Static Role for a Dynamic Agent
Anti-pattern: authorize a goal-driven agent with static, login-time, role-based privileges, so its standing permissions persist between and beyond tasks, forcing a choice between over-granting broad access and blocking the agent mid-task.
Problem
Role-based access control decides permissions once, from a static role, for a predictable actor. A goal-driven agent is none of those things. Its action set is dynamic and task-dependent, so the role either grants more standing privilege than any single task needs — broad, long-lived access that persists between and beyond tasks and becomes the blast radius when the agent is hijacked, prompt-injected, or simply wrong — or it grants too little and the agent is blocked mid-task, so someone widens the role to unblock it. Because each new task path wants a different permission combination, roles multiply until effective access can no longer be explained. The model cannot express what actually governs a safe agent action: this principal, this task, this moment, revocable when the task ends. Standing privilege is the default the model pushes toward, and it is exactly the wrong default for an actor that decides its own next step.
Solution
Replace standing, role-based grants with runtime, task-scoped authorization. Decide each consequential action against the current principal, task intent, and context rather than against a role assigned once at login; issue least-privilege, short-lived, revocable credentials per task so privilege never outlives the work that needed it; expand access only as the agent demonstrates it needs and can be trusted with more. Mitigation patterns: delegated-agent-authorization for scoped, short-lived, revocable per-action credentials, and progressive-tool-access for minimal access that expands only as competency is shown. Static RBAC is not wrong for human users whose access is decided at login; it is wrong as the authorization model for an actor that chooses its own next step, which is the mismatch this anti-pattern names.
When to use
- An agent is assigned a static role with standing permissions decided once, at deployment or login.
- The agent's role is periodically widened to unblock it mid-task, and privilege never narrows again.
- Effective agent access is assembled from proliferating roles or groups and can no longer be explained per action.
Open the full interactive page →
Diagram, neighbourhood map, code examples, related patterns and full provenance.