Layer 3: Operational Boundaries

How do I prevent AI agent privilege escalation?

AI agent privilege escalation occurs when an agent gains access to resources, operations, or data beyond its authorized scope, whether through credential inheritance, cross-agent contamination, or hallucinated tool calls.

Common privilege escalation vectors in AI agents:

  • Credential inheritance: Agents inherit developer or service account credentials with admin-level access. A read-only task agent suddenly has DROP TABLE privileges
  • Cross-agent contamination: In multi-agent systems (CrewAI, AutoGen), a compromised agent passes elevated permissions to downstream agents through the context chain
  • Hallucinated admin commands: LLMs generate tool calls to administrative endpoints they were never intended to access — GRANT ALL, sudo, chmod 777
  • Tool discovery: Agents with MCP or broad tool access discover and invoke tools that weren't part of their intended workflow
  • Prompt injection escalation: Attackers use injection to instruct the agent to access higher-privilege tools or data stores

The industry best practice: "Replace static, long-lived API keys with short-lived, scoped credentials to reduce the blast radius." And: "Scope permissions strictly per tool rather than per agent."

Exogram enforces least privilege at the action level. Even within a single authenticated session, each tool call is evaluated against scoped policy rules. If an agent with SELECT permission attempts a DELETE, it's blocked regardless of the underlying credential's capabilities. Exogram issues short-lived execution tokens (JWTs) with scoped permissions and TTL expiry, ensuring that privilege cannot accumulate over time.
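As an added illustration (not Exogram's code, which this page does not show), a minimal action-level gate in Python: a per-tool scoped, TTL-bound execution token is checked on every call, so a SELECT-only agent issuing DELETE, a downstream agent reusing another agent's token, a call to an unlisted tool, or an expired token is refused before the underlying credential is ever used. The `sql` tool name, the `caller` binding and the SELECT-only scope are assumptions for the example.

```python
"""Toy action-level least-privilege gate for agent tool calls (illustrative,
not Exogram's code). A short-lived execution token names the caller, the tools
it may use and the operations allowed per tool; every call is checked against
the token, never against the long-lived credential behind the tool."""
import re
import time
from dataclasses import dataclass

# The SQL verb is the statement's first keyword (SELECT, DELETE, GRANT, ...).
_SQL_VERB = re.compile(r"^\s*([A-Za-z]+)")


@dataclass
class ExecutionToken:
    agent: str          # bound to one agent, not transferable downstream
    scopes: dict        # tool name -> set of operations permitted on that tool
    expires_at: float   # absolute expiry, epoch seconds

    def expired(self, now=None):
        return (time.time() if now is None else now) >= self.expires_at


def issue_token(agent, scopes, ttl_seconds, now=None):
    """Mint a scoped token with a TTL; 'now' is injectable for deterministic tests."""
    issued = time.time() if now is None else now
    return ExecutionToken(agent, {t: set(ops) for t, ops in scopes.items()}, issued + ttl_seconds)


def sql_operation(statement):
    """Classify a SQL statement by its leading verb; unparseable input is UNKNOWN."""
    m = _SQL_VERB.match(statement)
    return m.group(1).upper() if m else "UNKNOWN"


def authorize(token, caller, tool, operation, now=None):
    """Return (allowed, reason). Default deny; each check maps to one escalation vector."""
    if token.expired(now):
        return False, "token expired"                   # privilege cannot accumulate
    if caller != token.agent:
        return False, "token bound to another agent"    # cross-agent contamination
    if tool not in token.scopes:
        return False, f"tool {tool!r} not in scope"     # tool discovery, hallucinated tools
    if operation not in token.scopes[tool]:
        return False, f"{operation} not permitted on {tool!r}"  # SELECT-only agent, DELETE call
    return True, "ok"


def run_sql_tool(token, caller, statement, now=None):
    """Gate one call to a hypothetical 'sql' tool on the statement's verb."""
    return authorize(token, caller, "sql", sql_operation(statement), now)
```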
