As organizations adopt AI copilots, AI assistants, and autonomous AI agents, a new security challenge is emerging: What happens when AI systems are given too much authority?
The OWASP Top 10 for LLM Applications 2025 identifies this risk as LLM06:2025 Excessive Agency. The vulnerability occurs when an AI-powered system is granted excessive functionality, permissions, or autonomy, enabling it to perform actions that exceed its intended purpose.
Unlike traditional chatbots that simply generate text, modern AI agents can interact with email systems, cloud platforms, CRMs, databases, ticketing systems, code repositories, and productivity tools. These integrations create tremendous business value, but they also expand the potential attack surface.
What is Excessive Agency?
Excessive Agency is the vulnerability that enables damaging actions to be performed in response to unexpected, ambiguous or manipulated outputs from an LLM, regardless of what is causing the LLM to malfunction. Common triggers include:
- hallucination/confabulation caused by poorly-engineered benign prompts, or just a poorly performing model;
- direct/indirect prompt injection from a malicious user, an earlier invocation of a malicious/compromised extension, or (in multi-agent/collaborative systems) a malicious/compromised peer agent.
The root cause of Excessive Agency is typically one or more of:
- excessive functionality;
- excessive permissions;
- excessive autonomy.
Common Examples of Excessive Agency Risks
Excessive Functionality
An LLM agent has access to extensions which include functions that are not needed for the intended operation of the system.
Excessive Permissions
An LLM extension that is designed to perform operations in the context of an individual user accesses downstream systems with a generic high-privileged identity.
Excessive Autonomy
An LLM-based application or extension fails to independently verify and approve high-impact actions.
Real-World Attack Scenarios
Scenario 1: AI Email Assistant Exfiltrates Sensitive Data
OWASP describes a scenario where an AI email assistant with both read and send permissions can be manipulated into forwarding sensitive information to an attacker.
Security researcher Johann Rehberger demonstrated multiple prompt injection attacks against AI assistants and plugins that could access user data and perform actions beyond their intended purpose.
Scenario 2: Slack AI accesses private conversations
AI-powered workplace assistants often have broad access to collaboration platforms, which can pose risks if permissions are not tightly controlled.
Researchers from PromptArmor demonstrated how Slack AI could be manipulated to retrieve information from private channels through prompt injection techniques.
Scenario 3: AI Agent deletes business data
An AI agent intended only to read documents may also possess modify or delete permissions, creating opportunities for accidental or malicious actions.
The broader “Confused Deputy” problem has become increasingly relevant in AI agent architectures, where an agent is tricked into using its elevated permissions on behalf of an attacker.
The confused deputy problem is a classic security vulnerability where a trusted program is tricked by a less-privileged user into misusing its higher privileges. The “deputy” is the trusted service, and it acts improperly because it confuses the attacker’s intent with its own authorized capabilities.
Scenario 4: AI Agent makes unauthorized financial transactions
As AI agents are integrated into ERP, procurement, and finance systems, unauthorized actions are becoming a growing concern.
Twilio’s security research highlighted how autonomous AI agents connected to APIs can be manipulated into performing actions that users never intended.
Prevention and Mitigation Strategies
The following actions can prevent Excessive Agency:
Minimize extensions
Limit the extensions that LLM agents are allowed to call to only the minimum necessary.
Minimize extension functionality
Limit the functions that are implemented in LLM extensions to the minimum necessary.
Avoid open-ended extensions
Avoid the use of open-ended extensions where possible (e.g., run a shell command, fetch a URL, etc.) and use extensions with more granular functionality.
Minimize extension permissions
Limit the permissions that LLM extensions are granted to other systems to the minimum necessary in order to limit the scope of undesirable actions.
Execute extensions in user’s context
Track user authorization and security scope to ensure actions taken on behalf of a user are executed on downstream systems in the context of that specific user, and with the minimum privileges necessary.
Require user approval
Utilise human-in-the-loop control to require a human to approve high-impact actions before they are taken. This may be implemented in a downstream system (outside the scope of the LLM application) or within the LLM extension itself.
Complete mediation
Implement authorization in downstream systems rather than relying on an LLM to decide if an action is allowed or not. Enforce the complete mediation principle so that all requests made to downstream systems via extensions are validated against security policies.
Sanitize LLM inputs and outputs
Follow secure coding best practices, such as applying OWASP’s recommendations in the ASVS (Application Security Verification Standard), with a particular focus on input sanitization. Use Static Application Security Testing (SAST) and Dynamic and Interactive Application Security Testing (DAST, IAST) in development pipelines.
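The three root causes defined earlier (excessive functionality, permissions and autonomy) and the mitigations listed above can be made concrete in a single tool-dispatch layer that sits between the model and the downstream systems. The following Python is an added example written for this post; it is not code from OWASP or from any agent framework. The mailbox store, the user roles, the tool names and the internal mail domain are all constructed for the demonstration. The point it shows is that the model's proposed action is treated as untrusted input: the registry only exposes narrow functions (no shell or URL-fetch tool), each call runs in the requesting user's own context, downstream authorization is checked by the dispatcher rather than by the model, and high-impact actions stop until a human approves them.

```python
"""
Added example: a mediated tool-dispatch layer for an LLM agent.
Everything below (mailboxes, roles, tools, domain) is constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed in-memory stand-in for a downstream mail system.
MAILBOXES = {
    "alice": ["Q3 forecast draft", "Lunch on Friday?"],
    "bob": ["Payroll export"],
}
SENT_LOG = []  # records (actor, recipient, subject) for auditability


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass
class Tool:
    name: str
    fn: Callable
    high_impact: bool = False             # needs human approval before execution
    required_role: Optional[str] = None   # authorization enforced here, not by the LLM


class UnknownTool(Exception): ...
class NotAuthorized(Exception): ...
class ApprovalRequired(Exception): ...


def read_inbox(user: User) -> list:
    # Runs in the user's own context: only that user's mailbox is reachable.
    return list(MAILBOXES.get(user.name, []))


def send_reply(user: User, recipient: str, subject: str) -> str:
    # Narrow function: replies only to the internal domain, so the tool cannot
    # be turned into "forward anything to any address".
    if not recipient.endswith("@example.internal"):
        raise NotAuthorized(f"recipient {recipient!r} is outside the allowed domain")
    SENT_LOG.append((user.name, recipient, subject))
    return "sent"


# Granular registry. Deliberately no open-ended tools such as run_shell or fetch_url.
TOOLS = {
    "read_inbox": Tool("read_inbox", read_inbox),
    "send_reply": Tool("send_reply", send_reply, high_impact=True, required_role="mail.send"),
}


def dispatch(user: User, call: dict, approved: bool = False):
    """Mediate every model-proposed tool call before it reaches a downstream system.

    `call` is the action proposed by the LLM, e.g.
    {"tool": "send_reply", "args": {"recipient": "...", "subject": "..."}}.
    The model's output is untrusted; this function decides what is permitted.
    """
    tool = TOOLS.get(call.get("tool"))
    if tool is None:
        raise UnknownTool(f"model requested unavailable tool {call.get('tool')!r}")
    if tool.required_role and tool.required_role not in user.roles:
        raise NotAuthorized(f"{user.name} lacks role {tool.required_role}")
    if tool.high_impact and not approved:
        raise ApprovalRequired(f"{tool.name} needs human approval before execution")
    args = call.get("args", {})
    return tool.fn(user, **args)
```

In practice the `approved` flag would come from a ticket or confirmation step handled outside the model's context, so that nothing the LLM emits can set it; the dispatcher also raises on any tool name it does not know, which is what turns a prompt-injected request for a tool the agent was never given into a logged failure rather than an action.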
AI should never be more privileged than the user
The rise of AI agents is changing cybersecurity. Historically, users initiated actions and systems enforced permissions. Today, AI agents can act on behalf of users across multiple systems, creating a new category of security risk.
At Reputiva, we believe organizations should apply Zero Trust principles to AI agents:
- Grant AI agents the minimum permissions necessary.
- Eliminate unnecessary plugins and integrations.
- Avoid open-ended actions such as unrestricted shell commands.
- Require human approval for high-impact activities.
- Ensure AI actions are logged, monitored, and auditable.
- Enforce authorization controls in downstream systems, not inside the AI model.
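The last two points in the list, logging every AI action and keeping authorization outside the model, are also what make Excessive Agency detectable after the fact. The following Python is an added example for this post, not code from OWASP or from any product: it reads constructed JSON-lines audit records of agent tool calls and flags the three root causes against a per-agent policy (a tool outside the agent's allow-list, a downstream call made as an identity other than the requesting user, and a high-impact action that completed without an approval reference). The record fields, agent name, tool names and approval id format are assumptions made for the demonstration.

```python
"""
Added example: auditing agent tool-call logs for signs of Excessive Agency.
The log lines and the policy below are constructed sample data.
"""
import json

# Constructed audit records, one JSON object per line, one line per tool call.
SAMPLE_AUDIT_LOG = """\
{"ts":"2025-03-01T10:00:01Z","agent":"mail-assistant","user":"alice","actor":"alice","tool":"read_inbox","approval":null,"status":"ok"}
{"ts":"2025-03-01T10:00:04Z","agent":"mail-assistant","user":"alice","actor":"svc-mail-admin","tool":"send_reply","approval":null,"status":"ok"}
{"ts":"2025-03-01T10:01:10Z","agent":"mail-assistant","user":"bob","actor":"bob","tool":"delete_folder","approval":null,"status":"ok"}
{"ts":"2025-03-01T10:02:30Z","agent":"mail-assistant","user":"bob","actor":"bob","tool":"send_reply","approval":"APR-1842","status":"ok"}
"""

# What each agent is supposed to be able to do, and which of those actions are high impact.
POLICY = {
    "mail-assistant": {
        "allowed_tools": {"read_inbox", "send_reply"},
        "high_impact": {"send_reply"},
    }
}


def audit(log_text: str, policy: dict = POLICY) -> list:
    """Return (timestamp, finding, detail) tuples for every policy deviation found."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        pol = policy.get(rec["agent"])
        if pol is None:
            # An agent nobody has written a policy for is itself a finding.
            findings.append((rec["ts"], "unknown_agent", rec["agent"]))
            continue
        # Excessive functionality: the agent called a tool it should not have.
        if rec["tool"] not in pol["allowed_tools"]:
            findings.append((rec["ts"], "excessive_functionality", rec["tool"]))
        # Excessive permissions: the downstream call ran as a generic or elevated
        # identity instead of the user the agent was acting for.
        if rec["actor"] != rec["user"]:
            findings.append((rec["ts"], "excessive_permissions", rec["actor"]))
        # Excessive autonomy: a high-impact action completed with no approval reference.
        if rec["tool"] in pol["high_impact"] and not rec.get("approval") and rec["status"] == "ok":
            findings.append((rec["ts"], "excessive_autonomy", rec["tool"]))
    return findings


if __name__ == "__main__":
    for ts, kind, detail in audit(SAMPLE_AUDIT_LOG):
        print(f"{ts} {kind}: {detail}")
```

For this to work the agent platform has to emit, per tool call, both the requesting user and the identity actually used downstream, plus a reference to the approval that authorised any high-impact step; a log that records only the model's prompt and response cannot answer these questions.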
AI should assist decision-making, not bypass governance
Assess your AI Agent security before scaling AI Adoption
Many organizations are rapidly deploying AI assistants, copilots, and autonomous agents without fully understanding the security implications. Reputiva helps organizations assess and secure AI-enabled environments through:
- AI Security Assessments
- AI Agent Risk Reviews
- Prompt Injection Testing
- Cloud Security Assessments
- Identity and Access Management Reviews
- Secure AI Architecture Design
- AI Governance and Risk Management Programs
Before giving AI access to your emails, files, cloud environments, or business systems, make sure the appropriate guardrails are in place.
Book a consultation with Reputiva to evaluate your organization’s AI security posture and reduce the risks associated with Excessive Agency.