked access remain inspectable.

Figure 1: An agent permission budget connects task intent to bounded execution.

Begin with the task boundary

Permission design should start with the requested outcome, not with the tools already connected.

I would pressure-test that decision with four questions:

  • What outcome was authorized?
  • Which system is in scope?
  • What is explicitly outside scope?
  • When does the task end?

The failure mode here is treating an authenticated integration as permission to use every action it exposes. In coding-agent workflows where tools can read repositories, edit files, run commands, query production services, send messages, or merge changes with very different consequences, that can hide the exact boundary a reviewer or teammate needs to understand. My working artifact would be a one-paragraph task boundary attached to the agent run. I want it close enough to the implementation that it can change the work, not created afterward to decorate the story.

The result I would look for is automation that stays aligned with the operator's intent. That is a narrower claim than saying the whole system improved, but it is also one I can verify and defend.

In practice, I would put a one-paragraph task boundary attached to the agent run beside the question “What outcome was authorized?” before the first implementation review. The next pass would use “Which system is in scope?” to test the boundary, then “What is explicitly outside scope?” to expose the state most likely to be missed. I would keep “When does the task end?” for the release check because it asks whether the decision still holds outside the ideal path. The work is ready to move when the artifact can explain the choice and the observed result supports automation that stays aligned with the operator's intent.

Separate reading from writing

Read access and write access have different failure modes and should be granted independently.

The practical review starts here:

  • Which sources are needed for orientation?
  • Which writes are necessary?
  • Can a draft satisfy the task first?
  • How is the write reviewed?

Those questions keep granting mutation rights because the task needs context from becoming the default. I would capture the decision in a tool matrix with read, draft, write, and execute scopes, then use it while the work is still cheap to change. For least-privilege AI-assisted engineering, the artifact should make ownership, constraint, and next action visible without requiring a private explanation.

Success would look like more useful exploration with a smaller blast radius. If I cannot point to that evidence, I have a direction, not a finished decision.

The implementation move is to make a tool matrix with read, draft, write, and execute scopes part of the working surface. I would use it to answer “Which sources are needed for orientation?” while scope is still flexible, and “Which writes are necessary?” before code or content becomes expensive to unwind. During QA, “Can a draft satisfy the task first?” and “How is the write reviewed?” become concrete checks rather than discussion prompts. That sequence turns least-privilege AI-assisted engineering into something the team can operate and gives me a specific outcome to report: more useful exploration with a smaller blast radius.

  1. ReadOrient safely

    Inspect code, documentation, logs, schemas, and metadata without changing external state.

  2. WriteChange bounded state

    Edit named files, create a branch, or update a scoped resource with reversible history.

  3. ActCross a trust boundary

    Deploy, merge, delete, pay, publish, or message only with explicit authority and verification.

Figure 2: Permission should expand only when consequence and evidence justify it.

Scope data, not only tools

A safe tool can still expose the wrong customer, repository, environment, or time range.

Before implementation, I would answer:

  • Which resources may be accessed?
  • Is production data required?
  • Can identifiers be minimized?
  • What must never enter context?

The artifact is a resource allowlist and sensitive-data denylist. Its job is to expose the tradeoff early enough that design, engineering, support, or product can disagree with something concrete. The common trap is assuming a named tool automatically has a safe data boundary; it moves uncertainty downstream and makes the final interface carry a problem the system never resolved.

For me, the useful receipt is context that is sufficient without becoming indiscriminate. That connects permission budgets as an explicit contract between an agent, its operator, and the systems it can affect to an observable result instead of a process claim.

I would test this with one typical case and one boundary case. The typical case should make “Which resources may be accessed?” easy to answer. The boundary should force a decision about “Is production data required?” and “Can identifiers be minimized?.” I would record both in a resource allowlist and sensitive-data denylist, including the part that stayed unresolved after the first pass. The final check, “What must never enter context?,” is where the artifact earns its place: it either supports context that is sufficient without becoming indiscriminate, or it shows exactly why another iteration is needed.

Name approval boundaries

High-impact actions should pause at a decision the operator can understand.

I would use these prompts during the working review:

  • Which action changes external state?
  • What consequence is possible?
  • What preview can be shown?
  • Who can approve?

If the team slips into asking for approval with no target, diff, or consequence, the product can still look complete while its operating rule stays ambiguous. I would make an approval table for merge, deploy, delete, payment, permission, and messaging actions the shared reference and keep it small enough to update as evidence changes.

The standard is human decisions made with specific evidence. That tells me whether the decision helped the product, not merely whether the document was completed.

The working sequence is small: draft an approval table for merge, deploy, delete, payment, permission, and messaging actions, review it against “Which action changes external state?,” implement the narrowest useful path, and then return with evidence for “What consequence is possible?.” I would use “What preview can be shown?” to inspect product consequence and “Who can approve?” to decide whether the result is stable enough to ship. This keeps asking for approval with no target, diff, or consequence visible as a known risk and makes human decisions made with specific evidence the release receipt rather than a hopeful conclusion.

SignalDecisionWorking note
LowLocal and reversibleRepository reads, tests, generated drafts, and isolated file edits with a reviewable diff.
MediumShared but recoverableBranches, pull requests, preview deployments, and staging data with clear ownership.
HighExternal or irreversibleProduction writes, secrets, money, permissions, deletion, public messages, and merges.
Figure 3: Risk follows the combination of tool, data, and consequence.

Use temporary credentials

Agent access should expire with the task instead of becoming invisible standing privilege.

I would pressure-test that decision with four questions:

  • Can the token be short-lived?
  • Can access be branch-scoped?
  • When is it revoked?
  • Who can audit it?

The failure mode here is reusing broad personal credentials for recurring automation. In coding-agent workflows where tools can read repositories, edit files, run commands, query production services, send messages, or merge changes with very different consequences, that can hide the exact boundary a reviewer or teammate needs to understand. My working artifact would be a credential lifecycle note beside the task. I want it close enough to the implementation that it can change the work, not created afterward to decorate the story.

The result I would look for is access that disappears when the work is complete. That is a narrower claim than saying the whole system improved, but it is also one I can verify and defend.

In practice, I would put a credential lifecycle note beside the task beside the question “Can the token be short-lived?” before the first implementation review. The next pass would use “Can access be branch-scoped?” to test the boundary, then “When is it revoked?” to expose the state most likely to be missed. I would keep “Who can audit it?” for the release check because it asks whether the decision still holds outside the ideal path. The work is ready to move when the artifact can explain the choice and the observed result supports access that disappears when the work is complete.

Protect against tool chaining

Several individually reasonable actions can combine into an unsafe consequence.

The practical review starts here:

  • Can read data become an outbound message?
  • Can generated text become a shell command?
  • Can one agent delegate authority?
  • Where is the chain interrupted?

Those questions keep reviewing permissions one tool at a time while ignoring the path between them from becoming the default. I would capture the decision in a tool-chain threat map, then use it while the work is still cheap to change. For least-privilege AI-assisted engineering, the artifact should make ownership, constraint, and next action visible without requiring a private explanation.

Success would look like guardrails that cover composed behavior. If I cannot point to that evidence, I have a direction, not a finished decision.

The implementation move is to make a tool-chain threat map part of the working surface. I would use it to answer “Can read data become an outbound message?” while scope is still flexible, and “Can generated text become a shell command?” before code or content becomes expensive to unwind. During QA, “Can one agent delegate authority?” and “Where is the chain interrupted?” become concrete checks rather than discussion prompts. That sequence turns least-privilege AI-assisted engineering into something the team can operate and gives me a specific outcome to report: guardrails that cover composed behavior.

Make production exceptional

Production access should be a narrow escalation with stronger evidence and recovery.

Before implementation, I would answer:

  • Why is production necessary?
  • Can staging reproduce the issue?
  • Is the operation reversible?
  • What live check proves success?

The artifact is a production access addendum with query, mutation, rollback, and verification. Its job is to expose the tradeoff early enough that design, engineering, support, or product can disagree with something concrete. The common trap is letting a local coding task quietly become a production operation; it moves uncertainty downstream and makes the final interface carry a problem the system never resolved.

For me, the useful receipt is production work that is deliberate and recoverable. That connects permission budgets as an explicit contract between an agent, its operator, and the systems it can affect to an observable result instead of a process claim.

I would test this with one typical case and one boundary case. The typical case should make “Why is production necessary?” easy to answer. The boundary should force a decision about “Can staging reproduce the issue?” and “Is the operation reversible?.” I would record both in a production access addendum with query, mutation, rollback, and verification, including the part that stayed unresolved after the first pass. The final check, “What live check proves success?,” is where the artifact earns its place: it either supports production work that is deliberate and recoverable, or it shows exactly why another iteration is needed.

Log decisions, not hidden reasoning

The audit trail needs observable inputs, policies, actions, and outcomes rather than private model deliberation.

I would use these prompts during the working review:

  • Which action was requested?
  • Which policy applied?
  • Was approval present?
  • What result occurred?

If the team slips into storing verbose internal reasoning while omitting the actual authorization record, the product can still look complete while its operating rule stays ambiguous. I would make a structured action receipt with policy version and approval identifier the shared reference and keep it small enough to update as evidence changes.

The standard is evidence a reviewer can use without reconstructing the session. That tells me whether the decision helped the product, not merely whether the document was completed.

The working sequence is small: draft a structured action receipt with policy version and approval identifier, review it against “Which action was requested?,” implement the narrowest useful path, and then return with evidence for “Which policy applied?.” I would use “Was approval present?” to inspect product consequence and “What result occurred?” to decide whether the result is stable enough to ship. This keeps storing verbose internal reasoning while omitting the actual authorization record visible as a known risk and makes evidence a reviewer can use without reconstructing the session the release receipt rather than a hopeful conclusion.

Design failure and revocation

A permission budget needs a stop path for loops, suspicious input, cost growth, and partial execution.

I would pressure-test that decision with four questions:

  • What triggers a stop?
  • How is access revoked?
  • What state may be partial?
  • Who receives the alert?

The failure mode here is designing only for successful agent completion. In coding-agent workflows where tools can read repositories, edit files, run commands, query production services, send messages, or merge changes with very different consequences, that can hide the exact boundary a reviewer or teammate needs to understand. My working artifact would be a kill-switch and partial-state checklist. I want it close enough to the implementation that it can change the work, not created afterward to decorate the story.

The result I would look for is bounded failure that leaves the system understandable. That is a narrower claim than saying the whole system improved, but it is also one I can verify and defend.

In practice, I would put a kill-switch and partial-state checklist beside the question “What triggers a stop?” before the first implementation review. The next pass would use “How is access revoked?” to test the boundary, then “What state may be partial?” to expose the state most likely to be missed. I would keep “Who receives the alert?” for the release check because it asks whether the decision still holds outside the ideal path. The work is ready to move when the artifact can explain the choice and the observed result supports bounded failure that leaves the system understandable.

Show safe autonomy as engineering proof

A portfolio artifact can demonstrate speed and judgment by showing the permission model beside the delivered result.

The practical review starts here:

  • What did the agent accomplish?
  • Which permissions were withheld?
  • Where did approval occur?
  • Which receipt proves the result?

Those questions keep claiming autonomous delivery without explaining its authority from becoming the default. I would capture the decision in a redacted permission budget, diff, and verification receipt, then use it while the work is still cheap to change. For least-privilege AI-assisted engineering, the artifact should make ownership, constraint, and next action visible without requiring a private explanation.

Success would look like credible evidence of secure AI-assisted operation. If I cannot point to that evidence, I have a direction, not a finished decision.

The implementation move is to make a redacted permission budget, diff, and verification receipt part of the working surface. I would use it to answer “What did the agent accomplish?” while scope is still flexible, and “Which permissions were withheld?” before code or content becomes expensive to unwind. During QA, “Where did approval occur?” and “Which receipt proves the result?” become concrete checks rather than discussion prompts. That sequence turns least-privilege AI-assisted engineering into something the team can operate and gives me a specific outcome to report: credible evidence of secure AI-assisted operation.

What I would show in the work

The public version needs evidence from the work itself. For this topic, the first five artifacts I would reach for are:

  • a one-paragraph task boundary attached to the agent run
  • a tool matrix with read, draft, write, and execute scopes
  • a resource allowlist and sensitive-data denylist
  • an approval table for merge, deploy, delete, payment, permission, and messaging actions
  • a credential lifecycle note beside the task

I would not publish all five at equal weight. One should orient the reader, one should reveal the hardest tradeoff, and one should prove the result. The others can live in a downloadable note or appear as supporting frames. That edit matters because permission budgets as an explicit contract between an agent, its operator, and the systems it can affect becomes harder to understand when every process detail is treated as equally important.

I would also show one rejected direction. The useful version is specific: which option looked attractive, which constraint made it wrong, and what evidence supported the narrower choice. That gives an engineering manager something real to question and keeps the case study from reading like the final answer was obvious from the beginning.

agent-permission-budget.md
# allowed
repo:write branch:scoped
Files under the task path; no unrelated staging; no direct writes to main.

# approval deploy:ask merge:ask External state changes require a named operator decision and recorded target.

# evidence diff tests live-check Reviewable patch, validation output, production result, and revoked temporary access.

Figure 4: A useful permission receipt names what was allowed and what happened.

Resource path

The practical follow-up I would build is an agent permission budget with task, allowed tools, data scope, write boundary, approval boundary, time limit, audit evidence, revocation path, and owner. I am treating that as a resource backlog item, not pretending the adjacent downloads below are the same artifact. The related cards cover useful pieces of the workflow today; this specific file should only be published when its examples, fields, and instructions are complete.

The first version should stay concise: context, constraint, decision, evidence, owner, and follow-up. Its value would come from helping someone repeat this exact review, not from adding another generic PDF to the site.

Review checklist

The article-specific review questions are:

  • What outcome was authorized?
  • Which sources are needed for orientation?
  • Which resources may be accessed?
  • Which action changes external state?
  • Can the token be short-lived?
  • Can read data become an outbound message?
  • Why is production necessary?
  • Which action was requested?
  • What triggers a stop?
  • What did the agent accomplish?

I would add two editorial checks before publishing: can a recruiter find the point in the first minute, and can an engineer trace at least one claim to an implementation or production receipt? If either answer is no, the article needs another edit.

Implementation notes

For least-privilege AI-assisted engineering, I would write the implementation note before polish. It would name the changed surface, source of truth, owner, failure boundary, and verification path. Those details prevent the principle from floating above the actual code or operational workflow.

The proof signals I care about are specific to this article:

  • guardrails that cover composed behavior
  • production work that is deliberate and recoverable
  • evidence a reviewer can use without reconstructing the session
  • bounded failure that leaves the system understandable
  • credible evidence of secure AI-assisted operation

I would choose two or three of those signals for the first release rather than instrumenting everything. The strongest pair usually combines one direct behavior check with one operating check: a route and a data query, a keyboard path and a support state, a handler replay and a reconciliation result, or a migration count and a rendered screen.

The follow-up belongs in the note before shipping. It should say what remains temporary, what evidence would trigger another pass, and who owns that decision. That is how the first version stays intentionally narrow without making the boundary invisible.

Case-study packaging

I would structure the case-study version around the four visual lessons already established:

  • An agent permission budget connects task intent to bounded execution.
  • Permission should expand only when consequence and evidence justify it.
  • Risk follows the combination of tool, data, and consequence.
  • A useful permission receipt names what was allowed and what happened.

The opening frame explains the product pressure. The middle two show the decision moving through the system. The last frame is the receipt: what was checked, what held, and what remained unresolved. That order lets the reader move from product judgment into implementation detail without reconstructing the whole project first.

I would include one caveat tied to coding-agent workflows where tools can read repositories, edit files, run commands, query production services, send messages, or merge changes with very different consequences: a data limit, rollout boundary, unsupported state, external dependency, or result that is still directional. A precise caveat makes the evidence easier to trust because it shows where the claim stops.

The final test is whether the page creates a better conversation. If the artifact helps someone ask a sharper question about product judgment, implementation detail, or release proof in a live interview, it belongs in the story.

Interview angle

In an interview, I would explain this through permission budgets as an explicit contract between an agent, its operator, and the systems it can affect. The story should start with the product pressure, then move into the system constraint, the artifact, and the proof. That order keeps the answer grounded. It also gives the interviewer several places to go deeper: data, frontend architecture, design systems, support, migration, accessibility, or release process.

The strongest version of the answer includes a tradeoff. I want to be able to say what I chose, what I left alone, and how I knew the work helped. That is more credible than presenting every project as a clean win.

The hiring signal

A permission budget is a hiring signal because it shows I can use powerful automation without confusing capability with authority. I can move quickly while preserving review, least privilege, and accountability.

That is the level I want this site to communicate. The work should show taste, but it should also show operating judgment. It should make me look like someone who can enter a real product system, understand the messy middle, ship the useful version, and leave enough proof for the next person to trust it.

Companion artifacts

Use this after reading.

Practical downloads and templates that turn the article into something you can bring into a product review, implementation pass, or agent workflow.

DownloadJun 2026

AI Product Sprint Checklist

A practical sprint checklist for using AI across discovery, UX, implementation, and verification without skipping product judgment.

AI workflowProductDelivery
View details
RepoJun 2026

Agent-Ready API Spec Template

An OpenAPI and Postman starter template for APIs that AI agents can discover, call, and recover from safely.

OpenAPIPostmanAI agents
View details
DownloadJun 2026

UI PR Risk Review Checklist

A merge-readiness checklist for product intent, states, accessibility, visual durability, and UI implementation risk.

UI reviewQAFrontend
View details