You have an agent running on your local system. You want it to have access to a restricted set of things, both locally and remote. What is the technical mechanism you use to ensure that it has a subset of the access that you, as an individual logged into the same system, do?

(I am uninterested in "Don't run an agent" because, while yes, I see your point, that doesn't mean it's not happening, and security professionals have to deal with what's happening, not what we want to be happening)

Leash by StrongDM — Security for AI Agents

Security, visibility, and authorization for AI agents. Sandboxed execution, MCP authorization, and policy enforcement from development to production.

@ash @mjg59 StrongDM are doing some bleeding edge stuff. Which isn't normally what I want from a company selling that sort of product, but....
@coldclimate @ash It's very funny that in this case the industry is in the process of rejecting the at least somewhat designed bleeding edge thing so it can return to just having a script execute a random tool that has its own auth token
@ash Well no given it seems to be focused on MCP as a boundary and sadly that's not how anything works as of last month
@ash What I need is to be able to define the set of oauth scopes an agent or tools acting on its behalf can receive, I can't rely on all access being via some other layer that I can impose access control on
@mjg59 ah, I see, limiting to a subset of permissions. Yeah, that bit Leash won't help with; it would only give yea or nay to a tool etc.

@mjg59 that might be how the page describes it, but the native Darwin mode is not in any way to do with an MCP.

It uses a kernel feature to filter and deny file read, write, exec, and net access.

When I'm at my desk I'll get a screenshot.

@ash That still doesn't really help me, I need something that's aware of who's using what token
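One concrete shape for what mjg59 is asking for in the two posts above (defining the OAuth scopes an agent may receive, and knowing who is using which token) is a local credential broker that holds the user's grant and hands each agent a narrower, short-lived token. The following is an added example written for this thread; it is not code from the discussion, from StrongDM, or from Leash. Everything in it is constructed: scopes are plain strings, `Broker`, `issue`, `authorize` and the agent names are hypothetical, and the "presenter" identity passed to `authorize` stands in for whatever binds a token to its holder in a real deployment (peer credentials on a local socket, mTLS, DPoP or similar).

```python
"""Toy credential broker for a local agent.

Added example for this thread; not code from the discussion or from
StrongDM/Leash. Assumptions (all constructed): the user's own OAuth grant is
modelled as a set of scope strings, each agent (or tool acting for it) is
registered with a scope allowlist, and the broker, not the agent, holds the
user's credential. An agent only ever receives a short-lived token whose
scopes are a subset of (user scopes AND agent allowlist), and every issue
and use is recorded against the principal that did it.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass


class ScopeDenied(Exception):
    """Raised when an agent asks for more than the policy lets it have."""


@dataclass(frozen=True)
class IssuedToken:
    token_id: str
    agent: str              # principal the token was minted for
    scopes: frozenset[str]  # exactly what was requested and approved
    expires_at: float       # unix time


class Broker:
    def __init__(self, user_scopes, agent_policy, ttl_seconds=300):
        self.user_scopes = frozenset(user_scopes)
        self.agent_policy = {a: frozenset(s) for a, s in agent_policy.items()}
        self.ttl = ttl_seconds
        self._tokens: dict[str, IssuedToken] = {}
        # (principal, event, detail) triples: the "who used what token" record
        self.audit: list[tuple[str, str, str]] = []

    def grantable(self, agent):
        """Scopes this agent may ever hold: never more than the user has."""
        return self.user_scopes & self.agent_policy.get(agent, frozenset())

    def issue(self, agent, requested, now=None):
        """Mint a token for `agent`; refuse any scope outside its grantable set."""
        now = time.time() if now is None else now
        if agent not in self.agent_policy:
            self.audit.append((agent, "deny", "unregistered agent"))
            raise ScopeDenied(f"unregistered agent {agent!r}")
        requested = frozenset(requested)
        excess = requested - self.grantable(agent)
        if excess:
            self.audit.append((agent, "deny", ",".join(sorted(excess))))
            raise ScopeDenied(f"{agent} may not receive {sorted(excess)}")
        tok = IssuedToken(secrets.token_urlsafe(16), agent, requested, now + self.ttl)
        self._tokens[tok.token_id] = tok
        self.audit.append((agent, "issue", tok.token_id))
        return tok.token_id

    def authorize(self, token_id, presenter, scope, now=None):
        """Resource-side check: True only if the token is known, unexpired,
        presented by the principal it was minted for, and covers `scope`."""
        now = time.time() if now is None else now
        tok = self._tokens.get(token_id)
        if tok is None:
            verdict = "unknown-token"
        elif tok.agent != presenter:
            verdict = "wrong-holder"   # token replayed by a different principal
        elif now >= tok.expires_at:
            verdict = "expired"
        elif scope not in tok.scopes:
            verdict = "out-of-scope"
        else:
            verdict = "ok"
        self.audit.append((presenter, verdict, token_id))
        return verdict == "ok"


if __name__ == "__main__":
    # Constructed sample: the user holds three scopes; two agents, narrower allowlists.
    broker = Broker(
        user_scopes={"repo:read", "repo:write", "mail:read"},
        agent_policy={
            "coding-agent": {"repo:read", "repo:write"},
            "summarizer": {"mail:read", "calendar:read"},  # calendar:read exceeds the user's grant
        },
    )
    t = broker.issue("coding-agent", ["repo:read"])
    print("read ok:", broker.authorize(t, "coding-agent", "repo:read"))
    print("write ok:", broker.authorize(t, "coding-agent", "repo:write"))
    for principal, event, detail in broker.audit:
        print(f"{principal:14} {event:14} {detail}")
```

The two properties the thread cares about fall out of the structure rather than of any single check: an agent can never be issued a scope the user does not hold, because `grantable` intersects with the user's grant before the allowlist is consulted, and every issue and every use lands in `audit` keyed by the principal that performed it. The part this toy does not solve is binding the token to its holder; `presenter` is just a string here, and in practice that identity has to come from something the agent cannot forge.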