OWASP LLM08 Excessive Agency: Bounding What an Agent Is Allowed to Actually Do
OWASP LLM08 covers excessive agency: the AI agent has the ability to take actions that exceed what the application or the user intended. The category is the agentic equivalent of the post-authentication gap: authentication and authorization happened, but the action the agent took was not the action the authorization actually permitted. The control point is the boundary between the agent loop and the tool surface. This article walks through the LLM08 mechanisms, the agency-bounding controls a gateway enforces, and where the architecture differs from classic API authorization.

OWASP LLM08 covers excessive agency. The Top 10 entry describes the failure mode in agent-loop terms: the model is given the ability to call tools, the tools are given the ability to take real actions, and the actions the agent takes exceed what the application or the user actually intended. The category splits into three sub-failures: excessive functionality (the agent has tools it does not need), excessive permissions (the tools have permissions they do not need), and excessive autonomy (the agent takes actions without the human approval the action warranted).
The category is the agentic equivalent of the post-authentication gap. Authentication happened; the agent is authenticated and the tool calls are authorized at the API level. Authorization at the per-decision layer (this specific identity, taking this specific action, on this specific resource, at this moment) is what is missing. The control point is the boundary between the agent loop and the tool surface, which is the point where the action gets actually issued.
I want to walk through the three LLM08 sub-failures, the agency-bounding controls a gateway enforces at the agent-tool boundary, the human-in-the-loop patterns for actions that warrant approval, and the audit requirements that come with autonomous agent action.
The three sub-failures
Excessive functionality. The agent has been given access to tools that the use case does not require. A customer-service agent has access to an internal database read tool, a financial-transaction tool, and an outbound-email tool when the use case only requires the read tool. The excess functionality is the surface an attacker exploits when a prompt manipulation succeeds. The agent that has only the read tool cannot send the email; the agent with all three tools can.
Excessive permissions. The tools the agent has access to have been granted permissions broader than the use case requires. The database tool can read every table in the schema when the use case only requires the customer-records table. The email tool can send to any address when the use case only requires sending to addresses on the company's internal domain. The broad permissions amplify the impact of any successful tool invocation by an adversarial prompt.
Excessive autonomy. The agent takes actions without human approval that the action's reversibility or impact would have warranted. The agent issues a refund of $50,000 without a human approval step. The agent deletes a database record without a human approval step. The agent emails a customer about a sensitive matter without a human review step. The autonomy ceiling has been set higher than the action's risk warrants.
Each sub-failure exists independently of the others. An agent with minimal functionality but broad permissions on the functions it has is still excessive. An agent with narrow permissions but no human approval gate on irreversible actions is still excessive. The control surface needs to address all three.
The agency-bounding controls at the gateway
Six controls at the agent-tool boundary do most of the LLM08 work.
Per-identity tool allowlists. The gateway evaluates whether the calling identity is permitted to invoke a given tool. The allowlist is keyed on identity, not on application or session. An identity that is not on the allowlist for a tool gets blocked at the gateway even if the agent loop attempts the call. The control addresses excessive functionality at the binding between identity and tool surface.
Per-tool parameter constraints. Each tool definition specifies parameter constraints the gateway enforces: maximum transaction amount, allowed recipient domains, allowed table names, allowed resource scopes. A tool invocation with parameters outside the constraints is rejected at the gateway. The control narrows the effective permissions of a tool to the use-case-appropriate subset.
Per-identity, per-action approval gates. High-impact actions are configured to require a separate human approval before execution. The gateway routes the tool invocation to an approval queue, waits for approval, and only then forwards the invocation to the tool. The approval gate is identity-bound: actions that one identity can take autonomously may require approval for another identity.
Action-class rate limits. Beyond request-level rate limits, the gateway enforces per-action-class rate limits per identity per time window. A customer-service agent identity can issue at most five refunds per hour; an exception above the limit requires a manager approval. The control bounds the worst-case impact of a compromised agent or a runaway loop.
Action lineage records. Every tool invocation produces an audit record with the calling identity, the agent's session identifier, the prompt that triggered the action, the tool name and parameters, the policy decisions applied, and the outcome. The action lineage is the forensic trail for any post-incident review and the data source for tuning the agency-bounding controls.
Per-tenant scoping on tool actions. The gateway enforces that tool invocations from one tenant cannot reach resources scoped to another tenant. The check is independent of the application's tenant scoping and runs at the gateway as a second line of enforcement.
The human-in-the-loop patterns
Three patterns recur in production deployments for actions that warrant human approval.
Synchronous approval. The agent submits the tool invocation, the gateway holds the request in an approval queue, an approver reviews and approves or rejects, and the invocation either proceeds or is rejected. The pattern works when the human approver is responsive enough to keep the user-perceived latency tolerable.
Asynchronous queued action. The agent submits the tool invocation, the gateway queues it for batch review by an approver, and the agent loop returns a status indicating the action is pending. The user is notified when the action is approved or rejected. The pattern works for actions that do not need to complete in the user's current session.
Pre-authorized scope with post-hoc audit. The agent has authority to take actions within a pre-approved scope without per-action approval, and a human reviews the action log on a defined cadence. The pattern shifts the human work from per-action to per-batch and is appropriate when the actions are low-impact individually but worth periodic review in aggregate.
The pattern selection depends on the action's reversibility and impact. Irreversible high-impact actions (a wire transfer above a threshold, a customer-account deletion) typically require synchronous approval. Reversible medium-impact actions (a refund within a threshold, an email send) typically work with asynchronous queued review. Low-impact actions (a record read, a status update) typically work with post-hoc audit.
What sits outside the gateway boundary
The agent loop's planning step is outside the gateway boundary. The model decides what action to take based on the prompt and the tool definitions; the gateway sees the invocation after the model has decided. The gateway can block the invocation, but the gateway cannot rewrite the model's reasoning.
The tool's downstream execution is partially outside the boundary. The gateway enforces what tool gets invoked with what parameters; the tool then executes against the underlying service. If the tool itself has a bug that causes it to do more than its parameters describe, the gateway has limited visibility into the actual side effect. The architectural answer is parameter-bounded tool implementations and signed tool definitions.
The application's own authorization model for direct API calls is outside the boundary. If the application has paths that issue actions directly without routing through the gateway, those paths are not covered by the gateway's per-decision controls. The control is only as effective as the perimeter that forces all agent-issued actions through the gateway.
How LLM08 maps to NIST AI RMF, EU AI Act, and OWASP Top 10 for Agentic Applications
NIST AI RMF MANAGE function calls for ongoing monitoring of system behavior and for documented controls on autonomous actions. The action lineage records and the approval gate decisions are the MANAGE artifacts that satisfy the function for the agent surface.
EU AI Act Article 14 requires human oversight for high-risk AI systems. The article specifies that the oversight measures must enable the natural persons in oversight roles to remain aware of the system's tendency to over-rely on its output, to intervene in the system's operation, and to interrupt the system. The synchronous-approval pattern at the gateway is the architectural answer for actions that warrant per-action oversight.
OWASP Top 10 for Agentic Applications (2026 release) covers the broader agentic-AI surface and includes LLM08-equivalent risks in its own taxonomy. The agentic-applications framework introduces "agentic skills" as an intermediate behavior layer; the per-decision authorization control at the gateway is the verification-side answer to the agentic-skills risk class.
DeepInspect
This is the agency-bounding control DeepInspect provides for the LLM08 surface. DeepInspect sits inline between authenticated users or agents and the LLMs they call, evaluates every tool invocation against per-identity allowlists and per-tool parameter constraints, routes high-impact actions through configured approval gates, and writes an action lineage record for every invocation outside the calling application.
The authorization at the gateway is independent of the agent's planning step. An agent that has been induced through prompt manipulation to attempt an unauthorized action still gets blocked at the gateway because the gateway's authoritative source of authorization is the per-identity policy, not the agent's reasoning. The action lineage record captures both the attempted action and the policy decision, which gives the security team the forensic trail to investigate the prompt manipulation and tune the controls.
If you are deploying agentic AI in production and your LLM08 coverage depends on the agent always honoring the system prompt's instructions about which tools to use, let's talk today.
Frequently asked questions
- What is the simplest LLM08 control to put in place?
A per-identity tool allowlist. The control says: for this calling identity, these are the only tools the agent loop may invoke. Anything outside the list is blocked at the gateway. The control catches the most common excessive-functionality failures without requiring application changes.
- How are high-impact actions distinguished from low-impact ones?
By reversibility and dollar (or equivalent) impact. Irreversible actions (deletions, wire transfers, customer notifications about sensitive matters) tend to be high-impact. Reversible actions within a bounded scope (status updates, internal-record edits with audit trail) tend to be low-impact. The classification is a deployment decision that lives in the policy configuration.
- Does the approval gate add too much latency to the user experience?
For synchronous approval on high-impact actions, the latency is intentional. The pattern is appropriate for actions that warrant it. For everything else, the asynchronous-queued or post-hoc-audit patterns add no user-facing latency.
- How does the gateway distinguish a legitimate action from a prompt-manipulated one?
It does not have to. The gateway evaluates whether the identity is authorized for the action regardless of how the action was triggered. A legitimate-looking action by an unauthorized identity is blocked. A manipulated action by an authorized identity is recorded and proceeds (subject to any approval gate). The audit log is the source for detecting manipulation patterns over time.
- What is action lineage?
A structured record of the agent's action chain: the calling identity, the session identifier, the prompt that initiated the chain, every tool invocation with its parameters, every policy decision, and every outcome. The lineage is queryable for investigation and is the source data for compliance reporting under EU AI Act Article 19 and NIST AI RMF MANAGE.
- Where does this fit in OWASP AISVS?
OWASP AISVS Chapter 9 (agentic systems) and Chapter 12 (logging and monitoring) cover the verification requirements for the LLM08 surface. The chapters require documented tool allowlists, per-tool parameter constraints, approval-gate configurations for high-impact actions, and action lineage records for every agent invocation.