You have an agent running on your local system. You want it to have access to a restricted set of things, both locally and remote. What is the technical mechanism you use to ensure that it has a subset of the access that you, as an individual logged into the same system, do?
(I am uninterested in "Don't run an agent" because while yes I see your point that doesn't mean it's not happening and security professionals have to deal with what's happening not what we want to be happening)
@mjg59 Isn't that the same question as:
You have malware running on your local system. You want it to have access to a restricted set of things, both locally and remote. What is the technical mechanism you use to ensure that it has a subset of the access that you, as an individual logged into the same system, do?
(I am uninterested in "Don't run malware" because while yes I see your point that doesn't mean it's not happening and security professionals have to deal with what's happening not what we want to be happening)
?
Matthew Garrett
Oriel Jutty 
Daphne Preston-Kendal