LLM06:2025Excessive Agency
Slide 18 of 27
Part 4 · PreventionSlide 18
PART 4
Prevention
Slides 18–25 · 7 mitigations from OWASP and real deployments
Slide 18 · Prevention Overview
Seven controls that limit what an agent can do — and what an attacker can steal.
No single control is enough. Defense-in-depth is the only durable answer.
🔧
M1 — Least-Privilege Functionality (Slide 19)
Only register the tools and functions the agent’s task genuinely requires.
🔑
M2 — Least-Privilege Permissions (Slide 20)
Authenticate with minimum OAuth scope and IAM roles — read-only when reading, never admin by default.
👤
M3 — Human-in-the-Loop (Slide 21)
Require explicit human approval before any send, delete, modify, or execute operation.
🏛️
M4 — External Authorization Enforcement (Slide 22)
Downstream systems enforce their own access controls — never delegate authorization to the LLM.
📋
M5 — Tool Allowlisting & Provenance (Slide 23)
Verify MCP server identity; restrict which tool descriptions the agent trusts.
📦
M6 — Sandboxed Execution (Slide 24)
Run agent actions in isolated environments with no network or filesystem access by default.
📊
M7 — Audit Logging & Anomaly Detection (Slide 25)
Log every tool call; alert on unusual sequences before the blast radius grows.
← BackNext → M1: Least-privilege functionality
📄 View sources for this lesson