Excessive Agency / Tool Abuse
Excessive functionality, permissions, and autonomy — why least privilege is the #1 agent design principle.
The Core Idea
"Agency" = how much an agent can DO on its own.
Excessive agency = the agent has more power than it needs
for its job.
When an attacker compromises an agent (via prompt injection or
otherwise), the damage = scoped to whatever the agent could
already do.
Prompt injection represents the initial access vector; excessive agency determines the resulting blast radius.
For example, if an agent is granted write permissions to a production database, a successful prompt injection can cause immediate data loss. Conversely, restricting the agent to read-only metrics access neutralizes the impact of the same exploit.
This is why least privilege for agents is the primary mitigating design principle.
The Three Dimensions of Excessive Agency (OWASP Framework)
1. Excessive Functionality
The agent has access to tools/functions it doesn’t actually need.
Example:
You build a customer service agent.
It only needs to: read orders, send emails.
But you wired it to a generic execute_sql tool because
it was easier than building specific functions.
Now: any prompt injection can run any SQL.
This is the most common vulnerability, often arising when general-purpose tools are used instead of narrow, purpose-built functions.
2. Excessive Permissions
The agent’s tools have broader permissions than the agent needs.
Example:
Your agent uses a database tool.
The tool's database account has WRITE permission.
But the agent only ever needs to READ.
Now: any prompt injection can corrupt the database, even
though the agent's "official" job is read-only.
This focuses on identity and access management (IAM) scopes rather than functional code definitions.
3. Excessive Autonomy
The agent acts without human review on actions it shouldn’t take alone.
Examples:
- Auto-restart services ← Low risk
- Auto-rollback deploys ← Medium risk
- Auto-terminate prod nodes ← High risk
High-risk actions require human-in-the-loop validation, even from trusted agents.
The Damage Formula
DAMAGE = (probability of compromise)
×
(blast radius of agent's tools)
- Prompt injection raises the probability.
- Excessive agency raises the blast radius.
Defense layers attack both sides.
The Defense — Principle of Least Privilege
The classic security maxim, applied to agents:
| Question | Answer Should Be |
|---|---|
| What tools does this agent need? | The minimum set |
| What permissions do those tools need? | The minimum scope |
| What actions need human approval? | All high-blast-radius actions |
| Can the agent escalate its own permissions? | Never |
Enforcing these constraints at runtime acts as an application-level firewall monitoring agent behaviors.