# AI Agent Permissions
Controlling what [[AI Agents]] can and cannot do: which tools they can call, which files they can read/write, which commands they can execute, and what approval is required before action.
## Why permissions matter
An AI agent with unrestricted access is a security risk. It can read sensitive files, execute destructive commands, push code to production, send messages, or exfiltrate data. The [[Lethal Trifecta for AI Agents]] (hallucination + tool access + autonomy) becomes catastrophic without permission boundaries.
## Permission models
### Claude Code model
- **Allow once**: approve a specific tool call for this invocation only
- **Allow always**: auto-approve this tool pattern for the session or permanently
- **Deny**: reject the tool call
- **Restricted patterns**: `Bash(command:npm *)` allows only npm commands via Bash
- **Dangerous bypass**: `--dangerously-skip-permissions` disables all checks (CI/CD use only)
- **Permission scoping**: project-level (`.claude/settings.json`), user-level (`~/.claude/settings.json`), enterprise-managed
### General patterns
- **Allowlists**: explicitly enumerate what the agent can do
- **Denylists**: block specific dangerous operations
- **Approval workflows**: require human confirmation for high-risk actions ([[Human-in-the-Loop]])
- **Tiered access**: different permission levels for different agents or contexts
## The [[Least Privilege Principle]] applied to AI
Every agent should have the minimum permissions needed to do its job. A code review agent doesn't need write access. A search agent doesn't need shell access. A drafting agent doesn't need to publish.
## Challenges
- **Granularity**: most tools are all-or-nothing. "Can use Bash" is too broad; "can use Bash but only for git commands" is closer to right
- **Context-dependent permissions**: the same agent might need different permissions for different tasks
- **Permission fatigue**: too many approval prompts train users to click "allow always" for everything
- **Transitive access**: if agent A can spawn agent B, agent B inherits A's permissions unless explicitly restricted
- **Skill permissions**: a skill loaded at runtime can request tools the user didn't anticipate ([[AI Skill Supply Chain Security]])
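
The granularity and transitive-access points above, as an added example (not from the original page and not Claude Code's own implementation): a default-deny command policy where deny beats ask beats allow, shell chaining is refused before any pattern is matched, and a spawned agent can never get a more permissive decision than its parent. The `Policy` class, its glob pattern syntax and the sample policies are assumptions made for this illustration.

```python
import shlex
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Characters that let one command line carry a second command. Matching
# "git *" against the raw string alone would also accept "git status && ...".
SHELL_META = set(";&|<>`$(){}\\\n")
RANK = {"allow": 0, "ask": 1, "deny": 2}   # higher = more restrictive


@dataclass(frozen=True)
class Policy:
    allow: tuple = ()                # patterns that run without a prompt
    ask: tuple = ()                  # patterns that need human approval
    deny: tuple = ()                 # patterns that are always refused
    parent: "Policy | None" = None   # policy of the agent that spawned this one

    def _own(self, command: str) -> str:
        if any(ch in SHELL_META for ch in command):
            return "deny"            # no chaining, pipes, redirects, substitution
        try:
            argv = shlex.split(command)
        except ValueError:           # unbalanced quotes
            return "deny"
        line = " ".join(argv)        # whitespace-normalised form used for matching
        def hit(patterns):
            return any(fnmatchcase(line, p) for p in patterns)
        if hit(self.deny):
            return "deny"            # a deny rule beats every other rule
        if hit(self.ask):
            return "ask"             # approval beats allow
        return "allow" if hit(self.allow) else "deny"   # default deny

    def decide(self, command: str) -> str:
        """Return 'allow', 'ask' or 'deny'; a child never exceeds its parent."""
        own = self._own(command)
        if self.parent is None:
            return own
        return max(own, self.parent.decide(command), key=RANK.get)


# Constructed sample policies; the pattern syntax is this example's own.
REPO_AGENT = Policy(allow=("git *",), ask=("git push *",),
                    deny=("git push *--force*",))
REVIEWER = Policy(allow=("git diff *", "git log *", "npm test"),
                  parent=REPO_AGENT)

if __name__ == "__main__":
    for cmd in ("git status", "git status && npm publish", "git push origin main"):
        print(f"{cmd!r:32} -> {REPO_AGENT.decide(cmd)}")
    print(f"{'npm test'!r:32} -> {REVIEWER.decide('npm test')}")
```

Pattern matching on the command line only narrows which program and subcommand run; arguments that change a tool's behaviour still need their own deny or ask rules.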
## Connection to [[AI Skill Scoping]]
Permission levels often follow skill scope: user-level skills get user permissions, project-level skills get project permissions. Enterprise-managed permissions override both.
## Related
- [[AI Agents]]
- [[AI Agent Harness]]
- [[Lethal Trifecta for AI Agents]]
- [[AI Skill Supply Chain Security]]
- [[Human-in-the-Loop]]
- [[AI Guardrails]]
- [[AI Safety]]
- [[Least Privilege Principle]]
- [[AI Skill Scoping]]
- [[Claude Code]]