An LLM assistant can delete records and send emails autonomously. How do you reduce the risk?
Short answer
Unbounded autonomy plus tool access is OWASP LLM 'excessive agency': a manipulated or mistaken model can take destructive actions. Constrain it with least-privilege tool scopes, require human confirmation for irreversible operations, and keep permissions narrow and audited. Trusting it or granting admin widens the blast radius, and hiding a UI button does nothing about the model's underlying capability to call the action.
The assistant is genuinely useful: it can resolve tickets by deleting stale records and emailing customers, all on its own. The problem is that "on its own" plus "destructive" plus "a model that can be manipulated" is a recipe for a fast, automated mistake.
The risk: excessive agency
OWASP names this excessive agency — granting an LLM too much functionality, autonomy, or permission relative to how trustworthy its decisions are. A model can be wrong, or it can be steered by prompt injection hidden in a ticket, an email, or a fetched document. When that mis-decision is wired to real tools (delete, send, pay, provision), the model becomes an automated actor executing the attacker's or its own bad intent at machine speed. The blast radius is whatever the tools can touch.
How to reduce it
- Least-privilege tools. Give the agent the smallest set of narrowly scoped tools it needs — read where read suffices, no blanket delete, no broad admin token.
- Human-in-the-loop for irreversible actions. Destructive or hard-to-undo operations (bulk delete, sending external email, payments) should require explicit human confirmation, not silent auto-execution.
- Scoped, auditable permissions. Bound each tool by scope, rate, and target; log every invocation with inputs and identity so actions are reviewable and reversible.
- Fail safe. Prefer soft-delete/queues and reversible operations so a mistake can be rolled back.
Why the distractors are dangerous
- "Trust it": intent isn't a control. A helpful design with no guardrails is exactly what gets exploited.
- "Give it admin": maximizing privilege maximizes blast radius — the opposite of what you want for a non-deterministic, manipulable actor.
- "Hide the delete button": the danger is the model's capability to call the action, not a UI affordance. Hiding the button leaves the underlying tool fully callable.
What interviewers want to hear
That you name excessive agency, connect it to prompt injection, and constrain the agent with least-privilege tool scopes, human confirmation for irreversible actions, and audited, reversible permissions — rather than trusting good intentions or hiding UI.
Likely follow-ups
- Which specific actions would you gate behind human confirmation, and why those?
- How does excessive agency combine with prompt injection to cause real damage?
- What would you log so a bad autonomous action is reconstructable afterward?