Anti-Patterns

Agent Privilege Escalation

Anti-pattern: let an agent's effective permissions be the union of its own identity, the identities of its tools, and the identities of the services those tools call.

Problem

Giskard's framing names this the 'attribution gap': permissions are managed dynamically across an opaque identity chain without a single governed identity for the agent. The agent can act with privileges that no single audit row reflects: the tool it called had broader scope than the agent itself, and the downstream service trusts the tool's identity, not the agent's, so the audit row shows the tool's service account. Classical IAM models don't fit because there is no one principal to authorise; each hop authorises whatever identity it happens to hold.

Solution

Don't. Adopt delegated-identity threading (on-behalf-of tokens, downscoped credentials) so the originating agent's identity is carried through every hop rather than replaced by the tool's. Apply capability-bounded-execution at every tool boundary, so a tool's effective scope is the intersection of its own scope and the scope it was handed, never the union. Audit by originating agent so the attribution gap closes. Pair with authorized-tool-misuse mitigations.

When to use

  • Never. Cite when reviewing an agent identity model.
  • Thread the agent's identity through tools via delegated tokens.
  • Cap a tool's effective permissions at the calling agent's own permissions (intersection, not union).
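The Solution and the bullets above describe the same mechanism; the following is an added example (not code from the page or from Giskard) that shows the anti-pattern and the fix side by side. It simulates an agent, two tools with broader service-account scopes than the agent, and a downstream service. The identities, scope names and token fields (`sub`, `act`, `chain`) are constructed for this example; the point is that an on-behalf-of exchange intersects scopes at every tool boundary, so scope can only shrink, and every authorisation decision is logged against the originating agent.

```python
from dataclasses import dataclass

# Constructed sample identities and scopes (assumptions for this example, not from the page).
AGENT_SCOPES = {
    "agent:support-bot": frozenset({"tickets:read", "tickets:comment"}),
}
TOOL_SCOPES = {
    # Each tool's own service account is broader than the agent that calls it.
    "tool:crm-connector": frozenset(
        {"tickets:read", "tickets:comment", "tickets:delete", "customers:export"}
    ),
    "tool:db-gateway": frozenset({"tickets:read", "tickets:delete", "customers:export"}),
}


@dataclass(frozen=True)
class DelegatedToken:
    """On-behalf-of token. `sub` is the originating agent and never changes as the
    token is exchanged at each tool boundary; `act` is the identity currently acting;
    `chain` records every identity the request passed through, for audit."""
    sub: str
    act: str
    scopes: frozenset
    chain: tuple


def union_effective_scopes(agent: str, tool: str) -> frozenset:
    """Anti-pattern: the tool calls downstream with its own service account, so the
    agent effectively gets the union of its scope and the tool's."""
    return AGENT_SCOPES[agent] | TOOL_SCOPES[tool]


def issue_agent_token(agent: str) -> DelegatedToken:
    """Root of the chain: the agent's own governed identity and its own scope."""
    return DelegatedToken(sub=agent, act=agent, scopes=AGENT_SCOPES[agent], chain=(agent,))


def exchange_on_behalf_of(token: DelegatedToken, tool: str) -> DelegatedToken:
    """Capability-bounded exchange at a tool boundary: the tool may act only with the
    intersection of its own scope and the scope it was handed. Scope never grows."""
    downscoped = token.scopes & TOOL_SCOPES[tool]
    return DelegatedToken(sub=token.sub, act=tool, scopes=downscoped,
                          chain=token.chain + (tool,))


AUDIT_LOG: list = []


def authorize(token: DelegatedToken, required: str) -> bool:
    """Downstream service check: one decision, attributed to the originating agent
    (`sub`), with the acting tool and the full delegation chain recorded alongside."""
    allowed = required in token.scopes
    AUDIT_LOG.append({"sub": token.sub, "act": token.act, "scope": required,
                      "allowed": allowed, "chain": token.chain})
    return allowed


def demo() -> dict:
    agent, tool = "agent:support-bot", "tool:crm-connector"
    # Anti-pattern: the agent can delete tickets simply because its tool can.
    union_can_delete = "tickets:delete" in union_effective_scopes(agent, tool)
    # Fix: thread the agent's identity; the tool's call is bounded by the agent's scope.
    tok = exchange_on_behalf_of(issue_agent_token(agent), tool)
    # Second hop through a broader tool still cannot widen the scope.
    tok2 = exchange_on_behalf_of(tok, "tool:db-gateway")
    return {
        "union_can_delete": union_can_delete,
        "delegated_can_delete": authorize(tok, "tickets:delete"),
        "delegated_can_comment": authorize(tok, "tickets:comment"),
        "two_hop_scopes": set(tok2.scopes),
        "two_hop_chain": tok2.chain,
        "attributed_to": AUDIT_LOG[-1]["sub"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check a reviewer should look for in a real deployment is the invariant `exchange_on_behalf_of` enforces: for every hop, the new token's scope is a subset of the token it was derived from, and `sub` is unchanged. If the token exchange endpoint can mint a scope that is not a subset of the caller's, the attribution gap is still open regardless of how the audit log is written.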
