Read-only by default: sessions and time-boxed elevation
Most of what an agent does is read. It pulls context, inspects state, gathers what it needs to decide. The consequential part — sending, writing, deleting — is a small fraction of the work but nearly all of the risk. So why grant the risky power for the entire life of a session?
AgentTrust ID's answer is to make sessions read-only by default and let them rise to more only when something asks for it, only for a while.
The default is the safe one
A session starts in read-only mode. The agent can do its reading freely. When it attempts a non-read action — something that mutates or destroys — the platform doesn't silently allow it and it doesn't just hard-fail. It denies the action and hands back an approval_id: a pointer to a pending decision that a human or a policy can act on.
This flips the usual posture. Instead of an agent holding broad authority and you hoping it doesn't misuse it, the agent holds the minimum and asks to step up when it has a concrete reason. The dangerous capability isn't lying around waiting to be triggered by a bad instruction; it has to be granted, deliberately, in the moment.
Elevation is a window, not a switch
When a request is approved, the session elevates — but not permanently. The grant is time-boxed: the agent gets the broader capability for a bounded window, and when that window expires the session reverts to read-only on its own. Nobody has to remember to revoke it.
That bound is the whole point. A permanent grant is just the over-privileged credential again, earned through one approval. A five-minute window is enough to do the task and short enough that a forgotten elevation can't quietly become standing power. The safe state is the one the system returns to by default, not the one you have to remember to restore.
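The deny-then-approve flow and the expiring window described above, as an added sketch that is not AgentTrust ID's own code or API. The `Session` class, its method names, the `READ_ACTIONS` set and the choice to scope each grant to the one action that was requested are all assumptions made for illustration; the 300-second default mirrors the five-minute window mentioned above.

```python
import secrets
import time

# Assumed classification of non-mutating actions (hypothetical names).
READ_ACTIONS = {"read", "list", "get"}


class Session:
    """Hypothetical read-only-by-default session with time-boxed elevation."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # approval_id -> action awaiting a decision
        self._elevated_until = {}    # action -> time at which the grant lapses

    def attempt(self, action):
        """Return ("allowed", None) or ("denied", approval_id)."""
        if action in READ_ACTIONS:
            return ("allowed", None)
        expiry = self._elevated_until.get(action)
        if expiry is not None:
            if self._clock() < expiry:
                return ("allowed", None)
            # Window has passed: drop the grant. No revoke call is needed,
            # because the check itself restores the read-only state.
            del self._elevated_until[action]
        # Neither silently allowed nor a bare failure: deny and hand back
        # a pointer to a pending decision.
        approval_id = secrets.token_urlsafe(16)
        self._pending[approval_id] = action
        return ("denied", approval_id)

    def approve(self, approval_id, window_seconds=300):
        """Called by a human or a policy. Ids are single-use (KeyError on reuse)."""
        action = self._pending.pop(approval_id)
        self._elevated_until[action] = self._clock() + window_seconds


if __name__ == "__main__":
    now = [0.0]                              # constructed fake clock
    s = Session(clock=lambda: now[0])
    print(s.attempt("read"))                 # reads pass without approval
    status, approval_id = s.attempt("delete")
    print(status)                            # denied, with an approval_id
    s.approve(approval_id)
    print(s.attempt("delete"))               # allowed inside the window
    now[0] = 301.0
    print(s.attempt("delete")[0])            # denied again after expiry
```

Because the expiry is evaluated on every attempt, there is no background job or revoke step that can be forgotten.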
Why time-boxing beats good intentions
Every "we'll clean this up later" permission that's still active months on started as a reasonable, temporary grant. Time-boxing removes the cleanup step entirely: expiry is the cleanup. The session can't accumulate authority across a long-running task, because each elevation is its own short-lived thing that lapses without intervention.
For an agent — which may run for hours, take thousands of actions, and never have a human watching in real time — this matters more than it does for a person. You can't rely on someone noticing that an agent has held write access for longer than it needed. Read-only by default, with elevation as a bounded exception, makes least privilege the resting state instead of a goal you keep having to enforce.