Key insight
Excessive agency is granting an agent more power than its job needs — more tools, broader access, greater freedom to act unsupervised. On a normal day the extra power just sits there. But the moment the agent is tricked, every bit of it becomes power the attacker controls. It shows up as three dials you can turn down: too many tools, too much access, and too much autonomy. The cure is least agency by default: start at zero and add only what the job proves it needs, so a tricked agent can still do little harm.
The earlier attack topics all end on the same note: you cannot stop every trick, so you must limit what a trick can reach. This page is that limit, made precise. It is the most controllable risk in the whole series, because it is entirely about choices you make in advance — and getting them right shrinks the damage of every other attack at once.
1 · Agency: the power to act
Everything that makes an agent more than a chatbot comes down to one word: agency — the power to actually do things. An agent can send email, query databases, call APIs, move files, spend money. That power is the entire point; it is also the entire danger. Excessive agency is the vulnerability of granting an agent more of that power than its real job requires. On a normal day, the extra power just sits there unused and harmless. But the moment the agent is tricked — by an injection, a jailbreak, a poisoned document — every bit of power you handed it becomes power the attacker now controls. Excess capability is stored-up blast radius.
2 · Three flavours of “too much”
Excessive agency shows up in three distinct flavours, and naming them helps because each has its own fix. Too much functionality: the agent is wired to tools it does not need — a support bot that can also delete accounts. Too much permission: the tools it does use run with far more access than the job requires — a read-only lookup connected through an account that can also write and delete. Too much autonomy: the agent is allowed to take big, irreversible actions entirely on its own, with no human confirmation. They are three separate dials — capability, access, and freedom — and the goal is to turn each down to exactly what the job needs, no higher.
3 · The blast-radius idea
Here is the idea that ties this topic to every attack before it. The other topics ask, “can the agent be tricked?” — and the honest answer is always, eventually, yes. This topic asks the follow-up that actually decides how bad the day is: “when it is tricked, how much can it reach?” That reach is the blast radius, and it equals the sum of every tool, every permission, and every unsupervised action you gave the agent. A tightly scoped agent that gets injected causes a small, recoverable mess. A wide-open agent that gets injected the exact same way can drain accounts or wipe data. Same attack, wildly different outcome — and the difference is entirely how much agency you granted in advance.
4 · Too many tools
Take the first flavour concretely. You build a customer-support agent whose only real job is to look up an order’s status. But the platform makes it easy to grant tools in bulk, so the agent ends up wired to a whole shelf of them: issue refunds, delete accounts, send email, change prices, maybe even deploy code. On a good day it only uses the lookup. But every one of those other tools is a loaded weapon within reach. The day an injected order-lookup request whispers “and also issue a full refund to this account,” the agent can — because you gave it the refund tool it never needed. The fix is almost embarrassingly simple: connect an agent only to the tools its task genuinely requires, and nothing more.
5 · Too much access
The second flavour is subtler because the tool itself can look reasonable. Say the agent has exactly one tool: read a customer record. Sounds safe. But under the hood, that tool connects to the database through an account that can read, write, and delete every table — because someone reused powerful admin credentials instead of creating a limited one. Now a tricked agent, using that single “read” tool, may be steered into writing or deleting far beyond what the tool’s name suggests, because the account behind it has the keys to everything. The tool was scoped; the permissions were not. The fix is least privilege at the account level: whatever identity the agent’s tools run as should reach only the exact data the job needs, in only the ways it needs.
6 · Too much freedom
The third flavour is too much autonomy: letting the agent take large, irreversible actions entirely on its own. Reading data or drafting a message is low-stakes — fine to do unsupervised. But wiring transfers, deleting production records, sending mass emails, or changing live configuration are actions you cannot take back. When an agent is free to do those alone, a single successful trick becomes an instant, unrecoverable event with no chance to catch it. The fix is not to strip the agent’s usefulness; it is to insert a pause at exactly the high-stakes moments — a human confirmation before the biggest, most irreversible steps. The agent still does the work; a person holds the final “yes” on the actions that would hurt most if they were wrong.
7 · Defense: least agency by default
The overarching defense is a mindset: least agency by default. Instead of starting an agent with broad powers and trimming back when something scares you, start it at zero and add only what the task provably needs. Give it only the specific tools required. Run those tools through accounts scoped to the minimum data and the minimum actions. Require a human confirmation for anything big or irreversible. And log every action the agent takes, so you can see what it did and catch trouble early. These are the same instincts from the injection topic — because they are two halves of one strategy: you cannot stop every trick, so you shrink what any trick can reach. An agent held to least agency can be fooled and still not do much harm.
8 · A simple test you can run this week
1. List every tool one agent can call — the full list, not what you think it uses.
2. Cross off any it does not truly need, and actually remove them.
3. Check what each remaining tool’s account can actually reach.
4. Put one human check in front of its most dangerous action.
The lesson: blast radius is the sum of the agent’s powers — grant only what the job needs, because the day it is tricked, every extra power becomes the attacker’s.
9 · Glossary — every term, spelled out
- Agency
- An agent’s power to take real actions in the world through its tools.
- Excessive agency
- Granting an agent more tools, access, or freedom than its job needs — stored-up blast radius.
- Blast radius
- How much harm a single successful trick can cause — the sum of every tool, permission, and unsupervised action.
- Least privilege
- Granting the minimum tools and access needed — applied to the account an agent’s tools run as, not just the tool name.
- Autonomy
- The agent acting without a human in the moment; safe for small steps, risky for big irreversible ones.
- Least agency by default
- Starting an agent at zero power and adding only what the job proves it needs, rather than trimming from broad.
Excessive agency is giving an agent more tools, access, and freedom than its job needs.
It comes in three dials: too many tools, too much access (scope the account, not just the tool), and too much autonomy.
Blast radius — the damage of one successful trick — equals the sum of the agent’s powers.
The cure is least agency by default: start at zero, add only what the job proves it needs, and keep a human on the irreversible steps.
References
- OWASP, Top 10 for Large Language Model Applications — LLM08: Excessive Agency. owasp.org
- NIST, Artificial Intelligence Risk Management Framework (AI RMF 1.0). nist.gov
- This guide’s Prompt Injection, Explained From Zero — the trick whose damage least agency contains.
- This guide’s Human-in-the-Loop Oversight, Explained From Zero — the pause on the biggest actions.