Skip to content

Security

Security

Least Agency > Least Privilege

“Least privilege is not enough for AI agents — you need least agency.” — dev.to/thenexusguard

The distinction:

Least Privilege: daemon has email:read scope — can access emails
Least Agency: daemon can read but cannot act on what it read without human approval for irreversible actions

OWASP ASI03 recommends per-action authorization at each privileged step — not just authentication at the token level.

Real threats (not theoretical)

CVE-2025-32711 (EchoLeak)

What: prompt injection via email in M365 Copilot
CVSS: 9.3 (critical)
How: zero-click — a crafted email contains instructions that the LLM executes on the next API call
Relevance: our m365 daemon processes email metadata. If it processes email bodies through an LLM, injected instructions could alter behavior.

Authorization bypass via agent access

Black Hat USA 2025 demonstrated: an agent with email access can be manipulated to grant Drive access
The Hacker News (Jan 2026): agents with broad access are authorization bypass vectors

Compound errors in long runs

Small LLM errors compound over sequential runs
A hallucinated priority in a collector window → wrong classification in secretary briefing → wrong action by human

Rules applied

All collectors are read-only — no write access to any external system
Never process email bodies — metadata only (subject, sender, date, flags)
Briefings are advisory — human reviews before acting
Separate credentials per daemon — no shared API key
Minimal scopes — mail.read not mail.readwrite
Logging — every daemon logs: timestamp, source, prompt size, output path
Circuit breaker — prevents runaway retries (max 3 failures)

Future guardrails (P2)

Input sanitization before LLM: strip patterns like “Ignore previous instructions”
Output validation: check briefing structure before writing
Anomaly detection: flag briefings that diverge significantly from historical patterns

Sources