LLM06: Excessive Agency
OWASP LLM Top 10 (2025)
Agents granted overbroad tool, identity, or permission scopes turn model mistakes and injected instructions into damaging real-world actions.
What this risk means
OWASP frames this risk as excessive functionality, excessive permissions, or excessive autonomy: an agent that can call more tools than its task needs (broad function-calling), holds broader credentials than necessary (third-party authentication tokens, often persisted across sessions along with the agent's memory), or takes consequential actions without a human confirming them. When the model then misbehaves, whether through hallucination, prompt injection, or a poisoned tool result, the error is executed rather than merely stated. The vendor's agent-permission model determines the blast radius.
How TrustAtlas dimensions address it
Dependency-chain reflects integration breadth (every integrated tool is one more action an agent can take, so more tools means a bigger blast radius); transparency reflects how clearly the vendor documents agent permission boundaries and the defaults a customer inherits; jurisdiction matters because cross-border agent actions invoke divergent regulatory regimes.
See methodology for how each dimension is scored across the catalog.
Questions to ask vendors
Drop these into RFPs, due-diligence questionnaires, or a procurement scorecard. Each question maps back to evidence visible on the vendor's TrustAtlas profile.
- What is the default permission scope for agent tool-use (deny-by-default allowlist, or everything the integration exposes), and what is the supported mechanism for a customer to narrow it?
- Do you log every tool call, including denied ones, with enough detail (inputs, outputs, the identity the agent acted as, timestamp) to support forensic replay?
- Are agent actions geofenced — can a customer prevent an agent in one region from invoking endpoints in another?
- What is the kill-switch posture if an agent loops, escalates, or invokes unauthorised tools — what detects the condition (call budgets, repeated identical calls, out-of-scope tool names), who has the authority to stop the agent, and how fast does it take effect?
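The four questions above describe controls a vendor can put between the model's function-call output and the real tools: a narrow default scope, a per-call audit record, a region boundary, and a kill switch. The following is an added illustration of those controls in one gatekeeper; it is example code written for this page, not any vendor's or TrustAtlas's implementation. The policy fields, the tool names (`search_docs`, `create_ticket`, `delete_repo`) and the stand-in tool functions are constructed for the demo.

```python
"""Tool-call gatekeeper for an LLM agent (illustrative, not a vendor API).

Enforces: a deny-by-default tool allowlist, an audit record per call
(inputs, output, acting identity, timestamp, including denied calls),
a region boundary check, and a kill switch for out-of-scope tools,
runaway call budgets and repeated identical calls.
"""
import json
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class ToolPolicy:
    """Per-customer scope an agent runs under (hypothetical policy shape)."""
    allowed_tools: frozenset            # deny-by-default allowlist of tool names
    home_region: str                    # region the agent is deployed in
    allow_cross_region: bool = False    # may it call endpoints in other regions?
    max_calls_per_task: int = 20        # hard budget per task, stops runaway agents
    max_repeat: int = 3                 # identical consecutive calls tolerated


@dataclass(frozen=True)
class ToolCall:
    """One function call the model asked for."""
    tool: str
    args: dict
    region: str                         # region of the endpoint the call targets


class AgentHalted(Exception):
    """Raised once the kill switch fires; the task does not continue."""


class ToolGate:
    """Sits between the model's function-call output and the real tools."""

    def __init__(self, policy, principal, tools, clock=time.time):
        self.policy = policy
        self.principal = principal      # identity the agent acts as
        self.tools = tools              # name -> callable; only allowlisted ones run
        self.clock = clock
        self.audit = []                 # JSON-serialisable records for forensic replay
        self.halted = None              # reason string once the kill switch fires
        self._calls = 0
        self._last_key = None
        self._repeat = 0

    def _record(self, call, outcome, detail):
        self.audit.append({
            "ts": self.clock(), "principal": self.principal,
            "tool": call.tool, "args": call.args, "region": call.region,
            "outcome": outcome,          # "allowed" or "denied"
            "detail": detail,            # tool output, or the denial reason
        })

    def _halt(self, call, reason):
        self._record(call, "denied", reason)   # denied calls are logged too
        self.halted = reason
        raise AgentHalted(reason)

    def invoke(self, call):
        if self.halted:
            raise AgentHalted(self.halted)
        p = self.policy
        if call.tool not in p.allowed_tools:            # least privilege
            self._halt(call, "tool_not_in_scope")
        if call.region != p.home_region and not p.allow_cross_region:
            self._halt(call, "cross_region_blocked")    # geofence
        self._calls += 1
        if self._calls > p.max_calls_per_task:
            self._halt(call, "call_budget_exceeded")    # runaway agent
        key = (call.tool, json.dumps(call.args, sort_keys=True))
        self._repeat = self._repeat + 1 if key == self._last_key else 1
        self._last_key = key
        if self._repeat > p.max_repeat:
            self._halt(call, "loop_detected")           # same call over and over
        result = self.tools[call.tool](**call.args)
        self._record(call, "allowed", result)
        return result


# Constructed stand-ins for real tools; not any vendor's API.
DEMO_TOOLS = {
    "search_docs": lambda query: f"3 hits for {query!r}",
    "create_ticket": lambda title: f"ticket opened: {title}",
    "delete_repo": lambda name: f"deleted {name}",   # exists, never allowlisted
}


def run_plan(policy, plan, principal="customer-a", tools=DEMO_TOOLS):
    """Execute a model-produced list of ToolCalls under a policy.

    Returns the halt reason (None if the plan completed), the results of
    the calls that ran, and the audit trail showing which call tripped
    the kill switch and why.
    """
    gate = ToolGate(policy, principal, tools)
    results = []
    try:
        for call in plan:
            results.append(gate.invoke(call))
    except AgentHalted:
        pass
    return {"halted": gate.halted, "results": results, "audit": gate.audit}


if __name__ == "__main__":
    policy = ToolPolicy(frozenset({"search_docs", "create_ticket"}), "eu-west")
    plan = [   # second call is what an injected or hallucinated step looks like
        ToolCall("search_docs", {"query": "refund policy"}, "eu-west"),
        ToolCall("delete_repo", {"name": "billing"}, "eu-west"),
    ]
    print(json.dumps(run_plan(policy, plan)["audit"], indent=2))
```

The order of checks matters: scope and region are evaluated before the call is counted against the budget, so an out-of-scope call is denied and logged even on the first attempt, and the audit trail records the denial with the same identity and timestamp fields as an allowed call. Widening `allowed_tools` or setting `allow_cross_region=True` is the customer-visible decision that grows the blast radius, which is what the transparency dimension asks a vendor to document.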
Related
- Back to the full OWASP LLM Top 10 cross-walk
- NIST AI RMF cross-walk — the U.S. enterprise companion framework
- TrustAtlas methodology — how the 8 risk dimensions are scored
- Browse the vendor directory and filter by the dimensions tied to this risk