Why Privilege Design Matters
AI agents (Claude Code, Devin, Operator, Replit Agent, etc.) are mechanisms that let the LLM's judgment drive external tools directly. That is convenient, but it also means a prompt injection or an LLM hallucination can translate directly into a "DELETE on the production DB" or an "email to all customers."
In 2025, MCP (Model Context Protocol) spread widely and the number of tools an agent can reach exploded. That is exactly why the three pillars of least privilege, sandboxing, and human approval are essential.
1. Least Privilege
Give each agent only the minimum scope needed for the task.
- Read-only keys: a SELECT-only key for data-aggregation agents; INSERT/UPDATE/DELETE belongs to a separate agent.
- Directory restriction: a coding agent can write only under a specific repo and cannot read /etc or ~/.ssh.
- API scope: for GitHub Apps, repo:read only. OAuth grants are carved out per user.
- Expiry: keep tokens short-lived (1-24h) and rotate them periodically.
In June 2026, Cloudflare introduced "Temporary Cloudflare Accounts for Agents" (reported by GIGAZINE): an AI agent performing a deploy or similar task gets a disposable account that is not tied to any human Cloudflare account, and that account is destroyed once the task ends. This is the "short-lived token + minimum scope + rotation" pattern this article describes, provided as a first-class cloud-platform feature: agent credentials are decoupled from human accounts at the account level itself, which moves least privilege from per-project implementation into the platform layer.
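The four rules in the list above can be enforced mechanically in an agent's tool runner before any tool call is executed. The following is an added example, not code from this article or from any of the agents or platforms it names; the `AgentGrant` class, the `authorize` gate, the action names and the repo path are hypothetical, and it assumes Python 3.9+ for `Path.is_relative_to`.

```python
import time
from dataclasses import dataclass
from pathlib import Path

# Paths an agent must never read, even inside a grant (from the article's list).
FORBIDDEN_READ = (Path("/etc"), Path.home() / ".ssh")

@dataclass
class AgentGrant:
    """One agent's scoped credential: what it may touch and for how long (hypothetical)."""
    repo_root: Path            # the only tree the agent may write to
    api_scopes: frozenset      # e.g. {"repo:read"} for a GitHub App
    issued_at: float           # epoch seconds
    ttl_seconds: int = 3600    # short-lived: 1h default, rotate on expiry
    read_only_sql: bool = True # SELECT-only key for aggregation agents

    def expired(self, now=None):
        return (time.time() if now is None else now) - self.issued_at > self.ttl_seconds

def check_sql(grant, sql):
    # Defense in depth only: the DB role itself must also be SELECT-only.
    if not grant.read_only_sql:
        return True
    words = sql.split()
    body = sql.strip().rstrip(";")
    # Exactly one statement starting with SELECT; "SELECT 1; DELETE ..." is rejected.
    return bool(words) and words[0].upper() == "SELECT" and ";" not in body

def check_write_path(grant, path):
    # resolve() follows symlinks and "..", so escapes out of the repo are caught.
    return Path(path).resolve().is_relative_to(grant.repo_root.resolve())

def check_read_path(grant, path):
    target = Path(path).resolve()
    return not any(target.is_relative_to(p.resolve()) for p in FORBIDDEN_READ)

def authorize(grant, action, arg, now=None):
    """Gate one tool call. Returns (allowed, reason); unknown actions are denied."""
    if grant.expired(now):
        return False, "credential expired; rotate before continuing"
    checks = {
        "sql": (check_sql, "grant is SELECT-only"),
        "write_file": (check_write_path, "path outside repo root"),
        "read_file": (check_read_path, "protected path"),
        "api": (lambda g, scope: scope in g.api_scopes, "scope not granted"),
    }
    if action not in checks:
        return False, f"unknown action {action!r}"
    fn, reason = checks[action]
    return (True, "ok") if fn(grant, arg) else (False, reason)
```

The gate is deliberately default-deny: an action the policy does not know about is refused rather than passed through, and the string check on SQL is a second layer behind a database role that only has SELECT.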