OWASP_LLM_TOP10 LLM06:2025 (Excessive Agency) · voice-validated
AL, Founder at SQUR · last verified 2026-06-20
Regulation text
Excessive agency arises when an LLM-based system is granted excessive functionality, permissions, or autonomy. Damaging actions can then occur in response to unexpected or ambiguous output from the LLM, regardless of the root cause. This includes over-permissive tools/plugins, autonomous action without human confirmation for high-impact operations, and a lack of fine-grained authorisation on agent-callable functions.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1059.004 | LLM with excessive agency can execute arbitrary Unix shell commands, leading to system compromise. This directly exploits over-permissive tool access, as described in LLM06:2025. | 90% |
| T1059.003 | LLM with excessive agency can execute arbitrary Windows command shell commands, enabling system control. This stems from insufficient authorization for agent-callable functions, as per LLM06:2025. | 90% |
| T1059.001 | LLM with excessive agency can execute arbitrary PowerShell commands, facilitating system manipulation. This is due to over-permissive tools or plugins, a key concern in LLM06:2025. | 90% |
| T1485 | LLM with excessive agency can delete critical data, causing irreversible damage. Autonomous action without human confirmation enables this impact, as highlighted in LLM06:2025. | 80% |
| T1490 | LLM with excessive agency can inhibit system recovery by deleting backups or shadow copies. Lack of fine-grained authorization allows such destructive actions, as per LLM06:2025. | 80% |
| T1486 | LLM with excessive agency can encrypt data for impact, leading to data unavailability. Over-permissive tools enable this ransomware-like behavior, a risk identified in LLM06:2025. | 70% |
| T1531 | LLM with excessive agency can remove user accounts, disrupting operations and access. Autonomous action without human confirmation facilitates this, as described in LLM06:2025. | 70% |
| T1068 | LLM with excessive agency can exploit system vulnerabilities to escalate privileges. Over-permissive functionality allows the LLM to attempt such exploits, as per LLM06:2025. | 70% |
| T1562 | LLM with excessive agency can impair defenses by disabling security software. Lack of fine-grained authorization on agent-callable functions enables this, as noted in LLM06:2025. | 80% |
| T1070.004 | LLM with excessive agency can delete logs and other indicators, hindering incident response. Over-permissive tools allow for defense evasion, a concern in LLM06:2025. | 70% |
| T1005 | LLM with excessive agency can collect sensitive data from local systems. This is a direct consequence of over-permissive access to system resources, as per LLM06:2025. | 80% |
| T1039 | LLM with excessive agency can collect sensitive data from network shared drives. Lack of fine-grained authorization allows unauthorized network access, as described in LLM06:2025. | 70% |
| T1071.001 | LLM with excessive agency can establish command and control via web protocols. Over-permissive tools enable unauthorized external communication, a risk in LLM06:2025. | 70% |
| T1133 | LLM with excessive agency can provision external remote services, creating new access points. Autonomous action without human confirmation facilitates this, as per LLM06:2025. | 60% |
| T1547.001 | LLM with excessive agency can establish persistence by modifying autostart mechanisms. Over-permissive functionality allows for long-term unauthorized access, as noted in LLM06:2025. | 60% |
Defending mitigations · 6
| Mitigation | What it does | Confidence |
|---|---|---|
| M1038 | Implement least privilege for LLM agents, ensuring they operate with the minimal necessary permissions. This directly counters excessive functionality and autonomy, as per LLM06:2025. | 90% |
| M1026 | Strictly control privileged access granted to LLM agents, preventing unauthorized high-impact operations. This addresses over-permissive tools and lack of fine-grained authorization, as per LLM06:2025. | 90% |
| M1030 | Isolate LLM environments and restrict network access to limit potential damage. This reduces the scope of excessive agency, as described in LLM06:2025. | 80% |
| M1018 | Implement mandatory human review and confirmation for all high-impact actions initiated by the LLM. This prevents autonomous action without human oversight, as highlighted in LLM06:2025. | 90% |
| M1040 | Monitor and block unauthorized or anomalous LLM actions in real time. This prevents damaging actions arising from unexpected LLM outputs, as noted in LLM06:2025. | 80% |
| M1047 | Log all LLM actions and tool usage for accountability and detection of excessive agency. This provides crucial audit trails for post-incident analysis, as per LLM06:2025. | 80% |
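One way to enforce the least-privilege, human-confirmation and audit mitigations above at the agent's tool boundary, as an added example that is not SQUR's or OWASP's code; the tool names, scopes and the confirm() callback are assumptions for illustration:

```python
# Added example (not SQUR's or OWASP's code): a minimal tool gateway that applies
# the LLM06:2025 mitigations to an LLM agent's function calls. Names are assumed.
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Tool:
    name: str
    scope: str                 # permission an agent must hold to call this tool
    high_impact: bool          # destructive/irreversible: needs human confirmation
    fn: Callable[..., str]


@dataclass
class ToolGateway:
    tools: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def register(self, tool: Tool) -> None:
        self.tools[tool.name] = tool

    def dispatch(self, agent_scopes: set, name: str, args: dict, confirm) -> str:
        """Run a model-requested call only if every check passes; log all outcomes."""
        tool = self.tools.get(name)
        if tool is None:                       # only registered functions are callable
            return self._log(name, args, "denied: unregistered tool")
        if tool.scope not in agent_scopes:     # least privilege, per function
            return self._log(name, args, f"denied: missing scope {tool.scope}")
        if tool.high_impact and not confirm(name, args):   # human in the loop
            return self._log(name, args, "denied: human confirmation refused")
        return self._log(name, args, "allowed: " + tool.fn(**args))

    def _log(self, name: str, args: dict, outcome: str) -> str:
        self.audit_log.append({"tool": name, "args": args, "outcome": outcome})
        return outcome


def demo() -> tuple:
    """Constructed scenario: a support agent that holds only a read scope."""
    gw = ToolGateway()
    gw.register(Tool("read_ticket", "tickets:read", False, lambda ticket_id: f"ticket {ticket_id} body"))
    gw.register(Tool("delete_customer", "customers:write", True, lambda customer_id: f"deleted {customer_id}"))
    reader, admin = {"tickets:read"}, {"tickets:read", "customers:write"}
    approve, refuse = (lambda n, a: True), (lambda n, a: False)
    results = [
        gw.dispatch(reader, "read_ticket", {"ticket_id": 42}, approve),
        gw.dispatch(reader, "delete_customer", {"customer_id": 7}, approve),   # no scope
        gw.dispatch(admin, "delete_customer", {"customer_id": 7}, refuse),    # human says no
        gw.dispatch(admin, "run_shell", {"cmd": "ls"}, approve),              # never registered
    ]
    return results, gw.audit_log
```

The audit log keeps every denied request as well as every allowed one, which is what M1040/M1047-style monitoring needs to spot an agent repeatedly reaching for tools it was never granted.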
Underlying weaknesses · 6
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-269 | Improper privilege management directly leads to excessive agency, allowing LLMs to perform unauthorized actions. This is central to the issue described in LLM06:2025. | 90% |
| CWE-284 | Improper access control results in a lack of fine-grained authorization for LLM agent-callable functions. This enables over-permissive tool usage, as per LLM06:2025. | 90% |
| CWE-862 | Missing authorization allows LLMs to execute actions without the necessary checks, facilitating autonomous high-impact operations. This is a core aspect of excessive agency, as highlighted in LLM06:2025. | 80% |
| CWE-732 | Incorrect permission assignment for critical resources means tools or functions have excessive power when used by an LLM. This enables over-permissive tools, as described in LLM06:2025. | 80% |
| CWE-250 | Execution with unnecessary privileges allows LLM agents to operate with more power than required, directly contributing to excessive agency. This is a key concern in LLM06:2025. | 80% |
| CWE-668 | Exposure of resources to the wrong sphere makes sensitive tools or functions accessible to the LLM without proper isolation. This enables over-permissive tools/plugins, as noted in LLM06:2025. | 70% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0190 compute · voice-rubric self-validated