What is the Principle of Least Privilege?
The principle of least privilege states that every entity (user, agent, process) should have only the minimum permissions necessary to perform its intended function — and nothing more. For AI agents, this means access to only the MCP tools and arguments required for the specific task.
WHY IT MATTERS
Least privilege is the single most important security principle for AI agent tool access, because the damage a compromised or prompt-injected agent can do is bounded by what it is allowed to call. An agent that only needs to read files should not have shell execution access. An agent that only queries a database should not have write permissions. An agent that only needs to search the web should not have filesystem access.
The principle has three dimensions for agents: scope (which tools can it invoke?), constraint (what arguments can it pass to them?), and time (for how long, and how often?). Each should be minimised. Least privilege in action is a policy that allows only read_file and list_directory, restricts their path argument to the project directory, and rate-limits the agent to 60 calls per minute; every tool, argument value and call budget outside that envelope is denied.
The challenge is finding the right minimum. Too restrictive and the agent cannot function. Too permissive and a compromise causes maximum damage. Start restrictive and expand based on observed needs — it is easier to add permissions than to recover from excessive ones.
HOW POLICYLAYER USES THIS
Intercept enforces least privilege for MCP tool access through its fail-closed YAML policy model. By default, all tools are denied. Operators explicitly allow only the tools the agent needs, with argument constraints limiting how those tools can be used. This inverts the default — instead of an agent having access to everything and trying to restrict it, the agent has access to nothing and must be granted specific capabilities.
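The following is an added example, not PolicyLayer's or Intercept's own code, of what a deny-by-default tool-call check looks like when it enforces the three dimensions described above (tool allowlist, argument constraints, rate limit). The policy is a hypothetical Python dict rather than PolicyLayer's YAML schema, the tool names and the /srv/project root are assumed, and the sample tool calls in demo() are constructed for illustration.

```python
import os
import time
from collections import deque
from dataclasses import dataclass

# Hypothetical policy as a plain dict (no YAML parser needed). Not PolicyLayer's
# schema. Scope = the tool allowlist, constraint = per-argument rules, time = a
# sliding-window rate limit. Anything not listed here is denied.
POLICY = {
    "rate_limit": {"calls": 60, "per_seconds": 60},
    "tools": {
        "read_file":      {"args": {"path": {"within": "/srv/project"}}},
        "list_directory": {"args": {"path": {"within": "/srv/project"}}},
    },
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def path_within(value: str, root: str) -> bool:
    """True if `value` is an absolute path under `root` after canonicalisation.

    realpath() collapses '..' and resolves symlinks visible on this host;
    commonpath() rejects the '/srv/project2' prefix trick that a plain
    startswith() would accept. Relative paths are refused, since the tool
    server, not the enforcer, decides what they are relative to. Caveat: a
    symlink created on the tool server after this check is invisible here
    (TOCTOU), so the server should enforce the same root itself.
    """
    if not os.path.isabs(value):
        return False
    real_value = os.path.realpath(value)
    real_root = os.path.realpath(root)
    return os.path.commonpath([real_value, real_root]) == real_root


class PolicyEnforcer:
    """Evaluates MCP tool calls one at a time against a policy, fail-closed."""

    def __init__(self, policy: dict, clock=time.monotonic):
        self.policy = policy
        self.clock = clock                  # injectable so the rate limit is testable
        self._allowed_at: deque = deque()   # timestamps of calls that were allowed

    def _rate_limited(self, now: float) -> bool:
        limit = self.policy["rate_limit"]
        while self._allowed_at and now - self._allowed_at[0] >= limit["per_seconds"]:
            self._allowed_at.popleft()
        return len(self._allowed_at) >= limit["calls"]

    def evaluate(self, tool: str, args: dict) -> Decision:
        # Scope: the tool must be explicitly allowed.
        spec = self.policy["tools"].get(tool)
        if spec is None:
            return Decision(False, f"tool {tool!r} is not in the allowlist (default deny)")

        # Constraint: every supplied argument must be one the policy enumerates,
        # and every enumerated argument must be present and satisfy its rule.
        # Unknown arguments are denied, not ignored, so a server option the
        # operator never reviewed cannot be smuggled past the policy.
        rules = spec.get("args", {})
        for name in args:
            if name not in rules:
                return Decision(False, f"argument {name!r} is not permitted for {tool}")
        for name, rule in rules.items():
            value = args.get(name)
            if not isinstance(value, str):
                return Decision(False, f"argument {name!r} must be a string")
            if "within" in rule and not path_within(value, rule["within"]):
                return Decision(False, f"{name}={value!r} escapes {rule['within']}")

        # Time: checked last so that denied calls do not consume the budget.
        now = self.clock()
        if self._rate_limited(now):
            return Decision(False, "rate limit exceeded")
        self._allowed_at.append(now)
        return Decision(True, "allowed")


def demo() -> list:
    """Constructed tool calls of the kind an agent might emit; returns decisions."""
    enforcer = PolicyEnforcer(POLICY)
    calls = [
        ("read_file", {"path": "/srv/project/src/main.py"}),              # in scope, in bounds
        ("execute_shell", {"command": "cat /etc/shadow"}),                # tool not allowed
        ("read_file", {"path": "/srv/project/../../etc/passwd"}),         # traversal
        ("read_file", {"path": "/srv/project2/secrets.env"}),             # prefix trick
        ("read_file", {"path": "/srv/project/a", "follow_symlinks": "1"}),  # unreviewed argument
    ]
    return [(tool, enforcer.evaluate(tool, args)) for tool, args in calls]


if __name__ == "__main__":
    for tool, decision in demo():
        print(f"{tool:14} {'ALLOW' if decision.allowed else 'DENY':5} {decision.reason}")
```

Only the first call in demo() is allowed. The design choice worth noting is that the enforcer rejects arguments it does not recognise rather than passing them through: a policy that only constrains the arguments it knows about silently widens privilege whenever the tool server gains a new option.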