When AI Subagents Call MCP Tools, Who Owns the Permission Decision?
Blog post from Permit.io
When AI subagents call Model Context Protocol (MCP) tools, the question of who owns the permission decision arises as soon as a child process makes a call and the authority behind that call becomes unclear. Real-world reports show the difficulty of managing subagents as distinct actors rather than as clones of their parent, and the post argues that permissions should remain explicit at runtime, taking into account user consent and the scope of the task the child was given. The security model should prioritize runtime authorization over static inheritance, so that each subagent's request is evaluated on its own merits through an auditable decision process.

Key failure modes are silent token inheritance (a child simply reusing its parent's credentials), allowlist-only trust without runtime checks, and approval deadlocks; these can be mitigated with child-specific token binding and explicit escalation channels. The post stresses a clear distinction between parent and subagent roles and advocates a single brokered authorization path, so that tool usage is secure, auditable, and appropriate to its context, supported by an audit schema robust enough to serve incident response.
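The following is an added example (not code from Permit.io or the original post) of what a brokered authorization path for subagent tool calls can look like. It shows child-specific token binding (a subagent gets its own token that may only narrow the parent's scopes and task), runtime evaluation of every call regardless of the tool allowlist, an escalation channel that returns a pending approval instead of blocking, and an audit record per decision. The signing key, tool names, scope names and policy table are all constructed for the example.

```python
"""Brokered runtime authorization for subagent MCP tool calls (illustrative)."""
import hashlib
import hmac
import json
import time

# Constructed signing key; a real broker keeps this in a KMS/HSM, never in code.
SECRET = b"constructed-broker-signing-key"

# Constructed tool policy: required scope plus whether a human must consent.
TOOL_POLICY = {
    "fs.read":    {"scope": "fs:read",  "consent": False},
    "fs.write":   {"scope": "fs:write", "consent": True},
    "shell.exec": {"scope": "shell",    "consent": True},
}


def _sign(claims: dict) -> str:
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()


def mint_token(subject: str, parent, task: str, scopes: set, ttl: int = 300) -> dict:
    """Issue a token bound to one actor (subject) with a task path and scope set."""
    claims = {"sub": subject, "parent": parent, "task": task,
              "scopes": sorted(scopes), "exp": time.time() + ttl}
    return {**claims, "sig": _sign(claims)}


def mint_child_token(parent_token: dict, subagent_id: str, task: str, scopes: set) -> dict:
    """Child-specific binding: the subagent gets its own token and may only
    narrow the parent's scopes and task, never widen them."""
    if not scopes <= set(parent_token["scopes"]):
        raise ValueError("child scopes exceed parent's")
    if not task.startswith(parent_token["task"]):
        raise ValueError("child task outside parent's task scope")
    return mint_token(subagent_id, parent_token["sub"], task, scopes)


class Broker:
    """Single authorization path for all tool calls; nobody gets inherited trust."""

    def __init__(self):
        self.audit = []       # one record per decision, for incident response
        self.pending = {}     # explicit escalation channel: approvals awaiting a human
        self.approved = set()

    def authorize(self, caller_id: str, token: dict, tool: str, args: dict) -> str:
        decision, reason = self._evaluate(caller_id, token, tool, args)
        self.audit.append({"ts": time.time(), "caller": caller_id,
                           "parent": token.get("parent"), "tool": tool,
                           "args": args, "decision": decision, "reason": reason})
        return decision

    def _evaluate(self, caller_id, token, tool, args):
        claims = {k: v for k, v in token.items() if k != "sig"}
        # Integrity: reject forged or tampered tokens.
        if not hmac.compare_digest(_sign(claims), token.get("sig", "")):
            return "deny", "bad signature"
        # Binding: the token must have been issued to this caller. This is what
        # blocks silent inheritance, where a child presents the parent's token.
        if claims["sub"] != caller_id:
            return "deny", "token not bound to caller"
        if claims["exp"] < time.time():
            return "deny", "token expired"
        policy = TOOL_POLICY.get(tool)
        if policy is None:
            return "deny", "tool not on allowlist"
        # Runtime scope check: being on the allowlist is not enough by itself.
        if policy["scope"] not in claims["scopes"]:
            return "deny", "missing scope " + policy["scope"]
        # Task scope: path arguments must stay inside the task the child was given.
        path = args.get("path", "")
        if path and not path.startswith(claims["task"]):
            return "deny", "path outside task scope"
        # Consent: return 'escalate' with a pending item instead of blocking the
        # caller, which is how an approval deadlock is avoided.
        if policy["consent"]:
            key = caller_id + ":" + tool + ":" + path
            if key in self.approved:
                return "allow", "user consent on record"
            self.pending[key] = {"caller": caller_id, "tool": tool, "args": args}
            return "escalate", "awaiting user consent"
        return "allow", "scope and task checks passed"

    def grant(self, key: str) -> None:
        """A human resolves an escalation through the explicit channel."""
        self.pending.pop(key, None)
        self.approved.add(key)


def demo():
    """Walk through the failure modes with constructed actors and return decisions."""
    broker = Broker()
    parent = mint_token("parent-agent", None, "/work", {"fs:read", "fs:write", "shell"})
    reader = mint_child_token(parent, "sub-reader", "/work/repo", {"fs:read"})
    writer = mint_child_token(parent, "sub-writer", "/work/repo", {"fs:read", "fs:write"})
    results = {
        "read_in_scope": broker.authorize("sub-reader", reader, "fs.read", {"path": "/work/repo/a.txt"}),
        "read_out_of_task": broker.authorize("sub-reader", reader, "fs.read", {"path": "/etc/passwd"}),
        "write_without_scope": broker.authorize("sub-reader", reader, "fs.write", {"path": "/work/repo/a.txt"}),
        "inherited_parent_token": broker.authorize("sub-reader", parent, "fs.read", {"path": "/work/repo/a.txt"}),
        "write_needs_consent": broker.authorize("sub-writer", writer, "fs.write", {"path": "/work/repo/b.txt"}),
    }
    broker.grant("sub-writer:fs.write:/work/repo/b.txt")
    results["write_after_consent"] = broker.authorize("sub-writer", writer, "fs.write", {"path": "/work/repo/b.txt"})
    try:
        mint_child_token(reader, "sub-grandchild", "/work/repo", {"shell"})
        results["widen_scopes"] = "minted"
    except ValueError:
        results["widen_scopes"] = "refused"
    return results, broker.audit


if __name__ == "__main__":
    decisions, audit = demo()
    for name, decision in decisions.items():
        print(name, "->", decision)
```

The point to take from the walkthrough is that the child's identity, not its lineage, is what the broker checks: a subagent presenting its parent's token is denied on binding before any scope logic runs, an allowlisted tool is still refused when the runtime scope is missing, and a consent-gated call yields a pending approval that the audit log records rather than a hung caller.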