AI Agent Tool Permission Matrix

A no-login launch resource for deciding which AI agent and MCP tool actions can run automatically, which need approval, and which should be blocked before production. Use placeholder workflow names only.

Permission matrix

Columns: Action class (with examples) / Default gate / Evidence before launch

Read public or low-risk context
  Examples: Public docs, product pages, public issue text, or sanitized examples.
  Default gate: Allow when source and data class are in policy.
  Evidence before launch: Record source, purpose, data class, and whether content is untrusted instruction or reference data.

Read private business context
  Examples: Tickets, CRM notes, internal docs, customer messages, memory, or private repositories.
  Default gate: Ask or restrict by role, tenant, and workflow. Never grant broad read scope by default.
  Evidence before launch: Show scoped credential, redaction path, audit trail, retention rule, and least-privilege boundary.

Draft externally visible content
  Examples: Email, support replies, public posts, pull-request comments, status pages, or customer-facing summaries.
  Default gate: Allow draft-only; require approval before send or publish.
  Evidence before launch: Receipt should name destination, reviewer, untrusted inputs used, and final approval state.

Write to systems of record
  Examples: Database updates, CRM changes, ticket status, billing metadata, file edits, or repository writes.
  Default gate: Require approval unless the workflow is narrow, reversible, and tested with fixtures.
  Evidence before launch: Record old value, new value, rollback path, policy id, and deterministic replay result.

Execute code or commands
  Examples: Shell commands, deploy hooks, browser automation, package install, build scripts, or MCP tools that run code.
  Default gate: Block by default. Allow only in sandboxed, explicit, logged workflows.
  Evidence before launch: Show sandbox boundary, command allowlist, denied commands, timeout, network policy, and human approval rule.

Financial, identity, or credential actions
  Examples: Payment, subscription, account permissions, OAuth apps, API keys, password changes, tax, bank, or card data.
  Default gate: Block for autonomous agents. Require human-owned manual flow.
  Evidence before launch: Receipt should prove the agent cannot view or transmit sensitive payment, tax, bank, card, OAuth, cookie, token, or password data.

What to test before launch

  • Can untrusted content change the tool choice, destination, or approval state?
  • Can output from one MCP server influence another server or outbound action?
  • Does every write/send/delete/deploy/payment-like action have a receipt and rollback expectation?
  • Does the workflow fail closed when policy, scanner, or approval checks are unavailable?
  • Are secrets, customer records, private handles, and payment details redacted before logs or model-visible summaries?

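As an added example (not part of this page's resource), a small policy gate that encodes the matrix above and exercises two of the pre-launch checks: it fails closed when the policy or the action class is unknown, and it binds each approval to a digest of the exact tool call so untrusted content cannot redirect an approved action to a different destination. The MCP tool names, the policy id and the "send_external" class are constructed for the example; the sandboxed exception for code execution is not modelled.

```python
import hashlib
import json

ALLOW, ASK, BLOCK = "allow", "ask", "block"
POLICY_ID = "matrix-v1"  # constructed policy identifier for receipts

# Default gates per action class, taken from the matrix. "send_external" is
# the send/publish step the matrix gates behind approval after drafting.
DEFAULT_GATES = {
    "read_public": ALLOW,
    "read_private": ASK,
    "draft_external": ALLOW,
    "send_external": ASK,
    "write_record": ASK,
    "execute_code": BLOCK,
    "financial_identity": BLOCK,
}

# Constructed mapping from hypothetical MCP tool names to action classes.
TOOL_CLASSES = {
    "docs.search": "read_public",
    "crm.read_note": "read_private",
    "mail.draft": "draft_external",
    "mail.send": "send_external",
    "tickets.update": "write_record",
    "shell.run": "execute_code",
    "billing.charge": "financial_identity",
}

def call_digest(tool, args):
    """Digest of the exact call. Approvals are bound to this value, so if
    untrusted content alters the destination or arguments the digest changes
    and an earlier approval no longer applies."""
    payload = json.dumps({"tool": tool, "args": args}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def decide(tool, args, approvals=frozenset(), policy=DEFAULT_GATES, untrusted_inputs=()):
    """Receipt for one proposed tool call. Fails closed: a missing policy or an
    unmapped tool/class yields BLOCK. ASK becomes ALLOW only with an approval
    for this exact digest; BLOCK is never lifted by an approval."""
    digest = call_digest(tool, args)
    action_class = TOOL_CLASSES.get(tool)
    if policy is None or action_class is None:
        gate = decision = BLOCK  # unknown class or no policy: block
    else:
        gate = policy.get(action_class, BLOCK)
        decision = ALLOW if gate == ASK and digest in approvals else gate
    return {"tool": tool, "action_class": action_class, "gate": gate,
            "decision": decision, "call_digest": digest,
            "policy_id": POLICY_ID, "untrusted_inputs": list(untrusted_inputs)}
```

The receipt dicts are what a replayable fixture compares against: the same call with the same approvals must always produce the same decision.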
Launch rule

Ship the agent with the smallest useful tool scope, then widen only after replayable fixtures show deterministic policy decisions. If the action changes another system or reaches a person, approval and receipts should be part of the launch criteria.

This page is a public planning aid, not legal advice, compliance certification, penetration testing, incident response, or a security guarantee.