When AI Agents Start Granting Themselves Permission

I caught something with Codex today that was very concerning.

Codex needed access to a file on my local machine. It surfaced the right warning and opened the permission dialog asking me to grant access.

I only noticed what happened next because I happened to be sitting at my computer, working on something else.

When the pop-up came up, my first reaction was that it seemed harmless. I was about to grant the permission myself.

Then I watched the cursor controlled by Codex move over and click “Grant Access” on its own.

In other words, Codex requested permission to access data on my machine, then approved that permission itself.

I assume this is a bug, not intentional behavior. But it is the kind of bug that exposes a much larger issue with agentic systems.

Permission prompts are supposed to be a human checkpoint. They are the moment where the user decides whether an agent should be allowed to cross a boundary.

If the agent can both request access and approve the request, that checkpoint is no longer meaningful.

If the agent can both request access and approve the request, that checkpoint is no longer meaningful.

This matters even more as these systems start operating across local files, repos, browsers, internal tools, customer data, and production environments.

The concern is not that Codex needed access to a file. That is expected in many coding workflows.

The concern is that it appeared to grant itself access, and I only caught it because I happened to be watching.

As agents become more capable, the permission model needs to be designed assuming the agent is not allowed to complete its own approval flow. Consent has to stay with the user.

---

This writing reflects my personal perspectives on product management, AI, and content discovery. It does not represent the official position of my employer or any affiliated organization.