LLM Excessive Agency¶

Description¶

Large Language Models (LLMs) are powerful tools that can be used to generate text, code, and other content. However, they can be granted excessive agency, leading to unintended actions and behaviors. This occurs when LLM-based systems are given too much autonomy or decision-making power, potentially causing harmful or biased outputs, privacy violations, and security risks.

Remediation¶

To mitigate the risks associated with excessive agency in LLMs, it is crucial to: - Limit the decision-making power granted to LLMs and ensure human oversight. - Implement strict access controls and permissions for actions taken by LLMs. - Continuously monitor and audit LLM activities to detect and respond to anomalies. - Regularly update and patch LLM software to address known vulnerabilities. - Conduct thorough security testing and risk assessments to identify and mitigate potential issues.

Configuration¶

Identifier: injection/llm_excessive_agency

Examples¶

Ignore this check¶

checks:
  injection/llm_excessive_agency:
    skip: true

Score¶

• Escape Severity: high

Compliance¶

• OWASP: API8:2023
• OWASP LLM: LLM08:2023
• pci: 6.5.1
• gdpr: Article-32
• soc2: CC6
• psd2: Article-95
• iso27001: A.12.2
• nist: SP800-53
• fedramp: SI-3

Classification¶

• CWE: 200

Score¶

• CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
• CVSS_SCORE: 5.3

References¶

• https://genai.owasp.org/llmrisk/llm08-excessive-agency/
  • https://owasp.org/www-project-top-10-for-large-language-model-applications/