Review authority, not the word AI
An AI app is software running with the authority of its process and the permissions you grant. The meaningful questions are what it can read, write, execute, control and send over the network.
Browser-based assistants, desktop apps and command-line agents have different access. Do not assume one settings screen describes them all.
Check macOS Privacy & Security
Review Accessibility, Automation, Screen & System Audio Recording, Input Monitoring, Full Disk Access, microphone and camera. Remove grants you no longer need through System Settings.
macOS does not provide third-party apps with one supported universal API to enumerate every other app’s current grants. An audit can guide you, but System Settings remains authoritative.
Understand local tools and MCP servers
An MCP server can connect an AI client to files, developer tools, databases or online accounts. Local servers may launch commands with the client’s user privileges.
Review the exact command, arguments, package source, remote endpoint, writable roots, environment variables and whether approvals or sandboxing have been weakened.
- Avoid unreviewed shell download pipes.
- Be cautious with automatically installed, unpinned packages.
- Keep credentials out of shared project configuration.
- Prefer narrow folders and scopes over home-wide access.
- Do not start an unknown server merely to inspect it.
Use change history
After a baseline, review newly added hooks, remote endpoints, background helpers and agent configuration. A static scan cannot prove why a process acted or whether a prompt caused it.
Real-time blocking is a separate security-engineering problem. A useful first step is transparent configuration review and confirmation before high-impact actions.