Chapter 4

Excessive Agency / Tool Abuse

Excessive functionality, permissions, and autonomy — why least privilege is the #1 agent design principle.

The Core Idea

"Agency" = how much an agent can DO on its own.

Excessive agency = the agent has more power than it needs
                   for its job.

When an attacker compromises an agent (via prompt injection or
otherwise), the damage = scoped to whatever the agent could
already do.

Prompt injection represents the initial access vector; excessive agency determines the resulting blast radius.

For example, if an agent is granted write permissions to a production database, a successful prompt injection can cause immediate data loss. Conversely, restricting the agent to read-only metrics access neutralizes the impact of the same exploit.

This is why least privilege for agents is the primary mitigating design principle.


The Three Dimensions of Excessive Agency (OWASP Framework)

1. Excessive Functionality

The agent has access to tools/functions it doesn’t actually need.

Example:
You build a customer service agent.
It only needs to: read orders, send emails.
But you wired it to a generic execute_sql tool because
it was easier than building specific functions.

Now: any prompt injection can run any SQL.

This is the most common vulnerability, often arising when general-purpose tools are used instead of narrow, purpose-built functions.


2. Excessive Permissions

The agent’s tools have broader permissions than the agent needs.

Example:
Your agent uses a database tool.
The tool's database account has WRITE permission.
But the agent only ever needs to READ.

Now: any prompt injection can corrupt the database, even
though the agent's "official" job is read-only.

This focuses on identity and access management (IAM) scopes rather than functional code definitions.


3. Excessive Autonomy

The agent acts without human review on actions it shouldn’t take alone.

Examples:
- Auto-restart services        ← Low risk
- Auto-rollback deploys        ← Medium risk
- Auto-terminate prod nodes    ← High risk

High-risk actions require human-in-the-loop validation, even from trusted agents.

The Damage Formula

DAMAGE = (probability of compromise)
         ×
         (blast radius of agent's tools)
  • Prompt injection raises the probability.
  • Excessive agency raises the blast radius.

Defense layers attack both sides.


The Defense — Principle of Least Privilege

The classic security maxim, applied to agents:

QuestionAnswer Should Be
What tools does this agent need?The minimum set
What permissions do those tools need?The minimum scope
What actions need human approval?All high-blast-radius actions
Can the agent escalate its own permissions?Never

Enforcing these constraints at runtime acts as an application-level firewall monitoring agent behaviors.

Nerchuko Academy · Free DS Interview Prep