Your AI Agent Has No Permission Profile. It Has Your Intern's.
AI agents inherit the full rights of whoever starts them. Why least privilege belongs before go-live: four steps to access governance for the Mittelstand.

Tuesday, 9:14 in the morning. Over the weekend, Copilot Cowork went live across the company’s Microsoft 365 tenant — Microsoft shipped it on 17 June 2026. The IT lead finds out from a teammate, not from a rollout plan. Nobody in the building decided which mailboxes, drives, and calendars the agent is allowed to see.
So it sees all of them, not because anyone granted it access, but because nobody fenced it in. The platform default grants the agent everything the person who started it is allowed to touch. Most companies in the Mittelstand, the German mid-market backbone of family-owned firms, discover that the hard way, after go-live.
An agent is a new colleague who never signed a contract
Treat an AI agent as a tool you switch on, and you will misjudge the risk. It behaves more like an employee with no role description, no contract, and no permission profile. The difference matters because permissions are exactly what you forgot to assign.
The average clerk in a mid-sized company carries far more access rights than they use on a normal day. They could open three shared drives, but they only touch one. The agent does not work that way. It uses every right it inherits, all at once, in seconds. Speed turns dormant over-provisioning into live exposure.
OWASP, the Open Worldwide Application Security Project behind the well-known web security Top 10, published its Top 10 for Agentic Applications on 10 December 2025. The risk it labels ASI03 is called “Identity and Privilege Abuse”, and it ranks third. It ranks that high because almost nobody answers the one question before switching the agent on: with whose rights does it act? The related entry, LLM06:2025 “Excessive Agency”, names the same root cause — too much autonomy, too much function, too many rights handed to a system that cannot judge when to stop.
Machine identities are a blind spot in mid-market IT
The second problem is structural, and it is bigger than any single agent. Most mid-sized companies count their privileged users in humans. The machines outnumber them by a wide margin.
CyberArk, an identity-security vendor, measured the ratio in its Identity Security Landscape 2025, published on 23 April 2025 (n=2,600, fieldwork by Vanson Bourne). The headline number: 82 machine identities for every human one. The number that should worry a CFO sits next to it. 88 percent of organisations still define only humans as “privileged users”, and 68 percent run no identity controls for AI at all.
Every agent you switch on pushes that ratio further. Each one arrives with its own credentials, its own rights, and its own blast radius when something goes wrong. The real exposure here is the missing access boundary around the agent.
It is already acting, and nobody approved it
Shadow agency is already happening, in buildings that believe they have AI under control.
On 17 June 2026, the German tech outlet heise reported that 15 plug-ins for JetBrains development environments were quietly exfiltrating API keys for OpenAI, DeepSeek, and others. No procurement ticket, no security review — developers simply installed them. The same day, heise documented three security holes in Nvidia’s NeMo agent platform, an agentic stack with a live attack surface. I treat both as radar, not as legal proof. What they confirm is simple: agentic systems are inside companies already, often below the line of sight of the people accountable for them. The pattern is the same one I described in Shadow AI: When Employees Secretly Build Their Own AI Agents.
There is a second failure mode that the inheritance story hides: chaining. Agents call agents, and agents call tools. By the second hop, the action is no longer running under the original human identity. The clerk who started the workflow has left the chain, but the chain keeps acting — with rights nobody is now watching.
Why this lands in this quarter
Two pressures meet right now, and they meet on the same calendar.
On the product side, Microsoft has made agentic behaviour the default inside every Microsoft 365 account through Copilot Cowork. This is not a pilot you opt into; it is a capability that arrives switched on, whether or not anyone planned for it.
On the regulatory side, Article 4 of the EU AI Act (Regulation (EU) 2024/1689) has applied since 2 February 2025. It requires operators to have AI literacy — in plain terms, to know and steer what their AI systems actually do. That is, in effect, an inventory obligation. Article 50 adds transparency duties from 2 August 2026, and the supervisory authorities have made clear they will not soften Article 4: the joint EDPB-EDPS opinion of 20 January 2026 rejected a watering-down in the Digital Omnibus debate. Waiting is no longer a compliance posture.
The cost of getting it wrong is not abstract. Under Article 99, transparency breaches carry fines of up to 15 million euros or 3 percent of worldwide annual turnover. The more common damage is quieter: data walking out through an agent that was allowed to do more than it ever should.
Least privilege for agents, before you switch them on
The fix is not a new product but a sequence of decisions you make before go-live, not after. Governance does not follow the launch as a later phase; it is the launch.
Four steps, in order:
- Inventory first. List which agents run, under which identity, with which rights. This is the same stocktake Article 4 expects anyway, so it does double duty.
- Give each agent its own task-bound permission profile. Do not let it inherit the full rights of the user who started it. Scope it to the job it was built for.
- Force an audit trail. Every agent action must trace back to a named accountability role — not to “the system”, but to a person who owns it.
- Set a chaining boundary. Where an agent calls another agent, that hop needs an explicit, restricted service identity of its own rather than a borrowed human one.
None of this requires a multi-month programme. It requires deciding the access question before the agent acts, not after it has already read the wrong mailbox. If you want the deeper regulatory backdrop, I walked through it in AI Agents and the EU AI Act 2026, and the underlying access-governance work is what I do under AI automation with access governance.
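To make the four steps concrete, here is an added example (not code from the original post or from any vendor platform) of a minimal reference-monitor check: the clerk's rights, the agent names and the audit records are constructed sample data, and the "inherited" versus "scoped" profiles show why the default leaves the whole over-provisioning gap open while a task-bound profile, a named owner and a chaining boundary make the agent fail small and fail visibly.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    """Task-bound permission profile: the identity an agent acts as, the named
    owner accountable for it (step 3) and the (action, resource) pairs it may perform."""
    identity: str
    owner: str
    grants: frozenset
    service_identity: bool = True  # False = borrowed human identity (step 4)

# Step 1, inventory: constructed sample of everything the clerk could touch today.
CLERK_RIGHTS = frozenset({
    ("read", "drive:sales"), ("read", "drive:hr"), ("read", "drive:finance"),
    ("read", "mailbox:clerk"), ("send", "mailbox:clerk"), ("read", "calendar:clerk"),
})

def inherited_profile(user: str, rights: frozenset) -> Profile:
    """Platform default: the agent inherits every right of the user who started it."""
    return Profile(identity=user, owner=user, grants=rights, service_identity=False)

def scoped_profile(agent: str, owner: str, grants: set) -> Profile:
    """Step 2: explicit, task-bound grants under the agent's own service identity."""
    return Profile(identity=agent, owner=owner, grants=frozenset(grants))

def authorize(profile: Profile, action: str, resource: str, hop: int, audit: list) -> bool:
    """Reference-monitor check. Allows only what the profile grants and refuses any
    chained hop (hop > 0) that still runs under a borrowed human identity. Every
    decision is appended to the audit trail against the named owner."""
    if hop > 0 and not profile.service_identity:
        allowed, reason = False, "chained hop under borrowed human identity"
    elif (action, resource) in profile.grants:
        allowed, reason = True, "granted by profile"
    else:
        allowed, reason = False, "not in task-bound grants"
    audit.append({"identity": profile.identity, "owner": profile.owner, "hop": hop,
                  "action": action, "resource": resource, "allowed": allowed, "reason": reason})
    return allowed

def reach(profile: Profile, hop: int = 0) -> set:
    """Every resource the agent could touch right now: the over-provisioning gap made visible."""
    audit: list = []
    return {r for a, r in CLERK_RIGHTS if authorize(profile, a, r, hop, audit)}

if __name__ == "__main__":
    default = inherited_profile("clerk", CLERK_RIGHTS)
    scoped = scoped_profile("agent:invoice-sort", "clerk", {("read", "drive:finance")})
    print(sorted(reach(default)))          # five resources: the clerk's full access
    print(sorted(reach(scoped)))           # ['drive:finance']
    print(sorted(reach(default, hop=1)))   # []: the chained hop is denied outright
```

The `reach` call is the inventory question in code: run it against each agent's profile and the difference between "inherits the user" and "scoped to the task" is the list of mailboxes and drives it should never have seen.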
What the inventory doesn’t solve
An inventory tells you what is running. It does not, on its own, stop a privileged agent from acting. So let me anticipate the two objections I hear most.
The first is the vendor line: “The agent simply inherits the rights of the user who starts it — that’s secure enough.” That claim does not hold, and the reason is the over-provisioning gap above. A human uses a fraction of their rights on a given day; an agent uses all of them, faster than anyone can watch. And once the work chains to a second agent, the human identity is no longer in the loop at all. Inheriting a user’s full rights removes the access boundary entirely while making the setup look deliberate.
The second objection is governance theatre: “We have an acceptable-use policy for AI, so we’re covered.” A policy describes permitted behaviour without enforcing a technical limit. If the agent can technically reach every mailbox, it reaches them, regardless of what the PDF says. Least privilege lives in configuration; a policy document on its own enforces nothing.
The honest limit of my own position: least privilege does not make agents safe, only accountable and bounded. An agent with a tight, task-scoped profile can still be exploited through a vulnerability like the NeMo holes above. But a bounded agent fails small, and a traced agent fails visibly. That is the difference between an incident you can investigate and one you only discover when the data is already gone. The point also holds in reverse — banning agents outright does not remove them; it produces shadow agents, exactly the way those 15 JetBrains plug-ins ran without any approval at all.
Frequently asked questions about AI agent access rights
Does an AI agent automatically inherit all my rights when I start it?
In the default configuration of most platforms, yes. The agent acts with the identity and permissions of the user who launched it. That is precisely the problem: a clerk holds more rights on a normal day than they use, and the agent uses all of them at once. OWASP has tracked this as ASI03 “Identity and Privilege Abuse” since 10 December 2025.
We already have an acceptable-use policy for AI. Isn’t that enough?
A policy describes what is allowed without enforcing a technical boundary. If an agent can technically see every mailbox, it sees them, independent of what the policy document states. Least privilege is a configuration you apply in the platform rather than a paragraph you write in a document.
Do we actually have to act on AI agents, or can we wait?
Waiting is no longer a compliance strategy. Article 4 of the EU AI Act (Regulation (EU) 2024/1689) has required operators to know what their AI systems do since 2 February 2025, and the supervisory authorities rejected a softening of that duty in their joint EDPB-EDPS opinion of 20 January 2026. The obligation stands, and it is being enforced as written.
What does a breach cost in concrete terms?
For transparency breaches under Article 50, applicable from 2 August 2026, Article 99 sets the penalty tier at up to 15 million euros or 3 percent of worldwide annual turnover. The more frequent damage is rarely the fine itself: it is data flowing out through an agent that was permitted to do more than it should.
Where do I start without launching a major project?
Start with an AI inventory: which agents run, under which identity, with which rights. That stocktake is what Article 4 expects anyway. Build the per-agent permission profiles only after that — not the other way around.
Next step
Do you actually know which identity your AI agents are acting under right now?
If the honest answer is “not exactly”, that is the place to begin. I am happy to compare your current agent setup against a simple least-privilege baseline — no pitch, no deck, just a clear read on where the access boundary is missing.
→ Or read more first: AI automation with access governance · When AI Agents Hack AI Systems
Sources and links: EU AI Act Art. 4 — AI literacy · EU AI Act Art. 50 — transparency · EU AI Act Art. 99 — penalties · OWASP Top 10 for Agentic Applications · OWASP LLM06:2025 — Excessive Agency · CyberArk Identity Security Landscape 2025 · heise: Copilot Cowork for Microsoft 365
Read more on pfisterer.xyz: Shadow AI: When Employees Build Their Own AI Agents · AI Agents and the EU AI Act 2026 · AI Without ERP Integration Is an Expensive Toy