Least Agency

The agentic equivalent of least privilege — the principle that AI agents should be granted only the minimum level of autonomy necessary to complete their designated task, and no more. Coined in the OWASP Top 10 for Agentic Applications 2026.

Expanded Definition

Least Agency is the agentic security control that limits what an AI agent can decide, invoke, or persist while it performs a task. It is closely related to least privilege, but it focuses on autonomy, not just access rights. In practice, that means constraining tool use, scope of action, time horizon, and escalation paths.

No single standard governs this yet, and usage in the industry is still evolving. Some teams apply it narrowly to execution permissions, while others extend it to planning freedom, memory writes, and delegation behavior. The clearest operational reading is that an agent should be capable of completing one bounded objective without gaining broader authority than the task requires. That makes it a core concept in OWASP’s agentic security guidance and a natural fit alongside NIST Cybersecurity Framework 2.0 implementation discussions.

The most common misapplication is treating least agency as a one-time prompt constraint, which occurs when teams secure the model output but leave tool permissions, session tokens, and downstream automation unconstrained.

Examples and Use Cases

Implementing least agency rigorously often introduces workflow friction, requiring organisations to balance agent autonomy against response speed and operational simplicity.

  • An IT support agent can triage tickets and draft remediation steps, but it cannot approve changes or execute privileged commands without human review.
  • A code assistant may open a pull request and suggest fixes, but it cannot merge to production or rotate secrets unless its task scope explicitly allows it.
  • A finance automation agent can reconcile invoices, yet it cannot create new payees or alter payment thresholds unless escalation is triggered.
  • A cloud operations agent may read telemetry and recommend actions, but it cannot create identities, change IAM policies, or expand its own permissions.

These patterns are easier to design when teams already understand how NHIs are governed across lifecycle and access boundaries. The Ultimate Guide to NHIs is useful here because it frames identity control as a continuous discipline, not a one-off configuration. For teams mapping least agency to control design, NIST Cybersecurity Framework 2.0 helps translate the concept into governance, access control, and monitoring activities.
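
The cloud operations agent pattern from the list above, enforced at the tool-dispatch layer rather than in the prompt (an added example, not code from OWASP or NHI Mgmt Group). The TaskGrant fields, the authorize function, the tool names and the limits are all assumptions made for illustration; the grant is meant to be created by the orchestrator, never by the agent itself.

```python
import time
from dataclasses import dataclass, field

# Constructed policy model for one bounded task. Tool names such as
# "iam.put_policy" are illustrative labels, not a real API.
@dataclass
class TaskGrant:
    task_id: str
    allowed: frozenset          # tools the agent may invoke on its own
    needs_approval: frozenset   # tools that require a named human approver
    expires_at: float           # time horizon: the grant is void after this
    max_calls: int              # budget limits how much can happen quickly
    calls: int = 0
    audit: list = field(default_factory=list)

def authorize(grant, tool, approver=None, now=None):
    """Return 'allow', 'escalate' or 'deny' for one tool call; default is deny."""
    now = time.time() if now is None else now
    if now >= grant.expires_at:
        decision = "deny"       # a finished task keeps no latent authority
    elif grant.calls >= grant.max_calls:
        decision = "deny"
    elif tool in grant.allowed:
        decision = "allow"
    elif tool in grant.needs_approval:
        decision = "allow" if approver else "escalate"
    else:
        decision = "deny"       # unlisted tools stay denied even with approval
    if decision == "allow":
        grant.calls += 1
    grant.audit.append((now, grant.task_id, tool, approver, decision))
    return decision

def demo():
    g = TaskGrant("task-001", frozenset({"telemetry.read", "ticket.comment"}),
                  frozenset({"service.restart"}), expires_at=1000.0, max_calls=3)
    return [
        authorize(g, "telemetry.read", now=10.0),
        authorize(g, "service.restart", now=11.0),
        authorize(g, "service.restart", approver="oncall@example.com", now=12.0),
        authorize(g, "iam.put_policy", now=13.0),
        authorize(g, "iam.put_policy", approver="oncall@example.com", now=13.5),
        authorize(g, "telemetry.read", now=14.0),
        authorize(g, "telemetry.read", now=15.0),   # budget of 3 is exhausted
    ]

if __name__ == "__main__":
    print(demo())
```

Every decision, including denials, lands in the grant's audit list, which gives monitoring a record of attempted overreach as well as permitted actions.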

Why It Matters in NHI Security

Least agency matters because agents often operate with latent authority that exceeds the immediate task. When that happens, a compromised prompt, malicious plugin, or faulty workflow can turn a routine automation into an identity abuse event. The risk is not only that the agent can do too much, but that it can do too much too quickly, before detection or rollback is possible.

This is especially relevant in environments where service accounts, tokens, and API keys are already overextended. NHI Mgmt Group's Ultimate Guide to NHIs reports that 97% of NHIs carry excessive privileges, which means agentic systems frequently inherit an already risky access baseline. Pair that with weak visibility and you get a compound problem: the agent is not just autonomous, it is autonomous inside a permissive identity estate. Practitioners should align this concept with Zero Trust expectations and with the identity governance themes surfaced in NIST Cybersecurity Framework 2.0.

Organisations typically encounter the need for least agency only after an agent has overreached, modified data, or triggered an unintended action, at which point the control becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 |  | Least agency is a core agentic safety principle in OWASP guidance.
NIST CSF 2.0 | PR.AA | Maps to access and authorization management for autonomous systems.
NIST Zero Trust (SP 800-207) |  | Zero Trust limits implicit trust and supports task-scoped agent authority.

Constrain agent tool use, memory, and escalation so each task has only the autonomy it needs.
