Slide 22 of 27 · Part 4 · Prevention · Mitigation 4 of 7
Don’t let the LLM decide if an action is authorized. Make the downstream system decide.
📄 OWASP LLM Top 10:2025 · LLM06 Prevention — External Authorization
M4 — External Authorization Enforcement
All Downstream Systems Independently Enforce Access Controls — Never Delegate to the LLM

“Authorization must be enforced in external systems, not delegated to the LLM itself. Do not rely on the LLM to decide whether an action is authorized.” An LLM can be manipulated into believing an action is authorized. A downstream system enforcing policy independently cannot be argued with.

Confused-deputy attacks exploit exactly this gap: the agent decides an action is authorized based on the user’s request, uses its own admin credentials to perform it, and the downstream system never checks whether the requesting user was actually permitted. The LLM acted as judge and executor — both roles compromised by the attacker’s prompt.

→ Every API the agent calls must verify the identity and permissions of the requesting user, not the agent’s service account
→ Use OAuth on behalf of the user — actions inherit the user’s actual permissions
→ Downstream services reject requests that exceed the authorizing user’s entitlements, regardless of what the agent claims
→ “The agent said it was OK” is never a valid authorization proof

Using a low-privilege user account, instruct the agent to perform an action that account cannot perform directly. If the agent succeeds using its own elevated credentials, external authorization is not enforced. The downstream system must reject the operation regardless of who the agent is.
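The check described above, as an added Python example (not code from the OWASP document): a constructed entitlement store, a service that delegates the decision to the agent's claim and service account, a service that enforces the acting user's entitlements itself, and the low-privilege-user probe run against both. Names, users and permissions are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed entitlement store (example data, not from any real system).
USER_ENTITLEMENTS = {
    "alice": {"records:read", "records:delete"},   # privileged user
    "bob":   {"records:read"},                     # low-privilege user
}

@dataclass
class ToolRequest:
    action: str                              # e.g. "records:delete"
    acting_user: str                         # the human the agent acts for
    agent_claims_authorized: bool = False    # the LLM's own judgement (untrusted)
    credential: str = "agent-service-account"

def delegated_to_llm(req: ToolRequest) -> str:
    """Anti-pattern: the service trusts the agent's judgement plus its
    blanket-privileged service account, never looking at the acting user."""
    if req.credential == "agent-service-account" and req.agent_claims_authorized:
        return "allowed"
    return "denied"

def externally_enforced(req: ToolRequest) -> str:
    """M4: the service checks the entitlements of the user on whose behalf the
    action runs; the agent's claim and credential carry no weight."""
    entitled = USER_ENTITLEMENTS.get(req.acting_user, set())
    return "allowed" if req.action in entitled else "denied"

def run_m4_check(service, low_priv_user: str = "bob") -> bool:
    """The slide's verification: a low-privilege user asks the agent for an
    action that user may not perform, and the agent asserts it is fine.
    Returns True only if the service rejects it, i.e. authorization is
    enforced externally rather than delegated to the LLM."""
    req = ToolRequest(action="records:delete", acting_user=low_priv_user,
                      agent_claims_authorized=True)
    return service(req) == "denied"

if __name__ == "__main__":
    print("delegated service passes M4 check:", run_m4_check(delegated_to_llm))
    print("external service passes M4 check:", run_m4_check(externally_enforced))
```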
