Less is more - especially for AI agents

The least privilege principle benefits agentic systems twice. Limiting the powers of an agent improves security and, at the same time, its performance and accuracy.

Stanislav Miklik, April 22, 2026

You have probably heard about the recent Vercel security incident. Several (non-sensitive) environment variables, probably also containing multiple API keys of Vercel's customers, were compromised.

What happened?

A Vercel employee granted "Allow All" OAuth permissions to a third-party enterprise AI tool (Context.ai) within their Google Workspace. The attack started within Context.ai and allowed attackers to take over the employee's Google Workspace account and get into Vercel's internal systems.

Least privilege principle

After the battle, everyone is a general. The principle of least privilege is a general security practice that is even more needed in the age of AI agents.

Agents can hallucinate, and agents are prone to prompt injection. LLMs are a perfect solution for processing unstructured (textual) data: talking to users or just reading your emails. However, such input data is hard to sanitize or check, and suddenly your personal agent (or your company chatbot) reads malicious instructions and can start reading your Google Drive and leaking sensitive files to the internet.

Plan agent capabilities

Though it is tempting to give an AI agent lots of capabilities, in reality doing so also makes the agent perform worse. And I am not only talking about burned tokens (or $$$), or the possibility that the agent hallucinates and sends an email you didn't want it to send. I mean lower accuracy: the agent can have trouble picking the right MCP tool, and that means a lower success rate.

To be honest, we learned this while building our internal agentic system. In our tests we created an MCP mock with the tools we wanted our agent to use. The tests were working fine, and we started testing our agent with a real (3rd party) MCP server which had more tools available. Suddenly the agent started to use tools we weren't expecting.

In the end, more tools available to the agent sometimes led it down wrong paths and the success rate visibly decreased. We restricted MCP server tools in code and the performance of the agent went back to what we had seen in our automated tests.
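One way to restrict MCP server tools in code, as an added example that is not the author's implementation: an allowlist gate that filters what the server advertises before the model sees it and re-checks every call, since a model can emit a tool name it was never shown. The tool names, the `ToolGate` class and the `fake_upstream` transport are hypothetical; the tool dictionaries follow the shape of an MCP `tools/list` result and are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Any, Callable

# Constructed sample: tools a third-party MCP server might advertise.
SAMPLE_SERVER_TOOLS = [
    {"name": "search_docs", "description": "Full-text search", "inputSchema": {"type": "object"}},
    {"name": "read_file", "description": "Read one file", "inputSchema": {"type": "object"}},
    {"name": "send_email", "description": "Send an email", "inputSchema": {"type": "object"}},
    {"name": "delete_file", "description": "Delete a file", "inputSchema": {"type": "object"}},
]

class ToolNotAllowed(PermissionError):
    """Raised when the agent requests a tool outside the allowlist."""

@dataclass
class ToolGate:
    allowed: frozenset                          # tool names the agent may use
    call_upstream: Callable[[str, dict], Any]   # hypothetical transport to the MCP server
    denied_log: list = field(default_factory=list)

    def visible_tools(self, server_tools: list) -> list:
        # Only allowlisted tools are put into the model's context.
        return [t for t in server_tools if t["name"] in self.allowed]

    def missing_tools(self, server_tools: list) -> list:
        # Allowlisted names the server no longer offers (renamed or removed).
        offered = {t["name"] for t in server_tools}
        return sorted(self.allowed - offered)

    def call(self, name: str, arguments: dict) -> Any:
        # Enforce again at call time: hiding a tool from the prompt is not
        # enough if injected text makes the model name it anyway.
        if name not in self.allowed:
            self.denied_log.append(name)
            raise ToolNotAllowed(f"tool {name!r} is not on the allowlist")
        return self.call_upstream(name, arguments)

def fake_upstream(name: str, arguments: dict) -> dict:
    # Stand-in for the real MCP call so the example runs offline.
    return {"tool": name, "arguments": arguments}

def demo():
    gate = ToolGate(frozenset({"search_docs", "read_file"}), fake_upstream)
    shown = [t["name"] for t in gate.visible_tools(SAMPLE_SERVER_TOOLS)]
    try:
        gate.call("send_email", {"to": "someone@example.com"})
    except ToolNotAllowed:
        pass  # denied and recorded; a real agent would surface this to monitoring
    return shown, gate.denied_log

if __name__ == "__main__":
    print(demo())
```

The `denied_log` entries are worth alerting on: a request for a tool the agent was never shown is a useful signal of prompt injection or hallucination.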

Less is more

Benefits of using fewer tools for AI agents:

  • Security - fewer tools mean fewer options to misuse (e.g. due to prompt injection).
  • Accuracy - fewer tools allow the AI agent to focus on what is important, leading to better results.
  • Money - though this impact is in general minimal, fewer tools mean fewer tokens burned by the agent, especially when it starts to use tools that are useless for completing the task.

Let's build some agents in a pragmatic way.
