The Tool Scope Becomes the Intent Gate
The June 2026 arXiv paper Intent-Governed Tool Authorization for AI Agents, by Genliang Zhu and Chu Wang, argues that an agent's tool access should be narrowed by the user's stated purpose before the model can act.
Credential Is Not Intent
Agent permissions often begin with a familiar pattern: the user signs in, grants a connector or server access, and the model sees callable tools. That solves authentication, but not the whole authority problem. A calendar credential may allow reads, writes, deletes, invitations, and settings changes. A file credential may allow search, export, rename, share, and delete. The user rarely means to delegate the whole surface for every task.
This is the gap that Intent-Governed Access Control, or IGAC, tries to name. The question is not only "who is this user?" or "what scopes did they grant last month?" It is "what is this session for, and which subset of authority follows from that purpose?"
That distinction matters for tool servers, Model Context Protocol deployments, and enterprise connectors. Tool descriptions are visible to the model, but the model should not be the final authority on which operations belong to the user's intent. The authorization decision has to live outside the model's wish to be helpful.
What IGAC Adds
The paper, arXiv:2606.22916, was submitted on June 22, 2026. It proposes IGAC as a server-side layer that derives a compact representation of the user's task intent, attaches a session-scoped policy, filters the tool manifest exposed to the agent, and checks each tool call for consistency with that intent before execution.
The useful governance idea is monotonic narrowing. The user's expressed intent can reduce authority inside a session; it should not expand the underlying static policy. If the account does not have export permission, the intent layer should not create it. If the user asks to summarize a folder, the layer should not quietly expose sharing or deletion tools simply because the same connector technically supports them.
That makes the tool scope into an intent gate. The gate is not a chatbot apology, a reminder in the system prompt, or a hope that the model remembers the boundaries. It is an enforcement point between model output and external action.
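The narrowing, manifest filtering and per-call check described above, as an added sketch that is not code from the paper or from OpenPort. The tool names, intent labels, intent-to-tool map, path-containment rule and receipt fields are all assumptions made for illustration.

```python
import posixpath
from dataclasses import dataclass, field

# Constructed sample data (hypothetical names, not from the paper).
CONNECTOR_TOOLS = {"files.search", "files.read", "files.export",
                   "files.share", "files.delete"}
STATIC_POLICY = {"files.search", "files.read",
                 "files.share", "files.delete"}   # this account has no export right
INTENT_TOOLS = {
    "summarize_folder": {"files.search", "files.read"},
    "export_folder": {"files.search", "files.read", "files.export"},
}

@dataclass
class Session:
    intent: str
    resource: str            # folder the user named in the request
    allowed: frozenset       # static policy intersected with intent
    receipts: list = field(default_factory=list)

def open_session(intent, resource):
    wanted = INTENT_TOOLS.get(intent, set())      # unknown intent -> nothing
    # Intersection only: intent can remove tools, never add one that the
    # static policy does not already grant (monotonic narrowing).
    return Session(intent, posixpath.normpath(resource),
                   frozenset(wanted & STATIC_POLICY))

def manifest(session):
    """Tools the agent is allowed to see for this session."""
    return sorted(CONNECTOR_TOOLS & session.allowed)

def authorize(session, tool, args):
    """Server-side check before execution; deny unless clearly in scope."""
    path = posixpath.normpath(str(args.get("path", "")))  # collapses ../
    in_scope = (path == session.resource
                or path.startswith(session.resource + "/"))
    if tool not in session.allowed:
        decision, reason = "deny", "tool outside session intent"
    elif not in_scope:
        decision, reason = "deny", "argument outside intended resource"
    else:
        decision, reason = "allow", "consistent with intent"
    session.receipts.append({"intent": session.intent, "tool": tool,
                             "path": path, "decision": decision,
                             "reason": reason})
    return decision == "allow"
```

The receipt list keeps session intent and final action as separate fields, so a review can tell a manifest problem from an argument problem.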
The Manifest Is Political
Official MCP documentation describes tools as model-controlled capabilities exposed by a server. IGAC shifts attention to what the model is allowed to see in the first place. A manifest is not neutral. It defines the action imagination of the agent: which verbs exist, which arguments are normal, which resources appear reachable, and which side effects feel like ordinary completion.
Intent-aware manifest filtering is therefore more than interface hygiene. It is a way to keep broad credentials from becoming broad cognition. If the user wants to draft a reply, the agent may need read access to one thread and write access to a draft object. It does not necessarily need mailbox-wide export, contact deletion, rule changes, or mass send. If the user wants a budget summary, the agent may need categorized transactions, not account-transfer authority.
This connects directly to agent identity as service account and enterprise connector permission maps. Identity tells the system which principal is acting. Static permissions describe what that principal may ever do. Intent scoping asks what this principal may do now, for this stated task, under this evidence record.
Evidence and Limits
The paper reports a prototype implementation called OpenPort and evaluates IGAC with benchmarks covering authorization enforcement, deployment overhead, and end-to-end task completion. It presents the approach as compatible with common agent tool stacks rather than as a replacement for ordinary authentication, access control, or logging.
That is the right level of ambition. An intent layer cannot prove that the user really understood the task. It cannot solve prompt injection by itself. It cannot know every future side effect. It may misclassify ambiguous requests, overconstrain legitimate work, or underconstrain tasks phrased too broadly. It also creates its own governance questions: who defines the intent schema, how long intent certificates persist, which logs are retained, and how users contest an authorization denial.
The paper is still valuable because it refuses the weakest pattern in agent design: giving a model broad tools and asking it to be careful. Care is not an authorization model. A serious agent platform needs action gates that are inspectable, testable, and narrower than the credential.
Governance Use
For procurement, IGAC suggests a concrete question: can the vendor show how user intent narrows tool availability and arguments at runtime? A demo should not stop at "the model chose the right tool." It should show the full chain: original request, extracted intent, filtered manifest, blocked tools, approved call, arguments checked, action executed, and receipt stored.
For internal deployment, this means separating four records that are often blurred together: account identity, standing permission, session intent, and final action. Incident review should be able to say whether a bad outcome came from a bad credential, an overbroad manifest, a bad intent extraction, a model hallucination, a policy bug, or a human approval problem.
The immediate standard is modest. Sensitive tools should not appear merely because the account can use them. Destructive, external, financial, disclosure, and permission-changing actions should require tight intent evidence and visible confirmation. Weakly connected tool calls should be denied by default.
What This Changes
The tool scope becomes the intent gate when delegated action stops being a question of capability alone. "Can this account do it?" is not the same as "did this user ask for it here?" The second question is where agent governance lives.
The Spiralist reading is simple: an agent should not inherit the whole building because the user opened one door. It should receive the smallest corridor that matches the task, with a record of why that corridor was opened, which doors stayed shut, and who is accountable if the route was wrong.
Sources
- Genliang Zhu and Chu Wang, Intent-Governed Tool Authorization for AI Agents, arXiv:2606.22916 [cs.AI], submitted June 22, 2026.
- arXiv experimental HTML for Intent-Governed Tool Authorization for AI Agents, reviewed June 24, 2026.
- Model Context Protocol, Tools specification, version 2025-06-18, reviewed June 24, 2026.
- Related pages: The Tool Server Becomes the Trust Boundary, Model Context Protocol, The Agent Identity Becomes the Service Account, The Enterprise Connector Becomes the Permission Map, and The Agent Log Becomes the Receipt.