Golub SoftworksGolub Softworks
Back to blog
AI SecurityPermissionsAutomation

Security and permissions for AI automation

How to design least-privilege access, audit trails, and data boundaries for AI agents that can use tools.

June 11, 20265 minGolub Softworks
Golub Softworks security visual showing permission boundaries around AI automation tools
AI automation should use the smallest permission set that can complete the job.

AI automation changes the security conversation because the system is not only showing information. It may be choosing tools, preparing changes, calling APIs, and influencing real business records.

That does not mean AI agents should be avoided. It means permissions need to be designed as carefully as the workflow itself.

Start with least privilege

An agent should receive only the access needed for its current job. If the first workflow is support triage, the agent may need to read tickets and account summaries. It probably does not need permission to change billing, delete records, or message every customer.

Keep read, draft, approve, execute, and admin permissions separate. A broad service account is convenient, but it hides risk and makes audit harder.

Separate data access from action access

Reading context and changing state are different risks. Many useful AI systems can start with read access plus draft output. Write access can come later, one action at a time, when review data proves the workflow is reliable.

This staged approach lets the team learn without giving the agent unnecessary power on day one.

Put policy in code, not only prompts

Prompt instructions are not a permission model. The backend should enforce what the agent can call, which records it can touch, which users can request which actions, and when approval is required.

If a refund requires manager review, that rule should live in the application logic. The prompt can explain the rule, but it should not be the only thing enforcing it.

Audit every meaningful action

When the agent uses a tool, record who initiated the job, what data was used, which tool was called, what parameters were sent, what changed, and whether a human approved it.

Logs should be useful without exposing more sensitive data than necessary. Security teams need evidence, but the log itself should not become a new data leak.

Design for revocation and containment

Assume a permission may need to be removed quickly. Build feature flags, per-tool toggles, scoped credentials, rate limits, and kill switches. Containment matters when an integration behaves unexpectedly or a policy changes.

Good AI automation security is not fear-based. It is operational discipline: small permissions, explicit boundaries, strong logs, and fast revocation.