AI Agents Should Earn Their Permissions
Agent autonomy should expand through evidence, with permissions tied to demonstrated reliability and consequence.
Teams often grant an agent the permissions required by the imagined end state, then try to claw back control through prompting. That is backwards.
Begin in observation mode. Let the agent recommend actions using realistic inputs while creating no side effects. Compare proposals with expert decisions and categorise disagreements. Next, allow reversible low-impact actions with confirmation. Expand scope only when evidence supports it.
Permissions should be narrow in resource, action, value and time. An agent that can draft a refund recommendation need not issue refunds. An agent permitted to update one case should not receive tenant-wide write access.
Maintain per-action audit trails, rate limits, idempotency and a rapid revocation path. Reassess when models, instructions, tools or operating conditions change; past reliability does not automatically transfer.
Treat the agent as a production operator with its own identity, not as an interface borrowing a user's authority. Use short-lived credentials, separate read and write scopes, transaction limits and immediate revocation. Autonomy is not a launch setting. It is earned through observed performance, and the useful target is the smallest permission set that delivers the intended value.