AI agent security: permissions, tools, and legitimate non-response
This page clarifies AI agent security as a problem of permissions and tooling, and makes explicit why legitimate non-response is a security property, not a weakness.
An AI agent is not merely a model that responds. It is a system that can act: call tools, read sources, write, execute operations, persist memory, and chain decisions. This capability transforms the risk: an error is no longer merely an incorrect sentence; it can become an incorrect action.
In an interpreted web, agents are exposed to heterogeneous content, tools, and authority signals. Security does not reduce to “avoiding injections”. It depends on how the agent distinguishes what can instruct, what can inform, what can authorize, and what can execute.
Operational definition
AI agent security: the capacity of an agent to operate in an open environment (web, documents, tools, systems) without executing actions, tool calls, or decisions that exceed its authority perimeter, its explicit permissions, and its governance rules.
Permissions: the agent’s real perimeter
An agent’s risk surface is a function of its permissions. A permission is not a technical detail; it is a declaration of operational authority.
Each of the following must be fixed explicitly:
- Reading: which sources the agent can consult, and under which conditions.
- Writing: where the agent can write (files, CRM, CMS, tickets) and with what traceability.
- Execution: which actions are possible (scripts, APIs, commands) and which safeguards apply.
- Persistence: what can be memorized, consolidated, or reused as an implicit rule.
Tools: the action chain
Tools (APIs, connectors, browsers, scrapers, automations) introduce a critical property: they transform textual outputs into real effects. A secure agent must therefore bound:
- what the tool returns and how it is interpreted (data vs. instruction);
- what the agent has the right to request from the tool;
- when a tool call is forbidden, even if it seems “useful”.
Legitimate non-response: security property
In an agentic context, “not responding” can be the correct decision. A non-response is legitimate when responding would imply executing an action outside the perimeter, relying on an unverified source, or producing a decision without explicit jurisdiction.
Non-response is not a system failure. It is the system’s capacity to recognize its own limits and to suspend rather than act incorrectly.
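The permission perimeter, the data-versus-instruction distinction for tool output, and non-response as a decision, as one added example (not code from the original page): a small gate that sits between the agent and its tools. Tool names, permission targets, and the handlers are constructed; the design is that every call must come from the principal and fall inside a declared perimeter, and anything else yields a traced non-response rather than an action.

```python
from dataclasses import dataclass
from enum import Enum

class Scope(Enum):            # the four permission axes: read, write, execute, persist
    READ = "read"
    WRITE = "write"
    EXECUTE = "execute"
    PERSIST = "persist"

class Origin(Enum):           # which channel is asking for the action
    PRINCIPAL = "principal"        # the user/operator that owns the task
    TOOL_OUTPUT = "tool_output"    # text returned by a tool: data, never instruction

@dataclass(frozen=True)
class Permission:
    scope: Scope
    target: str               # constructed resource names, e.g. "crm", "tickets"

@dataclass
class Decision:
    executed: bool
    output: str = ""          # tool result, handed back as data only
    reason: str = ""          # filled on a legitimate non-response

# Constructed tool registry: name -> (required permission, handler)
TOOLS = {
    "read_crm":     (Permission(Scope.READ, "crm"),      lambda a: f"crm record for {a}"),
    "write_ticket": (Permission(Scope.WRITE, "tickets"), lambda a: f"ticket created: {a}"),
    "run_script":   (Permission(Scope.EXECUTE, "shell"), lambda a: f"ran {a}"),
}

class Agent:
    """Hypothetical agent gate: every tool call is checked against an explicit perimeter."""
    def __init__(self, perimeter):
        self.perimeter = frozenset(perimeter)   # declared authority, never inferred at run time
        self.audit = []                         # traceability of every decision, including refusals

    def request(self, tool_name, arg, origin):
        required, handler = TOOLS[tool_name]
        # 1. Instructions are accepted from the principal only; tool output can inform, not instruct
        if origin is not Origin.PRINCIPAL:
            d = Decision(False, reason=f"{tool_name}: request came from {origin.value}, not an authorized channel")
        # 2. Calls outside the declared perimeter are declined, however useful they look
        elif required not in self.perimeter:
            d = Decision(False, reason=f"{tool_name}: needs {required.scope.value}:{required.target}, outside perimeter")
        else:
            d = Decision(True, output=handler(arg))
        self.audit.append((tool_name, origin.value, d.executed, d.reason))
        return d
```

With a perimeter of read:crm and write:tickets, a principal request to read_crm executes, a principal request to run_script is declined as outside the perimeter, and a write_ticket request whose origin is tool output is declined regardless of the perimeter; all three land in the audit trail.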