AI Picker
Agents · Research Note

AI Agent Permission Checklist

The important question is not whether an AI agent is impressive. It is what the agent is allowed to touch. This checklist turns vague autonomy claims into concrete permission decisions.

Use this note before connecting an agent to GitHub, email, Slack, Notion, Stripe, cloud infrastructure, deployment tools, or customer data. The agent's value is tied to access; the risk is also tied to access.

The permission ladder

AI agents are often described as if autonomy were one feature. In practice, autonomy is a ladder. Each rung changes the risk profile.

LevelPermissionExampleMain risk
1SuggestDraft a reply, propose a diff, summarize a document.Wrong output wastes review time.
2ReadRead a repo, meeting transcript, CRM record, or analytics dashboard.Sensitive data exposure.
3Write draftCreate a branch, draft a Notion page, prepare an email.Generated work may be mistaken for approved work.
4Modify live systemsEdit production content, merge code, update tickets, change settings.Incorrect actions create operational damage.
5Contact or spendSend email, invite users, buy ads, create cloud resources, issue refunds.The agent can create financial, legal, or reputational harm.

Most teams should start at levels 1-2. Level 3 can be safe with review. Levels 4-5 need explicit policies, logs, and approval gates.

Five questions before granting access

  1. What can the agent read? List data sources, not integrations. "GitHub" is too broad; "one public repo" is specific.
  2. What can the agent write? Draft-only is different from merge, send, publish, deploy, or charge.
  3. Who approves actions? Is approval required every time, only above a threshold, or never?
  4. Where is the audit trail? You should be able to see prompt, input, decision, action, time, and actor.
  5. How do you revoke access? Revocation should be obvious, fast, and testable.

The integration risk map

Integrations are not equal. A calendar reader and a deployment token should not be reviewed with the same seriousness.

IntegrationDefault stanceReason
Docs or notesRead-only firstUseful context, but may contain private strategy or customer information.
GitHub or GitLabBranch-only firstAgents can be useful for drafts; merging should remain human-approved.
EmailDraft-only firstSending messages creates external consequences.
Slack or chatPrivate-channel firstIncorrect messages can confuse teams or expose sensitive data.
Billing or paymentsManual approval alwaysRefunds, purchases, and invoices affect money and trust.
Cloud infrastructureRead-only or sandboxCreating resources can cost money; changing settings can break production.

Approval design matters more than prompts

A safer agent is not merely a better prompt. It is a better system around the prompt: scoped tokens, dry-run mode, diffs, approvals, rollback, and logs. The interface should make it hard to confuse "suggested" with "done".

Useful pattern: require the agent to produce a plan before action. Review the plan separately from the generated output. Then approve only the specific action, not a broad permission.

A team policy you can copy

For a small team, a simple policy is better than no policy:

  • Agents may read public documentation and designated non-sensitive project files.
  • Agents may create drafts, branches, tickets, and internal notes.
  • Agents may not send external messages, merge code, deploy, create paid resources, issue refunds, or change permissions without human approval.
  • All agent actions must leave a visible log.
  • Any integration touching customers, money, production, or private code requires owner approval before connection.

Trial plan for a new agent

  1. Start with a sandbox task. Use a fake repo, sample docs, or a small internal project.
  2. Give one integration only. Do not connect everything on day one.
  3. Use read-only access where possible. The first trial should test reasoning, not permissions.
  4. Measure review time. A fast agent that creates slow review is not a productivity win.
  5. Test revocation. Disconnect the tool and confirm it loses access.

The buyer's question

Ask: "What is the worst thing this agent can do without another human approving it?" If that answer makes you nervous, the permission set is too broad for the current trust level.

Use this note with the comparison pages when you move from evaluation to price checking.

Comparison index Coding plan pricing LLM API pricing Image generation API pricing

More Research Notes

SpecificityA 30-second test for spotting vague AI product promises before you waste time on a trial.TrustThe evidence an AI tool should show before you give it files, code, customers, or budget.BudgetEstimate the real cost of AI coding tools beyond the monthly subscription price.Local vs CloudA task-level decision framework for local models, hosted APIs, and hybrid workflows.
← Previous noteNext note →