What is an Over-Permissioned Agent?
An AI agent configured with access to more MCP tools or broader argument ranges than its task requires, violating the principle of least privilege and expanding the blast radius if the agent is compromised or misbehaves.
WHY IT MATTERS
Over-permissioning is the most common security misconfiguration in AI agent deployments. It happens because granting broad access is easy — restrict nothing and the agent works for any task. Scoping permissions requires understanding what the agent needs, which takes effort. So teams default to giving agents access to everything.
The risk is straightforward: an over-permissioned agent that is compromised via prompt injection, or that simply hallucinates an inappropriate tool call, can do far more damage than one with scoped access. An agent with access to both a read-only analytics tool and a production database write tool has a fundamentally larger blast radius than one with only the analytics tool.
This is not a theoretical concern. In practice, MCP client configurations often list every available server, giving agents access to dozens of tools when they need three. Each additional tool is additional attack surface — more ways for injected instructions to cause harm, more sensitive data the agent can access, more destructive operations it can invoke.
The principle of least privilege exists precisely for this scenario: grant only the minimum access required for the task at hand. For AI agents, this means configuring tool access per-task or per-session, not per-deployment.
HOW POLICYLAYER USES THIS
Intercept enforces least privilege at the policy layer. YAML policies define exactly which tools each agent can access and what argument values are permitted, scoping permissions far more granularly than MCP client configuration alone. You can define different policy profiles for different tasks — a code review agent gets read-only file access, while a deployment agent gets write access to specific paths only. Intercept's deny-by-default mode ensures that any tool not explicitly allowed is blocked, preventing over-permissioning even as new tools are added to MCP servers.
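The per-task scoping described above, as an added worked example that is not Intercept's code or its YAML schema: the policy dicts, the `glob`/`max` constraint keys and the server tool list are constructed for illustration. It contrasts an allow-everything profile with two deny-by-default profiles and shows how argument scoping has to normalize paths so a traversal like `src/../deploy/...` cannot slip past a prefix check.

```python
import fnmatch
import posixpath
from dataclasses import dataclass

# Constructed, hypothetical policy schema (not Intercept's real format):
# "default" is the verdict for unlisted tools; listed tools may constrain args.
CODE_REVIEW_PROFILE = {
    "default": "deny",
    "tools": {"read_file": {"args": {"path": {"glob": "src/*"}}}, "list_dir": {}},
}
DEPLOY_PROFILE = {
    "default": "deny",
    "tools": {
        "read_file": {},
        "write_file": {"args": {"path": {"glob": "deploy/*"}}},
        "scale_service": {"args": {"replicas": {"max": 10}}},
    },
}
OVER_PERMISSIONED = {"default": "allow", "tools": {}}  # every tool reachable, no limits
# Constructed list of what an MCP server exposes.
SERVER_TOOLS = ["read_file", "list_dir", "write_file", "scale_service",
                "run_sql", "drop_table", "send_email"]

@dataclass
class Decision:
    allowed: bool
    reason: str

def _check_arg(name, value, constraint):
    """Return a denial reason, or None if the argument value is within range."""
    if "glob" in constraint:
        path = posixpath.normpath(str(value))  # collapses "src/../deploy/x" -> "deploy/x"
        if path.startswith("/") or path == ".." or path.startswith("../"):
            return f"{name}={value!r} escapes the permitted tree"
        if not fnmatch.fnmatchcase(path, constraint["glob"]):
            return f"{name}={value!r} outside permitted range {constraint['glob']!r}"
    if "max" in constraint and not (isinstance(value, (int, float)) and value <= constraint["max"]):
        return f"{name}={value!r} exceeds max {constraint['max']}"
    return None

def evaluate(policy, tool, args):
    """Deny-by-default: the tool must be listed and every constrained argument must pass."""
    default = policy.get("default", "deny")
    rules = policy["tools"]
    if tool not in rules:
        return Decision(default == "allow", f"'{tool}' not listed; default={default}")
    for name, constraint in rules[tool].get("args", {}).items():
        if name not in args:
            return Decision(False, f"required argument '{name}' missing")
        reason = _check_arg(name, args[name], constraint)
        if reason:
            return Decision(False, reason)
    return Decision(True, "allowed")

def reachable_tools(policy, server_tools):
    """Blast radius: the subset of server tools this profile lets the agent invoke."""
    if policy.get("default", "deny") == "allow":
        return set(server_tools)
    return set(server_tools) & set(policy["tools"])
```

Running `reachable_tools` against both profiles is the quickest audit of how far a compromised agent could reach; the argument checks then bound what it can do with the tools it does keep.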