When AI Gets Too Much Power: The Danger of Excessive Agency in LLMs

AI is supposed to help, not take over. We allow Large Language Models (LLMs) more freedom when they can perform tasks like sending emails. They also run code or make financial transactions. This increased freedom means we’re stepping into risky territory. This growing concern is what OWASP identifies as LLM06: Excessive Agency in its Top 10 for LLM Applications (2025).

So what does it mean when an AI system has “too much agency”? And how can this freedom go wrong?

Let’s break it down in plain language.

What Is “Excessive Agency”?

Excessive agency refers to situations where an LLM is given too much control over real-world actions. This happens without proper checks or human oversight. It could mean giving a chatbot access to:

• Run operating system commands
• Modify databases or files
• Trigger payments or emails
• Call powerful APIs
• Interact with smart devices

LLMs are not inherently secure, and they don’t always understand the consequences of their actions. They respond to prompts based on probability, not logic. This leads to unpredictable and possibly dangerous outcomes.

Real-World Examples of Excessive Agency Gone Wrong

1. Code Execution Without Review

A chatbot was connected to a server with permission to run shell commands. When asked to “clean up temp files,” it accidentally deleted important system folders—causing a full application outage.

2. Unverified Financial Actions

An LLM-powered assistant was linked to a payment API. A crafted prompt tricked it into sending refunds to unintended users, exploiting a lack of rule-based validation.

3. Overreach in DevOps Tools

In one case, an LLM integrated with GitHub Actions merged pull requests automatically. It did this even when they included unsafe changes. This happened because it misunderstood a vague prompt.

Why It Happens

Excessive agency often occurs when:

• Developers overestimate AI’s understanding of intent and security.
• The system lacks role-based access control or privilege separation.
• There's no human-in-the-loop validation before executing tasks.
• Integration with tools or plugins happens without proper sandboxing.

This isn’t about “bad AI.” It’s about systems that were given too much trust too soon.

How to Prevent It

1. Use the Principle of Least Privilege

Grant your LLM the minimum access necessary to complete its job. Don’t give it file write permissions if it only needs read access.

2. Add a Human-in-the-Loop

For high-risk actions like code execution or financial transfers, require human approval before proceeding.

3. Isolate High-Impact Functions

Run potentially dangerous commands in sandboxed environments. That way, even if the model gets tricked, it can’t do real damage.

4. Add Logging and Rate Limits

Track every action initiated by your AI. Throttle how often it can call APIs or issue commands—especially destructive ones.

5. Use Policy Enforcement

Wrap your AI actions in clearly defined rules. For example, “this bot can only send emails to internal domains” or “never transfer money without two-factor review.”

Conclusion

AI is powerful—but it’s not wise.

As we integrate LLMs deeper into business operations, it's tempting to let them automate everything. But without limits, they become liabilities. Excessive agency is not just a design flaw—it’s a security threat.

Before giving your AI the keys to the kingdom, ask yourself: Would I trust a junior intern with this power? If not, don’t give it to the bot either.