Coding agents are everywhere. See what yours are doing.
01
Finding 01
02
Finding 02
03
Finding 03
03
Methodology
Least Privilege Research Report 2026

Agents broke permissions

The world is grossly overpermissioned. This was fine for humans, but not for agents.
Corporate workers have access to permissions across all your key systems, but they don't touch 96% of them. Agents will.

Key Findings

How agents break permissions

Humans move slowly. They apply judgment. They don't want to get fired. So most permissions stay untouched. Agents don’t work that way. Agents run continuously. They test what they can do. Then they do it.

Human-Driven vs Agent-Driven Systems
Humans
Agents
Exploitation Example
Speed of Interaction
Slow, task-based; limited exploration of the system
Machine-speed; exhaustive exploration of available actions
Shadow Escape
Zero-click data exfiltration exploit
Likelihood of Enumerating Permissions
Low — most users don’t even know what permissions they have
High — agents routinely check and test all available capabilities
ServiceNow
Agent privilege escalation
Response to Unexpected System Behavior
Intuition + context: users self-correct
No intuition: agents repeat or escalate failed attempts
Replit
Agent deletes production database
Error Containment
Human errors are localized
Agent errors can propagate quickly across resources
Google Antigravity
Agent accidently deletes user storage

Research Results

Finding 01

Corporate Workers Leave 96% of Permissions Unused

Organizations grant broad permissions to avoid blocking legitimate work. Most of those capabilities are never exercised.

Key Stats

What This Means

Least privilege has been the goal for decades. In practice, permissions accumulate over time: granted to unblock a project, fix an issue, or run a report. The result is a gap between the access people have and the access they actually use. For human-driven systems, that gap was (mostly) tolerable. Humans move slowly and exercise only a fraction of their permissions. Agents remove that constraint.

See Example

A sales operations manager holds permissions to:

View all opportunities (500 in the system)

Edit all opportunities

Delete all opportunities

Export opportunity data

Share opportunities with external users

Modify territory assignments

Create custom reports

Delete reports

Over 90 days, she views 15 opportunities and edits 3. She uses 2 of her 8 permission types (25% of her permissions). The other 6 sit unused but ready—for her. An AI agent with identical access operates differently.

"At 1Password, we’re seeing the same pattern Oso highlights as teams start putting AI agents into real production workflows. Access models built for humans don’t map cleanly to agents. When agents are handed broad, static permissions, the unused ones don’t just sit there, they quietly expand the attack surface. What teams need instead are identity systems that keep agent actions tightly scoped and explicitly tied back to human intent, so they can move fast without creating risk they didn’t mean to take."

Nancy Wang
CTO at 1Password
Finding 02

Sensitive Data is Broadly Available

Organizations grant access broadly so workers can respond quickly to customer needs. The majority of that access is never used. But the permissions remain.

Key Stats

What This Means

Broad access to sensitive data dramatically expands the blast radius. Humans rarely exploit that access at scale. No one sits down and reads an entire customer database. Agents don’t have that limitation. If the data is reachable, an agent can read all of it.

See Example

Your customer success platform contains 50,000 customer records with PII

Your CS team has 200 people. Each person can access all 50,000 records. Over 90 days:

150 team members log in (75% of the team)

Those 150 people access 4,000 unique customer records combined

46,000 records (92%) remain untouched

All 200 team members still hold access to all 50,000 records

The access exists for flexibility. An agent with the same access doesn't need flexibility—it needs precision.

"The authorization challenge for agents isn't new; it's the same problem security has dealt with for decades, just massively accelerated. We need partners who understand this deeply. At Brex, we're pushing agents into production fast, and working with Oso gave us the foundation to do that without creating new security risks."

Mark Hillick
CISO of Brex
Finding 03

Destructive Permissions Are Everywhere

Permissions to delete, modify, or export critical data are far more common than organizations realize.

Key Stats

What This Means

Organizations grant permissions so workers can manage systems without friction. Humans use those capabilities sparingly, and usually with clear intent. Agents don’t apply that judgment. If destructive permissions are available to agents, routine automation can trigger irreversible actions.

See Example

Your engineering team uses a project management tool

40 engineers have accounts. Each engineer can:

Delete tasks

Delete projects

Modify project timelines

Export all project data

Over 90 days, 2 engineers delete tasks (cleanup work). 1 engineer exports data (board snapshot for a presentation). The remaining 37 engineers never touch these capabilities. But if you deploy an agent with typical engineer permissions—"help me organize my tasks"—that agent inherits delete access to every project in the system.

Methodology

Scope of the Research

THE SAMPLE

This research examines permission usage in a 90-day window across

2.4 million*
end users across production applications
3.6 billion*
application permissions
THE DATA

We analyzed real-world production data to quantify:

1.
How many permissions users have
2.
The relative risks of those permissions
3.
How many of those permissions each user actually exercises
THE GOAL

Size the risk surface for AI agents operating within human-permissioned systems

Definitions

User

Resource

Action

Permission

User

The actor taking an action. Users can include people, services, or AI agents.

Examples:

Sarah, a sales rep logging into your CRM

An AI agent summarizing customer support tickets

A billing service accessing payment records

The GitHub integration syncing repository data

Resource

The object being acted upon. Resources include data, documents, records, or any entity in your system that requires access control.

Examples:

An invoice in your billing system

A customer's email address (PII)

A Slack channel with confidential product discussions

A database containing financial records

A specific Salesforce opportunity

Action

What the actor does to the resource. Actions define the specific operation being performed.

Examples:

view — Read a customer support ticket

edit — Modify an opportunity's close date

delete — Remove a draft invoice

export — Download a CSV of user data

share — Grant another user access to a document

Permission

The capability linking a user, action, and resource. Permissions answer the question: "Can this user perform this action on this resource?"

Examples:

Sarah can edit opportunities in the Enterprise segment

The billing agent can view, but can't delete payment records

Support engineers can view customer PII but can't export it

An AI agent can read docs but cannot modify production configs

Marketing managers can only create campaigns in their regional workspace

Permission Usage vs Resource Access

How we measure

Permission Usage

A permission is an action/resource type combination. If you can read documents, that counts as one permission, whether you can access 1 document or 1,000 documents. The metric tracks whether you exercise the capability at all, not how many individual resources you touch.

For example:

If you have read access to 500 opportunities in your CRM but only view 1 opportunity in 90 days, you've used 100% of that permission.

How we measure

Resource Access

Resource utilization measures how many individual resources get accessed out of the total available. This metric exposes the gap between the access you grant and the resources people actually need.

For example:

If your CRM contains 500 opportunities and users access 10 of them in 90 days, then 2% of the resources have been accessed (10 accessed opportunities / 500 total opportunities).

"At HashiCorp, we’ve spent many years helping organizations manage their sprawl of secrets. We consistently see that both humans and services are over-privileged and that bad hygiene turns into a major security threat, validated by this research. Now with agents, we are seeing the risks compound exponentially. There is a broader surface area of access, with more secrets, and more over-privilege than ever before. Organizations need to tackle authorization of agents, and avoid taking a bolt-on approach to security."

Armon Dadgar
Co-Founder and CTO

Recommendations

What to implement
Why it matters
Audit permission sprawl before deploying agents.
Use your identity governance platform to identify dormant and excessive permissions. If 96% of human access goes unused, that same access should not be handed to an agent.
Create dedicated agent identities.
Do not let agents inherit user credentials or operate under human service accounts. Provision separate, purpose-built identities with only the permissions each agent requires.
Start agents in read-only mode.
Deploy agents in observation mode before granting write or delete access. Monitor what they attempt to do and use the logs to right-size permissions before expanding access.
Log every agent action from day one.
Ensure all agent interactions—tool calls, API requests, data access—are captured in your existing logging infrastructure. You cannot govern what you cannot see.
Configure agent-specific detection rules.
Set up SIEM alerts for anomalous agent behavior: querying systems outside task scope, accessing unfamiliar data, attempting privilege escalation, or operating at unusual hours.
Triage permissions by blast radius.
Prioritize locking down destructive permissions—modify, delete, export—and high-privilege admin roles before addressing read-only access.
Use only official, vendor-maintained integrations.
Prefer battle-tested MCP servers and connectors from established vendors over community-maintained tools with less tested security boundaries.
Expand agent access incrementally.
Start with a single tool or integration, monitor behavior, and expand only after validating operational patterns. Treat each new integration as a controlled rollout.
Run an agent red team exercise.
Before broad deployment, deliberately attempt to make agents misbehave—exfiltrate data, follow injected prompts, access unauthorized systems. Find permission gaps before an adversary does.
Make this a board-level conversation.
Agent deployment is a strategic priority. Few situations allow security to so clearly unlock business value. Frame permissions infrastructure as what accelerates safe agent adoption.

We Need More Research

To our knowledge, this is the first research examining how permissions are actually exercised in production systems.

Most discussions about least privilege focus on policies: how access should be structured. Much less is known about how access is actually used.

Our analysis covers 2.4 million users and 3.6 billion permissions across organizations running Oso in production. While that is a substantial dataset, it represents only a small portion of the global software ecosystem. It also represents companies that already take authorization seriously.

Large infrastructure providers operate systems with far greater visibility into how permissions are used across industries and workloads. Similar analyses from those providers would help validate these findings and deepen the industry’s understanding of how permissions are actually used.

Secure Your Agents

If you want to run powerful agents safely, you need the right guardrails in place. To learn more about agentic security and how Oso can help, book a meeting with the Oso team.