✓What Excessive Agency is — in plain English and in OWASP’s definition
✓The three root causes: excessive functionality, permissions, and autonomy
✓Why LLM06 is an architectural failure, not a coding bug
✓How LLM06 amplifies every other OWASP LLM risk into real-world action
✓CVE-2025-53773 (GitHub Copilot, Aug 2025) — indirect injection → YOLO mode → malware → C2
✓CVE-2025-54136 (MCPoison, Apr 2025) — tool description poisoning, 60–72% success rate
✓Slack AI exfiltration (Aug 2024) — overpowered data access exploited via indirect injection
✓4 attack patterns: overpowered tools, excessive permissions, MCP poisoning, indirect injection
✓All 4 OWASP official scenarios: email agent, document agent, shell plugin, cascading agents
✓7 mitigations: least-priv functionality, least-priv permissions, human-in-the-loop, external authz, tool allowlisting, sandboxing, audit logging