
© 2026 UXUI Principles. All rights reserved. Designed & built with ❤️ by UXUIprinciples.com


Agentic Privacy Boundaries


Agentic Privacy Boundaries are the controls that scope what an autonomous agent may access and do, per task, with the least privilege the task requires, and that make the resulting delegation visible and revocable. The problem is genuinely new. Earlier privacy design assumed a fairly static, product-side data relationship: you tell users what you collect, you get consent, the relationship holds still. An agent breaks all three assumptions. It acts on behalf of the user, across multiple tools and accounts, over time, often without the user watching each step.

That autonomy is what makes the boundary the design problem. An agent that can read your email, calendar, files, and payment methods, and act across all of them, is only as safe as the limits on what it may touch for the task at hand. The 2026 reality is that the old authorization model does not hold: static OAuth scopes are too coarse for "read this one record, for this user, for this task," and long-lived blanket grants create what the identity world now calls agentic sprawl.

This principle deliberately starts where consent and expectation-setting stop. Asking for consent and telling users what to expect are necessary, but they do not answer the agentic question: what is my agent allowed to do, with whose data, right now, and can I see and stop it?

The principle: scope agent access to the task with least privilege, make delegation visible and revocable, and prevent over-reach across the accounts the agent can touch.

The Research Foundation

The boundaries draw on a classic security principle, a theory of privacy as context, and a 2026 shift in how identity systems handle agents.

Saltzer and Schroeder (1975) gave computing the principle of least privilege in The Protection of Information in Computer Systems: every program and user should operate with the minimum set of privileges needed to complete the job. Half a century later it is the exact design default an agent needs. An agent should hold the narrowest scope for the current task, time-boxed, not a standing grant to everything it might ever need. Least privilege shrinks the blast radius when something goes wrong, and with autonomous agents acting unattended, something eventually will.

Nissenbaum (2010) supplies the privacy theory in Privacy in Context. Her concept of contextual integrity holds that information flows are appropriate only within the context in which they were shared. Data you gave a calendar app for scheduling is not automatically fair game for an agent to feed into a shopping decision. An over-reaching agent that pipes data from one context into another, simply because it can reach both, violates contextual integrity even if every individual access was technically authorized. The boundary is not just who can read what; it is whether this flow fits the context.

The 2026 layer makes the gap concrete. The identity field is openly arguing that the existing authorization model will not survive agentic AI: OAuth scopes are static for a token's lifetime and cannot express task-level or resource-level constraints, so agents need dynamic, conditional access like "read this record for this user for this task." The emerging answers are standards-based: on-behalf-of delegation and token exchange (RFC 8693) to represent an agent acting for a user, ephemeral and granular scopes replacing long-lived credentials, and real-time revocation. GDPR Article 5 supplies the legal expression of the same idea, purpose limitation and data minimisation: only touch what the task needs, only for the purpose it was given.

Why It Matters

For Users: When you hand a task to an agent, you are trusting it with reach across your accounts. Visible, revocable, task-scoped boundaries are what let you delegate without signing over everything you have.

For Designers: The delegation surface, what the agent can access, for what, and how to revoke it, is a real interface you design. Make it legible and revocable, or users will either over-trust or refuse the agent entirely.

For Security and Identity Engineers: Static scopes and long-lived tokens were built for apps, not autonomous agents. Implementing least-privilege, on-behalf-of, time-boxed access is what keeps agentic capability from becoming agentic sprawl.

For Product Managers: Purpose-limited, revocable agent access is both a trust feature and a compliance requirement under GDPR and HIPAA. It is what makes an agent that touches sensitive data shippable.

How It Works in Practice

Agentic privacy comes down to scoping the access, showing the delegation, and keeping it revocable.

Scope access to the task, not to everything. Grant the agent the narrowest access the current task needs, ideally time-boxed, instead of a standing grant. A travel-booking task needs calendar and payment for the booking, not perpetual access to all email.

Use on-behalf-of delegation, not shared blanket credentials. Represent the agent as acting for a specific user, for a specific purpose, with an auditable link back to who authorized it. Token exchange and on-behalf-of flows exist precisely for this.

Show the user what the agent can currently access. A visible delegation view, "your agent can currently access X, Y, Z for this task," turns invisible autonomous reach into something the user can see and reason about.

Make revocation real and immediate. The user must be able to pull access in real time, and it must actually take effect. Long-lived tokens that survive a revocation click are a boundary in name only.

Prevent cross-context over-reach. Stop data shared for one purpose from silently flowing into another just because the agent can reach both. This is contextual integrity as a design constraint, and it is the boundary that pure permission lists miss.

Gate irreversible side effects with a human. For actions like sending email, moving money, or modifying production data, pair the privacy boundary with a human-in-the-loop approval, the data-access boundary and the action boundary working together.
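
The six practices above, combined into one per-call authorization check. This is an added example, not code from the original page; the `Grant` and `DelegationBroker` names, the action names, and the caller-supplied `purpose` argument are assumptions made for illustration (in a deployed system the purpose would be bound to the delegated token by its issuer, not declared by the agent).

```python
from dataclasses import dataclass

# Assumed (hypothetical) names for irreversible side-effect actions.
IRREVERSIBLE = {"send_email", "move_money", "modify_production"}

@dataclass
class Grant:
    user: str          # who authorized the delegation
    agent: str         # who acts on the user's behalf
    purpose: str       # context the access was granted for
    scope: frozenset   # allowed (resource, action) pairs
    expires_at: float  # time box, in seconds
    revoked: bool = False

class DelegationBroker:
    def __init__(self):
        self.grants, self.audit = {}, []

    def revoke(self, gid):
        self.grants[gid].revoked = True  # read on every call, so immediate

    def visible_access(self, user, now):
        """Delegation view: only grants that are live right now."""
        return {gid: sorted(g.scope) for gid, g in self.grants.items()
                if g.user == user and not g.revoked and now < g.expires_at}

    def authorize(self, gid, resource, action, purpose, now, approved_by=None):
        g = self.grants.get(gid)
        if g is None:
            decision = "deny:unknown_grant"
        else:
            checks = (("revoked", g.revoked),
                      ("expired", now >= g.expires_at),
                      ("out_of_scope", (resource, action) not in g.scope),
                      ("cross_context", purpose != g.purpose),
                      ("needs_human_approval",
                       action in IRREVERSIBLE and approved_by != g.user))
            reason = next((name for name, failed in checks if failed), None)
            decision = f"deny:{reason}" if reason else "allow"
        # Audit row ties each decision to the authorizing user and the agent.
        self.audit.append((now, gid, g and g.user, g and g.agent, resource, action, decision))
        return decision

def demo():
    """Constructed travel-booking grant, time-boxed to t < 900."""
    b = DelegationBroker()
    b.grants["g1"] = Grant("alice", "travel-agent", "travel", frozenset(
        {("calendar", "read"), ("payment", "move_money")}), expires_at=900)
    return b
```

A calendar read that is in scope is still denied when requested for a "shopping" purpose. That cross-context case is the one a plain permission list would let through.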

Licensed under CC BY-NC-ND 4.0 • Personal use only. Redistribution prohibited.
