Zero Standing Permissions for AI Agents: Lessons from Hermes Blank Slate and Toolset Pinning
Blog post from Permit.io
Hermes Agent's "Blank Slate" approach exemplifies the zero standing permissions (ZSP) model for AI agents, emphasizing minimal initial access and granting permissions only as needed for specific tasks. This model enhances security by ensuring that AI agents do not have persistent access to sensitive tools or data, thereby reducing the risk of unauthorized actions. The framework involves multiple layers, such as baseline-deny configurations and runtime checks, to enforce context-aware authorization. The approach advocates for tools to start disabled by default, thereby minimizing potential exposure from prompt injections or model errors. The ZSP model is complemented by static pinning of essential tools and dynamic, just-in-time (JIT) grants for sensitive actions, which are subject to stringent audit trails and revocation policies. By transitioning from all-on-by-default to a more controlled runtime-authorized model, organizations can maintain productivity while enhancing security and auditability.
| Trend | Post Mentions | Total Month Mentions | Posts | Companies | MoM |
|---|---|---|---|---|---|
| MCP | 16 | 6,026 | 689 | 188 | -15% |
| AI Agents | 7 | 4,874 | 1,103 | 240 | -1% |
| Developer Experience | 1 | 384 | 227 | 88 | -19% |