
Less is more - especially for AI agents

The least privilege principle benefits agentic systems twice. Limiting the powers of an agent improves security and, at the same time, its performance and accuracy.

Stanislav Miklik, April 22, 2026

You have probably heard about the recent Vercel security incident. Several (non-sensitive) environment variables, which probably also contained multiple API keys of Vercel's customers, were compromised.

What happened?

A Vercel employee granted "Allow All" OAuth permissions to a third-party enterprise AI tool (Context.ai) within their Google Workspace. The attack started within Context.ai and allowed attackers to take over the employee's Google Workspace account and get into Vercel's internal systems.

Least privilege principle

After the battle, everyone is a general. The principle of least privilege is a general security practice that is even more needed in the age of AI agents.

Agents can hallucinate, and agents are prone to prompt injection. LLMs are a perfect solution for processing unstructured (textual) data: talking to users, or just reading your emails. However, such input data are hard to sanitize or check, so your personal agent (or your company chatbot) can suddenly read malicious instructions and start reading your Google Drive and leaking sensitive files to the internet.

Plan agent capabilities

Though it is tempting to give an AI agent lots of capabilities, in reality it also makes the agent perform worse. And I am not only talking about burned tokens (or $$$), or the possibility that the agent hallucinates and sends an email you didn't want it to send. I mean lower accuracy, because the agent can have trouble picking the right MCP tool, and that means a lower success rate.

To be honest, we learned this while building our internal agentic system. In our tests, we created an MCP mock with the tools we wanted our agents to use. Tests were working fine, and we started testing our agent with a real (3rd party) MCP server, which had more tools available. Suddenly, the agent started to use tools we weren't expecting.

In the end, more tools available to the agent sometimes led it down wrong paths, and the success rate visibly decreased. We restricted the MCP server tools in code, and the performance of the agent went back to what we had seen in our automated tests.
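One way to restrict a server's tools in code, shown as an added example rather than the implementation described in this post: an allowlist applied both when tools are advertised to the model and again when a call is forwarded. `RestrictedToolset`, the tool names and the fake upstream function are hypothetical; the descriptors use the `name`, `description` and `inputSchema` fields of an MCP tool listing.

```python
from dataclasses import dataclass
from typing import Any, Callable


class ToolNotAllowed(Exception):
    """The agent asked for a tool that is outside its allowlist."""


@dataclass(frozen=True)
class RestrictedToolset:
    allowed: frozenset  # tool names this agent was designed to use
    upstream_call: Callable[[str, dict], Any]  # forwards a call to the server

    def advertise(self, upstream_tools: list) -> list:
        """Return only allowlisted descriptors; this is all the model sees."""
        visible = [t for t in upstream_tools if t["name"] in self.allowed]
        missing = self.allowed - {t["name"] for t in visible}
        if missing:  # server renamed or dropped a tool we depend on: fail loudly
            raise LookupError(f"allowlisted tools not offered: {sorted(missing)}")
        return visible

    def call(self, name: str, arguments: dict) -> Any:
        """Enforce the allowlist again at call time, then forward."""
        # Hiding a tool is not enough: injected text can still make the model
        # emit a call to a name it was never shown.
        if name not in self.allowed:
            raise ToolNotAllowed(name)
        return self.upstream_call(name, arguments)


# Constructed sample: what a third-party server might list (names are made up).
UPSTREAM_TOOLS = [
    {"name": "search_tickets", "description": "Search tickets", "inputSchema": {}},
    {"name": "get_ticket", "description": "Read one ticket", "inputSchema": {}},
    {"name": "send_email", "description": "Send an email", "inputSchema": {}},
    {"name": "delete_project", "description": "Delete a project", "inputSchema": {}},
]
FORWARDED = []  # records what actually reached the (fake) server


def fake_upstream_call(name: str, arguments: dict) -> dict:
    FORWARDED.append((name, arguments))
    return {"tool": name, "ok": True}


TOOLSET = RestrictedToolset(frozenset({"search_tickets", "get_ticket"}),
                            fake_upstream_call)

if __name__ == "__main__":
    print([t["name"] for t in TOOLSET.advertise(UPSTREAM_TOOLS)])
    print(TOOLSET.call("get_ticket", {"id": 7}))
```

Because the allowlist is a fixed set of names, a tool the server adds later stays invisible to the agent until someone reviews it and adds it on purpose.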

Less is more

Benefits of using fewer tools for AI agents:

  • Security - fewer tools mean fewer options to misuse (e.g., due to prompt injection).
  • Accuracy - fewer tools allow the AI agent to focus on what is important, leading to better results.
  • Money - though this impact is in general minimal, fewer tools means fewer tokens burned by the agent, especially when it starts to use tools useless to the completion of the task.

Let's build some agents in a pragmatic way.