When to reach for it
- Tools execute sensitive actions.
- Agents require varying access levels.
- Compliance or auditability is relevant.
/pattern/permission-scoped-tools/
Each tool is provisioned with the minimal permissions its use requires, scoped per agent, task, or run — so the credential a tool call carries, not merely which tools exist, bounds what a compromised or misdirected call can reach.
In practiceA document-processing agent is provisioned with read-only S3 access for the specific input bucket, so even if it calls a delete method the IAM scope denies the action.
Without itWithout scoped permissions, a compromised or misdirected tool call can reach systems it never needed, amplifying a single prompt injection into a broad data breach. See the anti-pattern →
When to reach for it
When it backfires
The tradeoff
Enhanced security is gained against higher administration overhead.
A tool call runs only within its granted scope.
Every time a task fails on a permission boundary, the easy fix is to broaden the scope. After three quarters every tool runs with admin and the original principle is gone.
Fix · Treat permission widening as an architectural change, not a bug fix. Require a reviewer when a scope grows; record the justification in the audit trail.
The agent is instructed not to call the delete method, but the token it holds still permits it. A prompt injection ignores the instruction and the platform happily executes the call.
Fix · Enforce scope at the credential / IAM layer so the action is denied at the boundary; never treat a prompt instruction as a security control.
Keep going
Search patterns, frameworks, and pages.