How do I enforce least privilege for AI agents?
Least privilege for AI agents means giving each agent only the minimum permissions required for its specific task — but traditional credential-based least privilege is insufficient because agents dynamically decide which tools to call, making their actual permission requirements unpredictable.
Why traditional least privilege fails for agents:
- Dynamic tool selection: Agents choose which tools to call at runtime — you can't predict all needed permissions in advance
- Credential granularity mismatch: Database credentials are table-level, but agents need row-level or column-level restrictions
- Over-scoping for functionality: Teams give agents broad permissions "just in case" — the PocketOS pattern
- No per-action evaluation: IAM evaluates credentials once at authentication — not per action
Exogram implements dynamic least privilege at the execution boundary. Credentials stay broad (for operational flexibility), but every individual action is evaluated against deterministic policy rules. An agent with admin database credentials can still only execute SELECT queries if the policy says so. Gate 8 blocks destructive SQL. Gate 6 blocks system file access. Gate 5 blocks code execution. Least privilege isn't about the credentials anymore — it's about the governance layer.
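A sketch of per-action evaluation at the execution boundary, added here as an illustration; it is not Exogram's code or API. The tool names, rule contents, and system-path list are assumptions, and the gate numbers in the reason strings only echo the labels used above.

```python
import posixpath
import re
from typing import NamedTuple

class Decision(NamedTuple):
    allowed: bool
    reason: str

# Hypothetical rule data; the page does not publish Exogram's actual rules.
SYSTEM_ROOTS = ("/etc", "/proc", "/sys", "/root", "/boot")
EXEC_TOOLS = {"run_shell", "python_eval"}
SQL_COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)
WRITE_WORDS = re.compile(r"(?i)\b(insert|update|delete|drop|alter|truncate|grant|into)\b")

def check_sql(query: str) -> Decision:
    # Strip comments, then require exactly one statement that starts with SELECT.
    # Deliberately conservative: a ';' or write keyword inside a string literal is also denied.
    body = SQL_COMMENT.sub(" ", query).strip().rstrip(";").strip()
    if ";" in body:
        return Decision(False, "gate 8: stacked statements")
    if not re.match(r"(?i)select\b", body):
        return Decision(False, "gate 8: only SELECT is permitted")
    if WRITE_WORDS.search(body):
        return Decision(False, "gate 8: write or DDL keyword present")
    return Decision(True, "read-only query")

def check_path(path: str) -> Decision:
    # Normalise before matching so "../" and "//" cannot step around the prefix check.
    # Symlinks are not resolved here; do that on the host that opens the file.
    resolved = posixpath.normpath("/" + path.lstrip("/"))
    for root in SYSTEM_ROOTS:
        if resolved == root or resolved.startswith(root + "/"):
            return Decision(False, f"gate 6: system path {resolved}")
    return Decision(True, "path outside system roots")

def evaluate(action: dict) -> Decision:
    # Runs on every tool call, regardless of how broad the agent's credentials are.
    tool, args = action.get("tool"), action.get("args", {})
    if tool in EXEC_TOOLS:
        return Decision(False, "gate 5: code execution")
    if tool == "sql_query":
        return check_sql(str(args.get("query", "")))
    if tool == "read_file":
        return check_path(str(args.get("path", "")))
    return Decision(False, "default deny: unknown tool")
```

The decision depends only on the action's content, so the same call always gets the same answer, and any tool the policy does not name is refused.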