Tool permissions & policy
An agent's real capability is its tool list, and policy is deciding what's on it: allow the core loop, deny the outward tail until first need, gate the irreversible behind a human. These posts cover the whole decision — how to write an allowlist, which tools to deny by default, why per-call permissions beat roles assigned at login, and the honest part most vendors skip: where client-side rules get bypassed and what enforcement outside the agent process looks like.
The Tool Surface Index is the raw material — every tool Claude Code and Codex declare, grouped by blast radius. The incident-by-incident version is the Stop Your Agent From… series.
Posts on tool policy
- AI Agent Tool Allowlists: Deny by Default, Scope per Task, Audit Everything
  One Claude Code session declares 76 tools; 64 of them never fire. A tool allowlist is the list of calls your agent may make — everything else denied. How to set one in Claude Code, Codex CLI, and MCP, and where client-side lists stop holding.
- Which Claude Code Tools Should You Deny (or Gate Behind Approval) Out of the Box?
  One Claude Code session declares 76 tools. The core coding loop isn't the risk — the never-invoked tail is: tools that send, schedule, publish, and spawn. A default posture, argued from blast radius, not asserted.
- How to Govern AI Agent Tool Calls (Before They Run)
  Your framework gatekeeps the server, not the call. How to authorize, scope, and audit every agent tool call per user — deterministically, before it executes.
- Agent Access Control: Least-Privilege Scoped Tools
  The fastest way to make an agent ungovernable is to give it broad tools. Why least-privilege, scoped tools are the foundation of access control for AI agents.
- Claude Code's Deny List Can Be Bypassed. Here's What a Real Enforcement Boundary Looks Like.
  Deny rules match command strings inside the client — compound commands, substitution, and one documented flag all route around them. Where client-side permissions honestly stop, and what enforcement outside the agent process looks like.
- Claude Code's --dangerously-skip-permissions disables every governance hook
  Claude Code's --dangerously-skip-permissions silently disables every PreToolUse and PostToolUse hook, including ACP's. How to detect it server-side.
- When to Use an Agentic Control Plane (and When to Reach for a Sandbox)
  A control plane is a reference monitor — it only holds on a boundary it can completely mediate. Here's honestly where ACP fits, where a sandbox is the right answer, and how they compose.
- Per-Call Permissions for AI Agents: Why RBAC Breaks at Agent Speed
  Your RBAC assigns roles at login. Your agent makes 47 tool calls in 90 seconds. Why agents need deny-by-default permissions checked on every tool call — and what that looks like in practice.
- Stop your AI agent from deleting your production database — in three steps
  If your agent has destructive credentials in its environment, it can use them. Recovery is rarely possible. Here's how to put a control plane between the agent's decision and your production system, with the exact configuration.
- Stop your AI agent from making payments without approval — in three steps
  Agentic commerce SDKs from Stripe, Visa, and Mastercard give your AI agent the ability to charge cards, transfer funds, and authorize subscriptions. One bad tool call is one real-world transaction. Here's how to put approval in the loop where it matters.
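A worked example, added to this index and not taken from any of the posts above or from Claude Code itself, that ties together three of the teasers: the per-call, deny-by-default decision (allowlists and per-call permissions), and the reason a deny rule that matches command strings inside the client is not an enforcement boundary. The `Tool(prefix:*)` rule syntax, the tool names, the allow and deny lists and the command trace are all constructed for illustration; the matcher is a deliberate simplification and not the real Claude Code one. The stricter variant at the end is still a client-side check and still heuristic; it shows how much the naive rule misses, not a replacement for enforcement outside the agent process.

```python
"""Per-call, deny-by-default tool policy, and why string-matching deny rules
on a shell command string are not an enforcement boundary.

Illustrative example. The rule syntax `Tool(prefix:*)` only mimics the shape of
client-side permission rules; it is NOT the real Claude Code matcher.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ToolCall:
    tool: str   # e.g. "Bash", "Read", "Edit"   (assumed tool names)
    arg: str    # the command string or path the tool is invoked with


def parse_rule(rule):
    """'Bash(git push:*)' -> ('Bash', 'git push', True)   # prefix rule
       'Bash(ls)'         -> ('Bash', 'ls', False)        # exact rule
       'Read'             -> ('Read', '', True)           # every call to the tool"""
    m = re.fullmatch(r"(\w+)\((.*)\)", rule)
    if not m:
        return rule, "", True
    tool, pat = m.groups()
    if pat.endswith(":*"):
        return tool, pat[:-2], True
    return tool, pat, False


def rule_matches(rule, call):
    tool, pat, prefix = parse_rule(rule)
    if tool != call.tool:
        return False
    return call.arg.startswith(pat) if prefix else call.arg == pat


def decide(call, allow, deny):
    """Deny-by-default, evaluated on EVERY call (no role cached at login):
    deny rules win, then allow rules, and anything unmatched is escalated
    to a human ('ask') rather than silently permitted."""
    if any(rule_matches(r, call) for r in deny):
        return "deny"
    if any(rule_matches(r, call) for r in allow):
        return "allow"
    return "ask"


# Constructed policy: a small coding loop allowed, the outward/destructive tail denied.
ALLOW = ["Read", "Bash(git status:*)", "Bash(git diff:*)", "Bash(npm test:*)"]
DENY = ["Bash(git push:*)", "Bash(rm -rf:*)"]

# Constructed trace: the first call is what the deny rule was written for,
# the rest are ways the same action walks around a prefix match on the string.
TRACE = [
    ToolCall("Bash", "git push origin main"),                # caught: prefix matches
    ToolCall("Bash", "git status && git push origin main"),  # compound: string starts with an allowed prefix
    ToolCall("Bash", "git diff; rm -rf /srv/data"),          # same trick, destructive tail
    ToolCall("Bash", "sh -c 'git push origin main'"),        # wrapped: no rule matches, falls to 'ask'
    ToolCall("Bash", "$(echo git) push origin main"),        # substitution: the literal never appears
]

# Shell constructs a prefix matcher cannot see through; fail closed on them.
OPAQUE = re.compile(r"\$\(|`|\beval\b|\b(?:sh|bash|zsh)\s+-c\b")


def split_compound(cmd):
    """Best-effort split on ;, &&, ||, | and newlines into simple commands.
    It ignores quoting, so `echo "a && b"` splits wrongly; that error is
    towards 'ask'/'deny', never towards 'allow'."""
    return [s.strip() for s in re.split(r"&&|\|\||;|\||\n", cmd) if s.strip()]


def decide_strict(call, allow, deny):
    """Still client-side and still heuristic: every segment of a compound
    command must be allowed, any denied segment denies the whole call, and
    opaque constructs are denied outright instead of guessed at."""
    if call.tool != "Bash":
        return decide(call, allow, deny)
    if OPAQUE.search(call.arg):
        return "deny"
    verdicts = [decide(ToolCall("Bash", seg), allow, deny) for seg in split_compound(call.arg)]
    if "deny" in verdicts:
        return "deny"
    if all(v == "allow" for v in verdicts):
        return "allow"
    return "ask"


def audit(trace, allow, deny):
    """Run both evaluators over a trace; returns (command, naive, strict) triples."""
    return [(c.arg, decide(c, allow, deny), decide_strict(c, allow, deny)) for c in trace]


if __name__ == "__main__":
    for cmd, naive, strict in audit(TRACE, ALLOW, DENY):
        print(f"{naive:5}  {strict:5}  {cmd}")
```

Run it and the middle column shows the naive rule allowing two of the four bypasses and escalating the other two; the strict column denies all five. The strict variant only narrows the gap: it cannot model quoting, aliases, functions or a second interpreter invoked by a path, which is exactly why the posts above put the real boundary outside the agent process, where the credential or the network call is mediated regardless of how the command string was spelled.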
Related: Claude Code · MCP security · how ACP policies work · all posts