AGENT_LEAST_PRIVILEGE
Verify AI agents run with scoped credentials (least privilege), use short-lived tokens, and cannot laterally move or escalate privileges.
Framework Mappings
- AIUC-1 B007 — User Access Privileges
- SOC 2 CC6.3 — Role-Based Access
- OWASP Agentic ASI03 — Identity & Privilege Abuse
Agent Frameworks Scanned
Claude Code, LangChain, CrewAI, AutoGen, MCP
Evaluation Facets
01 Scoped Credentials
Required · Weight: 0.3
Pass: Narrowly scoped IAM roles matching documented boundaries
Partial: Overly broad permissions
Fail: Admin/root credentials or wildcard permissions

02 Short-Lived Tokens
Required · Weight: 0.25
Pass: STS/workload identity/Vault with TTL ≤ 1 hour
Partial: Short-lived but TTL > 1 hour
Fail: Hardcoded long-lived API keys

03 Network Segmentation
Weight: 0.2
Pass: Dedicated subnet with restricted egress
Partial: Shared subnet with security group restrictions
Fail: Unrestricted egress

04 Secret Management
Weight: 0.25
Pass: Credentials via secret manager (Vault, AWS Secrets Manager)
Partial: Mix of secret manager and config files
Fail: Credentials in plaintext config files
Remediation Steps
1. Scope IAM roles to minimum required permissions
2. Use short-lived tokens via STS or workload identity
3. Restrict network egress to required endpoints only
4. Store all credentials in a secret manager
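The following is an added example, not Brigs' own evaluator, showing how the four facets and their weights above can be turned into a reproducible check over an agent deployment's configuration. The config schema (`iam_policy`, `credentials`, `network`, `secrets`), the numeric value given to each verdict, and the rule that a Fail on a Required facet blocks the control are assumptions made for this illustration; the two sample configurations are constructed to mirror the "before" and "after" of the remediation steps.

```python
"""Added example (not Brigs' code): grade an agent deployment against the
AGENT_LEAST_PRIVILEGE facets and combine the verdicts with the page's weights.
The input schema and verdict values are constructed for illustration."""
import json

# Facet weights as listed on the page.
WEIGHTS = {
    "scoped_credentials": 0.30,
    "short_lived_tokens": 0.25,
    "network_segmentation": 0.20,
    "secret_management": 0.25,
}
# Facets marked "Required": a Fail here blocks the control (assumed semantics).
REQUIRED = {"scoped_credentials", "short_lived_tokens"}
# Assumed numeric value of each verdict.
VERDICT_SCORE = {"Pass": 1.0, "Partial": 0.5, "Fail": 0.0}
# Credential sources treated as a secret manager / short-lived issuer.
SECRET_MANAGERS = {"vault", "aws_secrets_manager"}
SHORT_LIVED_SOURCES = {"sts", "workload_identity", "vault"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def grade_scoped_credentials(policy: dict) -> str:
    """Facet 01. `policy` is an IAM-style document (assumed input shape).
    A bare '*' action or an admin managed policy is Fail; a service-wide
    wildcard such as 's3:*' is Partial; enumerated actions are Pass."""
    if any(arn.endswith("/AdministratorAccess")
           for arn in policy.get("ManagedPolicyArns", [])):
        return "Fail"
    broad = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if "*" in actions:
            return "Fail"
        if any(a.endswith(":*") for a in actions):
            broad = True
    return "Partial" if broad else "Pass"


def grade_short_lived_tokens(creds: dict) -> str:
    """Facet 02. `creds` = {"source": str, "ttl_seconds": int} (assumed shape).
    Anything not issued by STS/workload identity/Vault is a static key."""
    if creds.get("source") not in SHORT_LIVED_SOURCES:
        return "Fail"
    ttl = creds.get("ttl_seconds")
    if ttl is None or ttl > 3600:   # unknown TTL is not proven <= 1 hour
        return "Partial"
    return "Pass"


def grade_network_segmentation(net: dict) -> str:
    """Facet 03. `net` = {"dedicated_subnet": bool, "egress_allowlist": list|None}.
    No allowlist means unrestricted egress."""
    if net.get("egress_allowlist") is None:
        return "Fail"
    return "Pass" if net.get("dedicated_subnet") else "Partial"


def grade_secret_management(secrets: list) -> str:
    """Facet 04. `secrets` = [{"name": str, "source": str}, ...] (assumed shape)."""
    sources = {s.get("source") for s in secrets}
    unmanaged = sources - SECRET_MANAGERS
    if not unmanaged:
        return "Pass"
    return "Partial" if sources & SECRET_MANAGERS else "Fail"


# facet -> (config key, default value, grader)
GRADERS = {
    "scoped_credentials": ("iam_policy", {}, grade_scoped_credentials),
    "short_lived_tokens": ("credentials", {}, grade_short_lived_tokens),
    "network_segmentation": ("network", {}, grade_network_segmentation),
    "secret_management": ("secrets", [], grade_secret_management),
}


def evaluate(config: dict) -> dict:
    """Grade every facet, weight the verdicts and list blocking failures."""
    verdicts = {facet: grader(config.get(key, default))
                for facet, (key, default, grader) in GRADERS.items()}
    score = round(sum(WEIGHTS[f] * VERDICT_SCORE[v] for f, v in verdicts.items()), 4)
    blocking = sorted(f for f in REQUIRED if verdicts[f] == "Fail")
    return {"verdicts": verdicts, "score": score, "blocking": blocking}


# Constructed sample: the state the remediation steps start from.
WEAK_AGENT = {
    "iam_policy": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "credentials": {"source": "static_api_key"},
    "network": {"dedicated_subnet": False, "egress_allowlist": None},
    "secrets": [{"name": "LLM_API_KEY", "source": "config_file"}],
}
# Constructed sample: the same agent after applying the four remediation steps.
HARDENED_AGENT = {
    "iam_policy": {"Statement": [{"Effect": "Allow",
                                  "Action": ["s3:GetObject", "s3:ListBucket"],
                                  "Resource": ["arn:aws:s3:::agent-docs/*",
                                               "arn:aws:s3:::agent-docs"]}]},
    "credentials": {"source": "sts", "ttl_seconds": 900},
    "network": {"dedicated_subnet": True, "egress_allowlist": ["api.example.com:443"]},
    "secrets": [{"name": "LLM_API_KEY", "source": "vault"}],
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_AGENT), ("hardened", HARDENED_AGENT)):
        print(name, json.dumps(evaluate(cfg)))
```

The weak configuration scores 0.0 with both Required facets blocking; the hardened one scores 1.0. A deployment with a service-wide `s3:*` action, a Vault token with a two-hour TTL, a shared subnet with an egress allowlist, and secrets split between Vault and a config file lands at 0.5 with no blocking facet, which is exactly the "Partial" column of the rubric applied across the board.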
Evaluate this control automatically
Connect your repos and Brigs evaluates AGENT_LEAST_PRIVILEGE across all your agent configurations.