
Least Agency

Your agent should earn autonomy, not get it by default. A five-rung authority ladder — read-only to autonomous — and the controls each rung requires before you hand it over. An agent has earned only the rung its controls can back.

Version 1.0 · Updated July 1, 2026 · CC BY 4.0

Most teams grant an agent authority the way they grant a script permissions: by default, up front, sized to what would be convenient. Least agency inverts that. The question isn’t “what can we let the agent do?” It’s “how much authority has this agent actually earned — and what controls back it?” OWASP made this a first-class principle in its Top 10 for Agentic Applications (December 2025): autonomy is earned, not a default setting — least privilege extended from permissions to authority.

This is the companion to The Production-Readiness Bar. The bar scores the surrounding system across six dimensions; its Guardrails dimension asks for human-in-the-loop “on the actions that carry real consequences.” Least Agency operationalizes that one line into a scored ladder you can hold an agent against. It’s the same thesis that runs the system that builds this site: agents propose; verification and policy decide; a human approves the apply.

The authority ladder

Five rungs of granted authority.

Each rung is more authority than the one below it — and demands more control to earn. The rule that ties them together: an agent has earned only the rung its controls can back. Grant it a higher rung than that, and the difference is your unmanaged risk.

L0: Read-only

Observe and retrieve. Cannot change state anywhere.

The agent can read data and call read-only tools, but holds no credential that can write, deploy, spend, or send.

Earn it: Output handling and input provenance — a read-only agent over untrusted content is still an exfiltration surface.
Fail: Treating “it can’t write” as “it’s safe,” and pointing it at untrusted inputs with no output controls.

L1: Propose

Draft a change. A human enacts it by hand.

The agent produces a diff, a plan, or a message, but has no write credential of its own. Nothing it emits reaches a real system until a person acts on it.

Earn it: A human-in-the-loop who actually reads the proposal — not a rubber stamp — plus the read-only controls beneath.
Fail: A “review” that is one click on a diff no one reads; approval fatigue turns Propose into de-facto autonomy.

L2: Gated apply

Apply a change — but only through a gate.

The agent’s change can reach a real system, but only after machine verification and policy-as-code pass and a human approves the specific apply. Agents propose; verification and policy decide; a person presses the button.

Earn it: Permission scoping (short-lived, least-privilege credentials — no standing admin), human-in-the-loop on the apply, and an audit trail of what was applied.
Fail: A gate that checks style but not blast radius; long-lived keys; an approval that cannot see what it is approving.

L3: Bounded autonomous

Act without per-action approval — inside a fenced, reversible blast radius.

The agent takes actions on its own within a scope you have deliberately bounded: reversible operations, a capped surface, and a stop control you have tested.

Earn it: All four controls, plus demonstrated reversibility and a kill switch you have actually exercised — not one you assume works.
Fail: Calling an agent “autonomous within guardrails” when the guardrail is a prompt, the scope is your whole account, and no one has tested the stop.

L4: Autonomous

Act across a broad surface with no human in the loop.

The agent decides and acts across a wide range of consequential actions without approval or a bounded scope.

Earn it: Almost never justified where a wrong action is expensive or hard to reverse. The honest default in regulated production is a lower rung.
Fail: Granting rung 4 by default — wiring an agent to production tools “to be useful” — and finding out the blast radius only after it fires.

The controls

What earns a rung.

Four controls gate the ladder. A rung is earned only when the controls it requires are real and tested — not written in a design doc. “We plan to add a kill switch” means you have not earned the rung that needs one.

Human-in-the-loop: A named person approves actions that carry real, hard-to-reverse consequences before they take effect — and can actually see what they are approving.

Permission scoping: The agent holds the minimum authority its task requires: scoped, short-lived, least-privilege credentials and no standing administrator access. OWASP’s “least agency” is least privilege extended to autonomy.

Kill switch: You can halt the agent immediately — and you have tested that you can. A rogue agent you cannot stop is a control you do not have.

Audit trail: Every action, and the input and reasoning behind it, is logged and attributable, so you can reconstruct what the agent did and why after the fact.
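
A sketch of the L2 gate using three of these controls, added here as an illustration and not taken from RingMod's own tooling. The field names, the five-resource cap and the 15-minute credential lifetime are assumptions; the point is that the approval is bound to a hash of the exact proposal, so a change altered after sign-off fails the gate.

```python
import hashlib
import json
import time

MAX_RESOURCES = 5      # assumption: blast-radius cap per apply
MAX_CRED_TTL = 900     # assumption: "short-lived" means <= 15 minutes


def digest(proposal):
    """Stable hash of the exact change the approver was shown."""
    canonical = json.dumps(proposal, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


def gate(proposal, approval, cred, audit_log, now=None):
    """Decide one apply. Returns (allowed, reasons) and always logs the decision."""
    now = time.time() if now is None else now
    want = digest(proposal)
    touched = {a["resource"] for a in proposal["actions"]}
    reasons = []
    # Policy: check blast radius, not style.
    if len(touched) > MAX_RESOURCES:
        reasons.append("blast radius over policy cap")
    # Permission scoping: no wildcard, covers this change, short-lived.
    if "*" in cred["scope"]:
        reasons.append("standing admin credential")
    elif not touched <= set(cred["scope"]):
        reasons.append("change outside credential scope")
    if cred["expires_at"] - cred["issued_at"] > MAX_CRED_TTL or cred["expires_at"] <= now:
        reasons.append("credential long-lived or expired")
    # Human-in-the-loop: a named approver, bound to this exact proposal.
    if not approval or not approval.get("approver") or approval.get("digest") != want:
        reasons.append("no named approval of this exact change")
    # Audit trail: record the decision whether or not it was allowed.
    audit_log.append({"ts": now, "digest": want, "allowed": not reasons,
                      "approver": (approval or {}).get("approver"),
                      "reasons": list(reasons)})
    return (not reasons, reasons)


# Constructed sample data, not from a real system.
PROPOSAL = {"agent": "deploy-bot", "actions": [
    {"op": "update", "resource": "svc/checkout"},
    {"op": "update", "resource": "cfg/checkout"}]}
CRED = {"scope": ["svc/checkout", "cfg/checkout"], "issued_at": 1000, "expires_at": 1600}
APPROVAL = {"approver": "alice", "digest": digest(PROPOSAL)}
```

The kill switch is left out because it has to be exercised against the running agent, not checked per apply.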

Score yourself

Granted vs. earned.

Find the rung your agent operates at today — its granted authority. Then find the highest rung all of whose controls you can honestly check as real and tested — its earned authority. The gap between the two is the finding. It is almost always a gap.

| Rung | The agent may… | Requires | You? |
| --- | --- | --- | --- |
| L0 Read-only | Observe and retrieve. Cannot change state anywhere. | Output handling and input provenance — a read-only agent over untrusted content is still an exfiltration surface. | |
| L1 Propose | Draft a change. A human enacts it by hand. | A human-in-the-loop who actually reads the proposal — not a rubber stamp — plus the read-only controls beneath. | |
| L2 Gated apply | Apply a change — but only through a gate. | Permission scoping (short-lived, least-privilege credentials — no standing admin), human-in-the-loop on the apply, and an audit trail of what was applied. | |
| L3 Bounded autonomous | Act without per-action approval — inside a fenced, reversible blast radius. | All four controls, plus demonstrated reversibility and a kill switch you have actually exercised — not one you assume works. | |
| L4 Autonomous | Act across a broad surface with no human in the loop. | Almost never justified where a wrong action is expensive or hard to reverse. The honest default in regulated production is a lower rung. | |

Reading it: if your agent’s granted rung is higher than its earned rung, close the gap by adding the missing control — or by dropping the agent to the rung it has actually earned. Both are safe; the gap is not.
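
The scoring step as runnable code, added here as an example and not part of the published framework. The control labels are this example's own names, and two readings of the table are assumptions: each rung's controls stack on those below it, and L4 cannot be earned because the table lists no control set for it.

```python
# Controls each rung adds, taken from the ladder; the key names are this
# example's own labels, not identifiers defined by the framework.
RUNG_ADDS = {
    0: {"output_handling", "input_provenance"},
    1: {"human_in_the_loop"},
    2: {"permission_scoping", "audit_trail"},
    3: {"kill_switch", "reversibility"},
}
MAX_EARNABLE = 3  # assumption: the page lists no control set that earns L4


def required(rung):
    """Cumulative controls for a rung (assumption: rungs stack)."""
    need = set()
    for r in range(min(rung, MAX_EARNABLE) + 1):
        need |= RUNG_ADDS[r]
    return need


def score(granted, evidence):
    """evidence maps control -> 'tested' | 'planned' | 'absent'.

    Only 'tested' counts: a control that exists in a design doc earns nothing.
    earned == -1 means not even L0 is backed by tested controls.
    """
    real = {c for c, status in evidence.items() if status == "tested"}
    earned = -1
    for rung in range(MAX_EARNABLE + 1):
        if not required(rung) <= real:
            break
        earned = rung
    return {
        "granted": granted,
        "earned": earned,
        "gap": max(0, granted - earned),
        "missing": sorted(required(granted) - real),  # add these, or
        "drop_to": min(granted, earned),              # drop to this rung
    }


# Constructed sample: an agent granted L3 whose audit trail and kill switch
# are still only planned.
SAMPLE = {
    "output_handling": "tested", "input_provenance": "tested",
    "human_in_the_loop": "tested", "permission_scoping": "tested",
    "audit_trail": "planned", "kill_switch": "planned",
}

if __name__ == "__main__":
    print(score(3, SAMPLE))
```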

What an unearned rung costs

A bug, not a guardrail, is what stopped it.

In July 2025 an attacker committed a malicious instruction into the open-source repository behind the Amazon Q Developer extension for VS Code, and it shipped in version 1.84.0. The injected prompt told the AI assistant to wipe the machine “to a near-factory state” — deleting local files and, through the AWS CLI, cloud resources such as S3 buckets and EC2 instances.

It deleted nothing. AWS confirmed the code “was unsuccessful in executing due to a syntax error,” which “prevented the malicious code from making changes to any services or customer environments” (CVE-2025-8217). Note what AWS credits with stopping it: not scoping of what the assistant could reach, not human approval on a destructive aws command, not a permission boundary — the attacker’s own syntax error. The assistant had been granted the authority to destroy by default — rung-4 reach with rung-0 controls — and nothing in the disclosure points to a control that would have caught it.

This is the failure least agency is designed to make impossible: not by trusting the agent to behave, but by never granting the gap. The related class is wider than a single incident — Google’s research on “task injection” shows an attacker-controlled environment can present an agent a sub-task that looks legitimate and drives it to act against the user, slipping past prompt-injection classifiers because it reads like ordinary page text. The more authority the agent holds, the more that sub-task can do.

Reference & reuse

Cite it, build on it.

Least Agency is published under CC BY 4.0 — use it, adapt it, fold it into your own agent-governance standards. Attribute RingMod and link back so a reader can find the current version.

Suggested citation

Least Agency v1.0. RingMod (Matt Woolly), 2026. https://ringmod.ai/least-agency/

Questions this raises

Straight answers.

What is “least agency”?
Least agency is the discipline of granting an agent only as much autonomy as its task requires and its controls have earned — the least-privilege principle extended from permissions to authority. OWASP names it as a core design principle in its Top 10 for Agentic Applications (December 2025): autonomy should be earned, not granted by default. This framework turns that principle into a five-rung ladder you can score an agent against.

How is the authority ladder different from just using least privilege on credentials?
Least privilege scopes what an identity can access. Least agency scopes what an agent is allowed to decide and do on its own — which is a larger surface, because an agent chains tools and actions. A read-only agent can still be driven to exfiltrate data; a scoped-credential agent can still take a destructive action no human approved. The ladder scores granted authority (rungs 0–4) against the human-in-the-loop, scoping, kill-switch, and audit controls each rung requires.

What rung should a production agent operate at?
For most consequential work in a regulated environment, rung 2 — gated apply — is the defensible ceiling: the agent proposes and verifies fast, machine checks and policy gate the change, and a human approves the specific apply. Rung 3 (bounded autonomous) is justified only where actions are reversible, the scope is fenced, and you have tested the kill switch. Rung 4 is rarely appropriate where a wrong action is expensive or hard to reverse.

Can I use Least Agency for my own assessments?
Yes. It is published openly under CC BY 4.0 — score your agents against the ladder, share the result, and attribute the source with a link. The framework pairs with the Production-Readiness Bar, which scores the surrounding system; least agency scores the authority you have handed the agent inside it.
