SECENG DEFEND
Agent Authority Review & Hardening
Find the authority your agents actually have.
Compare declared tool permissions against observed capabilities, API scopes, and side effects so AI agents cannot quietly write, delete, send, execute, or administer more than intended. SecEng Agent Authority Diff turns vague agent access into a defensible permission review and hardening backlog.
Compare
Compare declared permissions, tool definitions, observed capabilities, side effects, scopes, and confirmation requirements.
Detect
Flag write, delete, send, execute, admin, secret, filesystem, browser, and network access.
Harden
Split tools, reduce scopes, add approval gates, and create audit trails.
Review
Accelerate manual permission review without replacing human security judgment.
Core capabilities
What SecEng Agent Authority Diff does.
Declared vs Observed Permissions
Compare tool descriptions and declared scopes against capabilities visible in schemas, API grants, and implementation evidence.
Excessive Agency Detection
Detect read-only claims that hide write/delete access, harmless assistants that can send messages, and support agents with delete or admin paths.
OAuth and API Scope Review
Identify excessive OAuth/API scopes, hidden admin grants, and broad permissions that should be reduced before release.
Approval Gate Analysis
Flag missing or weak human approval requirements for irreversible, external, administrative, or high-blast-radius operations.
Tool Hardening Plan
Recommend split tools, smaller scopes, confirmation gates, audit trails, and release-blocking fixes.
Threat Canvas Handoff
Feed permission findings into Threat Canvas, Release Gate, and engineering backlog workflows.
Evidence & signals
What you get out of the box.
Capability Classes
- Read
- Write
- Delete
- Send
- Execute
- Admin
- Secret
- Filesystem
- Browser
- Network
Findings
- Permission drift report
- Excessive agency findings
- Scope review
- Missing approval gates
- Release blocking risks
Hardening Outputs
- Tool split recommendations
- Reduced scopes
- Approval requirements
- Audit trail gaps
- Engineering backlog
AI SECURITY ENGINEERING WORKBENCH
Ready to put SecEng Agent Authority Diff to work?
Agent Permission Diff is an active-development SecEng Workbench capability available through scoped public-site review conversations. We compare declared and observed permissions, then produce a hardening backlog for agent tools and approvals.