Constrained Execution: The Security Model AI Agents Need

The principle of least privilege is one of the oldest ideas in computer security: give every system component only the access it needs to do its job, and nothing more. It's behind Unix file permissions, database roles, IAM policies, and container sandboxing. It works because it makes the blast radius of any compromise small and predictable.

AI agents need the same model. Not because they're malicious — they're not — but because the consequences of an agent acting outside its intended scope are real regardless of intent. An agent that accidentally calls the wrong endpoint causes the same damage as one that was manipulated into doing it.

Most agent frameworks start from an open default: the model can call any tool you give it, and you add restrictions as needed. This is backwards from a security standpoint. Open by default means that your safety depends on how well you've anticipated every possible misuse. Miss one case and you have a gap.

Closed by default — where the agent can only access what's explicitly registered — means your safety depends on what you've intentionally allowed. Miss one case and you have a missing feature, not a vulnerability. The failure modes are categorically different.

A counterintuitive effect of constrained execution is that it makes teams more willing to give agents real responsibility. When you know with certainty that an agent can only call the five tasks you've registered, you're more comfortable letting it run autonomously on real data with real consequences.

Without that certainty, teams tend to keep agents in low-stakes, human-reviewed workflows indefinitely — not because the agent isn't capable, but because they can't be sure what it might do. Constraint resolves that uncertainty and unlocks autonomy.

In a constrained execution model, the agent receives a list of registered tasks at planning time. These are the only tools it knows about. It cannot look up additional APIs, cannot construct arbitrary HTTP requests, and cannot access any system not in the registry. The execution layer enforces this — it won't run a task that doesn't exist in the registry, regardless of what the model generates.

Within that boundary, the agent has full freedom to plan creatively, chain tasks in complex ways, and handle the full range of inputs it encounters. Constraint defines the perimeter. Inside the perimeter, the agent can be as capable as the model allows.