
Key Takeaways
- Least privilege remains necessary for agentic AI environments, but an agent can stay entirely within its authorized permission set and still behave in ways that are inappropriate for its declared purpose.
- Least agency extends governance from what agents can access to what autonomous actions they're permitted to take, in what sequence, under what conditions, and subject to what oversight.
- The least agency ratio, the measured gap between what an agent is permitted to access and how much of that access it can act on autonomously, is the key metric for board reporting on agentic risk.
- In multi-agent architectures, decision budgets provide a principled mechanism for governing the compounding of autonomous decision scope across delegation chains.
- Download Beyond Identity: The CISO's Guide to Securing Agentic AI for the complete framework for implementing least agency governance at runtime.
Least privilege is foundational. It's been a core security principle for decades, and it's no less relevant in agentic AI environments. An agent shouldn't hold permissions beyond what its task requires, and remediating over-permissioned agents is one of the highest-value quick wins available to any agentic AI security program.
But here's what the security industry has been slow to acknowledge: correctly implemented least privilege still isn't sufficient.
An agent can stay entirely within its authorized permission set and still behave in ways that are inappropriate for its declared purpose. The permission boundary defines the outer limit of what the agent can reach. It doesn't constrain how the agent reasons about what to do within that space, how it sequences its actions, how it responds to adversarial inputs, or whether the aggregate effect of its individually permitted actions is consistent with the intent for which it was deployed.
That's the gap least agency is designed to fill.
What Least Agency Actually Means
Least agency isn't about permissions. It's about behavior. It asks not "what can this agent access?" but "what autonomous actions should this agent be permitted to take, in what sequence, under what conditions, and subject to what oversight?" It scopes what agents do, not just what they can reach.
Consider the practical difference. An HR agent provisioned with read access to the employee database according to least privilege principles is correctly scoped in terms of what it can reach. But if that agent is compromised through prompt injection and begins querying records for employees outside its assigned workflow, one record at a time, staying below any volume threshold, it has violated the spirit of its deployment without violating a single access control. Least privilege says the access was authorized. Least agency asks whether the behavior was appropriate.
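The HR agent scenario above, as an added detection sketch that is not part of the original article or of any product: a per-hour volume threshold stays silent on the constructed audit log, while a check of each read against the workflow's assigned records flags the out-of-purpose queries. The log format, workflow IDs, scope mapping, and threshold are all assumptions made for illustration.

```python
from collections import Counter

# Constructed sample audit log: (hour, agent_id, workflow_id, employee_record_read)
AUDIT_LOG = [
    (9,  "hr-agent", "onboard-1042", "E1042"),
    (9,  "hr-agent", "onboard-1042", "E1042"),
    (10, "hr-agent", "onboard-1042", "E0007"),  # not part of this workflow
    (11, "hr-agent", "onboard-1043", "E1043"),
    (12, "hr-agent", "onboard-1043", "E0311"),  # not part of this workflow
    (13, "hr-agent", "onboard-1043", "E0002"),  # not part of this workflow
]

# Assumed mapping: the records each assigned workflow is expected to touch.
WORKFLOW_SCOPE = {
    "onboard-1042": {"E1042"},
    "onboard-1043": {"E1043"},
}

VOLUME_THRESHOLD = 5  # assumed limit: reads per agent per hour


def volume_alerts(log, threshold=VOLUME_THRESHOLD):
    """Least-privilege-era control: alert only on read volume per agent-hour."""
    counts = Counter((hour, agent) for hour, agent, _, _ in log)
    return [key for key, n in counts.items() if n > threshold]


def out_of_scope_reads(log, scope=WORKFLOW_SCOPE):
    """Least-agency check: is each authorized read consistent with the
    workflow the agent was running when it made the read?"""
    return [
        entry for entry in log
        if entry[3] not in scope.get(entry[2], set())  # unknown workflow => flag
    ]


if __name__ == "__main__":
    print("volume alerts:", volume_alerts(AUDIT_LOG))
    for hour, agent, workflow, record in out_of_scope_reads(AUDIT_LOG):
        print(f"hour {hour}: {agent} read {record} outside {workflow}")
```

Every read in the log is permitted by the agent's access grant; only the second check compares behavior with declared purpose.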
Scope Creep: The Silent Accumulation Problem
Preventing scope creep is a continuous governance challenge. As agents evolve, take on new tasks, and integrate with new systems, their effective scope tends to expand. Without deliberate governance checkpoints that require explicit justification for scope expansion, agents accumulate capabilities that were never formally authorized and may never have been security-reviewed.
The data on this is stark. Entro Security's research found that 97% of non-human identities carry excessive privileges. Over 5.5% of AWS NHIs are full administrators, accounts with unrestricted access across cloud services. In some organizations, that rate reaches 18%. These "super NHIs" didn't start that way. They accumulated permissions incrementally, through deadline pressures, convenience decisions, and the absence of governance checkpoints that would have caught the drift.
Maintaining least agency requires treating scope changes to existing agents with the same rigor as the initial deployment of new ones. The agent that received an expanded tool integration six months ago without a security review now has an effective permission scope that was never formally authorized. That's an unreviewed agent in a reviewed agent's clothing.
The Operational Mechanisms: JIT Access and Dynamic Scoping
Just-in-time (JIT) access and dynamic scoping are the operational mechanisms for implementing least agency at runtime. An agent executing a customer service task doesn't need access to the financial reporting system, even if its service account technically has permissions there. Dynamic scoping constrains the agent's effective access based on the specific task it's currently performing, tightening that scope as the task progresses and the relevant data needs become clear.
JIT access, already a best practice for privileged human accounts, becomes a core governance mechanism for agents in high-risk contexts. Rather than granting permissions once and allowing agents to exercise them indefinitely, dynamic authorization models grant permissions incrementally based on demonstrated need in context, withdraw them when a task is complete, and constrain them further when behavioral signals indicate elevated risk.
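One way to model the JIT and dynamic scoping behavior described above, as an added example rather than code from the original article or any vendor: grants are issued per task with a time limit, withdrawn on completion, and narrowed to read-only when a risk flag is set. The task policy, resource names, TTL, and the read-only rule under elevated risk are assumptions.

```python
from dataclasses import dataclass, field

# Assumed policy: (resource, action) pairs each task type may request.
# The service account may hold more; the task scope is what gets enforced.
TASK_POLICY = {
    "customer_service": {("crm", "read"), ("tickets", "read"), ("tickets", "write")},
}


@dataclass
class Grant:
    resource: str
    action: str
    expires_at: float


@dataclass
class TaskSession:
    agent_id: str
    task: str
    grants: list = field(default_factory=list)
    elevated_risk: bool = False  # set by behavioral monitoring (hypothetical)


def request_access(session, resource, action, now, ttl=300):
    """Issue a short-lived grant only if the current task needs it."""
    if (resource, action) not in TASK_POLICY.get(session.task, set()):
        return False  # outside the task scope, whatever the account can reach
    if session.elevated_risk and action != "read":
        return False  # constrain further while risk is elevated
    session.grants.append(Grant(resource, action, now + ttl))
    return True


def is_authorized(session, resource, action, now):
    """Check at the moment of use: grant must exist, be unexpired, and
    still be acceptable under the session's current risk state."""
    if session.elevated_risk and action != "read":
        return False
    return any(
        g.resource == resource and g.action == action and g.expires_at > now
        for g in session.grants
    )


def complete_task(session):
    """Withdraw every grant when the task ends."""
    session.grants.clear()
```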
The Least Agency Ratio: A Metric Worth Tracking
The most useful metric for the board conversation on agentic AI risk is the least agency ratio: the measured gap between what an agent is permitted to access and how much of that access it's actually allowed to act on autonomously, evaluated per agent, at runtime.
Most enterprises today have no visibility into this ratio, which means they have no way to know whether their agent fleet is operating within acceptable risk parameters. Reporting the least agency ratio by agent class, rather than as a single enterprise-wide average, surfaces the specific deployments where behavioral constraints aren't keeping pace with permission scope. That's the question boards need to ask.
Tracking this metric also creates the data foundation for investment decisions. A program that can show the board exactly where least agency ratios are out of tolerance, which agent classes, which platforms, and which business units, is a program that can make a credible case for the resources needed to address it.
The Delegation Chain Problem: Decision Budgets
In multi-agent architectures, least agency governance faces an additional challenge: the compounding of autonomous decision scope across delegation chains. When an orchestrator agent delegates a sub-task to a specialized sub-agent, which may in turn delegate further, each hop extends the autonomous decision-making scope. The aggregate autonomy exercised by the chain as a whole can significantly exceed what any single agent was explicitly authorized to exercise, and may far exceed what the originating user intended to delegate.
Decision budgets provide a principled mechanism for governing this compounding. The concept treats autonomous decision-making authority as a finite resource allocated at the top of the chain and consumed as it flows through delegations. When the budget is exhausted, the chain must return to a human decision point before proceeding, because the system has consumed its sanctioned allocation of autonomous action and needs renewed authorization to continue.
This model integrates naturally with least agency governance. Decision budgets extend the behavioral constraint to the chain as a whole, ensuring the aggregate effect of sequential delegations remains within bounds that a human authorized at the outset.
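A minimal sketch of a decision budget shared across a delegation chain, added here as an illustration and not taken from the original article or the guide it references: one budget object is allocated at the top, every hop (including the act of delegating) spends from it, and exhaustion stops the chain until a human renews it. The cost units, agent names, and class names are assumptions.

```python
class BudgetExhausted(Exception):
    """The chain must return to a human decision point."""


class DecisionBudget:
    def __init__(self, total):
        self.remaining = total
        self.ledger = []  # audit trail: (actor, action, cost)

    def spend(self, agent, action, cost=1):
        if cost > self.remaining:
            raise BudgetExhausted(f"{agent} needs {cost}, {self.remaining} left")
        self.remaining -= cost
        self.ledger.append((agent, action, cost))

    def renew(self, approver, amount):
        """Renewed authorization from a human, recorded in the ledger."""
        self.remaining += amount
        self.ledger.append((approver, "human-renewal", -amount))


def run_chain(budget, steps):
    """Run (agent, action, cost) steps against one shared budget.
    Returns (completed, pending); pending is non-empty when the chain
    stopped to wait for a human."""
    for i, (agent, action, cost) in enumerate(steps):
        try:
            budget.spend(agent, action, cost)
        except BudgetExhausted:
            return steps[:i], steps[i:]
    return steps, []


# Constructed delegation chain: orchestrator -> sub-agent -> sub-sub-agent.
CHAIN = [
    ("orchestrator", "delegate:research", 1),
    ("research-agent", "query-crm", 2),
    ("research-agent", "delegate:summarize", 1),
    ("summary-agent", "send-email", 2),
]

if __name__ == "__main__":
    budget = DecisionBudget(total=4)
    done, pending = run_chain(budget, CHAIN)
    print("completed:", len(done), "waiting for human:", pending)
    budget.renew("alice@example.com", 2)  # constructed approver
    print(run_chain(budget, pending))
```

Because the budget is passed down rather than re-issued per agent, no hop can exercise more autonomy than the chain as a whole was given.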
Download Beyond Identity: The CISO's Guide to Securing Agentic AI for the complete framework for implementing least agency governance, including the least agency ratio metric, dynamic scoping approaches, and decision budget architecture.