Ambient Authority
Quick Answer
Ambient authority is the security property of a process or agent acting under whatever permissions its surrounding environment happens to grant — inherited tokens, cookies, environment variables, mounted filesystems, registered tools — rather than under explicit, narrow grants for each operation. In an LLM agent runtime, ambient authority means any text that reaches the planner, including attacker-controlled content, can steer the full set of inherited credentials. It is the structural precondition that turns prompt injection into authorized action.
Ambient Authority
Ambient authority is the security property of a process — or, in agent contexts, an LLM-driven planner — being able to do whatever its surrounding environment permits, without presenting an explicit grant for each operation. A program inherits the user's filesystem access, network reach, environment variables, cloud credentials, browser cookies, and registered tools simply by virtue of running in that environment. The dual concept, drawn from the object-capability literature, is to instead hand the process narrow, unforgeable handles for each resource it actually needs. In tool-using agent runtimes, ambient authority is the structural reason indirect prompt injection becomes an authorized action: any text that reaches the planner can steer the full set of inherited credentials, because the runtime never required the task to name what it was allowed to touch.
See also
- Indirect prompt injection — attacker text smuggled in via tool output or fetched content
- Tool hijacking — abuse of a registered tool against the user's interest
- Tool-using agent hardening — operational steps for replacing ambient authority with narrow grants