Vol. 1 · Ed. 2026
CyberGlossary
Entry № 440

Excessive Agency

What is Excessive Agency?

Excessive Agency (OWASP LLM06) — granting an LLM-driven system more functionality, permissions, or autonomy than it actually needs, so that a successful prompt injection or model error translates into outsized real-world impact.

Excessive Agency is item LLM06 in the OWASP Top 10 for Large Language Model Applications. It describes the class of harms that occur when an LLM-based system is given more tools, broader permissions, or higher autonomy than its use case requires — for example, a customer-support agent with write access to the production billing API, or a code assistant that can both read repositories and push to main without review. The vulnerability is not the model itself but the surrounding system: when the agent is later subverted (via prompt injection, hallucination, or simply a bad day), the blast radius is shaped entirely by what powers it was granted. Mitigations follow least-privilege design: scope each tool to the minimum data and action it needs, require human approval for irreversible operations, prefer read-only or staging tools wherever possible, separate planning and acting models, and instrument tool calls so anomalous sequences surface in detection.

Examples

  1. An LLM-powered ticket triage tool is granted full admin to the CRM and ends up bulk-modifying customer records after a prompt injection in a support email.

  2. A coding agent is restricted to opening pull requests rather than pushing directly to main, so a bad suggestion remains reviewable rather than shipping to production.

Frequently asked questions

What is Excessive Agency?

OWASP LLM06 — granting an LLM-driven system more functionality, permissions, or autonomy than it actually needs, so that a successful prompt injection or model error translates into outsized real-world impact. It belongs to the AI & ML Security category of cybersecurity.

What does Excessive Agency mean?

OWASP LLM06 — granting an LLM-driven system more functionality, permissions, or autonomy than it actually needs, so that a successful prompt injection or model error translates into outsized real-world impact.

How does Excessive Agency work?

Excessive Agency is item LLM06 in the OWASP Top 10 for Large Language Model Applications. It describes the class of harms that occur when an LLM-based system is given more tools, broader permissions, or higher autonomy than its use case requires — for example, a customer-support agent with write access to the production billing API, or a code assistant that can both read repositories and push to main without review. The vulnerability is not the model itself but the surrounding system: when the agent is later subverted (via prompt injection, hallucination, or simply a bad day), the blast radius is shaped entirely by what powers it was granted. Mitigations follow least-privilege design: scope each tool to the minimum data and action it needs, require human approval for irreversible operations, prefer read-only or staging tools wherever possible, separate planning and acting models, and instrument tool calls so anomalous sequences surface in detection.
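The least-privilege and instrumentation mitigations listed in the definition above and repeated in this answer, as an added Python example that is not part of the original glossary entry: a tool-call gate that grants each agent role only the tools it needs, requires human approval before irreversible actions, records every attempt, and flags anomalous sessions. Tool and role names are constructed placeholders, not a real CRM API.

```python
from dataclasses import dataclass, field
# Constructed tool catalogue (hypothetical names, not a real CRM API): scope and irreversibility.
TOOLS = {
    "crm.lookup_customer": {"scope": "read", "irreversible": False},
    "crm.update_record": {"scope": "write", "irreversible": False},
    "crm.bulk_update": {"scope": "write", "irreversible": True},
}
# Least privilege: the triage agent is granted only the read-only lookup tool.
GRANTS = {
    "ticket_triage": {"crm.lookup_customer"},
    "account_manager": {"crm.lookup_customer", "crm.update_record", "crm.bulk_update"},
}

@dataclass
class ToolGate:
    """Mediates every tool call an agent attempts: enforce policy, record the outcome."""
    role: str
    audit: list = field(default_factory=list)   # (tool, decision) per attempted call

    def authorize(self, tool_name: str, human_approved: bool = False) -> bool:
        tool = TOOLS.get(tool_name)
        if tool is None or tool_name not in GRANTS.get(self.role, set()):
            decision = "denied:not_granted"        # tool was never granted to this role
        elif tool["irreversible"] and not human_approved:
            decision = "denied:needs_approval"     # irreversible action needs a human
        else:
            decision = "allowed"
        self.audit.append((tool_name, decision))
        return decision == "allowed"

def anomalous(audit: list, max_denials: int = 2, max_writes: int = 3) -> list:
    """Detection view over one session's audit trail: repeated denials or write bursts."""
    denials = sum(1 for _, d in audit if d.startswith("denied"))
    writes = sum(1 for t, d in audit if d == "allowed" and TOOLS[t]["scope"] == "write")
    flags = []
    if denials > max_denials:
        flags.append(f"{denials} denied tool calls (agent pushing beyond its grants)")
    if writes > max_writes:
        flags.append(f"{writes} write calls in one session (bulk-modification pattern)")
    return flags

def simulate_injected_triage_session() -> tuple:
    # Constructed scenario: a triage agent steered by an injected email tries to edit records.
    gate = ToolGate("ticket_triage")
    gate.authorize("crm.lookup_customer")
    for _ in range(3):
        gate.authorize("crm.update_record")
        gate.authorize("crm.bulk_update")
    return gate.audit, anomalous(gate.audit)
```

Because the triage role was never granted write tools, the injected instructions produce only denied, logged attempts, and the run of denials is what surfaces in detection.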

How do you defend against Excessive Agency?

Defences for Excessive Agency combine technical controls (least-privilege tool scoping, human approval for irreversible operations, read-only or staging tools, separated planning and acting models, instrumented tool calls) with operational practices, as detailed in the full definition above.

What are other names for Excessive Agency?

Common alternative names include: LLM06, Over-privileged AI agent.
