Least Privilege Is Not Enough for AI Agents. You Need Least Agency.



Source: DEV Community

The OWASP Top 10 for Agentic Applications introduced a distinction that most agent builders have not internalized yet: least privilege is not the same as least agency. Least privilege asks: what can this agent access? Least agency asks: how much freedom does this agent have to act on that access without checking back? Yesterday's VentureBeat coverage of 1Password and Corridor made this gap concrete. RockCyber's analysis of the IETF AIMS draft showed it is structural.

The email example

An agent has email:send scope. It is authorized to send meeting notes on your behalf. With that same scope, it can also email every contact in your address book a different message. Each action is technically within scope, and the OAuth framework treats them identically: the token carries email:send, and the resource server checks nothing beyond that. Least privilege says both actions are fine, because the agent holds email:send. Least agency says the second action requires a different level of autonomy than the one that was intended, and that difference has to be enforced somewhere other than the scope check.

Why authorization stops at the token boundary

The IETF's AIMS draft (draf
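The email example above can be made concrete with a small policy layer that runs in the agent host, between the model's tool call and the mail API. This is an added illustration, not code from the article, OWASP, or the IETF draft: the scope table, the `AgencyPolicy` thresholds, the attendee list and the 40-entry address book are all constructed for the example. The point it shows is that a pure scope check passes both the meeting-notes send and the address-book blast, while an agency check (recipient count and whether the recipients were part of the task) lets the first through and holds the second for human approval.

```python
"""Least privilege vs. least agency check for an agent's email tool call.

Added example, not from the original article. Names, thresholds and
sample data are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Hypothetical mapping from tool name to the OAuth scope it consumes.
SCOPE_FOR_TOOL = {"email.send": "email:send", "email.read": "email:read"}


@dataclass
class Action:
    """A tool call the agent wants to make, plus the task context it came from."""
    tool: str
    recipients: list
    subject: str
    body: str
    context: dict = field(default_factory=dict)  # e.g. {"attendees": [...]}


@dataclass
class AgencyPolicy:
    """How far the agent may act autonomously before a human must confirm."""
    max_recipients_autonomous: int = 5        # assumed threshold
    recipients_must_be_in_context: bool = True


def least_privilege_allows(granted_scopes: set, action: Action) -> bool:
    """What the OAuth resource server enforces: is the scope present? Nothing else."""
    return SCOPE_FOR_TOOL.get(action.tool) in granted_scopes


def least_agency_decision(policy: AgencyPolicy, action: Action) -> tuple:
    """Return ('allow' | 'require_approval', [reasons]) for an in-scope action."""
    reasons = []
    n = len(action.recipients)
    if n > policy.max_recipients_autonomous:
        reasons.append(
            f"{n} recipients exceeds autonomous limit of "
            f"{policy.max_recipients_autonomous}"
        )
    if policy.recipients_must_be_in_context:
        known = set(action.context.get("attendees", []))
        unknown = [r for r in action.recipients if r not in known]
        if unknown:
            reasons.append(
                f"{len(unknown)} recipient(s) not part of the task: {unknown[:3]}"
            )
    return ("allow" if not reasons else "require_approval", reasons)


def authorize(granted_scopes: set, policy: AgencyPolicy, action: Action) -> tuple:
    """Scope check first (least privilege), then autonomy check (least agency)."""
    if not least_privilege_allows(granted_scopes, action):
        return ("deny", ["missing scope"])
    return least_agency_decision(policy, action)


# Constructed sample data: the agent was granted only email:send.
GRANTED = {"email:send"}
POLICY = AgencyPolicy()
ATTENDEES = ["ana@example.com", "ben@example.com", "cy@example.com"]
ADDRESS_BOOK = ATTENDEES + [f"contact{i:02d}@example.com" for i in range(37)]  # 40 total

# Intended action: meeting notes to the three attendees.
NOTES = Action(
    tool="email.send", recipients=ATTENDEES, subject="Notes from today's sync",
    body="Action items attached.", context={"attendees": ATTENDEES},
)
# Same scope, different autonomy: a different message to everyone in the book.
BLAST = Action(
    tool="email.send", recipients=ADDRESS_BOOK, subject="Quick question",
    body="Can you send me your login?", context={"attendees": ATTENDEES},
)

if __name__ == "__main__":
    for name, act in (("notes", NOTES), ("blast", BLAST)):
        print(name, "scope ok:", least_privilege_allows(GRANTED, act),
              "decision:", authorize(GRANTED, POLICY, act))
```

Both actions pass `least_privilege_allows`, which is exactly the gap the article describes; only `authorize` distinguishes them, and it does so from facts the token never carries (recipient count, and whether the recipients came from the task the agent was given). The thresholds here are illustrative; in practice they would be set per tool and per task, and the `require_approval` branch would route the call to a human rather than silently drop it.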