OASB
v1.0
Controls/Capability & Authorization/2.1
L1 EssentialForward-looking

2.1 Explicit Capability Grants

2. Capability & AuthorizationWhat can this agent do?

Description

Agent capabilities MUST be explicitly granted through a formal declaration, not implicitly assumed.

Rationale

Implicit capabilities create shadow permissions that are difficult to audit and control.

Audit Procedure

1. Check for capability manifest
2. Verify all tool/API access is listed
3. Check for wildcard permissions

Remediation

1. Create capability manifest
2. Implement capability checking at runtime
3. Deny actions not in manifest

Framework Mappings

CIS Control 6.8NIST PR.AC-4
Previous1.4 Identity Lifecycle ManagementNext2.2 Least Privilege Principle