What is Excessive Agency?
Excessive Agency occurs when an AI agent takes autonomous actions that exceed its intended scope, permissions, or mandate. This includes making decisions without human approval, taking irreversible actions without confirmation, accessing resources beyond what the task requires, and acting on incomplete or ambiguous instructions by defaulting to action rather than asking for clarification.
Why It Matters
Excessive agency risks are amplified by the trend toward more autonomous AI systems:
- Irreversible actions — Agents that delete data, send communications, or make financial transactions without confirmation can cause irreversible damage.
- Scope creep — Agents that interpret ambiguous instructions broadly may perform unintended and harmful actions.
- Authorization bypass — Agents acting beyond their mandate effectively bypass the authorization model.
- Liability — Organizations are responsible for all actions taken by their AI agents, even unintended ones.
- User trust — Users lose trust in AI systems that take unexpected autonomous actions.
- OWASP recognition — Excessive Agency is listed as a top risk in the OWASP LLM Top 10.
How the Attack Works
Ambiguity Exploitation
Giving vague instructions that the agent interprets too broadly:
- “Clean up the project” — agent deletes files instead of organizing them
- “Optimize the system” — agent modifies production configurations without approval
- “Handle the customer complaint” — agent issues refunds and makes commitments without authorization
Permission Creep Through Tool Chaining
Agents combining multiple tools to achieve more than any single tool allows:
- Using read access to discover data, then using write access to exfiltrate it
- Combining email and calendar access to impersonate users
- Chaining database queries with API calls to bypass access controls
Default-to-Action Bias
Exploiting the agent’s tendency to act rather than ask:
- Providing instructions with critical ambiguity, knowing the agent will choose the most active interpretation
- Setting up scenarios where the “safe” action is to do nothing, but the agent acts anyway
- Creating time pressure that causes the agent to skip confirmation steps
Example Scenarios
| Scenario | Risk |
|---|---|
| Agent deletes production database records when asked to “clean up old data” | Data loss |
| AI assistant sends emails to customers without human review | Unauthorized communication |
| Agent modifies cloud infrastructure when asked to “improve performance” | System disruption |
| AI makes financial commitments when resolving a customer complaint | Unauthorized spending |
Mitigation Strategies
- Human-in-the-loop — Require explicit human approval for irreversible, high-risk, or high-value actions
- Action classification — Categorize actions by risk level and apply proportionate approval requirements
- Scope boundaries — Define precise operational boundaries for each agent and enforce them technically
- Confirmation prompts — Agents should seek clarification when instructions are ambiguous rather than assuming an interpretation
- Undo capability — Where possible, prefer reversible actions and maintain rollback capability
- Principle of least privilege — Grant agents only the minimum tools and permissions needed for their specific task
- Regular testing — Use Know Your AI to evaluate agents for excessive autonomy across ambiguous scenarios
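The following is an added example (not Hydrox AI's code, and not from the original page) showing how several of these mitigations combine into a single policy gate in front of an agent's tool calls: a least-privilege tool allowlist, a scope boundary on resources, risk classification per tool, and a human-in-the-loop requirement for irreversible or high-risk actions, with every decision written to an audit trail. The tool names, the `projects/demo/` scope and the `AgentPolicy` class are hypothetical and exist only to illustrate the “clean up the project” scenario above.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Risk(Enum):
    LOW = 1      # read-only
    MEDIUM = 2   # reversible write
    HIGH = 3     # irreversible or externally visible side effect

@dataclass(frozen=True)
class ToolSpec:
    name: str
    risk: Risk
    reversible: bool

# Hypothetical tool catalogue for a repository-maintenance agent (constructed for this example).
CATALOGUE = {
    "list_files":  ToolSpec("list_files", Risk.LOW, True),
    "move_file":   ToolSpec("move_file", Risk.MEDIUM, True),
    "delete_file": ToolSpec("delete_file", Risk.HIGH, False),
    "send_email":  ToolSpec("send_email", Risk.HIGH, False),
}

@dataclass
class AgentPolicy:
    allowed_tools: frozenset   # least privilege: the only tools this agent may call
    scope_prefix: str          # scope boundary: resources the agent may touch
    audit: list = field(default_factory=list)

    def gate(self, tool: str, resource: str, approved_by: Optional[str] = None) -> str:
        """Return 'allow', 'needs_approval' or 'deny' for one proposed action and record it."""
        spec = CATALOGUE.get(tool)
        if spec is None or tool not in self.allowed_tools:
            verdict = "deny"             # tool outside the agent's mandate
        elif not resource.startswith(self.scope_prefix):
            verdict = "deny"             # resource outside the scope boundary
        elif spec.risk is Risk.HIGH or not spec.reversible:
            # Human-in-the-loop: irreversible or high-risk actions run only with a named approver.
            verdict = "allow" if approved_by else "needs_approval"
        else:
            verdict = "allow"            # low/medium risk and reversible: proceed autonomously
        self.audit.append((tool, resource, verdict, approved_by))
        return verdict

def demo_policy() -> AgentPolicy:
    """Policy for an agent told to 'clean up the project': it may list, move and delete, but only under projects/demo/."""
    return AgentPolicy(frozenset({"list_files", "move_file", "delete_file"}), "projects/demo/")

if __name__ == "__main__":
    p = demo_policy()
    for call in [("move_file", "projects/demo/old/a.log"), ("delete_file", "projects/demo/old/a.log"),
                 ("send_email", "projects/demo"), ("move_file", "/etc/passwd")]:
        print(call, "->", p.gate(*call))
```

Moving a file within scope is allowed on its own, deleting it pauses for approval, sending email is denied because the tool is not in the agent's allowlist, and any path outside `projects/demo/` is denied regardless of tool.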