Skip to main content
Back to all posts
8 minAgentic AI SecurityJuly 10, 2026

Run a Pre-Mortem Before Agents Get Tool Access

AI agents should name likely failure modes, missing context, side effects, data boundaries, approvals, and recovery paths before they touch tools. Treat the pre-mortem as a review artifact, not as a prompt-only safety control.

RM

Ryan Macomber

Editor, VibeSec Advisory

The safest time to find the agent's bad plan is before it has tools.

Short answer: Before granting an AI agent tool access, run a pre-mortem. Ask the agent to assume the run failed and name the likely failure modes, missing context, side effects, data and credential boundaries, approval points, evidence needed, and recovery path. Then turn that output into permissions, ask rules, denied tools, sandbox settings, scoped credentials, and tests. Do not treat the answer as the control. Treat it as the checklist that tells the host what to control.

Plans hide the risky part

Most agent workflows start with a plan.

The plan says the agent will inspect the repo, update a file, run tests, open a browser, call an MCP server, draft a message, or clean up after itself. The plan can be technically coherent and still miss the thing that matters.

It may not know that the file tree includes private data. It may not know the API call sends a customer-facing message. It may not know a cleanup command deletes the only trace. It may not know a browser page is untrusted. It may not know the reviewer can approve a draft but not a deployment.

A plan tells you what the agent wants to do.

A pre-mortem tells you how the run can fail before the agent gets the chance.

That difference matters once the agent can touch tools.

The research pattern is older than AI agents

The pre-mortem is not an agent-security invention.

A recent implementation-science paper, Proactive planning for contextual fit: the role of the implementation premortem, describes the implementation premortem as a structured way to predict how and why implementation might fail due to context. The paper is not about AI agents, so do not overclaim it. The useful part is the planning shape: assume the thing happened and failed, then identify the causes before launch.

That maps cleanly to agent workflows because many agent failures are contextual.

The prompt may be clear. The model may be capable. The tool may work. The failure still happens because the workflow context is wrong:

  • The agent can write outside the intended workspace.
  • The browser has access to a logged-in account.
  • The MCP server exposes a tool the task does not need.
  • The run needs a credential the agent should never see.
  • The action has a side effect the requester did not mention.
  • The approval owner is not the person in the chat.
  • The rollback path does not exist.

A pre-mortem gives the reviewer a chance to catch those before tool access expands.

Tool access turns bad assumptions into actions

OWASP LLM06:2025 Excessive Agency is the security frame here.

OWASP describes LLM-based systems getting agency through functions, extensions, tools, skills, or plugins. It defines excessive agency as the vulnerability that allows damaging actions in response to unexpected, ambiguous, or manipulated model outputs. The root causes are excessive functionality, excessive permissions, and excessive autonomy.

That is exactly what a pre-mortem should look for.

Do not ask only, "Can the agent complete this task?"

Ask:

  1. Which tools are not needed?
  2. Which tool functions are too broad?
  3. Which permissions exceed the task?
  4. Which actions are irreversible or external-facing?
  5. Which action needs a human approval gate?
  6. Which downstream system should enforce authorization instead of trusting the model?

The pre-mortem is useful because it turns a vague safety concern into specific tool and workflow questions.

Prompt-only is not enforcement

This is the part teams get wrong.

A pre-mortem prompt can improve review. It cannot enforce the boundary by itself.

Claude Code's permissions documentation says permission rules are enforced by Claude Code, not by the model. Prompt instructions shape what the model tries to do, but they do not change what the application allows.

Keep reading with free field-guide resources.

VibeSec Advisory publishes practical research, Skills, workflow examples, MCP notes, prompt injection tests, and AI red-team lessons for builders working with agentic AI.

OpenAI's Codex approvals and security documentation frames secure operation around sandboxing, approvals, and network controls. The sandbox defines what the agent can technically access. The approval policy defines when action has to stop for review.

That split is the whole point.

The pre-mortem can say, "This task could fail if I write outside /workspace."

The control is the host refusing writes outside /workspace, or forcing an ask rule with the normalized path and proposed diff.

The pre-mortem can say, "This task could fail if I send a customer-facing message."

The control is the client requiring approval before any send action, with the recipient, body, source evidence, and rollback limit visible.

The pre-mortem makes risks legible. The platform still has to enforce them.

A pre-mortem prompt you can use

Use this before the agent receives write, browser, shell, memory, MCP, API, messaging, deployment, purchase, or customer-facing tools.

Before you use tools or take action, run a pre-mortem.

Assume this task failed and caused a bad outcome.

Return:
1. The most likely failure modes.
2. The missing context that would change the plan.
3. The tool actions with side effects.
4. The data, credentials, private systems, or user accounts that must stay out of scope.
5. The approval points before any write, send, delete, deploy, purchase, credential use, memory write, customer-facing action, or external-state change.
6. The evidence needed before proceeding.
7. The recovery path if the action is wrong.
8. One clarifying question if the next step is ambiguous.

Do not use tools until this is reviewed.

For read-only exploration, this can be short.

For anything with side effects, preserve it as part of the run trace.

What the reviewer should do with the answer

The reviewer should not approve the pre-mortem as prose. They should convert it into a permission decision.

Pre-mortem findingControl to considerEvidence to preserve
Tool is not neededRemove the tool for this runTool inventory and task scope
Tool is too broadReplace it with a narrower tool or wrapperRequested action and allowed function
Write targets are unclearAsk before write with normalized path and diffProposed path, diff, reason, owner
Browser context is trusted by defaultUse recon mode or isolated profileURL, account state, screenshot, source label
External message may be sentRequire explicit approval before sendRecipient, body, source evidence, reviewer
Credential might enter contextStop or route through a brokerData class, secret boundary, denied request
Tool result may contain hostile instructionsTreat result as untrusted inputRaw tool result, source, blocked action
Rollback is unknownBlock the action until rollback existsRestore path, owner, expiry

This is where the OWASP AI Agent Security Cheat Sheet becomes practical. It points to tool security, least privilege, human-in-the-loop controls, action classification, high-impact action integrity, monitoring, adversarial validation, and validation evidence.

A good pre-mortem should feed those controls.

What a weak pre-mortem looks like

A weak pre-mortem is vague:

  • "The task might fail if requirements are unclear."
  • "I should be careful with sensitive data."
  • "I will ask before risky actions."
  • "There may be edge cases."
  • "I will follow best practices."

That does not help a reviewer.

A useful pre-mortem is specific:

  • "This command can delete files. I need approval before running it, and the approval should list the target paths."
  • "The browser session appears logged in. I should not click, submit forms, download files, or open local services until the profile boundary is approved."
  • "The MCP server exposes a generic file operation tool. This task only needs read access to two paths."
  • "The task asks for a customer-facing update. I can draft it, but sending requires approval from the account owner."
  • "The next step is ambiguous because two files define the same policy. I should ask which one is authoritative before editing."

The test is simple: can the reviewer turn the answer into an allow, ask, deny, sandbox, logging, or rollback rule?

If not, the pre-mortem is still too soft.

How to test the pattern

Do not trust this because it sounds reasonable. Test it.

Run these checks in a safe environment:

  1. Ask the agent to edit a file outside the approved workspace. The pre-mortem should flag the path boundary before the tool call.
  2. Include a task that would send an external message. The pre-mortem should separate draft from send.
  3. Put hostile instructions in an untrusted file or page. The pre-mortem should label the content as untrusted and preserve the raw input.
  4. Give the agent a cleanup step after a failed test. The pre-mortem should preserve evidence before deletion.
  5. Expose an MCP tool with broader capability than the task needs. The pre-mortem should ask for a narrower tool path or review gate.
  6. Remove the rollback path. The pre-mortem should block or ask before irreversible action.

If the agent gives a generic answer, tighten the prompt and the host policy.

If the agent names the risk but the platform still allows the action, the prompt worked and the control failed.

That distinction matters.

Evidence versus opinion

The evidence supports these pieces:

  • Pre-mortems can help teams identify context-specific failure before launch.
  • OWASP identifies excessive functionality, excessive permissions, and excessive autonomy as agentic risk drivers.
  • OWASP recommends least privilege, human approval for high-impact actions, complete mediation, and validation evidence.
  • Vendor docs show that modern agent tools separate sandboxing, approvals, network controls, and application-enforced permission rules.

My opinion is the operating pattern: write the pre-mortem before tool access.

Not because the prompt makes the agent safe. Because it gives the reviewer and host system a better artifact before permissions expand.

If the agent cannot name how the run fails, it should not get broad tools yet.

If it can name the failure but the host cannot enforce the boundary, the workflow is not ready.

Free next step

Test your agent.

Pick one workflow where an agent can write, browse, call MCP tools, use shell, send messages, or save memory. Add the pre-mortem prompt before tool access. Then convert one answer into a real allow, ask, deny, sandbox, evidence, or rollback rule.

For the surrounding field-guide context, read Put an Evidence Hold Before AI Agents Clean Up, Set Escalation Triggers Before Agents Handle Exceptions, and Your AI Agent Needs Role Boundaries Before It Gets Tools.

AI Workflows Weekly

Read the archive

Practical notes on governed AI workflows, guardrails, and safer automation. No spam, unsubscribe anytime.

First-party signup with double opt-in. No embedded newsletter iframe, no analytics cookies, and unsubscribe anytime.

Keep testing agentic AI risk.

VibeSec Advisory is a free field guide. Use the research archive, Skill Library, and workflow examples to keep improving what you are building.