
Why Task-Scoped Permissions Fail for Non-Deterministic AI Agents

April 7, 2026

Almost 9 months ago, I believed the hardest problem in agent security was task-scoped permissions.

Define the task. Compute the minimal permissions. Issue a token. Auto-revoke on completion. Get it right, and your AI agent can never do more damage than you explicitly authorized.

I designed the full stack and then spent months watching it fail against actual agent behavior.

The breaking point was simple: LLM agents can't pre-declare what they're going to do, because what they do emerges from reasoning at runtime. The execution graph branches at every node depending on what the agent learned at the previous one. You can't compute the minimal permission set for a path that doesn't exist yet.

Most long-running agents don't have clear task boundaries either — your SDR agent runs all day, your monitoring agent never completes, and multi-agent workflows nest tasks inside tasks.

We built a beautiful permission model for a lifecycle that doesn't exist.

What I've learned from designing past the failure:

Stop trying to compute the perfect permission set.

Bound the damage instead.

Cap volume — 100 reads, 10 writes, $5 cost ceiling, 8-hour window. The gateway can count requests without knowing the execution graph. Budget exhaustion = auto-revoke.

Scope to the goal, not the path.

An agent declared for "QBR preparation" that scans 200 unrelated Notion pages is misbehaving — even if every individual API call was technically permitted. Intent-based enforcement catches drift that task-scoping never will.

Permissions are multi-dimensional. A single token flattens them.

Session, time, budget, task, intent, resource scope, delegation depth, risk level. These need to compose and intersect per request, not collapse into a single monolithic grant.
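To make the three points above concrete (volume caps with auto-revoke, scoping to the declared goal rather than the path, and per-request composition of independent constraints), here is an added example of a gateway that evaluates a composable constraint stack. It is illustrative code written for this post, not code from the stack described in it; the class names, the resource-prefix notion of goal scope, the three-violation drift threshold and the sample Notion-style resource names are assumptions.

```python
"""Composable permission stack for a request gateway (illustrative example).

Each layer is an independent constraint evaluated per request; a request is
allowed only if every layer admits it. No layer needs the agent's execution
graph: budgets are counted, time is compared, and resources are matched
against the declared goal's scope.
"""
from __future__ import annotations

import time
from dataclasses import dataclass


@dataclass
class Budget:
    """Volume caps; defaults mirror the post's 100 reads / 10 writes / $5 / 8 h."""
    max_reads: int = 100
    max_writes: int = 10
    max_cost_usd: float = 5.0
    window_seconds: int = 8 * 3600
    reads: int = 0
    writes: int = 0
    cost_usd: float = 0.0

    def exhausted(self) -> bool:
        # Any exhausted dimension ends the grant (budget exhaustion = auto-revoke).
        return (self.reads >= self.max_reads
                or self.writes >= self.max_writes
                or self.cost_usd >= self.max_cost_usd)


@dataclass
class Grant:
    session_id: str
    goal: str                        # declared intent, e.g. "QBR preparation"
    allowed_prefixes: tuple          # assumed: resources the goal legitimately touches
    max_delegation_depth: int
    budget: Budget
    issued_at: float
    max_scope_violations: int = 3    # assumed drift threshold before auto-revoke
    scope_violations: int = 0
    revoked_reason: str = ""         # non-empty once auto-revoked


@dataclass
class Request:
    session_id: str
    action: str                      # "read" or "write"
    resource: str
    cost_usd: float = 0.0
    delegation_depth: int = 0


class Gateway:
    def __init__(self, clock=time.time):
        self.clock = clock           # injectable for testing
        self.grants: dict[str, Grant] = {}

    def issue(self, grant: Grant) -> None:
        self.grants[grant.session_id] = grant

    def check(self, req: Request) -> tuple[bool, str]:
        """Evaluate every layer in turn; return (allowed, reason)."""
        grant = self.grants.get(req.session_id)
        if grant is None:
            return False, "unknown session"
        if grant.revoked_reason:
            return False, "revoked: " + grant.revoked_reason
        # Time layer: the grant is valid only inside its window.
        if self.clock() - grant.issued_at > grant.budget.window_seconds:
            grant.revoked_reason = "time window expired"
            return False, "revoked: " + grant.revoked_reason
        # Delegation layer: nested sub-agents cannot exceed the allowed depth.
        if req.delegation_depth > grant.max_delegation_depth:
            return False, "delegation depth exceeded"
        # Intent layer: the resource must fall inside the declared goal's scope;
        # repeated out-of-scope requests are treated as drift and revoke the grant.
        if not req.resource.startswith(grant.allowed_prefixes):
            grant.scope_violations += 1
            if grant.scope_violations >= grant.max_scope_violations:
                grant.revoked_reason = f"intent drift from goal '{grant.goal}'"
                return False, "revoked: " + grant.revoked_reason
            return False, "resource outside goal scope"
        # Budget layer: only admitted requests are counted; the cost ceiling is
        # checked before charging so a single call cannot overshoot it.
        b = grant.budget
        if req.action not in ("read", "write"):
            return False, "unknown action"
        if b.cost_usd + req.cost_usd > b.max_cost_usd:
            return False, "cost ceiling exceeded"
        if req.action == "read":
            b.reads += 1
        else:
            b.writes += 1
        b.cost_usd += req.cost_usd
        if b.exhausted():
            grant.revoked_reason = "budget exhausted"
        return True, "allowed"


if __name__ == "__main__":
    gw = Gateway()
    gw.issue(Grant("s1", "QBR preparation", ("notion://sales/",), 1,
                   Budget(max_reads=3, max_writes=1, max_cost_usd=1.0), time.time()))
    for r in (Request("s1", "read", "notion://sales/q3"),
              Request("s1", "read", "notion://hr/reviews"),
              Request("s1", "write", "notion://sales/q3", cost_usd=0.5),
              Request("s1", "read", "notion://sales/q3")):
        print(r.action, r.resource, "->", gw.check(r))
```

The layers are deliberately imprecise on their own: the budget layer knows nothing about intent, the intent layer knows nothing about volume, and the time layer knows nothing about either. A request has to pass all of them, which is the envelope the post describes, and any one layer can end the session without consulting the others.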

Figure: Task Token vs Composable Stack. Task tokens break when the execution path is unknown; composable stacks work without knowing the path.

No single layer is as precise as a perfect task token would be. But a perfect task token can't exist for non-deterministic agents.

The composable stack trades the illusion of precision for actual enforceability — multiple imprecise constraints that together create a tighter envelope than any one mechanism alone.

A single token creates a single failure domain, but multiple independent constraints mean an attacker has to defeat all of them simultaneously.

That's what keeps me building.