Permission Models for AI Agents: A Technical Comparison
Permission models determine what an AI agent can do and how decisions are made when no explicit rule exists. The four dominant models are allow-by-default, deny-by-default, capability-based, and role-based access control (RBAC). SafeClaw by Authensor implements deny-by-default with first-match-wins evaluation, which security professionals broadly regard as the safest model for autonomous agents because it guarantees that any action not explicitly authorized is blocked before execution.
Quick Start
npx @authensor/safeclawThe Four Models
1. Allow-by-Default
How it works: Every action is permitted unless a rule explicitly denies it.
# Allow-by-default pseudocode
rules:
- action: shell.execute
command: "rm -rf /"
effect: deny
# Everything else: allowedProblems for AI agents:
- New action types (tools, APIs, file paths) are automatically permitted
- You must anticipate every dangerous action and write a deny rule for it
- A single missed deny rule creates a vulnerability
- Agents routinely discover new attack surfaces that no deny rule covers
Verdict: Unacceptable for autonomous agents. You cannot enumerate all dangerous actions.
2. Deny-by-Default
How it works: Every action is blocked unless a rule explicitly allows it.
# SafeClaw deny-by-default
rules:
- action: file.read
path: "src/**"
effect: allow
- action: shell.execute
command: "npm test"
effect: allow
- action: "*"
effect: deny
reason: "Default deny: not explicitly allowed"
Advantages for AI agents:
- New action types are automatically blocked
- You only need to enumerate what the agent should do, not what it should not do
- The allow list is typically 10-20 rules; the deny surface is infinite
- Policy is auditable: the allow list is the complete capability set
This is what SafeClaw implements.
3. Capability-Based
How it works: Agents receive capability tokens that grant specific permissions. To perform an action, the agent must present the corresponding token.
Agent receives: [cap:file.read:src/**, cap:shell.execute:npm test]
Agent attempts: file.write src/app.ts → No capability → DENIEDAdvantages:
- Fine-grained, transferable permissions
- Good for multi-agent delegation
Disadvantages:
- Complex token management
- Capability leakage if tokens are passed between agents
- Requires a token authority and revocation system
SafeClaw policies achieve the same granularity without token management overhead.
4. Role-Based Access Control (RBAC)
How it works: Agents are assigned roles, and roles map to permission sets.
roles:
junior-agent:
- file.read: "src/**"
- shell.execute: "npm test"
senior-agent:
- file.read: "**"
- file.write: "src/**"
- shell.execute: "npm *"Advantages:
- Familiar to enterprise security teams
- Easy to reason about at the organizational level
Disadvantages:
- Role explosion in complex environments
- Roles often become too broad over time
- Does not enforce deny-by-default unless explicitly designed to
SafeClaw supports RBAC as a pattern on top of deny-by-default: each role is a policy file, and every policy file ends with a deny-all catch-all.
Comparison Matrix
| Property | Allow-Default | Deny-Default | Capability | RBAC |
|---|---|---|---|---|
| Safety for unknown actions | None | Full | Partial | Depends |
| Policy complexity | High (deny list) | Low (allow list) | Medium (tokens) | Medium (roles) |
| Audit clarity | Low | High | Medium | Medium |
| Scalability | Poor | Good | Good | Good |
| Fail-safe behavior | Fail-open | Fail-closed | Fail-closed | Depends |
First-Match-Wins Evaluation
SafeClaw evaluates rules top-to-bottom and applies the first matching rule:
rules:
# Rule 1: Specific deny
- action: file.read
path: "src/config/secrets.yaml"
effect: deny
# Rule 2: Broader allow
- action: file.read
path: "src/**"
effect: allow
# Rule 3: Catch-all deny
- action: "*"
effect: deny
For file.read src/config/secrets.yaml: Rule 1 matches first, result is deny.
For file.read src/app.ts: Rule 1 does not match, Rule 2 matches, result is allow.
For network.request example.com: Rules 1-2 do not match, Rule 3 matches, result is deny.
This model is predictable, auditable, and mirrors firewall rule evaluation — familiar to security engineers.
Implementation Recommendation
For any AI agent deployment:
- Start with deny-by-default (SafeClaw baseline)
- Add allow rules for the specific actions the agent needs
- Layer RBAC on top by assigning different policy files to different roles
- Use the audit trail to identify missing allow rules (legitimate denies) and tighten overly broad allows
- Review policies quarterly
version: "1.0"
description: "Production agent — deny-by-default with RBAC"
rules:
- action: file.read
path: "src/**"
effect: allow
- action: shell.execute
command: "npm test"
effect: allow
- action: "*"
effect: deny
reason: "Deny-by-default baseline"
Why SafeClaw
- 446 tests validate first-match-wins evaluation across every edge case
- Deny-by-default is the safest model for autonomous agents
- Sub-millisecond evaluation makes the permission model invisible to users
- Hash-chained audit trail logs every evaluation for security review
- Works with Claude AND OpenAI — permission model is provider-agnostic
- MIT licensed — adopt the safest permission model without cost
See Also
- Role-Based Access Control for AI Agents
- Zero Trust Architecture for AI Agents
- How to Set AI Agent Policies for Engineering Teams
- Building an AI Governance Framework with SafeClaw
Try SafeClaw
Action-level gating for AI agents. Set it up in your browser in 60 seconds.
$ npx @authensor/safeclaw