LLM06:2025Excessive Agency
Slide 4 of 27
Part 1 · What Is It?Slide 4
Slide 4 · Three Root Causes
Excessive Agency always comes from one — or more — of these three failures.
Each is independent. All three together are a disaster.
Root Cause 1 — Excessive Functionality

The agent is given tools it doesn’t need. A mail-reading agent that also has a send function. A document agent that also has delete. A code assistant that can also run shell commands. The extra tools sit idle — until an attacker finds them.

Root Cause 2 — Excessive Permissions

The agent’s credentials grant more access than required. An agent that only needs to read customer records is authenticated with an admin service account. An email summarizer is granted a full-access OAuth token instead of a read-only scope. When an attacker hijacks the agent, they inherit those credentials.

Root Cause 3 — Excessive Autonomy

The agent acts without asking. It can send emails, delete files, run commands, and approve transactions — all without a human checkpoint. When something goes wrong (a bad prompt, a hallucination, an injection), there is nothing to catch it before the action is taken.

The Right Mental Model

Every tool, permission, and autonomous capability an agent has is attack surface. Design for minimum viable authority, not maximum convenience.

← BackNext → Why this isn’t just a bug
📄 View sources for this lesson