One of the oldest principles in information security is this: give each user only the level of access they need to do their job, no more. The same principle can be extended from a user’s access to an agent’s knowledge, where it is called Cognitive Least Privilege. Under it, every agent should hold only the information that is essential to its task, and nothing more.
Why less is better
This restriction has two major advantages, both important. First, accuracy: giving an agent irrelevant information creates noise in its processing; the model may use that very irrelevant data in its decisions and fall into error or hallucination. Second, security: the more limited the data in an agent’s context, the less room there is for information to leak or be abused. Here the logic of security and the logic of accuracy converge: less is better.
The boundary between self-knowledge and system-knowledge
A simple distinction helps a great deal: an agent should know about itself, not about the system. “Self-knowledge” covers things like the agent’s identity, its responsibilities, and the rules that govern its behaviour — this should be provided to the agent. “System-knowledge,” by contrast, means the agent’s awareness of other agents, the system topology, and the data flow — this should be left out. Define the agent by the task it does, not by the position it holds in the system. Remove referential phrases like “upstream” and “downstream” from the instructions, and ask for output without specifying a destination; for example, instead of “send the result to such-and-such component,” write “return the result.”
In practice
Before adding any information to the context, ask this question: does the agent really need this datum to do its job? If the answer is no, remove it. The second question: could this information leak into user-facing output or reveal the system’s internal details? If yes, again leave it out. Observing this structural discipline both raises the agent’s accuracy and keeps the attack surface small. A focused agent that knows only its own task will almost always outperform a know-it-all agent.
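
The two checks described above, the wording rule for instructions and the two questions for context data, can be run as a review step before an agent is deployed. The following is an added example, not part of the original article. The regex patterns, function names, and the summarizer agent with its sample data are all assumptions constructed for illustration.

```python
import re

# Assumed patterns for "system-knowledge" wording; extend for your own prompts.
RULES = {
    "topology-term": re.compile(r"\b(upstream|downstream)\b", re.I),
    "output-destination": re.compile(r"\b(send|forward|pass)\b[^.\n]*?\bto\b", re.I),
}


def lint_instructions(text):
    """Return (line_no, rule, matched_text) for each system-knowledge phrase."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                findings.append((no, rule, m.group(0)))
    return findings


def build_context(candidates, needed, internal):
    """Apply the two questions: keep a datum only if the task needs it
    and it would not expose internal details if echoed to the user."""
    kept, dropped = {}, {}
    for key, value in candidates.items():
        if key not in needed:
            dropped[key] = "not needed for the task"
        elif key in internal:
            dropped[key] = "could reveal internal details"
        else:
            kept[key] = value
    return kept, dropped


# Constructed sample instructions and context for a hypothetical summarizer agent.
BEFORE = """You are the summarizer, downstream of the retriever agent.
Summarize the document in five sentences.
Send the result to the ranking component."""
AFTER = """You summarize documents.
Summarize the document in five sentences.
Return the result."""
CANDIDATES = {
    "document": "Q3 incident report ...",
    "style_rules": "plain language, five sentences",
    "agent_roster": ["retriever", "ranker"],
    "db_host": "db.internal.example",
}

if __name__ == "__main__":
    for finding in lint_instructions(BEFORE):
        print(finding)
    print(lint_instructions(AFTER))
    print(build_context(CANDIDATES, {"document", "style_rules", "db_host"}, {"db_host"}))
```

The `dropped` map records why each item was excluded, which gives reviewers an audit trail for context decisions.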