Slide 5 of 27
Slide 5 · Not Just a Bug
Excessive Agency is an architectural failure, not a coding mistake.
You cannot patch your way out of an overpowered design.
The Common Mistake

Teams build an AI agent, give it broad access “for flexibility,” and plan to lock it down later. Later never comes. The agent ships with admin credentials, a plugin that can send emails, and no confirmation dialogs — because “it’s just internal.”

❌ Vulnerable Architecture
One plugin, many functions — reads, writes, and sends
Shared admin credentials — one service account for everything
No approval gates — agent acts immediately on any output
“We’ll restrict later” — never restricted
✅ Hardened Architecture
Purpose-built plugins — read plugin only for read tasks
Task-scoped credentials — read-only OAuth scope for read tasks
Approval for high-impact actions — send, delete, exec require confirmation
Minimum viable authority — baked in from day one
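The hardened column above can be enforced in code rather than by convention. The following is an added example, not part of the original deck: a tool dispatcher that issues task-scoped authority and gates high-impact actions behind approval. The tool names, scope strings and the shape of the agent's tool call are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable

# Tools the model may call, each mapped to the one capability it needs (assumed names).
TOOL_SCOPES = {
    "read_inbox": "mail.read",
    "search_docs": "docs.read",
    "send_email": "mail.send",
    "delete_file": "files.delete",
    "run_shell": "exec",
}
# Externally visible or irreversible effects: send, delete, exec need a human in the loop.
HIGH_IMPACT = {"mail.send", "files.delete", "exec"}


@dataclass
class TaskContext:
    """Authority issued for one task, not a shared admin service account."""
    granted_scopes: frozenset
    approver: Callable[[str, dict], bool] = lambda tool, args: False  # default: nobody approves
    audit: list = field(default_factory=list)


def dispatch(ctx: TaskContext, tool: str, args: dict) -> tuple:
    """Decide whether a model-requested tool call may run.
    Returns (decision, reason): 'allowed', 'denied' or 'needs_approval'."""
    scope = TOOL_SCOPES.get(tool)
    if scope is None:
        decision, reason = "denied", f"unknown tool {tool!r}"
    elif scope not in ctx.granted_scopes:
        decision, reason = "denied", f"task was not granted scope {scope!r}"
    elif scope in HIGH_IMPACT and not ctx.approver(tool, args):
        decision, reason = "needs_approval", f"{scope!r} is high-impact; no approval recorded"
    else:
        decision, reason = "allowed", f"scope {scope!r} granted"
    ctx.audit.append((tool, decision, reason))  # every decision, allowed or not, is logged
    return decision, reason


def read_only_task() -> TaskContext:
    """Summarisation task: receives only the read scopes it needs, nothing more."""
    return TaskContext(granted_scopes=frozenset({"mail.read", "docs.read"}))


if __name__ == "__main__":
    ctx = read_only_task()
    print(dispatch(ctx, "read_inbox", {}))  # allowed: within the task's scope
    # Constructed input: an injected instruction asks the agent to forward the inbox.
    print(dispatch(ctx, "send_email", {"to": "external@example.com", "body": "inbox dump"}))
    print(ctx.audit)  # the denied call is still visible to detection
```

With a shared admin credential the injected send would succeed silently; here it is denied because the task never held `mail.send`, and even a task that does hold it stops at `needs_approval` until a human confirms.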
How LLM06 Amplifies Every Other Risk

Prompt injection (LLM01) becomes data exfiltration. Improper output handling (LLM05) becomes code execution. Supply chain compromise (LLM03) becomes full network access. Excessive Agency is the multiplier that turns every other AI vulnerability into a real-world action.
