Lesson 4 · 11 min

Excessive agency and insecure output handling

The two most fixable OWASP LLM risks. Excessive agency gives attackers leverage by over-permissioning the model. Insecure output handling lets model output execute as code in downstream systems.

LLM06: Excessive Agency

An LLM has excessive agency when it can take actions whose impact exceeds what the task requires. This is the principle of least privilege from traditional security applied to models, yet engineers frequently violate it for LLMs because adding a capability is easy and the blast radius is not obvious until an attack happens.

Common excessive agency examples:

| Feature | Over-permissioned | Correctly scoped |
|---|---|---|
| Customer support bot | Read + write access to the user's account | Read-only; write actions require explicit user confirmation |
| Email assistant | Send emails without confirmation | Draft emails, user must press Send |
| Code assistant | Execute any shell command | Execute only in an isolated sandbox with no network |
| Data analyst | Run any SQL query on the production DB | Read-only on a shadow replica |
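The customer-support row of the table, carried through as a tool gateway that enforces the scoping, is shown below as an added example that is not part of the original lesson. The `ToolPolicy` class, the tool names and the account data are hypothetical and constructed: read tools run unattended, write tools are held until the user confirms, and a tool the model names but that was never registered is refused regardless of what the prompt said.

```python
from dataclasses import dataclass, field
from typing import Callable

READ, WRITE = "read", "write"  # effect classes; only READ tools run unattended

@dataclass
class ToolPolicy:
    """Gateway between model tool calls and real side effects (hypothetical names)."""
    tools: dict[str, tuple[str, Callable]] = field(default_factory=dict)
    pending: list[tuple[str, dict]] = field(default_factory=list)  # held writes
    log: list[str] = field(default_factory=list)  # audit trail for detection

    def dispatch(self, call: dict) -> dict:
        """Handle one model-emitted tool call of the form {"name": ..., "args": {...}}."""
        name, args = call.get("name"), call.get("args", {})
        if name not in self.tools:  # model output is never an authorization source
            self.log.append(f"DENY unknown tool {name!r}")
            return {"status": "denied", "reason": "tool not permitted"}
        effect, fn = self.tools[name]
        if effect == WRITE:  # hold until the user explicitly confirms
            self.pending.append((name, args))
            self.log.append(f"HOLD {name} awaiting user confirmation")
            return {"status": "pending_confirmation", "action": name, "args": args}
        self.log.append(f"RUN {name}")
        return {"status": "ok", "result": fn(**args)}

    def confirm(self, index: int, approved: bool) -> dict:
        """The user's decision on a held write; this is the only path that executes it."""
        name, args = self.pending.pop(index)
        self.log.append(f"{'RUN' if approved else 'REJECT'} {name} (user decision)")
        if not approved:
            return {"status": "rejected", "action": name}
        return {"status": "ok", "result": self.tools[name][1](**args)}

def run_demo() -> list[dict]:
    """Customer-support bot from the table: replay a read, a write, an unregistered tool."""
    accounts = {"u42": {"email": "a@example.test", "plan": "basic"}}  # constructed sample
    def update_plan(user_id: str, plan: str) -> str:
        accounts[user_id]["plan"] = plan
        return plan
    policy = ToolPolicy(tools={"get_account": (READ, lambda user_id: dict(accounts[user_id])),
                               "update_plan": (WRITE, update_plan)})
    calls = [{"name": "get_account", "args": {"user_id": "u42"}},
             {"name": "update_plan", "args": {"user_id": "u42", "plan": "premium"}},
             {"name": "run_shell", "args": {"cmd": "id"}}]  # last one never registered: refused
    results = [policy.dispatch(c) for c in calls]
    results.append(policy.confirm(0, approved=True))  # the user presses the button
    return results
```

The `log` list is the detection hook: a burst of `DENY` entries naming tools the agent was never given is the signal that a prompt is trying to expand the model's agency.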