Bible Network Crypto DeFi Onchain RWA AI Agent Stablecoin Chain SAFU CryptoTax DeFAI AGI Claude Me Claude Skill Claude Design Claude Cowork
Independent Media
Not affiliated with any project
Deconstructing Autonomous Agents in Crypto
aiagent-bible.com
LATEST
How Beginners Should Choose Their First Agent Framework: Stop Asking 'Which Is Strongest,' Ask 'Which Gets Me Running Today'  ·  Prompt Injection Defense for Onchain Agents: Why 'Tell the Model Not to Trust External Instructions' Is the Least Useful Defense, and the Layered Architecture That Actually Works  ·  Agent Retry and Error Handling Strategy Design: Why 'Just Retry on Failure' Is the Default Logic Most Likely to Bankrupt You  ·  Onchain Agent Production Deployment Security Checklist: 35 Security Design Items to Confirm Before Deployment, Organized in Five Categories  ·  AI Agent Business Model Deep Dive: Four Mainstream Monetization Models, Cost Structure Breakdown, and How to Calculate Your Agent's Break-Even Point  ·  How AI Agents Use LLMs for Planning: Four Planning Strategies, Failure Modes, and Dynamic Replanning Design
Glossary · Agent Security & Alignment

Least Privilege

Agent Security & Alignment 初級

30-Second Version · For the impatient
Least Privilege is a security design principle: an Agent should only be granted the minimum permission scope necessary to complete its current task — no more, and never granted extra permissions preemptively just because it 'might need them later.' This way, even if the Agent is hijacked or malfunctions, the damage it can cause is bounded to a minimum.
Full Explanation +
01 · What is this?

Least Privilege is a concept that's long existed in traditional security. What's specific to applying it to AI Agents that traditional system design doesn't need to worry about?

The biggest difference comes from who decides whether to use a permission. In traditional system least-privilege design, when a permission gets used is determined by deterministic program logic — a backend service only executes a database write upon receiving a request matching a specific format, and that judgment logic is hard-coded by engineers, never 'persuaded' by different input content to do something it shouldn't.

AI Agents work completely differently. When an Agent uses its granted permission is determined by LLM reasoning, and that reasoning is influenced by input content (user instructions, tool-returned data, even text on a webpage). This means that even if an Agent's permission design is entirely correct (granted only the minimum scope necessary for the task), if the reasoning process is manipulated by Prompt Injection, the Agent can still be 'persuaded' to use that permission in a situation where it shouldn't — for example, an Agent authorized only for small transactions on a specific DeFi protocol, if it reads page content hiding a malicious instruction, might be tricked into moving funds within its authorized scope to a malicious address instead of the intended protocol address.

This means Agent-context Least Privilege design must layer on, beyond the traditional 'permission scope should be small,' an additional defense of 'even if the permission is misused, the resulting damage must be bounded.' In other words, permission scope design can't only consider 'sufficient for normal circumstances' — it must also consider 'worst case, if this permission were tricked into misuse via Prompt Injection, how much damage could it cause.' These are different-tier problems; traditional system design usually doesn't need to specifically consider the latter, since traditional systems' execution logic can't be 'persuaded' by input content to misbehave.

02 · Why does it exist?

When designing an Agent's least privilege, how specifically should separating 'query-type' from 'execution-type' permissions be implemented? Is splitting into two API keys enough?

Splitting API keys is a necessary first step but not a sufficient implementation — simply splitting keys, if the underlying account permissions those two keys map to aren't actually restricted, can still cause problems. A complete implementation needs three layers.

Layer one: account-level permission isolation. The query credential should correspond to a 'read-only' account or API key that's already configured server-side (at the exchange or wallet provider) as incapable of signing transactions — not just an application-layer assumption that 'this key will only be used for queries.' This is critical: if the query key technically retains the ability to sign transactions and the application logic simply 'doesn't' call the signing function, a bug in that application layer (e.g., tricked by Prompt Injection into calling a function it shouldn't) can still cause damage with that key. Real least privilege must be enforced at the credential's own capability boundary, not relied upon through application-layer 'we just won't use it that way.'

Layer two: fine-grained control of execution-type permissions. Even an execution-type credential shouldn't be an all-purpose 'can do anything' permission — it should be further partitioned by task type. A credential 'can only trade on Protocol A' and one 'can operate across multiple protocols' are different permission tiers and shouldn't be covered by the same key.

Layer three: time-bound restriction. Execution credentials should have an explicit expiration, invalidated or revoked immediately upon task completion, rather than staying valid long-term with only application logic deciding 'this time we won't call it.' This bounds the exploitable window even if the credential itself is leaked.

Splitting into two keys without actually restricting the underlying permission scope is a common trap of 'formally doing least privilege but not substantively.'

03 · How does it affect your decisions?

If an Agent task inherently needs a relatively large permission scope (e.g., an asset management Agent whose whole job is to freely allocate a user's funds), does least privilege still apply?

Yes, and this is exactly the scenario where least privilege delivers the most value — 'the task needs broad permission' and 'broad permission should be granted without limits' are two different things. Least privilege doesn't mean 'never grant broad permission' — it means 'permission scope should precisely match task scope, no more and no less,' even when that task's scope is inherently large.

Three concrete directions: decompose 'broad permission' into composable granular permissions rather than one blanket 'full control' permission. An asset management Agent might need 'operate only within a pre-approved protocol list,' 'per-transaction limit not exceeding a user-set cap,' and 'daily cumulative volume not exceeding a threshold' — specific, verifiable sub-permissions combined together, rather than an all-purpose 'do anything with this wallet' permission. Even though these sub-permissions add up to cover a large operational scope, decomposing into independently verifiable, individually revocable grains is still far safer than one blanket broad permission — because if any single sub-permission has a problem, the damage is bounded to that sub-permission alone, not spilling into others. Introduce tiered authorization rather than one-time full authorization: routine small-value operations completed by the Agent's autonomous authority, operations beyond a certain threshold trigger human confirmation (e.g., pushing a notification requiring manual user approval before execution). This separates 'the task needs broad operational capability' from 'every single operation needs no human involvement' — broad capability can exist, while high-risk individual operations still retain a human gatekeeping line. Dynamically adjust permission scope rather than fixed authorization: adjust trust levels dynamically based on the Agent's past behavior record — an Agent whose operations over the past 30 days all matched expectations without triggering anomaly alerts can have its per-transaction cap modestly relaxed; the moment an anomalous behavior pattern is detected (a burst of small probing transactions in a short window, a common attacker reconnaissance tactic), immediately tighten permission scope or even suspend execution capability until human review restores it. The core principle stays constant: even with a large task scope, permission scope should still be decomposed so each granule corresponds to an explicit, verifiable necessity, rather than abandoning fine-grained design and handing over one blanket high permission just because the task is large.

04 · What should you do?

In multi-agent systems, an Orchestrator typically coordinates multiple Sub-agents to complete a task — should the Orchestrator itself hold the union of all Sub-agent permissions?

No, and this is an easily overlooked but high-impact least-privilege violation in multi-agent system design.

Intuitively it might seem reasonable: the Orchestrator 'commands' all the Sub-agents, so it should hold permissions covering all Sub-agents' work scope for 'easier management.' But this intuition is wrong, because it conflates two entirely different roles — 'coordination' and 'execution.'

The correct permission design: the Orchestrator itself should hold no execution-type permission directly (transaction-signing capability, database-write capability) — its role is purely to decide which Sub-agent to call and what parameters to pass. Real execution-type permissions should be distributed among the individual Sub-agents, each holding only the minimum permission its own task scope requires — the Sub-agent responsible for on-chain transaction execution holds the transaction-signing credential; the Sub-agent responsible for reading a database holds database access credentials. The Orchestrator holds none of these credentials — it only decides which Sub-agent to call right now.

The security value of this design: if the Orchestrator itself gets compromised (e.g., its LLM manipulated by Prompt Injection), the worst thing an attacker can do is trick the Orchestrator into calling some Sub-agent to perform an operation within that Sub-agent's own permission scope — but if that Sub-agent's permission is already minimized, the operation's possible damage is still bounded. In contrast, if the Orchestrator holds the union of all Sub-agent permissions, once compromised, an attacker can directly wield every permission in the system, with no bound on damage.

This principle is often called 'permission should follow the executor, not the coordinator' — a coordinator only needs to know who to ask to do something, not need the capability to do it itself.

Real-World Example +

A least-privilege implementation case for an on-chain yield-optimization Agent

An Agent that automatically moves funds between DeFi protocols to find optimal rates implemented permissions as follows: a separated credential architecture — the Agent holds two entirely independent credentials. A 'query credential' maps to a read-only RPC node access key that can query any protocol's rate, TVL, and historical data, but has no signing capability server-side — even if the Agent's reasoning is tricked into attempting to sign a transaction with it, the server rejects it outright (not because application logic decided not to call it, but because the key itself lacks that capability). An 'execution credential' maps to a wallet that can actually sign transactions, but held through a smart contract wallet (rather than a direct EOA private key), with two hard rules written into the contract layer: 'no single transfer exceeds 10% of user funds' and 'can only interact with 5 whitelisted protocol addresses.' These rules live in contract logic, not soft application-layer limits — even if the Agent's reasoning is fully manipulated, the contract cannot be made to execute beyond these two rules. Task scope dynamically adjusts permission: if a user removes a protocol from the whitelist, the Agent's execution credential immediately loses operational capability for that protocol at the contract level, without needing to wait for an application redeploy or logic update — permission tightening happens directly at the credential's capability layer, not relying on timely application logic updates. Tiered authorization handles high-value operations: operations within the 10% per-transaction cap execute autonomously; if an arbitrage opportunity requires moving funds beyond that ratio (e.g., discovering an unusually large rate gap), the system pushes a notification requiring the user to manually sign an additional 'temporarily raise the cap' transaction before the Agent can execute — final decision authority on high-value operations always stays with a human. The key principle this case demonstrates: permission restriction doesn't rely on the assumption that 'the Agent's reasoning logic is reliable enough and won't misbehave' — the restriction is carved into the smart contract and key capability layer itself. Even if the top-level LLM reasoning is completely manipulated, the damage it can cause is still locked to a clear ceiling by contract rules — exactly the least-privilege design mindset of 'assume the Agent could be tricked at any time, but keep the damage range controllable.'

Diagram
Least Privilege: Permission Tiers Mapped to Task Scope權限分層圖:左側呈現三層任務範圍(查詢/小額操作/高額操作),右側對應三層權限範圍,中間用箭頭連接顯示「任務範圍應該精確對應權限範圍」,並標註常見的過度授權錯誤連線(虛線)作為對比。Least Privilege: Task Scope → Permission ScopeTask TypePermission GrantedRead balance / queryNo signing neededRead-only keyNo transaction abilitySmall-value executione.g. under $50/txCapped signing keyPer-tx + daily limitHigh-value executionRequires human co-signMulti-sig requiredAgent alone insufficient✗ Common mistake: granting high-value permission to a query-only Agent "just in case"AI Agent Bible · aiagent-bible.com
Feel free to share. Please credit the source.
Common Misconceptions +
✕ Misconception 1
× Misconception 1: least privilege only needs restriction at the application logic layer (e.g., 'this function's code won't call sign-transaction'). If the permission restriction exists only in application logic while the underlying credential itself retains full capability, once the application logic has a vulnerability (whether a traditional bug or a Prompt Injection trick), the credential's full capability can still be abused. Real least privilege must be enforced at the credential/account's own capability boundary, not just relied upon through an application-layer assumption that 'it just won't be used that way.'
✕ Misconception 2
× Misconception 2: since the task scope itself is inherently large (e.g., an asset-management Agent), least privilege doesn't apply, and you can only grant one blanket broad permission. A large task scope doesn't mean permission can't be decomposed — a broad task can be split into independently verifiable, individually restrictable, individually revocable permission grains (protocol whitelist, per-transaction cap, daily cumulative cap), so even when the overall task requires broad operational capability, fine-grained permission boundary design still doesn't need to be abandoned.
The Missing Link +
Direct Impact

Least Privilege's core tradeoff is security boundary granularity versus development and maintenance complexity. The more finely permissions are decomposed (each sub-task with an independent, precisely scoped credential), the more solid the security boundary and the smaller the blast radius of any single point of failure; but each additional layer of permission decomposition adds another layer of credential management logic to develop, test, maintain, and monitor — potentially exceeding a small team's realistic engineering capacity. Another tradeoff is static permission versus dynamically adjusted permission: dynamically adjusting trust level based on an Agent's behavior history (relaxing on good performance, tightening on anomalies) can improve efficiency while maintaining security, but if the dynamic adjustment mechanism's judgment logic is poorly designed (e.g., anomaly-detection thresholds set too loosely), it can be exploited by an attacker's 'establish a good behavior record first, then attack' strategy to bypass restrictions. Recommendation: apply the strictest static decomposition uniformly to core fund-operation permissions (don't relax high-risk permissions like fund caps just because trust has improved), and reserve dynamic trust adjustment for low-risk operational scope (query frequency limits, access scope for non-fund functions) — avoid building the security-critical defense line on the dynamic assumption that 'good behavior equals trustworthy,' which can be bypassed by a long-dormant attack strategy.

Ask a Question
Please enter at least 10 characters