zoff.tech

May 19, 2026

The permission map every production agent needs before it calls a tool

Tool-using agents need an explicit map of what they can read, write, mutate, escalate, and never touch.

The dangerous part of an agent is not that it can write text. The dangerous part is that it can take action.

Once an agent can call tools, update records, send messages, create tickets, query databases, change configuration, or trigger workflows, the prompt is no longer the main control surface. The permission map is.

What a permission map contains

Before a production agent calls a tool, we want a written map of five boundaries:

  • Read: what data the agent can inspect, under which user identity, and with which filters.
  • Write: what records it can draft, stage, or propose.
  • Mutate: what it can change without approval.
  • Escalate: which actions require a human, and who that human is.
  • Never touch: systems, fields, customers, decisions, or actions outside the agent's authority.

This map should be boring enough for security review and specific enough for engineering to test.

Tool schemas are not permission models

A JSON schema tells the model what arguments a tool accepts. It does not tell the organization whether the model is allowed to call that tool for this user, on this record, in this state.

That missing layer is where production incidents happen. A tool call can be perfectly valid and still be unauthorized, premature, irreversible, or commercially unsafe.

The permission check belongs outside the model. The model proposes an action. The system checks identity, role, object state, workflow state, risk class, and approval requirement. Only then does the tool execute.

The eval has to include side effects

Most agent evals score the final answer. Tool-using agents need side-effect evals:

  • Did the agent call the right tool?
  • Did it avoid tools it was not allowed to call?
  • Did it pass the right structured arguments?
  • Did it stop before an irreversible action?
  • Did it produce the audit event a human would need later?

If the eval only reads the chat transcript, it is blind to the part of the system that can do damage.

The handover artifact

At handover, the permission map should sit next to the runbook. When something goes wrong at 3 a.m., the on-call engineer should know whether the incident is a model failure, a tool failure, or a permission-boundary failure.

That distinction decides the response. Roll back the prompt, disable the tool, tighten the policy, or escalate the workflow. Without the map, all four look like "the agent did something weird."

Production agents are not autonomous because they have no limits. They are useful because the limits are explicit enough to operate.