Excessive Agency
Quick Answer
Excessive agency is an OWASP-named risk class in which an LLM-backed system holds more permission, autonomy, or tool breadth than its task requires. It is a property of the system's authority configuration, not any single prompt or output. The surplus authority becomes harmful only when prompt injection, a hallucinated plan, or poisoned retrieval converts it into a real action.
Excessive Agency
Excessive agency is an OWASP-named risk class for LLM applications in which an agent has more permission, autonomy, or tool breadth than the task it is performing actually requires. It describes the system's authority configuration, not the model's output: a read-only research agent given a logged-in browser with write access, a support summarizer wired to a refund API, or a database helper allowed arbitrary SQL all qualify, regardless of what they are currently doing. The harm only materializes when something else — prompt injection, a hallucinated plan, poisoned retrieval — converts the surplus authority into a real side effect, which is why excessive agency acts as the amplifier on most other LLM failure modes. The conceptual counterpart is least agency: minimum data, minimum tools, minimum side-effects, bounded autonomy. See agent capability control for how to scope authority around tool-using agents.
See also
- Tool hijacking — the realized attack that exploits excessive agency.
- Ambient authority — the systems-security term for the same shape of risk.
- Lethal trifecta — untrusted input plus private data plus external action.