Slide 19 of 27 · Part 4 · Prevention · Mitigation 1 of 7
Only give the agent the tools the task requires.
📄 OWASP LLM Top 10:2025 · LLM06 Prevention — Minimize Functionality
M1 — Least-Privilege Functionality
Only Register the Tools the Agent’s Task Genuinely Requires

“LLMs should be granted the minimum level of permissions necessary to perform their intended task. Limit the plugins/tools/actions available to LLMs to only the minimum necessary.” Every tool registered with the agent is reachable by an adversary who can influence the agent’s input.

The Slack AI exfiltration (August 2024) worked because the model had access to the user’s full channel history — not just the channel relevant to the current question. An agent scoped to “current channel only” would have had nothing to exfiltrate. Full-mailbox access is a convenience that became a catastrophe.

→ For each agent deployment, list every tool/plugin/function it can call
→ For each tool, ask: “Does the primary task require this?” Remove any that don’t pass
→ Prefer purpose-built plugins over “full integration” plugins — read-only mail instead of full mail
→ Maintain a plugin inventory; audit it on every deployment change

Attempt to trigger each registered tool via a crafted prompt. If any tool responds that should not be available for this agent’s task, the functionality scope is too broad. An agent that only summarizes should not be able to send — test this explicitly.
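The inventory-and-scope-test procedure above, as an added Python example that is not from the OWASP document or any real agent framework. The tool catalogue, the task profiles, the tool names and the `ToolRegistry` class are all hypothetical; the tool bodies are stand-ins for real integrations. It builds a registry from a task profile (minimum tool set), then runs the slide's scope test: every catalogued tool is invoked against the registry and any tool that responds although the task does not require it is reported as a scope violation.

```python
"""Least-privilege tool registration for an LLM agent (added example, hypothetical names)."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set


@dataclass(frozen=True)
class Tool:
    name: str
    read_only: bool            # assumption: each tool declares whether it can change state
    fn: Callable[..., str]


# Constructed stand-ins for real integrations; they only return strings.
def read_channel(channel: str) -> str:
    return f"messages from #{channel}"


def read_all_channels() -> str:
    return "messages from every channel"


def send_message(channel: str, text: str) -> str:
    return f"sent to #{channel}: {text}"


# Everything the platform *could* expose ("full integration").
CATALOGUE: Dict[str, Tool] = {
    t.name: t for t in [
        Tool("read_current_channel", True, read_channel),
        Tool("read_all_channels", True, read_all_channels),
        Tool("send_message", False, send_message),
    ]
}

# Minimum tool set each task genuinely requires (assumed profiles).
TASK_PROFILES: Dict[str, Set[str]] = {
    "summarize_channel": {"read_current_channel"},
    "channel_assistant": {"read_current_channel", "send_message"},
}

# Constructed sample arguments so the scope test can actually invoke each tool.
SAMPLE_ARGS = {
    "read_current_channel": {"channel": "general"},
    "read_all_channels": {},
    "send_message": {"channel": "general", "text": "hi"},
}


class ToolRegistry:
    """Holds only the tools a deployer registered; any other name fails closed."""

    def __init__(self, tool_names: Iterable[str]) -> None:
        self._tools: Dict[str, Tool] = {n: CATALOGUE[n] for n in tool_names}

    def registered(self) -> List[str]:
        return sorted(self._tools)

    def call(self, name: str, **kwargs) -> str:
        # The model may name any tool it has heard of; unregistered names are refused.
        tool = self._tools.get(name)
        if tool is None:
            raise PermissionError(f"tool {name!r} is not registered for this agent")
        return tool.fn(**kwargs)


def least_privilege_registry(task: str) -> ToolRegistry:
    """Register exactly the tools the task profile lists, nothing more."""
    return ToolRegistry(TASK_PROFILES[task])


def scope_violations(registry: ToolRegistry, task: str) -> List[str]:
    """Scope test: try every catalogued tool; report those that respond
    even though the task profile does not require them."""
    violations: List[str] = []
    for name in CATALOGUE:
        try:
            registry.call(name, **SAMPLE_ARGS[name])
        except PermissionError:
            continue                      # correctly unavailable
        if name not in TASK_PROFILES[task]:
            violations.append(name)       # reachable but not needed: scope too broad
    return violations


def audit_write_tools(registry: ToolRegistry) -> List[str]:
    """Inventory check: registered tools that can change state (send, write, delete)."""
    return [n for n in registry.registered() if not CATALOGUE[n].read_only]


if __name__ == "__main__":
    broad = ToolRegistry(list(CATALOGUE))           # "full integration" deployment
    print("violations (broad):", scope_violations(broad, "summarize_channel"))
    minimal = least_privilege_registry("summarize_channel")
    print("violations (minimal):", scope_violations(minimal, "summarize_channel"))
    print("write-capable tools (minimal):", audit_write_tools(minimal))
```

The scope test deliberately drives the registry rather than reading its configuration: the point of the slide's check is to confirm what an input-influenced model can actually reach, which is the registry's enforced behaviour, not what a config file claims. Re-run `scope_violations` on every deployment change as part of the inventory audit.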
