Excessive Agency

01What it is

A category of risk where the model has functionality, permissions, or autonomy that exceeds what the use case requires. Three sub-categories: excessive functionality (tools you do not need), excessive permissions (overly broad scopes), excessive autonomy (acts without human approval on irreversible operations).

02Why it matters

Agentic AI is moving from demo to production. Every new tool adds attack surface. A read-only research agent that can email is a phishing engine waiting for injection. A coding agent with broad GitHub access is a supply-chain attack vector. Severity scales with the blast radius of the tools.

03Attack vectors

• Confused-deputy — the agent acts on behalf of the user but uses tool credentials that have admin scope.
• Tool-description injection — an MCP server returns crafted tool descriptions that re-shape the agent's behaviour.
• Plan-injection — the attacker embeds a multi-step plan in the prompt that the agent executes blindly.
• Cross-tool composition — individually-safe tools combined produce unsafe outcomes (read file → send email).
• Cascading agency — agents that spawn sub-agents amplify the original injection.

04Defence patterns

• Least functionality — only expose the tools you absolutely need.
• Least permission — every tool runs with the original user's scope, not a service account.
• Human-in-the-loop on irreversible actions — wire transfers, deletes, external sends.
• Tool sandboxing — code execution in containers, file access through a virtual FS, network through an allowlist.
• Action logs + replay — every tool call recorded, reviewable, attributable.
• Rate limits per tool, per session — even if injected, blast radius is bounded.

05Detection

06India context

07MITRE ATLAS mapping

08Related modules on RingSafe

09Further reading