Abstract
The principle of least privilege states that an identity should hold only the permissions strictly required for its task, which has been a foundational concept in access control for decades. However, we argue that this principle is insufficient for agentic AI systems, which not only hold permissions but can also combine, approve, and amplify them across workflows and system boundaries.
Theory Development
We propose least autonomy as an appropriate generalization and develop a formal theory.
-
Compositional Blast Radius: We define a compositional blast radius $d(a,b)$ that measures the structural separation between actions in an enterprise hierarchy, combining an ultrametric tree with lattice-valued confidentiality, integrity, and control-context labels.
-
Directed Agent Influence Graph: We define a directed agent influence graph $G(\theta)$. An arc from $U$ to $V$ requires a directed shared-resource write-to-read meeting or a conservative undirected agent-to-agent (A2A) communication meeting, with an influence potential at or above an externally selected policy threshold $\theta$. A catalogue-radius profile supports calibration and auditing of $\theta$.
-
Collusion Predicate: Finally, we define a collusion predicate over graph reachability that detects authorization composition, decision manipulation, and cross-domain capability composition.
Blogger's Review: The proposed theory of least autonomy offers a fresh perspective on permission management in AI systems. By constructing influence graphs and blast radii, it enhances our understanding of permission interactions within complex systems, holding significant theoretical and practical implications. Future research could further explore effective implementations of this theory.