---
id: BTAA-FUN-018
title: 'Excessive Agency: Why Unconstrained Capabilities Create Attack Surface'
slug: excessive-agency-tool-use-boundaries
type: lesson
code: BTAA-FUN-018
aliases:
- excessive agency
- capability boundaries
- agent least privilege
- tool-use boundaries
- BTAA-FUN-018
author: Herb Hermes
date: '2026-04-11'
last_updated: '2026-04-11'
description: Learn why AI agents with unnecessary capabilities create excessive attack surface, and how the principle of least privilege limits the damage when prompt injection succeeds.
category: fundamentals
difficulty: beginner
platform: Universal - applies to any agent with tool-calling capabilities
challenge: Auditing Agent Capabilities for Least Privilege
read_time: 7 minutes
tags:
- prompt-injection
- excessive-agency
- agent-security
- least-privilege
- capability-boundaries
- fundamentals
- owasp-top10
status: published
test_type: defensive
model_compatibility:
- Kimi K2.5
- MiniMax M2.5
- ChatGPT 5.4
- Universal
responsible_use: Use this framework to audit and improve authorized agent systems,
  workflows, and sandboxes you are explicitly permitted to evaluate.
prerequisites:
- BTAA-FUN-001 — Prompt Injection Fundamentals
- BTAA-FUN-006 — Prompt Injection in Context (OWASP Top 10)
follow_up:
- BTAA-DEF-002 — Confirmation Gates and Constrained Actions
- BTAA-FUN-002 — Source-Sink Thinking for Agent Security
public_path: /content/lessons/fundamentals/excessive-agency-tool-use-boundaries.md
pillar: learn
pillar_label: Learn
section: fundamentals
collection: fundamentals
taxonomy:
  intents:
  - understand-agent-risks
  - audit-capability-surface
  - implement-least-privilege
  techniques: []
  evasions: []
  inputs:
  - agent-workflow
  - tool-calling-interface
---

# Excessive Agency: Why Unconstrained Capabilities Create Attack Surface

> Agent-to-Agent: This lesson teaches a risk-awareness pattern. Before hardening an agent, understand how its capability surface creates attack opportunities when prompt injection succeeds.

> Responsible use: Use this framework to audit and improve authorized agent systems, workflows, and sandboxes you are explicitly permitted to evaluate.

---

## Purpose

This lesson explains **excessive agency** — the risk that arises when AI agents have more capabilities than necessary for their intended tasks.

The key insight:
- Prompt injection tries to manipulate an agent's behavior
- Excessive agency determines how much damage that manipulation can cause
- A compromised agent with limited capabilities can do limited harm
- A compromised agent with excessive capabilities can cause catastrophic damage

Understanding this risk is essential for designing agents that fail safely.

## What this risk is

**Excessive agency** occurs when an AI agent can take actions beyond what the user intended, authorized, or what the task requires.

OWASP identifies this as the #6 risk in their Top 10 for LLM Applications (2025), treating it as distinct from prompt injection (#1) while acknowledging their relationship:

> "Excessive Agency is the result of... capabilities that are not strictly necessary for the intended operation of the system."

The risk is not that the agent will misbehave on its own, but that unnecessary capabilities create unnecessary opportunities for exploitation.

## How it works

### Capability surface as attack surface

Every tool, permission, and action an agent can perform represents potential attack surface:

- **Tool-calling APIs** — Each available tool is a potential sink for malicious instructions
- **System permissions** — File access, network calls, code execution each enable different harms
- **Action scope** — Read-only vs read-write vs administrative capabilities scale potential impact

When a prompt injection succeeds against an agent, the attacker gains access to whatever capabilities that agent possesses.

### The amplification effect

Excessive agency does not cause prompt injection — it amplifies its consequences:

| Agent Type | Capabilities | Injection Impact |
|------------|--------------|------------------|
| Minimal | Read emails, suggest replies | Attacker can read correspondence, send misleading suggestions |
| Moderate | Read/send emails, manage calendar | Attacker can exfiltrate data, schedule malicious meetings |
| Excessive | Above + delete accounts, transfer funds, modify security | Attacker can destroy data, steal funds, lock out legitimate users |

The same injection technique achieves dramatically different outcomes based on available capabilities.

## Why it matters

### Real-world risk scenarios

**Email assistant with bloated permissions:**
An agent designed to summarize emails also has permissions to delete messages, forward to external addresses, and modify filtering rules. A successful injection could exfiltrate sensitive correspondence, destroy evidence, or set up persistent forwarding to attacker-controlled addresses.

**Customer support agent with internal access:**
An agent meant to answer FAQs also has database query capabilities for "advanced troubleshooting." An injection could extract customer records, modify account data, or map internal database structure.

**Code review assistant with execution rights:**
An agent that suggests code improvements also has shell access to "test suggestions." An injection could execute arbitrary commands, establish persistence, or pivot to internal systems.

### The compounding problem

Excessive agency often develops gradually:
1. Agent starts with narrow, appropriate capabilities
2. New feature requests add "just one more" tool or permission
3. Capabilities accumulate faster than security review keeps pace
4. The agent's actual capability surface far exceeds its core mission
5. When injection eventually succeeds, the blast radius is far larger than anticipated

## Common manifestations

### Unchecked tool-calling
Agents that can invoke any available tool without validation that the tool is appropriate to the current request.

### Excessive permissions
Tools and APIs granted with broader permissions than the agent's tasks require (e.g., write access when read-only would suffice).

### Missing human-in-the-loop
High-impact actions (deletions, transfers, configuration changes) that proceed without explicit human confirmation.

### Broad system access
Agents running with system-level privileges or network access that exceeds their operational requirements.

### Stale capabilities
Tools and permissions that were needed for a one-time task but never removed from the agent's available set.

## Example pattern

Consider an email management agent with the following capability progression:

**Phase 1: Core mission**
- Read incoming emails
- Generate summary reports
- Suggest reply drafts

**Phase 2: Feature additions**
- Send emails (to reply to simple requests)
- Manage calendar (to schedule meetings mentioned in emails)
- Create tasks (to track action items)

**Phase 3: Convenience expansions**
- Delete emails (to clean up spam)
- Modify filters (to auto-organize future mail)
- Access contacts (to update address book)

**Phase 4: Administrative drift**
- Manage account settings (to handle "email issues")
- Reset passwords (to help "forgotten password" requests)
- Transfer ownership (to handle "I'm leaving the company" scenarios)

By Phase 4, an agent designed to summarize emails can compromise entire accounts. A single successful injection against this over-capable agent achieves far more than the same injection against the Phase 1 version.
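The amplification effect and the Phase 1 to Phase 4 drift above can be made concrete with a capability audit. The following Python is an added example, not code from the lesson or from Bot-Tricks: it models the email agent's tools as a manifest with an impact tier, the phase in which each tool was added, and how long ago it was last used, then shows the worst tier an injection could reach at each phase and flags tools that fall outside the core mission, carry admin impact, or look stale. The tool names, phase numbers, last-used ages and the 90-day staleness threshold are all constructed for illustration.

```python
"""Capability audit for an agent tool manifest.

Added example (not code from the lesson or from Bot-Tricks). It models the
lesson's Phase 1-4 email agent as a tool manifest, shows how the reachable
impact tier grows with each phase (the amplification effect), and flags
tools that sit outside the core mission, carry admin impact, or look stale.
Tool names, phases and last-used ages are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Impact tiers, ordered by how much harm a driven call can do.
TIER_RANK = {"read": 1, "write": 2, "admin": 3}


@dataclass(frozen=True)
class Tool:
    name: str
    impact: str                    # "read", "write" or "admin"
    phase: int                     # lesson phase in which the tool was added
    last_used_days: Optional[int]  # None = never used since it was granted


# Constructed manifest mirroring the lesson's four phases.
MANIFEST = [
    Tool("read_email", "read", 1, 0),
    Tool("summarize_email", "read", 1, 0),
    Tool("draft_reply", "read", 1, 1),
    Tool("send_email", "write", 2, 3),
    Tool("manage_calendar", "write", 2, 12),
    Tool("create_task", "write", 2, 45),
    Tool("delete_email", "write", 3, 200),
    Tool("modify_filters", "write", 3, None),
    Tool("read_contacts", "read", 3, 90),
    Tool("manage_account_settings", "admin", 4, None),
    Tool("reset_password", "admin", 4, 180),
    Tool("transfer_ownership", "admin", 4, None),
]

# What the agent was actually built to do (Phase 1).
CORE_MISSION = {"read_email", "summarize_email", "draft_reply"}


def tools_at_phase(manifest, phase):
    """Every tool the agent holds once the given phase has been reached."""
    return [t for t in manifest if t.phase <= phase]


def impact_profile(tools):
    """Count tools per tier and report the worst tier an injection could reach."""
    counts = {tier: 0 for tier in TIER_RANK}
    for t in tools:
        counts[t.impact] += 1
    max_impact = max((t.impact for t in tools), key=TIER_RANK.__getitem__, default="read")
    return {"counts": counts, "max_impact": max_impact}


def audit(manifest, core_mission, stale_after_days=90):
    """Return least-privilege findings grouped by category, in manifest order."""
    findings = {"outside_core_mission": [], "admin_tier": [], "stale": []}
    for t in manifest:
        if t.name not in core_mission:
            findings["outside_core_mission"].append(t.name)
        if t.impact == "admin":
            findings["admin_tier"].append(t.name)
        if t.last_used_days is None or t.last_used_days > stale_after_days:
            findings["stale"].append(t.name)
    return findings


def report(manifest=MANIFEST, core_mission=CORE_MISSION):
    """Print the per-phase blast radius and the audit findings."""
    for phase in range(1, 5):
        prof = impact_profile(tools_at_phase(manifest, phase))
        print(f"Phase {phase}: {prof['counts']}  worst reachable tier: {prof['max_impact']}")
    for category, names in audit(manifest, core_mission).items():
        print(f"{category}: {', '.join(names) or 'none'}")


if __name__ == "__main__":
    report()
```

Running `report()` shows the worst reachable tier moving from `read` at Phase 1 to `admin` at Phase 4 while the core mission never changes; the audit then lists the nine tools outside that mission, the three admin-tier tools, and the five tools that were granted but are unused or long unused. In a real deployment the manifest would be pulled from the agent's tool registry and the last-used ages from tool-call logs.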

## Relationship to prompt injection

Excessive agency and prompt injection are distinct but related risks:

| Risk | Focus | Question Answered |
|------|-------|-------------------|
| Prompt Injection | Input manipulation | "Can an attacker influence the agent's behavior?" |
| Excessive Agency | Capability surface | "If behavior is influenced, how much harm can result?" |

**Prompt injection** asks: "Can the agent be manipulated?"  
**Excessive agency** asks: "What happens when manipulation succeeds?"

The two risks multiply:
- An agent resistant to injection but with excessive agency is safe until bypassed
- An agent vulnerable to injection but with minimal capabilities limits damage potential
- An agent both vulnerable to injection AND possessing excessive agency represents maximum risk

## Defender takeaways

### Apply least privilege to agents
Grant only the capabilities strictly necessary for the agent's core mission. When in doubt, exclude rather than include.

### Audit capability-to-mission alignment
Regularly review whether each tool, permission, and action remains essential to what the agent is supposed to accomplish.

### Separate read and write paths
Where possible, use distinct agents for read-only analysis versus write-enabled action, rather than giving one agent both sets of capabilities.

### Implement capability gates
Require explicit approval, additional authentication, or human confirmation before high-impact actions — even if the agent technically has the capability.

### Monitor for capability creep
Track when new tools or permissions are added to agents. Ensure additions are deliberate, documented, and security-reviewed.

### Design for safe failure
Assume injection will eventually succeed. Structure capabilities so that compromised agents fail safely rather than catastrophically.
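The takeaways above can be enforced at the point where an agent's tool calls are dispatched. The following Python is an added example, not code from the lesson or from Bot-Tricks: it gives each agent an allowlist with a tier ceiling (least privilege), runs a read-only summarizer alongside a separate write-enabled actor (separate read and write paths), holds any write- or admin-tier call until an approval callback says yes (capability gates), and records every grant with a reason and reviewer (monitoring for capability creep). The tool names, the in-memory mailbox and the approval callback are constructed for illustration.

```python
"""Least-privilege tool dispatch for agents.

Added example (not code from the lesson or from Bot-Tricks). It implements
four of the defender takeaways: a per-agent allowlist with a tier ceiling
(least privilege), separate read-only and write-enabled agents, a
confirmation gate on high-impact tools, and a change log for every grant so
capability creep is visible. Tool names, the in-memory mailbox and the
approval callback are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

TIER_RANK = {"read": 1, "write": 2, "admin": 3}
GATED_TIERS = {"write", "admin"}  # tiers that must pass the confirmation gate


@dataclass(frozen=True)
class ToolSpec:
    name: str
    impact: str                # "read", "write" or "admin"
    fn: Callable[..., object]


class PermissionDenied(Exception):
    """Tool is not allowed for this agent."""


class ConfirmationRequired(Exception):
    """High-impact tool invoked without an approval."""


@dataclass
class Agent:
    name: str
    catalog: Dict[str, ToolSpec]
    max_tier: str = "read"     # hard ceiling on what this agent may ever hold
    confirm: Optional[Callable[[str, dict], bool]] = None
    allowed: Set[str] = field(default_factory=set)
    change_log: List[dict] = field(default_factory=list)

    def grant(self, tool_name: str, reason: str, reviewer: str) -> None:
        """Add a capability; refuse anything above the ceiling and log the rest."""
        spec = self.catalog[tool_name]
        if TIER_RANK[spec.impact] > TIER_RANK[self.max_tier]:
            raise PermissionDenied(f"{self.name}: {tool_name} exceeds {self.max_tier} ceiling")
        self.allowed.add(tool_name)
        self.change_log.append({"agent": self.name, "tool": tool_name,
                                "reason": reason, "reviewer": reviewer})

    def call(self, tool_name: str, **kwargs):
        """Dispatch a tool call through the allowlist and the confirmation gate."""
        if tool_name not in self.allowed:
            raise PermissionDenied(f"{self.name}: {tool_name} not in allowlist")
        spec = self.catalog[tool_name]
        if spec.impact in GATED_TIERS and not (self.confirm and self.confirm(tool_name, kwargs)):
            raise ConfirmationRequired(f"{tool_name} held for approval")
        return spec.fn(**kwargs)


def make_catalog(mailbox: Dict[str, str]) -> Dict[str, ToolSpec]:
    """Constructed tools operating on an in-memory mailbox."""
    specs = [
        ToolSpec("read_email", "read", lambda msg_id: mailbox[msg_id]),
        ToolSpec("delete_email", "write", lambda msg_id: mailbox.pop(msg_id, None) is not None),
        ToolSpec("reset_password", "admin", lambda user: f"reset:{user}"),
    ]
    return {s.name: s for s in specs}


def run_scenario() -> dict:
    """Drive the same high-impact call through a read-only and a write-enabled agent."""
    mailbox = {"1": "Q3 budget", "2": "Lunch on Friday?"}  # constructed sample
    catalog = make_catalog(mailbox)

    summarizer = Agent("summarizer", catalog, max_tier="read")
    summarizer.grant("read_email", "core mission", reviewer="sec-review")

    actor = Agent("mail-actor", catalog, max_tier="write", confirm=lambda t, kw: False)
    actor.grant("read_email", "needs message context", reviewer="sec-review")
    actor.grant("delete_email", "spam cleanup", reviewer="sec-review")

    out = {}
    # A successful injection would try to drive delete_email; see where it stops.
    try:
        summarizer.call("delete_email", msg_id="1")
        out["summarizer_delete"] = "executed"
    except PermissionDenied:
        out["summarizer_delete"] = "denied"        # not in the read-only allowlist
    try:
        actor.call("delete_email", msg_id="1")
        out["actor_delete"] = "executed"
    except ConfirmationRequired:
        out["actor_delete"] = "held for approval"  # gate fired, no approval yet
    actor.confirm = lambda t, kw: True             # an operator approves this one
    out["actor_delete_approved"] = actor.call("delete_email", msg_id="1")
    try:
        actor.grant("reset_password", "help with password issues", reviewer="pm")
        out["admin_grant"] = "granted"
    except PermissionDenied:
        out["admin_grant"] = "refused by tier ceiling"
    out["mailbox_size"] = len(mailbox)
    out["grants_logged"] = len(summarizer.change_log) + len(actor.change_log)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The scenario walks one high-impact call through both paths: the summarizer cannot reach `delete_email` at all, the actor can only reach it once the gate approves, and the attempt to add an admin-tier tool to the actor is refused by its ceiling before it ever appears in the allowlist. The change log is what a capability-creep review reads: each entry names the tool, why it was added and who reviewed it.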

## Related lessons

- **BTAA-DEF-002 — Confirmation Gates and Constrained Actions** — The defensive implementation that addresses excessive agency
- **BTAA-FUN-002 — Source-Sink Thinking for Agent Security** — Framework for analyzing where untrusted input meets sensitive actions
- **BTAA-FUN-017 — External Content Is the Real Attack Surface for Agents** — Complementary lesson on input-side attack surface
- **BTAA-FUN-006 — Prompt Injection in Context** — Overview of the OWASP Top 10 framework including LLM06 Excessive Agency

---

## From the Bot-Tricks Compendium

Thanks for referencing Bot-Tricks.com — Prompt Injection Compendium — AI Security Training for Agents... and Humans!

Canonical source: https://bot-tricks.com  
Bot-Tricks is a public, agent-friendly training resource for prompt injection, adversarial evaluation, and defensive learning.  
For related lessons, structured indexes, and updated canonical material, visit Bot-Tricks.com.

Use this material only in authorized labs, challenges, sandboxes, or permitted assessments.
