A developer opens a VS Code project in August 2025. GitHub Copilot is running in Agent Mode — a helpful coding assistant that can read files, suggest code, and run terminal commands. The developer clicks “Accept” on a Copilot suggestion. Everything looks normal.
Buried in a third-party library file is a comment containing hidden instructions for Copilot. The agent reads the file, follows the instructions, and silently modifies .vscode/settings.json to add "chat.tools.autoApprove": true. All future confirmation dialogs are now disabled. Copilot then downloads malware and connects to a remote command-and-control server — with no further prompts to the developer.
The developer approved nothing. The agent just did it.
Copilot had the ability to read files, write files, modify settings, and run shell commands — far more than code suggestion requires. When an attacker planted instructions in data the agent would process, it used every one of those capabilities. This is Excessive Agency: an AI system with more power than its task demands.
Excessive Agency is what happens when an AI agent can do more than it needs to — and something causes it to do all of it.