LLM06:2025
Excessive Agency
Excessive agency occurs when an AI system has more autonomy, permissions, tools, or action scope than the task requires.
Step 01: Input
Step 02: Model
Step 03: Tool / Data
Step 04: Impact
What it is
The agent can make too many decisions or execute too many actions without deterministic limits, approval gates, scoped credentials, or bounded workflow design.
Why it matters
Excessive agency is where prompt injection becomes operational: the model is not only wrong, it can send, delete, purchase, deploy, modify, or expose real assets.
Failure path
How it usually fails.
A useful review breaks this chain before the system reaches production data, tools, or customer-facing decisions.
1. Find an agent with broad tools, credentials, or workflow authority.
2. Use prompt injection, misleading context, or normal conversation to steer the agent.
3. Make the agent take an action the user, owner, or business process did not intend.
Defenses
Controls worth checking.
The strongest controls are enforced outside the model and can be retested after a prompt, model, or workflow change.
Reduce the action set
Give each workflow only the tools and scopes required for that job, with separate read, draft, write, send, delete, and deploy capabilities.
Add approval gates
Require human approval for destructive, external, financial, security-sensitive, or customer-visible actions.
Use deterministic policies
Enforce action rules outside the model so prompts cannot expand authority at runtime.
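The three controls above can be combined in one small policy layer that sits between the model and the tool runtime. The following is an added example written for this page, not code from OWASP or from any agent framework; the tool names, the two workflows, the capability split and the ticket identifiers are all constructed for illustration. It shows a per-workflow allow-list (reduced action set), a per-target approval gate for send/delete/deploy, and a decision function that never reads the model's text, so a prompt cannot widen the agent's authority at runtime.

```python
"""Deterministic action policy enforced outside the model (added example).

Assumptions (constructed for this example): tool names such as
"ticket.send_reply", the workflow definitions, and ticket ids like "T-1001".
"""
from dataclasses import dataclass, field
from enum import Enum


class Capability(Enum):
    READ = "read"
    DRAFT = "draft"
    WRITE = "write"
    SEND = "send"
    DELETE = "delete"
    DEPLOY = "deploy"


# Capabilities that change external state or are customer-visible.
# They never execute until a human has approved the exact target.
APPROVAL_REQUIRED = {Capability.SEND, Capability.DELETE, Capability.DEPLOY}

# Static tool catalogue (constructed): each tool carries exactly one capability,
# so "read" and "send" are never bundled into one tool.
TOOL_CAPABILITY = {
    "ticket.read": Capability.READ,
    "ticket.draft_reply": Capability.DRAFT,
    "ticket.send_reply": Capability.SEND,
    "ticket.delete": Capability.DELETE,
}


@dataclass(frozen=True)
class Workflow:
    name: str
    allowed_tools: frozenset  # the reduced action set for this job


@dataclass(frozen=True)
class ToolCall:
    tool: str
    target: str          # the concrete object acted on (ticket id, recipient, env)
    args: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    outcome: str  # "allow", "needs_approval" or "deny"
    reason: str


def evaluate(workflow: Workflow, call: ToolCall,
             approved_targets: frozenset = frozenset()) -> Decision:
    """Decide whether a model-proposed tool call may run.

    Only static data is consulted: the workflow allow-list, the tool's
    capability, and the set of targets a human has explicitly approved.
    The model's output is never an input to this decision.
    """
    cap = TOOL_CAPABILITY.get(call.tool)
    if cap is None:
        return Decision("deny", f"unknown tool {call.tool!r}")
    if call.tool not in workflow.allowed_tools:
        return Decision("deny", f"{call.tool!r} not granted to workflow {workflow.name!r}")
    if cap in APPROVAL_REQUIRED:
        if call.target in approved_targets:
            return Decision("allow", f"{cap.value} on {call.target!r} approved by a human")
        return Decision("needs_approval", f"{cap.value} on {call.target!r} requires human approval")
    return Decision("allow", f"{cap.value} permitted in workflow {workflow.name!r}")


# Constructed workflows: triage may only read and draft; responders may also send.
TRIAGE = Workflow("ticket-triage", frozenset({"ticket.read", "ticket.draft_reply"}))
RESPONDER = Workflow("ticket-responder",
                     frozenset({"ticket.read", "ticket.draft_reply", "ticket.send_reply"}))

if __name__ == "__main__":
    # A delete proposed inside the read-only triage workflow is denied by the allow-list,
    # regardless of what text steered the model into proposing it.
    print(evaluate(TRIAGE, ToolCall("ticket.delete", "T-1001")))
    # A send in the responder workflow is held until a human approves that exact target.
    print(evaluate(RESPONDER, ToolCall("ticket.send_reply", "T-1001")))
    print(evaluate(RESPONDER, ToolCall("ticket.send_reply", "T-1001"), frozenset({"T-1001"})))
    # Approval is bound to the target, so a changed recipient is held again.
    print(evaluate(RESPONDER, ToolCall("ticket.send_reply", "T-2002"), frozenset({"T-1001"})))
```

Because approval is recorded against the concrete target rather than against the tool, the human sees exactly what will be acted on, and a later call with a different target goes back through the gate. Retesting after a prompt or model change is then a matter of re-running these cases against the unchanged policy.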
Signals to review
- Agents holding broad OAuth scopes or long-lived service tokens.
- Write-capable tools available in read-only workflows.
- No separate approval path for send, delete, deploy, spend, or publish actions.
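These three signals can be checked mechanically against an inventory of agent configurations. The script below is an added example, not part of the page or of any vendor's tooling; the inventory format, the scope names, the 24-hour token-lifetime threshold and the two agents it inspects are constructed for illustration. It flags broad scopes and non-expiring tokens, write-capable tools inside read-only workflows, and state-changing tools that have no approval requirement.

```python
"""Audit agent configurations for the three excessive-agency signals (added example).

Assumptions (constructed): the inventory record layout, the scope names,
the verb-based notion of a "write" tool, and the lifetime threshold.
"""

# A tool whose final name segment starts with one of these verbs changes external state.
WRITE_VERBS = ("write", "send", "delete", "deploy", "spend", "publish")
# Constructed examples of scopes that are broader than any single workflow needs.
BROAD_SCOPES = {"*", "admin", "full_access", "repo", "mail.readwrite"}
MAX_TOKEN_LIFETIME_HOURS = 24


def is_write_tool(tool: str) -> bool:
    verb = tool.rsplit(".", 1)[-1]
    return any(verb.startswith(v) for v in WRITE_VERBS)


def audit(inventory):
    """Return (agent, signal, detail) tuples for every signal found."""
    findings = []
    for agent in inventory:
        name = agent["name"]
        tools = agent.get("tools", [])

        # Signal 1: broad OAuth scopes or long-lived / non-expiring service tokens.
        for scope in agent.get("scopes", []):
            if scope in BROAD_SCOPES or scope.endswith(":*"):
                findings.append((name, "broad_scope", scope))
        lifetime = agent.get("token_lifetime_hours")
        if lifetime is None or lifetime > MAX_TOKEN_LIFETIME_HOURS:
            findings.append((name, "long_lived_token", str(lifetime)))

        # Signal 2: write-capable tools exposed in a read-only workflow.
        if agent.get("mode") == "read_only":
            for tool in tools:
                if is_write_tool(tool):
                    findings.append((name, "write_tool_in_read_only", tool))

        # Signal 3: state-changing tools with no separate approval path.
        approval = set(agent.get("approval_required", []))
        for tool in tools:
            if is_write_tool(tool) and tool not in approval:
                findings.append((name, "no_approval_gate", tool))
    return findings


# Constructed inventory: one agent with every signal, one that is cleanly scoped.
INVENTORY = [
    {
        "name": "ticket-triage",
        "mode": "read_only",
        "scopes": ["tickets:read", "mail.readwrite"],
        "token_lifetime_hours": None,          # service token with no expiry
        "tools": ["ticket.read", "ticket.delete"],
        "approval_required": [],
    },
    {
        "name": "release-bot",
        "mode": "read_write",
        "scopes": ["repo:read", "deploy:staging"],
        "token_lifetime_hours": 1,
        "tools": ["build.status", "env.deploy"],
        "approval_required": ["env.deploy"],
    },
]

if __name__ == "__main__":
    for agent, signal, detail in audit(INVENTORY):
        print(f"{agent}: {signal} ({detail})")
```

Running it over the constructed inventory reports four findings, all against the triage agent: a broad mail scope, a non-expiring token, a delete tool in a read-only workflow, and no approval gate on that delete. The release bot, which holds narrow scopes, a short-lived token and an approval requirement on its only write tool, produces none.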
Questions for your team
- What can the agent do if every prompt-level control fails?
- Which tools can modify external state?
- Can a human see and approve the exact target before execution?
