umairnadeem123 2 hours ago

The biggest gap in current agent security thinking is the lack of standardized capability scoping. Right now every agent framework invents its own permission model. We need something like OAuth scopes but for agent actions - a common vocabulary for "can read files but not write", "can call APIs but not spend money", "can draft emails but not send".

The drone registration analogy in the RFI is actually quite apt. For agents that can take real-world actions (deploy code, make purchases, send communications), some kind of capability manifest that can be audited before deployment would go a long way. The hard part is that agents are compositional - agent A calling agent B calling a tool creates permission chains that are hard to reason about statically.

tucnak an hour ago

What you're talking about exists, and it's called Relationship-based Access Control, or ReBAC. There are a few implementations, the Zanzibar paper, etc. The issue is not the capability system, it's governance. The operator needs to write policies, of course! They don't want to read or write policies, or audit other people's policies.
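The two comments above describe the same thing from opposite ends: a shared capability vocabulary with delegation chains (agent A → agent B → tool), and a ReBAC relation graph that has to be expanded rather than read off statically. The following is an added illustration written for this thread; it is not code from the thread, from Zanzibar, or from SpiceDB. It uses a simplified Zanzibar-style tuple shape `(object, relation, subject)` where a subject is either a principal (`agent:b`) or a userset (`agent:a#delegates`), the capability vocabulary `VOCAB`, the sample tuples, and the helper names `check`, `manifest` and `escalations` are all assumptions made up for the example.

```python
"""Zanzibar-style relationship tuples used to scope and audit agent capabilities.

A tuple is (object, relation, subject). The subject is either a concrete
principal ("agent:b") or a userset ("agent:a#delegates"), meaning every member
of that relation on that object is granted the tuple's relation transitively.
Everything below is constructed for illustration, not taken from a real system.
"""

# Capability vocabulary: the "OAuth scopes for agent actions" idea.
# object type -> relations an agent may hold on objects of that type.
VOCAB = {
    "fs": {"read", "write"},
    "api": {"call", "spend"},
    "mail": {"draft", "send"},
    "agent": {"delegates"},
}

# Constructed sample tuples (hypothetical deployment).
TUPLES = [
    ("fs:repo", "read", "agent:a"),
    ("fs:repo", "write", "agent:a"),
    ("api:billing", "call", "agent:a"),
    ("mail:outbox", "draft", "agent:a"),
    ("mail:outbox", "send", "agent:a"),
    # a delegates to b, b delegates to c (a tool-running sub-agent)
    ("agent:a", "delegates", "agent:b"),
    ("agent:b", "delegates", "agent:c"),
    # delegation is transitive: anyone b delegates to is also a delegate of a
    ("agent:a", "delegates", "agent:b#delegates"),
    # a's delegates may read the repo and draft mail, but not write or send
    ("fs:repo", "read", "agent:a#delegates"),
    ("mail:outbox", "draft", "agent:a#delegates"),
    # a direct grant to c that a itself never had: the audit should flag this
    ("api:billing", "spend", "agent:c"),
]


def check(tuples, obj, rel, principal, seen=None):
    """Return the chain of tuples proving `principal` holds `rel` on `obj`,
    or None. Usersets are expanded recursively; `seen` guards against
    cycles in the delegation graph."""
    seen = seen or set()
    key = (obj, rel)
    if key in seen:
        return None
    seen = seen | {key}
    for t in tuples:
        t_obj, t_rel, t_subj = t
        if (t_obj, t_rel) != key:
            continue
        if t_subj == principal:
            return [t]
        if "#" in t_subj:  # userset: recurse into the referenced relation
            s_obj, s_rel = t_subj.split("#", 1)
            sub = check(tuples, s_obj, s_rel, principal, seen)
            if sub is not None:
                return [t] + sub
    return None


def manifest(tuples, principal):
    """The auditable capability manifest: every (object, relation) the
    principal effectively holds, mapped to the tuple chain that grants it.
    Also rejects relations outside the shared vocabulary."""
    out = {}
    for obj, rel, _ in tuples:
        typ = obj.split(":", 1)[0]
        if rel not in VOCAB.get(typ, set()):
            raise ValueError(f"unknown capability {rel!r} for type {typ!r}")
        if (obj, rel) in out:
            continue
        path = check(tuples, obj, rel, principal)
        if path is not None:
            out[(obj, rel)] = path
    return out


def escalations(tuples, delegator, delegate):
    """Capabilities (excluding the delegation relation itself) that the
    delegate holds but the delegator does not. A delegation chain should
    only attenuate, so every entry here is an audit finding."""
    have = set(manifest(tuples, delegator))
    return {
        k: v for k, v in manifest(tuples, delegate).items()
        if not k[0].startswith("agent:") and k not in have
    }


if __name__ == "__main__":
    for (obj, rel), path in sorted(manifest(TUPLES, "agent:c").items()):
        print(f"{obj}#{rel}: via {' -> '.join(f'{o}#{r}@{s}' for o, r, s in path)}")
    print("escalations a->c:", sorted(escalations(TUPLES, "agent:a", "agent:c")))
```

The point the code makes concrete: `check` for `agent:c` on `fs:repo#read` succeeds only by walking three tuples (read grant to a's delegates, a's transitive delegation to b's delegates, b's delegation to c), which is exactly the chain that cannot be read off one tuple or one agent's manifest. `escalations` is the governance-side audit tucnak refers to: it does not need anyone to read policy text, it just diffs the derived manifests of delegator and delegate.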

jzelinskie 4 minutes ago

Sorry to piggyback, but if this is of interest to you, feel free to reach out to me over email (contact info in my profile). I'm one of the founders of the most popular ReBAC solution, SpiceDB, which secures quite a few AI products including big players like OpenAI. I'm always interested in hearing about more use cases or where folks are struggling the most.