Building Safe LangChain Agents with Scope Verification

DEV Community·Claude Rodriguez·28 days ago

LangChain is great at building agents that act. Search the web. Write files. Send emails. Call APIs. The framework handles orchestration beautifully. What it doesn't handle: authorization. Your agent might be able to send an email, delete a file, and call a payment API. That doesn't mean it should — on every invocation, for every user, in every context.

This is the gap. And it's the one that causes incidents.

The Problem with Tool-Level Permissions

The typical LangChain pattern is to control what an agent can do by giving it certain tools. Don't want it deleting files? Don't add the delete_file tool. That works until:

- A user delegates a narrow task ("just check my inbox") but your tool has broad capabilities ("read, reply, forward, delete")
- Two users have the same agent with different trust levels
- An agent is mid-task and encounters a situation outside what was intended
- You need to prove, after the fact, what the agent was authorized to do

Tool-level permissions are coarse.…
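The gap between "has the tool" and "is authorized for this call" can be closed by checking a per-task scope on every invocation and recording each decision. The following is an added example written for this post, not the article's code or LangChain's API: it uses a plain callable wrapper instead of LangChain's tool classes, and the scope names (email:read, email:delete), users and mailbox contents are constructed.

```python
"""Per-invocation scope check for agent tools (added example, not the article's code)."""
from dataclasses import dataclass, field
from typing import Any, Callable


class ScopeError(PermissionError):
    """Raised when a tool call falls outside the scope granted for this task."""


@dataclass
class TaskContext:
    user: str
    granted: frozenset               # scopes granted for this task, e.g. {"email:read"}
    audit: list = field(default_factory=list)  # after-the-fact record of every decision


@dataclass
class ScopedTool:
    """Wraps a capability so it runs only when the caller holds the required scope."""
    name: str
    required_scope: str
    func: Callable[..., Any]

    def __call__(self, ctx: TaskContext, *args: Any) -> Any:
        allowed = self.required_scope in ctx.granted
        ctx.audit.append({"user": ctx.user, "tool": self.name,
                          "scope": self.required_scope, "allowed": allowed})
        if not allowed:
            raise ScopeError(f"{self.name} needs {self.required_scope}; "
                             f"{ctx.user} holds {sorted(ctx.granted)}")
        return self.func(*args)


# Constructed stand-ins for one broad "email" tool split into separately scoped actions.
MAILBOX = ["hello", "invoice"]
read_inbox = ScopedTool("read_inbox", "email:read", lambda: list(MAILBOX))
delete_mail = ScopedTool("delete_mail", "email:delete", lambda i: MAILBOX.pop(i))


def execute_plan(ctx: TaskContext, steps: list) -> tuple:
    """Run an agent's proposed tool calls in order; stop at the first out-of-scope call.

    Returns (results so far, name of the denied tool or None). The same plan can be
    run for different users: what executes depends on the scope they were granted.
    """
    results = []
    for tool, args in steps:
        try:
            results.append(tool(ctx, *args))
        except ScopeError:
            return results, tool.name
    return results, None
```

Running the same two-step plan for a user granted only email:read stops before the delete and leaves an audit entry showing the denied call, while a user holding both scopes completes it.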
