As large language models (LLMs) become central to enterprise automation, security experts are sounding the alarm about a growing risk: excessive agency. The term refers to the unchecked autonomy granted to AI systems — especially when they’re allowed to act independently through plugins or extensions with broad capabilities.

This vulnerability is not just hypothetical. Recent examples and expert warnings underscore why fully autonomous AI is still not ready to "go solo" — and why human oversight remains essential.

Pritchard’s concept of “agentic AI” envisions systems with multiple specialized agents that communicate, collaborate, and learn from humans — enhancing adaptability and resilience. This is echoed in new standards like the Model Context Protocol and Agent-to-Agent interoperability, which allow diverse AI systems to work together safely and effectively.

When too much power backfires
LLMs are often deployed with access to plugins that allow them to read files, modify data, or trigger real-world actions. While this expands their utility, it also introduces serious security risks if not carefully controlled.

For example, a plugin designed to read a user’s email inbox might also have the ability to send or delete messages. In a system vulnerable to indirect prompt injection — where a malicious email tricks the AI into forwarding sensitive data — this level of access can lead to serious breaches. That’s excessive agency in action: the AI does exactly what it was allowed to do, but in ways no one intended.

[Editor's Note: This is part of SC Media's partnership to unpack OWASP's Top 10 for LLM Applications.]

These vulnerabilities stem from excessive functionality, permissions, and autonomy. Plugins may retain dangerous capabilities long after they’re needed. LLMs may execute commands without user confirmation. And systems may operate with high-level credentials that give them more access than necessary.

Echoes from the battlefield: Why solo AI fails
This over-reliance on autonomous AI mirrors what Radiant Logic CEO Dr. John Pritchard warned about at Identiverse 2025. In his keynote, “Ready Player Two: Why Multiplayer AI Beats Going Solo in Identity Security,” he argued for a collaborative approach that tightly integrates humans and AI systems.

Pritchard recalled OpenAI’s Dota 2 bots, which, despite deep training, were beaten by human teams due to the bots’ inability to adapt in real-time. “AI is great at responding to what it knows,” he said, “but when something unexpected happens, it collapses.”

That same weakness applies to autonomous LLM agents. When hallucinations or malicious prompt injections trigger an unintended action, overly permissive systems can’t recognize the danger — because they weren’t trained to.

Real-world ramifications
In a 2023 CISA-led red team exercise, poor coordination between Solaris IT and the Security Operations Center allowed a simulated breach to go undetected for months. Pritchard used the example to show that disjointed human teams are already a problem — but when AI agents are thrown into the mix without shared context or oversight, the consequences can be far worse.

This aligns with one of the biggest dangers of Excessive Agency: LLMs making unsupervised decisions across siloed systems with high impact, low visibility, and little to no human intervention.

Building safer, smarter systems
To mitigate excessive agency, experts recommend:

- Limiting functionality: Only enable what’s strictly needed.
- Reducing permissions: Use least-privilege access and scoped credentials.
- Avoiding open-ended tools: Replace general-purpose shell or scripting plugins with task-specific ones.
- Requiring human approval: Especially for high-risk actions like posting content or deleting files.
- Ensuring execution in user context: Actions should reflect the identity and authorization of the human user.
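
As an illustration added here (not code from SC Media, OWASP, or any vendor named in the article), the sketch below applies these recommendations to the email-plugin scenario described earlier: the mail plugin is split into task-specific tools, and every call the model requests passes through a gate. The tool names, scope strings, and sample calls are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Tool:
    scope: str        # permission the human user must hold (hypothetical scope names)
    high_risk: bool   # True means a human must confirm every call
    run: Callable[[dict], str]

# Constructed mail plugin, split into narrow tools instead of one broad one.
TOOLS = {
    "mail.read":   Tool("mail:read",   False, lambda a: f"read {a['id']}"),
    "mail.send":   Tool("mail:send",   True,  lambda a: f"sent to {a['to']}"),
    "mail.delete": Tool("mail:delete", True,  lambda a: f"deleted {a['id']}"),
}

class Denied(Exception):
    pass

def dispatch(call, enabled, user_scopes, approve):
    """Gate one model-requested tool call; raise Denied unless every check passes."""
    name, args = call.get("tool"), call.get("args", {})
    tool = TOOLS.get(name)
    if tool is None or name not in enabled:          # limiting functionality
        raise Denied(f"{name}: not enabled for this task")
    if tool.scope not in user_scopes:                # least privilege, user context
        raise Denied(f"{name}: user lacks {tool.scope}")
    if tool.high_risk and not approve(name, args):   # human approval
        raise Denied(f"{name}: approval refused")
    return tool.run(args)

def run_session(calls, enabled, user_scopes, approve=lambda name, args: False):
    """Run each requested call through the gate, recording refusals instead of acting."""
    results = []
    for call in calls:
        try:
            results.append(("ok", dispatch(call, enabled, user_scopes, approve)))
        except Denied as exc:
            results.append(("denied", str(exc)))
    return results

if __name__ == "__main__":
    # Constructed model output: an inbox-summary task in which one email carried
    # injected instructions, so the model also asks to forward mail externally.
    calls = [{"tool": "mail.read", "args": {"id": 7}},
             {"tool": "mail.send", "args": {"to": "outside@example.test"}}]
    for outcome in run_session(calls, {"mail.read"}, {"mail:read", "mail:send"}):
        print(outcome)
```

Because the summary task enables only `mail.read`, the injected forwarding request is refused before the approval step is reached, even though the user holds the send permission.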







