Access control for agents defines which users, agents, tools, data sources, and actions are allowed in a given context. It should apply before the agent sees data and before it takes action.
Access control should not depend only on prompt instructions. Use enforceable permissions in the tool layer, retrieval layer, policy layer, and execution environment. Then evaluate those permissions with adversarial and normal test cases.