Introducing Scope Locking for AI Agents
Zafer Polat Kalender
Founder & CEO
Today we're announcing Scope Locking — a new authorization primitive that dynamically restricts an agent's permissions based on the task it's currently performing. Think of it as least-privilege that adapts in real-time to what the agent is actually doing.
The Problem with Static Permissions
Traditional authorization systems assign permissions statically. An agent gets a role — "support-agent" or "data-processor" — and that role comes with a fixed set of permissions that apply regardless of context. This creates a fundamental tension: if you grant enough permissions for the agent to handle every possible task, you've over-provisioned it for any individual task.
A customer support agent might need to access customer records, process refunds, and update shipping addresses. But when it's handling a specific support ticket about a shipping delay, it should only access that customer's records and that order's data — not the entire customer database.
How Scope Locking Works
Scope Locking introduces a new concept: task-scoped permissions. When an agent begins a task, it declares what it intends to do, and PermitNetworks dynamically narrows its permissions to only what that specific task requires.
// Start a scoped session for handling a support ticket
const scope = await permit.createScope({
agent: "support-agent-1",
task: "handle-support-ticket",
context: {
ticketId: "TKT-4892",
customerId: "cust_28a1f3",
},
allowedActions: ["read:customer", "read:order", "update:shipping"],
excludeActions: ["delete:*", "read:payment-info"],
ttl: 600, // 10 minute maximum
});
// Within this scope, the agent can ONLY access data
// related to customer cust_28a1f3 and ticket TKT-4892The key insight is that scope locking doesn't just restrict what actions the agent can take — it restricts what data those actions can touch. The agent can read customer records, but only for the customer associated with the current ticket. It can update shipping addresses, but only for the order in question.
Automatic Scope Inference
For common task patterns, PermitNetworks can automatically infer the appropriate scope from the task context. If your support agent always needs access to the customer's orders and profile when handling a ticket, you can define a scope template:
// Define a scope template (done once, at configuration time)
{
"name": "support-ticket-handler",
"auto_scope": {
"customer": "context.customerId",
"orders": "customer.orders",
"allowed": ["read:customer", "read:order", "update:shipping"],
"denied": ["delete:*", "export:*", "read:payment-info"]
}
}When the agent begins handling a ticket, PermitNetworks automatically resolves the scope template against the task context, creating a tight permission boundary with zero additional code from the developer.
Scope Locking vs. Static RBAC
Here's how scope locking compares to traditional Role-Based Access Control:
- RBAC: "This agent can read all customer records" — applies to every customer, at all times.
- Scope Locking: "This agent can read customer records for cust_28a1f3, for the next 10 minutes, while handling TKT-4892" — precise, time-bounded, task-specific.
The difference matters enormously for security. If an agent is compromised or malfunctions while scope-locked, the blast radius is contained to only the resources within the current scope. An agent that goes rogue while handling one customer's ticket cannot access any other customer's data.
Built-In Expiration
Every scope has a TTL (time to live). When the TTL expires, the scope closes and the agent's elevated permissions are automatically revoked. This prevents "permission drift" — the gradual accumulation of access that happens when temporary permissions are never cleaned up.
If the agent completes its task before the TTL expires, the scope can be closed explicitly. Either way, the permissions don't linger.
Getting Started
Scope Locking is available today in the PermitNetworks SDK (v0.4+) for TypeScript and Python. Define your scope templates in the dashboard, and enable scope locking in your agent's authorization flow with a single API call.
Check out our Policy Language Guide for detailed documentation on scope templates, and our Examples page for real-world scope locking patterns.