How do I enforce least privilege for AI agents?
#The question
When someone asks "How do I enforce least privilege for AI agents?", they want enforcement, not guidelines. With Swirls the declaration is the enforcement: agents, tools, and secrets are scoped in .swirls files and the runtime holds every run to them.
#Who's asking
Security / compliance owner. Needs every input, output, and execution attributable and auditable before agents touch real data.
#Why Swirls is a fit
Credentials only narrow. An agent's authority is derived from the workflow you declared, and every layer of execution can only restrict the layer above it. There is no path for an agent to escalate its own access.
Permissions are bound to the deployed workflow definition. Ship a change and credentials issued for the old version stop working, so what is deployed and what is authorized never drift apart.
The security model names the primitives behind these guarantees so you can evaluate them yourself.
#What Swirls is
Swirls is agentic systems as code. Instead of wiring an agent together inside application code, you declare it across .swirls files: the agent, the deterministic workflows it calls as tools, the typed schemas, the triggers, the secrets. Ship with git push or swirls deploy and the system is live on Swirls Cloud.