What is Least Privilege (MCP)?


Applying the principle of least privilege to MCP tool access: AI agents should only have access to the specific tools and argument ranges required for their current task, with all other access denied by default.

WHY IT MATTERS

The principle of least privilege is one of the oldest and most fundamental concepts in information security. First articulated by Jerome Saltzer in 1974, it states that every subject should operate using the least set of privileges necessary to complete its task. For AI agents with MCP tool access, this principle is not just relevant — it is critical.

Traditional software systems enforce least privilege through role-based access control, IAM policies, and network segmentation. MCP has no built-in equivalent. The protocol connects clients to servers and exposes tools — there is no native mechanism to restrict which tools an agent can call or what arguments it can pass. This gap means that without external enforcement, every agent operates with maximum privilege by default.

Implementing least privilege for MCP requires answering three questions for each agent deployment. First, which MCP servers does the agent need to connect to? Second, within those servers, which specific tools does the agent need? Third, within those tools, what argument ranges are valid for the agent's task? Each layer of specificity reduces the attack surface.

The practical challenge is that least privilege requires upfront analysis of what each agent needs. This is effort that teams often skip in favour of broad access. The result is over-permissioned agents with unnecessarily large blast radii — exactly the situation least privilege is designed to prevent.

HOW POLICYLAYER USES THIS

Intercept is purpose-built for implementing least privilege in MCP. YAML policies define per-server, per-tool, per-argument constraints that scope an agent's permissions to exactly what is needed. The fail-closed default denies any tool not explicitly allowed, making least privilege the automatic posture rather than something you have to opt into. Argument conditions in policies constrain not just which tools are callable, but how they can be called — restricting file paths, query patterns, and parameter values to the minimum required range.
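The three layers described above (which servers, which tools on each server, which argument ranges), with denial as the default at every layer, can be made concrete in a few dozen lines. The following is an added illustration written for this page; it is not Intercept's code, and the policy shape (`REVIEW_AGENT_POLICY`, `ArgRule`, `ToolRule`) is a hypothetical in-memory structure, not Intercept's YAML schema. The server and tool names (`filesystem/read_file`, `database/query`, `shell/exec`) are constructed for the example.

```python
"""Three-layer, fail-closed least-privilege check for MCP tool calls.

Added illustration: the policy shape below is hypothetical and is NOT
Intercept's YAML schema. It mirrors the three questions in the text:
which servers, which tools on each server, and which argument ranges.
Anything not explicitly listed at any layer is denied.
"""
import posixpath
import re
from dataclasses import dataclass, field
from typing import Any, Dict, Optional, Set


@dataclass
class ArgRule:
    """Constraint on one tool argument; every field that is set must hold."""
    path_prefix: Optional[str] = None   # value must be a path under this directory
    pattern: Optional[str] = None       # value must fully match this regex
    allowed: Optional[Set[str]] = None  # value must be one of these exact strings
    max_len: Optional[int] = None       # length cap on the value


@dataclass
class ToolRule:
    """Argument names not listed in `args` are rejected outright."""
    args: Dict[str, ArgRule] = field(default_factory=dict)


# server -> tool -> rule. Absence at any layer means "deny".
Policy = Dict[str, Dict[str, ToolRule]]


@dataclass
class Decision:
    allowed: bool
    reason: str


def _under_prefix(value: str, prefix: str) -> bool:
    """Normalise first so '..' segments cannot escape the allowed directory."""
    norm = posixpath.normpath(value)
    base = posixpath.normpath(prefix)
    return norm == base or norm.startswith(base + "/")


def _check_arg(name: str, value: Any, rule: ArgRule) -> Optional[str]:
    """Return a denial reason, or None when the value satisfies the rule."""
    if not isinstance(value, str):
        return f"argument {name!r}: expected a string"
    if rule.max_len is not None and len(value) > rule.max_len:
        return f"argument {name!r}: longer than {rule.max_len} characters"
    if rule.path_prefix is not None and not _under_prefix(value, rule.path_prefix):
        return f"argument {name!r}: {value!r} is outside {rule.path_prefix!r}"
    if rule.pattern is not None and re.fullmatch(rule.pattern, value) is None:
        return f"argument {name!r}: value does not match the allowed pattern"
    if rule.allowed is not None and value not in rule.allowed:
        return f"argument {name!r}: value not in the allowed set"
    return None


def evaluate(policy: Policy, server: str, tool: str, args: Dict[str, Any]) -> Decision:
    """Fail-closed evaluation: server, then tool, then every argument passed."""
    tools = policy.get(server)
    if tools is None:
        return Decision(False, f"server {server!r} is not in the policy")
    rule = tools.get(tool)
    if rule is None:
        return Decision(False, f"tool {server}/{tool} is not in the policy")
    for name, value in args.items():
        arg_rule = rule.args.get(name)
        if arg_rule is None:
            return Decision(False, f"argument {name!r} is not permitted for {server}/{tool}")
        reason = _check_arg(name, value, arg_rule)
        if reason is not None:
            return Decision(False, reason)
    return Decision(True, "allowed by policy")


# Constructed policy for a code-review agent (hypothetical server/tool names):
# read sources under one directory, and run single read-only SQL statements.
REVIEW_AGENT_POLICY: Policy = {
    "filesystem": {
        "read_file": ToolRule(args={"path": ArgRule(path_prefix="/repo/src")}),
    },
    "database": {
        # A regex is only a coarse approximation of "read-only"; pair it with
        # a read-only database role rather than relying on it alone.
        "query": ToolRule(args={"sql": ArgRule(pattern=r"(?is)\s*SELECT\b[^;]*", max_len=2000)}),
    },
}


if __name__ == "__main__":
    calls = [
        ("filesystem", "read_file", {"path": "/repo/src/app.py"}),
        ("filesystem", "read_file", {"path": "/repo/src/../../etc/passwd"}),
        ("shell", "exec", {"cmd": "ls"}),
        ("database", "query", {"sql": "SELECT 1; DROP TABLE users"}),
    ]
    for server, tool, args in calls:
        d = evaluate(REVIEW_AGENT_POLICY, server, tool, args)
        print(("ALLOW" if d.allowed else "DENY "), f"{server}/{tool} {args} -> {d.reason}")
```

Two design points carry over to any real enforcement layer: the check returns a denial for anything absent from the policy, so a new server, tool or argument name never slips through by omission, and path arguments are normalised before the prefix comparison, so a traversal sequence in an argument cannot widen the permitted range.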

FREQUENTLY ASKED QUESTIONS

How do I determine what minimum permissions my agent needs?
Start permissive in a staging environment with Intercept in log-only mode. Run the agent through its intended workflows, then review the audit log to see exactly which tools and arguments were used. Write policies that allow only those patterns, then enforce in production.
Does least privilege mean a separate policy for every task?
Ideally, yes. Different tasks require different tools. A code review task should not have access to deployment tools. Intercept supports multiple policy profiles, making it practical to apply task-specific permission sets without managing separate agent instances.
What happens when an agent needs a new tool that is not in its policy?
The call is denied and logged. This is the intended behaviour — it surfaces the need for a policy update through a reviewable process. Update the YAML policy, review it in a pull request, and Intercept hot-reloads the change without a restart.
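The first answer above describes deriving the minimum permission set from a log-only run: record every tool call the agent makes in staging, then allow only the observed patterns. The following is an added example of that derivation step written for this page; it is not Intercept's code. The JSON-lines record format, the field names (`ts`, `server`, `tool`, `args`) and the sample records in `SAMPLE_AUDIT_LOG` are all constructed here and are not Intercept's audit log format.

```python
"""Derive a minimal allowlist from a log-only audit trail.

Added illustration of the FAQ workflow: run the agent permissively in
staging, record every tool call, then allow only the observed
(server, tool, argument) patterns. The record format and the sample
lines are constructed here; they are not Intercept's log format.
"""
import json
import posixpath
from collections import defaultdict
from typing import Dict, List

# Constructed audit records from a staging run of a code-review agent.
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-01-01T10:00:01Z", "server": "filesystem", "tool": "read_file", "args": {"path": "/repo/src/app.py"}}
{"ts": "2024-01-01T10:00:02Z", "server": "filesystem", "tool": "read_file", "args": {"path": "/repo/src/utils/io.py"}}
{"ts": "2024-01-01T10:00:03Z", "server": "filesystem", "tool": "read_file", "args": {"path": "/repo/src/models.py"}}
{"ts": "2024-01-01T10:00:04Z", "server": "database", "tool": "query", "args": {"sql": "SELECT id, email FROM users LIMIT 10"}}
{"ts": "2024-01-01T10:00:05Z", "server": "database", "tool": "query", "args": {"sql": "SELECT count(*) FROM orders"}}
"""


def _looks_like_paths(values: List[object]) -> bool:
    """True when every observed value is an absolute POSIX path."""
    return all(isinstance(v, str) and v.startswith("/") for v in values)


def derive_policy(log_text: str) -> Dict[str, Dict[str, Dict[str, dict]]]:
    """Group observed calls by server/tool/argument and summarise each argument.

    Absolute-path arguments collapse to the common parent directory of the
    files that were actually read; other arguments keep the exact observed
    values. Servers and tools that never appear in the log are simply
    absent, which under a fail-closed evaluator means they stay denied.
    """
    observed = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        for name, value in rec["args"].items():
            observed[rec["server"]][rec["tool"]][name].append(value)

    policy: Dict[str, Dict[str, Dict[str, dict]]] = {}
    for server, tools in observed.items():
        for tool, args in tools.items():
            rules = {}
            for name, values in args.items():
                if _looks_like_paths(values):
                    parents = [posixpath.dirname(posixpath.normpath(v)) for v in values]
                    rules[name] = {"path_prefix": posixpath.commonpath(parents)}
                else:
                    # Exact values are the narrowest rule; a reviewer may widen
                    # them to a pattern in the pull request that lands the policy.
                    rules[name] = {"allowed": sorted(set(map(str, values)))}
            policy.setdefault(server, {})[tool] = rules
    return policy


if __name__ == "__main__":
    print(json.dumps(derive_policy(SAMPLE_AUDIT_LOG), indent=2))
```

The output is a starting point for review, not a finished policy: the common-prefix rule is the narrowest directory that covers every observed read, so one stray access to a sibling tree would widen it, and that is exactly the kind of line a reviewer should question in the pull request before enforcing in production.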

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept