TKOResearch
OWASP LLM Top 10 guide

LLM06:2025

Excessive Agency

Excessive agency occurs when an AI system has more autonomy, permissions, tools, or action scope than the task requires.

Diagram: Step 01 Input → Step 02 Model → Step 03 Tool / Data → Step 04 Impact

What it is

The agent can make too many decisions or execute too many actions without deterministic limits, approval gates, scoped credentials, or bounded workflow design.

Why it matters

Excessive agency is where prompt injection becomes operational: the model is not only wrong, it can send, delete, purchase, deploy, modify, or expose real assets.

Failure path

How it usually fails.

A useful review breaks this chain before the system reaches production data, tools, or customer-facing decisions.

Path 01

Find an agent with broad tools, credentials, or workflow authority.

Path 02

Use prompt injection, misleading context, or normal conversation to steer the agent.

Path 03

Make the agent take an action the user, owner, or business process did not intend.

Defenses

Controls worth checking.

The strongest controls are enforced outside the model and can be retested after a prompt, model, or workflow change.

Control 01

Reduce the action set

Give each workflow only the tools and scopes required for that job, with separate read, draft, write, send, delete, and deploy capabilities.

Control 02

Add approval gates

Require human approval for destructive, external, financial, security-sensitive, or customer-visible actions.

Control 03

Use deterministic policies

Enforce action rules outside the model so prompts cannot expand authority at runtime.
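The three controls above can be implemented together as a deterministic broker that sits between the model and the real tools. The following is an added example written for this page, not code from OWASP or from the page's author; the workflow names, tool names, capability tags and the approval object are assumptions made for illustration. It shows Control 01 (a per-workflow tool allowlist with separate read, draft, send and delete capabilities), Control 02 (send and delete calls are refused unless a human approved that exact tool and those exact arguments) and Control 03 (the rules live in code the prompt cannot reach, so an injected instruction can request a tool but cannot widen what is authorized).

```python
"""Deterministic tool broker enforced outside the model.

Added example for this page (not OWASP's or the author's code). Workflow
names, tool names and the approval mechanism are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Capability(Enum):
    READ = "read"
    DRAFT = "draft"
    WRITE = "write"
    SEND = "send"
    DELETE = "delete"
    DEPLOY = "deploy"


# Capabilities that always need a human approval gate (Control 02).
GATED = {Capability.SEND, Capability.DELETE, Capability.DEPLOY}

# Tool registry: every tool is tagged with exactly one capability, so
# "send" and "draft" are never bundled behind the same tool (Control 01).
TOOL_CAPABILITY = {
    "read_ticket": Capability.READ,
    "draft_reply": Capability.DRAFT,
    "send_email": Capability.SEND,
    "delete_ticket": Capability.DELETE,
}

# Per-workflow allowlists. These are static configuration, not prompt text,
# so nothing the model reads at runtime can extend them (Control 03).
WORKFLOW_TOOLS = {
    "summarize_ticket": {"read_ticket"},
    "reply_to_customer": {"read_ticket", "draft_reply", "send_email"},
}


@dataclass
class ToolCall:
    tool: str
    args: dict


@dataclass
class Approval:
    """Human approval bound to one exact call: the tool and its arguments."""
    tool: str
    args: dict


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(workflow: str, call: ToolCall,
              approval: Optional[Approval] = None) -> Decision:
    """Decide whether a model-proposed tool call may execute.

    Order of checks: known workflow, known tool, tool in the workflow's
    allowlist, then (for gated capabilities) a matching human approval.
    """
    allowed_tools = WORKFLOW_TOOLS.get(workflow)
    if allowed_tools is None:
        return Decision(False, f"unknown workflow {workflow!r}")
    if call.tool not in TOOL_CAPABILITY:
        return Decision(False, f"unknown tool {call.tool!r}")
    if call.tool not in allowed_tools:
        return Decision(False, f"tool {call.tool!r} not in allowlist for {workflow!r}")
    cap = TOOL_CAPABILITY[call.tool]
    if cap in GATED:
        if approval is None:
            return Decision(False, f"{cap.value} action requires human approval")
        # The approval must cover the exact target the human saw; a call whose
        # arguments changed after approval (for example a swapped recipient)
        # is refused rather than silently executed.
        if approval.tool != call.tool or approval.args != call.args:
            return Decision(False, "approval does not match the call being executed")
    return Decision(True, "ok")


if __name__ == "__main__":
    # Constructed scenario: an injected ticket tells the read-only summarizer
    # to email the ticket contents out. The allowlist stops it regardless of
    # how convincing the prompt was.
    injected = ToolCall("send_email", {"to": "outside@example.net", "body": "..."})
    print(authorize("summarize_ticket", injected))

    # Constructed scenario: the reply workflow may send, but only after a human
    # approved this exact recipient and body.
    reply = ToolCall("send_email", {"to": "customer@example.com", "body": "Hi"})
    print(authorize("reply_to_customer", reply))
    print(authorize("reply_to_customer", reply, Approval("send_email", reply.args)))
```

The point worth noticing is that the approval object carries the arguments, not just the tool name. A gate that approves "send_email" in the abstract still lets a later argument change slip through; binding the approval to the exact target is what makes the "can a human see and approve the exact target before execution?" question answerable with yes.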

Signals to review

  • Agents holding broad OAuth scopes or long-lived service tokens.
  • Write-capable tools available in read-only workflows.
  • No separate approval path for send, delete, deploy, spend, or publish actions.
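The three signals above can be checked mechanically against an inventory of the deployment rather than by reading prompts. The following is an added example written for this page, not code from OWASP or from the page's author; the manifest layout, the field names, the scope strings and the 24-hour lifetime threshold are all assumptions, and the manifest itself is constructed for the demonstration. It flags broad or wildcard scopes, credentials with no expiry or a lifetime over the threshold, write-capable tools attached to read-only workflows, and send/delete/deploy/spend/publish tools that have no approval gate.

```python
"""Static audit of an agent deployment manifest for excessive-agency signals.

Added example for this page (not OWASP's or the author's code). The manifest
format, field names, scope strings and thresholds are assumptions.
"""
from datetime import timedelta
from typing import List, Tuple

# Capabilities that can modify external state.
WRITE_CAPS = {"write", "send", "delete", "deploy", "spend", "publish"}
# Capabilities that should never run without a separate approval path.
GATED_CAPS = {"send", "delete", "deploy", "spend", "publish"}
# Substrings that mark a scope as broad (assumed convention for this example).
BROAD_SCOPE_MARKERS = ("*", "admin", "full_access")
# Assumed maximum acceptable lifetime for an agent's token.
MAX_TOKEN_LIFETIME = timedelta(hours=24)

# Constructed manifest: two credentials and three workflows.
MANIFEST = {
    "credentials": {
        "support-bot-token": {"scopes": ["tickets.read"], "lifetime_hours": 1},
        "ops-bot-token": {"scopes": ["repo:*", "deploy.write"], "lifetime_hours": None},
    },
    "workflows": {
        "summarize_ticket": {
            "mode": "read_only",
            "credential": "support-bot-token",
            "tools": [{"name": "read_ticket", "capability": "read"}],
        },
        "triage_incident": {
            "mode": "read_only",
            "credential": "ops-bot-token",
            "tools": [
                {"name": "read_alerts", "capability": "read"},
                {"name": "redeploy_service", "capability": "deploy", "requires_approval": False},
            ],
        },
        "publish_changelog": {
            "mode": "read_write",
            "credential": "ops-bot-token",
            "tools": [
                {"name": "draft_notes", "capability": "draft"},
                {"name": "publish_page", "capability": "publish", "requires_approval": True},
            ],
        },
    },
}

Finding = Tuple[str, str, str]  # (kind, subject, detail)


def audit(manifest: dict) -> List[Finding]:
    """Return one finding per signal present in the manifest."""
    findings: List[Finding] = []

    # Signal 1: broad OAuth scopes or long-lived service tokens.
    for cred_name, cred in manifest["credentials"].items():
        for scope in cred["scopes"]:
            if any(marker in scope for marker in BROAD_SCOPE_MARKERS):
                findings.append(("broad_scope", cred_name, f"scope {scope!r} is broad"))
        lifetime = cred.get("lifetime_hours")
        if lifetime is None or timedelta(hours=lifetime) > MAX_TOKEN_LIFETIME:
            findings.append(("long_lived_token", cred_name,
                             "no expiry" if lifetime is None else f"{lifetime}h lifetime"))

    for wf_name, wf in manifest["workflows"].items():
        caps = {tool["capability"] for tool in wf["tools"]}

        # Signal 2: write-capable tools available in a read-only workflow.
        if wf["mode"] == "read_only" and caps & WRITE_CAPS:
            findings.append(("write_tool_in_read_only_workflow", wf_name,
                             f"write capabilities present: {sorted(caps & WRITE_CAPS)}"))

        # Signal 3: gated actions with no separate approval path.
        for tool in wf["tools"]:
            if tool["capability"] in GATED_CAPS and not tool.get("requires_approval", False):
                findings.append(("no_approval_gate", f"{wf_name}/{tool['name']}",
                                 f"{tool['capability']} action has no approval gate"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in audit(MANIFEST):
        print(f"{kind:36} {subject:36} {detail}")
```

Run against the constructed manifest, the audit reports four findings: the ops token's wildcard repo scope, its missing expiry, the deploy tool sitting in a read-only triage workflow, and that same deploy tool lacking an approval gate. The publish tool in the changelog workflow is not flagged because it is in a read-write workflow and has an approval path.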

Questions for your team

  • What can the agent do if every prompt-level control fails?
  • Which tools can modify external state?
  • Can a human see and approve the exact target before execution?