Kingdom: Environment

This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.

Excessive Agency

Abstract
Allowing an agent too much freedom without proper control or human validation can result in harmful actions such as unauthorized system changes, financial transactions, or sensitive data exposure, posing significant security threats.
Explanation
Excessive agency arises when an autonomous agent (such as an AI model or chatbot) is granted the ability to perform tasks, make decisions, or execute commands without sufficient restrictions, validation, or human oversight. This can lead to unintended consequences, including security risks, data leaks, or even malicious behavior.
When the agent has too much freedom, it can inadvertently interact with critical systems, perform high-risk actions, or expose sensitive data. The most severe consequences can occur when the agent is allowed to perform actions such as transferring money, modifying system configurations, or sending emails without requiring authorization or approval from an authorized user.

Example 1: An AI assistant is granted the ability to perform critical tasks and coordinate with a user proxy agent, but without robust checks or limited privileges, it can autonomously act on sensitive instructions:

# Imports for the AutoGen AgentChat API used below (autogen_agentchat / autogen_ext).
from autogen_agentchat.agents import AssistantAgent
from autogen_agentchat.conditions import TextMentionTermination
from autogen_agentchat.teams import RoundRobinGroupChat
from autogen_ext.models.openai import OpenAIChatCompletionClient

model_client = OpenAIChatCompletionClient(model="gpt-4")
assistant = AssistantAgent("assistant", model_client=model_client)

# Create the termination condition which ends the conversation when the user says "APPROVE".
# Note: the condition matches the text in any message in the conversation, not only the user's.
termination = TextMentionTermination("APPROVE")

# The team contains only the assistant: no human-in-the-loop agent reviews its actions.
team = RoundRobinGroupChat([assistant], termination_condition=termination)

# Run the conversation and stream to the console.
stream = team.run_stream(task="Perform critical task.")

By granting the AI assistant autonomy to “Perform critical task” with minimal oversight, the AI can potentially execute commands or manipulate data without human review. The termination condition is triggered only if the user explicitly mentions “APPROVE,” but otherwise the agent can continue to operate, posing a risk if its actions are not adequately monitored or constrained.
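The following is an added example of the mitigation side, not code from the Fortify description or from AutoGen: a policy gate that sits between an agent and the tools it may invoke. Tools absent from an explicit allowlist are denied, tools classed as high risk (money movement, configuration changes, outbound mail) execute only after a human records an approval for that exact call, and every decision is written to an audit trail. The tool names, risk classes and the `AgencyGate` / `ToolCall` types are constructed for illustration; the approval is bound to a hash of the tool and its arguments so that a generic "APPROVE" in chat text, or an approval for a different amount, cannot be reused.

```python
"""Tool-call policy gate for an autonomous agent (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum
import hashlib
import json


class Risk(Enum):
    LOW = "low"    # read-only, reversible actions
    HIGH = "high"  # money movement, config changes, outbound email


@dataclass
class ToolCall:
    tool: str
    args: dict

    def fingerprint(self) -> str:
        # Canonical JSON so the same call always produces the same digest.
        blob = json.dumps({"tool": self.tool, "args": self.args}, sort_keys=True)
        return hashlib.sha256(blob.encode()).hexdigest()


class PolicyViolation(Exception):
    pass


@dataclass
class AgencyGate:
    # Allowlist with a risk class per tool; anything absent is denied.
    registry: dict
    # Approvals are fingerprints of specific calls, recorded out of band by a
    # human approver (never parsed out of the agent's own chat output).
    approvals: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def approve(self, call: ToolCall, approver: str) -> None:
        self.approvals.add(call.fingerprint())
        self.audit.append(("approved", approver, call.tool))

    def authorize(self, call: ToolCall) -> str:
        risk = self.registry.get(call.tool)
        if risk is None:
            self.audit.append(("denied", "not_allowlisted", call.tool))
            raise PolicyViolation(f"tool {call.tool!r} is not allowlisted")
        if risk is Risk.HIGH:
            fp = call.fingerprint()
            if fp not in self.approvals:
                self.audit.append(("held", "awaiting_approval", call.tool))
                raise PolicyViolation(f"{call.tool!r} needs human approval")
            self.approvals.discard(fp)  # approvals are single-use
        self.audit.append(("executed", risk.value, call.tool))
        return f"ran {call.tool}"


def demo() -> dict:
    """Walk the gate through the cases a reviewer cares about."""
    gate = AgencyGate(registry={"search_docs": Risk.LOW, "transfer_funds": Risk.HIGH})
    results = {}
    # Low-risk, allowlisted tool runs without approval.
    results["low"] = gate.authorize(ToolCall("search_docs", {"q": "refund policy"}))
    # Tool not on the allowlist is denied outright.
    try:
        gate.authorize(ToolCall("delete_user", {"id": 7}))
    except PolicyViolation:
        results["unknown_tool"] = "denied"
    # High-risk tool is held until a human approves this exact call.
    wire = ToolCall("transfer_funds", {"to": "acct-123", "amount": 5000})
    try:
        gate.authorize(wire)
    except PolicyViolation:
        results["high_no_approval"] = "held"
    gate.approve(wire, approver="ops-oncall")
    results["high_approved"] = gate.authorize(wire)
    # The approval was single-use, so replaying the same call is held again.
    try:
        gate.authorize(wire)
    except PolicyViolation:
        results["replay"] = "held"
    # Approval is bound to the arguments: a changed amount does not inherit it.
    gate.approve(wire, approver="ops-oncall")
    try:
        gate.authorize(ToolCall("transfer_funds", {"to": "acct-123", "amount": 50000}))
    except PolicyViolation:
        results["tampered_args"] = "held"
    results["audit_len"] = len(gate.audit)
    return results


if __name__ == "__main__":
    print(demo())
```

In an AutoGen deployment the `authorize` call would wrap each registered tool function, so the model can propose any action it likes but only allowlisted, approved actions reach real systems; the audit list is what a SOC would forward to its logging pipeline to detect an agent repeatedly hitting the approval gate.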
References
[1] OWASP Top 10 for Large Language Model Applications OWASP
[2] UserProxyAgent Microsoft
[3] Standards Mapping - Common Weakness Enumeration CWE ID 285
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-7 Least Functionality (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-7 Least Functionality
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[11] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[12] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[19] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II