The Principle of Least Privilege

A foundational security principle applies across all systems, from traditional IT security to AI: any system should have only the minimum access and permissions required to do its specific job. Nothing more.

Applied to AI agents: an agent that summarizes emails doesn't need write access to send emails. An agent that looks up information doesn't need access to your financial accounts. An agent that helps with research doesn't need permission to install software or modify your system. An agent designed to handle a specific workflow shouldn't have access to all your accounts.

When you grant an AI agent more access than it needs, you're expanding the damage that could result if the agent is compromised or manipulated. If your email summarizer has permission to send emails and it's successfully injected with instructions to forward sensitive messages, the injection succeeds. If it only has read access to your mailbox, the injection can't accomplish that goal — the agent lacks the capability even if its instructions are overridden.

Least privilege is the practical defense against agentic AI risk. It won't prevent injection attempts, but it limits what an injected agent can actually do.