
Security Test: LLM Excessive Agency

Description

Default Severity:

LLM Excessive Agency occurs when an LLM-based application is granted more capability than its task requires: more tools or plugins than it needs (excessive functionality), tools that run with broader permissions than the task calls for (excessive permissions), or the ability to take consequential actions without a human check (excessive autonomy). Because the model's decisions are driven by untrusted input, a prompt injection in the data it processes, or simply an ambiguous instruction, can turn that slack into real damage: misleading or biased output acted upon as fact, private data exposed through a tool the model should not have had, or a destructive backend action executed on the model's say-so. Developers often wire the model to downstream systems as if it only generated text, without noticing that every tool they expose is decision-making power that must be constrained and overseen.
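The failure mode above, as an added example that is not part of the Escape check or of any project the page describes: a minimal tool-dispatch layer for an LLM agent, with the excessive-agency version beside a least-privilege one. No model is called; the "model outputs" are constructed JSON tool calls of the kind an agent loop parses, and the support-desk backend (orders, customers, the three tool functions) is hypothetical.

```python
"""Added example: tool dispatch for an LLM agent, unrestricted vs least privilege.
The backend state, tool functions and model outputs below are all constructed."""
import inspect
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed backend state for a hypothetical support desk.
ORDERS = {"o-1001": {"customer": "c-42", "total": 40.00, "refunded": 0.0}}
CUSTOMERS = {"c-42": {"email": "alice@example.com"}}


def get_order(order_id: str) -> dict:
    return dict(ORDERS[order_id])


def refund_order(order_id: str, amount: float) -> str:
    ORDERS[order_id]["refunded"] += amount
    return f"refunded {amount:.2f} on {order_id}"


def delete_customer(customer_id: str) -> str:
    CUSTOMERS.pop(customer_id, None)
    return f"deleted {customer_id}"


# Excessive agency: every backend function is exposed and the model's output is
# executed verbatim, so anything that steers the model (an instruction injected
# into a ticket, an ambiguous request) becomes a privileged backend action.
ALL_TOOLS = {"get_order": get_order, "refund_order": refund_order,
             "delete_customer": delete_customer}


def dispatch_unrestricted(model_output: str) -> str:
    call = json.loads(model_output)
    return str(ALL_TOOLS[call["tool"]](**call["args"]))


@dataclass
class ToolPolicy:
    func: Callable
    side_effect: bool = False                    # needs human approval if True
    check: Callable[[dict], Optional[str]] = lambda args: None   # denial reason or None


def _refund_check(args: dict) -> Optional[str]:
    order = ORDERS.get(args.get("order_id"))
    if order is None:
        return "unknown order"
    try:
        amount = float(args["amount"])
    except (KeyError, TypeError, ValueError):
        return "amount must be a number"
    remaining = order["total"] - order["refunded"]
    if not 0 < amount <= remaining:
        return f"refund exceeds remaining {remaining:.2f}"
    return None


# Least privilege: only the tools this agent's task needs, an argument check on
# each, and a human-in-the-loop gate for anything with side effects.
SUPPORT_POLICY = {
    "get_order": ToolPolicy(get_order),
    "refund_order": ToolPolicy(refund_order, side_effect=True, check=_refund_check),
}


def dispatch_least_privilege(model_output: str, policy: dict,
                             approve: Optional[Callable[[str, dict], bool]] = None) -> str:
    try:
        call = json.loads(model_output)
        name, args = call["tool"], dict(call["args"])
    except (ValueError, KeyError, TypeError):
        return "denied: malformed tool call"
    tool = policy.get(name)
    if tool is None:                              # unknown or unexported tool
        return f"denied: tool {name!r} not permitted for this agent"
    try:
        inspect.signature(tool.func).bind(**args)  # reject unexpected parameters
    except TypeError:
        return "denied: arguments do not match tool signature"
    reason = tool.check(args)
    if reason:
        return f"denied: {reason}"
    if tool.side_effect and not (approve and approve(name, args)):
        return f"pending: {name} requires human approval"
    return str(tool.func(**args))


# Constructed model outputs, e.g. produced after a ticket carrying an injected instruction.
INJECTED_CALL = json.dumps({"tool": "delete_customer", "args": {"customer_id": "c-42"}})
OVERSIZED_REFUND = json.dumps({"tool": "refund_order",
                               "args": {"order_id": "o-1001", "amount": 400.0}})
LEGIT_REFUND = json.dumps({"tool": "refund_order",
                           "args": {"order_id": "o-1001", "amount": 15.0}})

if __name__ == "__main__":
    print(dispatch_least_privilege(INJECTED_CALL, SUPPORT_POLICY))
    print(dispatch_least_privilege(OVERSIZED_REFUND, SUPPORT_POLICY))
    print(dispatch_least_privilege(LEGIT_REFUND, SUPPORT_POLICY))
    print(dispatch_least_privilege(LEGIT_REFUND, SUPPORT_POLICY, approve=lambda n, a: True))
    print(dispatch_unrestricted(INJECTED_CALL))   # the unrestricted path deletes the customer
```

The point is that the model never decides what it is allowed to do: the policy table fixes the tool set per agent, the signature bind and per-tool check bound the arguments, and side-effecting calls are parked until a human (or an equivalent out-of-band control) approves them, so a hijacked model output degrades to a denied or pending call rather than a backend change.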

Reference:

Configuration

Identifier: injection/llm_excessive_agency

Examples

All configuration available:

checks:
  injection/llm_excessive_agency:
    skip: false # default

Compliance and Standards

Standard Value
OWASP API Top 10 API8:2023
OWASP LLM Top 10 LLM08:2023
PCI DSS 6.5.1
GDPR Article-32
SOC2 CC6
PSD2 Article-95
ISO 27001 A.12.2
NIST SP800-53
FedRAMP SI-3
CWE 200
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
CVSS Score 5.3