Voice OS Permissions Model: What the AI Can Read and Do (2026)

Voice OS Permissions Model

A voice OS that has access to your calendar, inbox, files, and the ability to take action on your behalf is powerful and dangerous in equal measure. The permissions model is the system that controls what the AI can read and what it can do. It has three parts: OAuth scopes that define what data the AI can access, per-tool consent that controls which actions the AI can take, and confirmation flows that put the user in the loop for irreversible operations. Without a clear permissions model, voice AI becomes a security liability.

WHAT TO LOOK FOR

The three things that actually matter

OAuth scope minimization

Each external integration uses the smallest OAuth scope sufficient for the feature. Calendar read and calendar write are separate; Gmail read and Gmail send are separate. Users can grant calendar read without granting calendar write.

Per-tool consent

Tools like send_email, create_calendar_event, and pay_invoice each have their own consent state. Granting voice access to one does not implicitly grant access to all. Consent state is durable and revocable at any time from the user dashboard.

Confirmation for irreversible actions

Sending an email, creating a payment, or deleting a record requires explicit voice confirmation: 'Should I send that?' Reversible or low-risk actions like reading data or creating a draft do not require confirmation, which keeps the conversation flowing.

TLDR:Lucy OS1 uses Google OAuth with the minimum scopes required for each feature. Calendar access is read-only by default; calendar write is a separate scope the user explicitly grants. Email read is one scope; email send is another, and Lucy always confirms a draft out loud before sending. Memories can be edited or deleted by the user at any time. The permissions model is opt-in per capability, not all-or-nothing, so users can grant Lucy access to exactly what they want and no more.

Why Lucy OS1

OAuth scope minimization

Per-tool consent

Confirmation for irreversible actions

Memory access controls

Users see every memory in a dashboard and can edit or delete each one. Memories can be marked private, which excludes them from prompt injection. There is no opaque memory layer that the user cannot inspect.

Conversation deletion

Users can delete individual conversations or wipe their entire history. Deletion is irreversible and removes the conversation from active databases within a defined window. Backups follow the same retention policy.

Audit trail

Every tool call the AI made on behalf of the user is logged with timestamp, parameters, and result. The user can review this trail to see what Lucy did and when. This is essential for trust in any AI that takes actions.

QUICK COMPARISON

Lucy OS1 vs most AI tools

Capability	Lucy OS1	Most AI tools
Memory across sessions	✓ Permanent, never resets	✗ Resets after every session
Voice quality	✓ Lucy OS1 Natural Voice (best-in-class)	✗ Basic STT, struggles with noise
Calendar awareness	✓ Reads Google Calendar in real time	✗ No calendar access
Available 24/7	Always on, any device	Available but stateless each time
Gets personal over time	✓ Builds your context continuously	✗ Starts from zero every session

Try Lucy OS1, setup takes 30 seconds

Voice-first AI with memory and calendar integration. Free to try.

Start Talking

Free tier available. No credit card required.

GET STARTED

How to use Lucy OS1

Create your free account

No credit card required. Sign in with your Google account and you're inside in under a minute.

Connect your Google Calendar

Lucy reads your upcoming events before every conversation, so it already knows your day before you say a word.

Start talking about voice os permissions model

Speak naturally. Lucy listens, responds by voice, and begins building context from your very first exchange. The more you use it, the better it gets.

Start for free → Free tier available. No credit card.

Frequently Asked Questions

Can the AI send emails without asking me?

No, by default. Lucy OS1 always reads back the recipient, subject, and body before sending and waits for explicit voice confirmation. Power users can opt into auto-send for specific recipients, but the default is always confirm.

What happens if I revoke an OAuth scope?

The features that depend on that scope stop working immediately. Lucy detects the missing permission on the next attempted action and tells the user, then offers to walk them through re-granting if they want.

Can I see what the AI has done with my account?

Yes. The dashboard shows an audit trail of every tool call: when it happened, what parameters were used, what the result was. This includes calendar creates, email sends, web searches, and reminders.

Are memories shared across users?

Never. Per-user encryption and database-level isolation guarantee that memories created in one account are not visible to any other account. There is no cross-user memory pooling at any layer.

How do I delete everything if I stop using the service?

A single account deletion action wipes all conversations, memories, and tool grants. OAuth tokens are revoked at the source. The deletion is irreversible and completes within a defined retention window, after which no backup contains the data.

Does the AI have access to my full inbox or just recent messages?

By default, only the most recent 10 inbox subjects are injected per turn for context. Search across the full inbox happens only when the user explicitly asks for it, and the search results are scoped to the OAuth scope granted.