What are AI agent permissions?
AI agent permissions define which tools an AI agent may use and which data it may reach. The safest model is an allow-list: a new agent can do nothing until an administrator explicitly grants each capability, tool by tool.
This is the opposite of the common default, where an agent gets broad access and a prompt is supposed to keep it in bounds.
Allow-list vs. deny-list
Section titled “Allow-list vs. deny-list”The distinction decides what happens when you forget something.
- Allow-list. Start with nothing permitted; add capabilities explicitly. Anything not granted is forbidden by default. Forgetting means "the agent cannot do it."
- Deny-list. Start with everything permitted; remove specific capabilities. Anything you forget to block stays allowed. Forgetting means "the agent can do it."
For agents that touch real systems, the allow-list failure mode is the safe one.
Why prompts are not permissions
Section titled “Why prompts are not permissions”A prompt is a request, not a boundary. Two ways it fails as a control:
- Prompt injection. A malicious document or message can talk the model out of its instructions.
- Drift. A model can simply not follow an instruction reliably.
Prompt injection is not a fringe concern. It ranks first, as LLM01, in the OWASP Top 10 for LLM Applications, holding the top spot for the second consecutive edition. A boundary that the single most prevalent attack against language models can switch off is not a boundary.
Real permissions live in code, outside the model. If a tool is not granted, the agent cannot call it, regardless of what the prompt or the user says. The model decides whether to use a granted tool; it can never reach an ungranted one.
Granularity that matters
Section titled “Granularity that matters”Good permission systems are specific. "Can use Odoo" is coarse. "Can read sales orders but not write them, for this agent, for these users" is the kind of boundary a business actually needs. The finer the grant, the smaller the blast radius if an agent misbehaves.
In Pinchy
Section titled “In Pinchy”In Pinchy a new agent starts with zero tools. Admins enable each tool explicitly, per agent. Combined with roles and groups, this controls both what an agent can do and who can ask it to. See Agent Permissions.