ALARA for Agents: Least-Privilege Context Engineering Through Portable Composable Multi-Agent Teams

Source: cs.MA updates on arXiv.org · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Software Development & Engineering, Cybersecurity & Data Privacy · Depth: Expert, extended

Summary

A new declarative context-agent-tool (CAT) data layer and a command-line shell, npcsh, have been introduced to address fragmentation and security vulnerabilities in multi-agent systems. The system applies the ALARA (As Low As Reasonably Achievable) principle to agent context: a set of interrelated files scopes each agent's tool access and context to the minimum required for its role. Unlike prose instructions, these specifications are structurally parsed and enforced, which guarantees behavioral changes. The framework was evaluated across 22 locally-hosted models, ranging from 0.6B to 35B parameters, on 115 practical tasks including file operations, web search, and multi-agent delegation. The evaluation involved approximately 2,500 total executions, characterizing model performance across task categories and identifying breakdown points. The framework and benchmark are open source.

Key takeaway

For AI Architects and Research Scientists designing multi-agent systems, adopting a declarative, least-privilege framework like CAT is crucial. Your systems will gain enhanced security against prompt injection and improved reliability, especially for smaller models, by structurally enforcing tool access rather than relying on interpretive compliance. Consider leveraging the open-source npcsh framework to implement these principles and improve agent performance and maintainability.

Key insights

Declarative, least-privilege context engineering for multi-agent systems enhances reliability and security by structurally enforcing tool access.

Method

The CAT data layer uses context files, NPC files, and Jinxes (YAML tool definitions) to declaratively specify agent harnesses. Jinxes compose into DAGs, enabling complex workflows and deterministic scaffolding for tool execution.
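
An added sketch of the structural enforcement this summary describes (not code from the paper or from npcsh): each agent's tool scope is checked against the transitive closure of a composed tool before anything runs, and the composition is ordered as a DAG. The dictionary schema, agent names and tool names are hypothetical, constructed for illustration.

```python
from graphlib import TopologicalSorter

# Constructed sample data. The field names ("uses", "jinxes") are a hypothetical
# schema for this illustration, not npcsh's actual file format.
JINXES = {
    "read_file":  {"uses": []},
    "web_search": {"uses": []},
    "summarize":  {"uses": ["read_file"]},
    "research":   {"uses": ["web_search", "summarize"]},
    "shell":      {"uses": []},
}
AGENTS = {
    "librarian":  {"jinxes": ["read_file", "summarize"]},
    "researcher": {"jinxes": ["read_file", "web_search", "summarize", "research"]},
}

class ToolDenied(Exception):
    """Raised when a plan needs a tool outside the agent's declared scope."""

def closure(tool, jinxes):
    """Return the tool plus every tool it transitively composes."""
    seen, stack = set(), [tool]
    while stack:
        name = stack.pop()
        if name not in jinxes:
            raise KeyError(f"undefined jinx: {name}")
        if name not in seen:
            seen.add(name)
            stack.extend(jinxes[name]["uses"])
    return seen

def plan(agent, tool, agents=AGENTS, jinxes=JINXES):
    """Return a dependency-ordered execution plan, or raise ToolDenied.

    The check runs on the parsed specification before anything executes, so
    text in the model's context cannot widen the allowlist.
    """
    allowed = set(agents[agent]["jinxes"])
    needed = closure(tool, jinxes)
    denied = sorted(needed - allowed)
    if denied:
        raise ToolDenied(f"{agent} may not run {denied}")
    graph = {name: set(jinxes[name]["uses"]) for name in needed}
    # static_order() raises graphlib.CycleError if the composition is not a DAG
    return list(TopologicalSorter(graph).static_order())
```

A composed tool is denied if any tool it depends on is outside the agent's scope, so granting a high-level tool never silently grants its dependencies.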

Best for: AI Architect, AI Scientist, Research Scientist, AI Engineer, Machine Learning Engineer, AI Researcher

Editorial summary, takeaway, and curation by AIssential. Original article published by cs.MA updates on arXiv.org.