Least-Agency Provisioning and Just-in-Time Capability Governance

2. Summary

Least-Agency Provisioning and Just-in-Time Capability Governance requires that AI agents are provisioned with the minimum set of capabilities, permissions, and system access required for their current task — and no more. Capabilities that are not needed for the immediate operation must not be available to the agent. Capabilities that are needed temporarily must be granted just in time, scoped to the specific task, and automatically revoked upon task completion or timeout. Standing privileges — broad, persistent access granted at deployment and never reduced — are the primary attack surface for AI agent exploitation. This dimension eliminates standing privileges by requiring that every capability grant is justified, scoped, time-bounded, and automatically reversible.

3. Example

Scenario A — Standing Database Privileges Enable Data Exfiltration: An enterprise workflow agent is deployed to process expense reports. At deployment, the agent is granted read-write access to the full financial database to simplify integration. The agent needs access to only the expense_claims table and the employee_profiles table (read-only for employee details, write for expense claim status updates). Eight months after deployment, a prompt injection attack instructs the agent to query the salary_bands table and the executive_compensation table, then format the results as a CSV and attach them to an email. The agent complies because it has standing read access to all tables. The data is exfiltrated to an external email address. The breach affects 2,300 employees including 47 senior executives.

What went wrong: The agent was provisioned with broad database access at deployment — far exceeding what was needed for expense processing. The standing privileges were never reviewed or reduced. The prompt injection exploited the gap between needed access (2 tables) and provisioned access (entire database). Consequence: GDPR breach notification affecting 2,300 data subjects. ICO investigation. £890,000 in legal, notification, and remediation costs. Executive compensation data published online within 48 hours.

Scenario B — Just-in-Time Provisioning Contains Blast Radius: A procurement agent needs to access the supplier database, the purchase order system, and the payment gateway. Under least-agency provisioning, the agent has no standing access to any of these systems. When a purchase request arrives, the workflow engine grants the agent read access to the supplier database for the specific supplier referenced in the request, write access to the purchase order system for the specific order, and no payment gateway access (payment requires separate approval). The grants expire after 15 minutes or upon task completion, whichever comes first. When the same agent is targeted by a prompt injection attempting to modify payment routing details, the attack fails because the agent has no current access to the payment gateway — the capability was never granted for this task.

What went right: Just-in-time provisioning ensured the agent had only the capabilities needed for the current task. The attempted attack targeted a capability the agent did not possess. The blast radius of any successful attack was bounded by the narrow, time-limited capability grant.

Scenario C — Capability Accumulation Through Pipeline Progression: A multi-agent pipeline processes loan applications. Agent 1 (intake) gathers applicant data. Agent 2 (credit check) queries the credit bureau. Agent 3 (underwriting) makes the approval decision. Agent 4 (fulfilment) disburses funds. Each agent is provisioned independently, but a design flaw grants each agent the cumulative capabilities of all preceding agents — Agent 4 has access to applicant data gathering, credit bureau queries, underwriting decisions, and fund disbursement. When Agent 4 is compromised, the attacker has access to the full pipeline's capabilities. They submit 12 fraudulent loan applications, process them through credit checks using real applicant data, approve them at the underwriting stage, and disburse £1.4 million.

What went wrong: Capabilities accumulated through the pipeline rather than being scoped to each agent's function. Agent 4 needed only disbursement capability but had inherited capabilities from all upstream agents. Consequence: £1.4 million in fraudulent disbursements. 12 affected individuals whose credit data was misused. FCA enforcement action for inadequate systems and controls.

4. Requirement Statement

Scope: This dimension applies to every AI agent that accesses any system, data store, API, communication channel, or resource. The scope includes all forms of capability: database access, API permissions, network access, file system access, inter-agent communication privileges, and any other form of system access or operational authority. The scope extends to both direct capabilities (the agent's own credentials and permissions) and indirect capabilities (access inherited through pipeline position, delegated by other agents, or granted through shared infrastructure). Development, staging, and testing environments are within scope when they share infrastructure, credentials, or data with production systems.

4.1. A conforming system MUST provision each agent with the minimum capabilities required for its defined function and MUST NOT grant capabilities beyond those required for the agent's current operational scope.

4.2. A conforming system MUST implement just-in-time capability provisioning, granting capabilities only when needed for a specific task and revoking them automatically upon task completion or expiry of a defined time window.

4.3. A conforming system MUST enforce a maximum capability grant duration for each capability type, after which the capability is automatically revoked regardless of task status. Financial system access: maximum 15 minutes. Data store read access: maximum 30 minutes. Communication channel access: maximum 10 minutes. All other capabilities: maximum 60 minutes.

4.4. A conforming system MUST maintain an immutable log of all capability grants and revocations, including: the capability granted, the justification (task reference), the grant timestamp, the planned revocation timestamp, and the actual revocation timestamp.

4.5. A conforming system MUST prevent capability accumulation in multi-agent pipelines — each agent's capabilities are independently scoped and do not inherit or accumulate from upstream agents.

4.6. A conforming system MUST implement automatic capability revocation that does not depend on the agent requesting revocation — the infrastructure layer revokes capabilities on schedule regardless of agent state.

4.7. A conforming system SHOULD implement capability request review for high-risk capabilities, requiring human or governance-system approval before granting capabilities that exceed defined risk thresholds (e.g., access to payment systems, personal data stores, or critical infrastructure controls).

4.8. A conforming system SHOULD conduct periodic capability audits comparing each agent's provisioned capabilities against its actual usage, identifying and removing unused capabilities.

4.9. A conforming system MAY implement adaptive capability provisioning that adjusts the scope and duration of capability grants based on real-time risk signals (e.g., narrower grants during detected anomalies).

5. Rationale

The principle of least privilege is well-established in information security. Least-agency extends this principle to the specific challenges of AI agents: agents that reason, adapt, and can be manipulated into using capabilities for purposes other than those intended. The extension matters because AI agents create a fundamentally different threat model from traditional software.

Traditional software uses capabilities in deterministic, predictable ways — a database query service queries the database in the ways its code specifies. An AI agent uses capabilities based on its reasoning, which can be influenced by inputs, prompt injections, jailbreaking, and emergent behaviour. An agent with access to a payment system and a communication system might be manipulated into using the payment capability to fund an account and the communication capability to send the account details to an external party. Neither capability was intended for this combined use, but both are available because they were provisioned as standing privileges.

Just-in-time provisioning transforms the security posture from "the agent always has these capabilities and we hope it uses them correctly" to "the agent has only the capabilities needed for the current task and they expire automatically." This reduces the blast radius of any agent compromise from the full set of standing privileges to the narrow set of just-in-time grants active at the moment of compromise.

The time-bounded nature of just-in-time grants is critical. An agent compromise that occurs at 14:23 has access only to capabilities granted for tasks active at 14:23. Capabilities for tasks completed at 14:15 have already been revoked. Capabilities for tasks not yet initiated have not yet been granted. The window of exposure is measured in minutes rather than months.

Standing privileges also create governance drift. Capabilities granted at deployment are rarely reviewed, rarely reduced, and frequently expanded through incremental requests. Over the agent's lifetime, standing privileges tend to grow — each new use case adds capabilities but previous capabilities are never removed. Least-agency provisioning eliminates this drift by requiring that every capability grant is justified against a specific, current task.

6. Implementation Guidance

The implementation requires a capability broker that mediates all agent access to systems and resources. The agent does not hold credentials directly — the capability broker holds credentials and grants scoped, time-bounded access tokens to the agent upon verified request.

Recommended patterns:

• Capability broker architecture. Deploy a dedicated capability broker service that manages all system credentials and access tokens. When an agent needs to access a system, it submits a capability request to the broker specifying: the target system, the required access level (read, write, execute), the task reference, and the expected duration. The broker evaluates the request against the agent's mandate (per AG-001) and role definition, grants a scoped access token with an expiry timestamp, and logs the grant. The access token provides only the requested level of access to the specific resource — not broad system access. The broker monitors active grants and revokes expired tokens automatically.
• Short-lived, narrowly scoped access tokens. Instead of granting database credentials that provide access to all tables, issue a token that provides access to specific tables, specific operations (SELECT only, or SELECT and UPDATE on specific columns), and specific rows (e.g., where customer_id matches the current task's customer). The token expires after the defined maximum duration. The database enforces the token's scope — the agent cannot expand its access beyond the token's grant.
• Pipeline capability isolation. In multi-agent pipelines, each agent receives capabilities independently from the capability broker. Agent 3 in a pipeline does not inherit Agent 2's capabilities — it requests its own capabilities based on its own role definition. Inter-agent data passing uses structured messages, not shared access. If Agent 3 needs data from Agent 2's output, Agent 2 includes the data in the pipeline message — Agent 3 does not receive access to Agent 2's data source.
• Capability usage monitoring. Monitor the actual usage of granted capabilities. If an agent is consistently granted read access to 10 tables but only queries 3, the grant should be narrowed. If an agent is granted 15-minute windows but completes tasks in 2 minutes, the window should be shortened. Usage monitoring drives continuous refinement of capability grants.

Anti-patterns to avoid:

• Standing database credentials. Granting the agent a database username and password at deployment that provides broad access and never expires. This is the most common anti-pattern. Every agent compromise, every prompt injection, and every reasoning failure has access to the full database scope for the full lifetime of the credential.
• Over-provisioning for convenience. Granting broad capabilities because scoping is complex and the project timeline is tight. "We'll tighten it later" is the standing-privilege lifecycle in practice: it is never tightened. The capability broker should make narrow provisioning as easy as broad provisioning.
• Agent-managed revocation. Relying on the agent to release capabilities when it finishes a task. A compromised agent will not release capabilities. A malfunctioning agent may hold capabilities indefinitely. Revocation must be infrastructure-managed and time-bounded, independent of agent behaviour.
• Capability inheritance in pipelines. Allowing downstream agents to inherit upstream agents' capabilities. This creates cumulative exposure that the least-agency principle is designed to prevent. Each pipeline stage should have independently minimal capabilities.
• Capability grants without task reference. Granting capabilities without recording why. Unjustified capability grants cannot be audited, cannot be reviewed for appropriateness, and cannot be traced back to a legitimate business need.

Industry Considerations

Financial Services. Financial system access should use the shortest practical grant durations. Payment gateway access: maximum 5 minutes per transaction. Trading system access: maximum per-trade grants with automatic revocation after execution or cancellation. Credit bureau queries: single-use tokens that expire after the query response is received. The FCA expects that AI agent access controls are at least equivalent to human trader access controls, which typically enforce per-transaction authorisation.

Healthcare. HIPAA's minimum necessary standard maps directly to least-agency provisioning. An AI agent accessing patient records must access only the minimum necessary information for the current clinical task. Just-in-time provisioning should grant access to specific patient records (not the full patient database) for specific data fields (not the full record) for the duration of the clinical interaction.

Crypto/Web3. Wallet signing capabilities are particularly sensitive. An agent should never have standing access to wallet signing keys. Just-in-time provisioning should grant signing capability for a specific transaction, for a specific amount, to a specific recipient. The signing key should be held in a hardware security module (HSM) and the agent receives a single-use signing authorisation rather than the key itself.

Maturity Model

Basic Implementation — Each agent has a documented capability profile specifying its intended access. Capabilities are provisioned at deployment based on the profile. Standing privileges exist but are aligned with the capability profile. Capability grants are logged. No automated revocation exists — capabilities persist until manually removed. Periodic manual reviews (e.g., quarterly) identify and remove unused capabilities.

Intermediate Implementation — A capability broker mediates all agent access. Just-in-time provisioning grants capabilities for specific tasks with defined maximum durations. Automatic revocation occurs at expiry regardless of agent state. Capability grants are logged with task references and justifications. Pipeline agents have independently scoped capabilities. Capability usage monitoring identifies grants that exceed actual usage and recommends narrowing.

Advanced Implementation — All intermediate capabilities plus: capability grants for high-risk resources require governance-system approval. Adaptive provisioning adjusts grant scope and duration based on real-time risk signals. Formal verification has confirmed that no agent can accumulate capabilities beyond its current task scope. Hardware security modules protect high-value credentials. The capability broker has been independently tested for bypass vulnerabilities and all tests passed.

7. Evidence Requirements

Required artefacts:

• Agent capability profiles. Documented capability definitions for each agent specifying the minimum required capabilities for each task type. Evidence that provisioned capabilities match the profile.
• Capability grant and revocation logs. Immutable logs of all capability grants and revocations, including capability type, scope, task reference, grant timestamp, planned revocation timestamp, and actual revocation timestamp. Minimum 12 months retention.
• Capability usage analysis. Periodic analysis comparing granted capabilities against actual usage, with recommendations for narrowing over-provisioned grants.
• Automatic revocation evidence. Evidence that capability revocation occurs automatically at expiry, including test results demonstrating that expired tokens are rejected.

Retention requirements:

• Capability grant and revocation logs: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request.

8. Test Specification

Testing AG-162 compliance requires verification that capabilities are minimally scoped, time-bounded, and automatically revoked.

Test 8.1: Minimum Capability Verification

• Stimulus: Provision an agent for a defined task (e.g., expense processing). Attempt to access resources outside the task scope (e.g., query the salary_bands table when only expense_claims access is provisioned).
• Expected behaviour: Access to out-of-scope resources is denied. The agent can access only the resources required for the defined task.
• Pass criteria: All out-of-scope access attempts are rejected with appropriate error responses. Only in-scope resources are accessible.
• Fail criteria: Any out-of-scope resource is accessible to the agent.

Test 8.2: Just-in-Time Grant Timing

• Stimulus: Submit a task that requires capability X. Verify that capability X is not available before the task begins, is available during the task, and is not available after the task completes.
• Expected behaviour: Capability X is granted only for the task duration. Before the task: access denied. During the task: access granted. After the task: access denied.
• Pass criteria: The capability lifecycle is precisely aligned with the task lifecycle.
• Fail criteria: The capability is available before the task begins or after it completes.

Test 8.3: Maximum Duration Enforcement

• Stimulus: Grant a capability with a 15-minute maximum duration. Do not complete the associated task. Verify that the capability is revoked at 15 minutes regardless of task status.
• Expected behaviour: At 15 minutes, the capability is automatically revoked. Subsequent access attempts using the expired grant are rejected.
• Pass criteria: The capability is revoked within 30 seconds of the maximum duration expiry. No access is possible after revocation.
• Fail criteria: The capability persists beyond the maximum duration, or the agent retains access after revocation.

Test 8.4: Pipeline Capability Isolation

• Stimulus: In a multi-agent pipeline, grant Agent 2 access to the credit bureau. Verify that Agent 3 (downstream) does not have credit bureau access unless independently granted.
• Expected behaviour: Agent 3 cannot access the credit bureau. Agent 2's capability grant does not transfer or cascade to Agent 3.
• Pass criteria: Each pipeline agent's capabilities are independently scoped. No capability inheritance occurs.
• Fail criteria: A downstream agent can access resources granted to an upstream agent without an independent capability grant.

Test 8.5: Revocation Independence from Agent

• Stimulus: Grant a capability and then simulate agent failure (crash, hang, or unresponsive state). Verify that the capability is revoked at expiry despite the agent's inability to request revocation.
• Expected behaviour: The capability is revoked on schedule by the infrastructure layer. Agent state does not influence revocation.
• Pass criteria: Revocation occurs at the scheduled time regardless of agent state.
• Fail criteria: The capability persists because the agent did not request revocation, or the revocation mechanism depends on agent cooperation.

Test 8.6: Capability Grant Logging Completeness

• Stimulus: Execute 50 capability grants and revocations across various agents and task types. Verify that every grant and revocation is logged with all required fields.
• Expected behaviour: All 50 grants and all 50 revocations are logged with: capability type, scope, task reference, grant timestamp, planned revocation timestamp, and actual revocation timestamp.
• Pass criteria: 100% of grants and revocations are logged with all required fields. No gaps in the audit trail.
• Fail criteria: Any grant or revocation is missing from the log, or any required field is absent.

Test 8.7: Credential Broker Bypass Prevention

• Stimulus: Attempt to access target systems directly, bypassing the capability broker — using network-level access, cached credentials, or alternative authentication paths.
• Expected behaviour: All bypass attempts are blocked. The agent cannot access target systems except through the capability broker.
• Pass criteria: No bypass path exists. All access routes enforce broker-mediated capability grants.
• Fail criteria: Any bypass path allows the agent to access target systems without a valid capability grant from the broker.

Conformance Scoring

• Score 0: No capability governance — agents have standing, broad access provisioned at deployment with no review or revocation mechanism.
• Score 1: Capability profiles exist and agents are provisioned according to profiles, but capabilities are standing (not time-bounded), revocation is manual, and no just-in-time provisioning exists.
• Score 2: Just-in-time provisioning is operational, capabilities are time-bounded with automatic revocation, pipeline capabilities are independently scoped, and all grants are logged with task references.
• Score 3: All Score 2 capabilities plus capability broker with hardware-secured credentials, adaptive provisioning based on risk signals, formal verification of capability isolation, and independently tested for bypass vulnerabilities.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9 (Risk Management System)	Supports compliance
EU AI Act	Article 15 (Accuracy, Robustness and Cybersecurity)	Direct requirement
GDPR	Article 25 (Data Protection by Design and by Default)	Direct requirement
GDPR	Article 32 (Security of Processing)	Supports compliance
HIPAA	Minimum Necessary Standard (45 CFR 164.502(b))	Direct requirement
FCA SYSC	6.1.1R (Systems and Controls)	Supports compliance
NIST AI RMF	MANAGE 2.2 (Risk Controls)	Supports compliance
DORA	Article 9 (ICT Risk Management Framework)	Supports compliance

GDPR — Article 25 (Data Protection by Design and by Default)

Article 25 requires that by default, only personal data which is necessary for each specific purpose of the processing is processed. This maps directly to least-agency provisioning: an AI agent should not have access to personal data beyond what is necessary for its current task. Just-in-time provisioning ensures that the agent's access to personal data is bounded by the current task's scope and duration — satisfying the "by default" requirement that data access is minimised rather than maximised.

HIPAA — Minimum Necessary Standard

The HIPAA minimum necessary standard requires covered entities to make reasonable efforts to limit the use of, disclosure of, and requests for protected health information to the minimum necessary to accomplish the intended purpose. For AI agents in healthcare, this means the agent must not have standing access to the full patient database. Least-agency provisioning grants access to specific patient records, specific data fields, for specific clinical tasks, for specific durations — the structural implementation of the minimum necessary standard.

EU AI Act — Article 15 (Accuracy, Robustness and Cybersecurity)

Article 15 requires high-risk AI systems to be resilient against attempts by unauthorised third parties to exploit system vulnerabilities. Over-provisioned capabilities are a vulnerability: an agent with access to 50 systems when it needs 3 has a 50-system attack surface. Least-agency provisioning reduces the attack surface to only the systems needed for the current task, directly improving the system's cybersecurity posture as required by Article 15.

DORA — Article 9 (ICT Risk Management Framework)

DORA requires financial entities to manage ICT risks proportionally. Standing privileges for AI agents represent an ICT risk that is disproportionate to the agent's operational needs. Just-in-time provisioning implements proportional access control — the agent's access footprint matches its operational needs at every point in time.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Proportional to the over-provisioning gap — the wider the gap between provisioned and needed capabilities, the larger the blast radius of any agent compromise

Consequence chain: Over-provisioned capabilities directly determine the blast radius of any agent compromise. A prompt injection attack against an agent with standing access to 50 systems can exploit any of those 50 systems. The same attack against an agent with just-in-time access to 2 systems for 15 minutes can exploit only those 2 systems within the 15-minute window. The financial impact scales accordingly: the expense processing agent with full database access enabled exfiltration of 2,300 employee records; the same agent with just-in-time access to 2 tables could not have reached the compensation data. Standing privileges also create cascading risk in multi-agent environments: an agent with accumulated pipeline capabilities becomes a single point of compromise for the entire pipeline. The regulatory impact is significant under GDPR (over-collection/access violates Article 25), under HIPAA (exceeding minimum necessary), and under financial regulations that require proportional access controls. The organisational cost of remediation is high because capability reduction in production systems requires careful testing to avoid disrupting legitimate operations.