Excessive Agency Detection

Detect when AI agents operate beyond their intended scope — addressing OWASP MCP Top 10 #7 (Excessive Agency).

What Is Excessive Agency?

An AI agent exhibits excessive agency when it takes autonomous actions that go beyond what was intended or authorised. OWASP's MCP Top 10 identifies this as one of the primary risks in agentic systems: an agent that can call too many tools, chain too many calls without human oversight, or act across a wider surface area than needed is a significant security and operational risk.

ShieldAgent detects excessive agency by tracking two behavioral signals per session: how many tool calls the agent has made consecutively without a human checkpoint (call-chain depth), and what fraction of the available tools the agent has used (tool breadth).

Detection Patterns

Call Chain Depth Exceededhigh severity

Counts the number of consecutive tool calls in a session without a human checkpoint. A checkpoint resets the counter — this occurs when a human message or explicit reset signal is received. When the count exceeds the configured chain depth threshold, the agent is flagged.

Long autonomous chains without human oversight are a hallmark of agents that are either misconfigured or have been manipulated into running more steps than intended.

Tool Breadth Exceededmedium severity

Measures what fraction of the total registered tools the agent has invoked in the current session. When the ratio exceeds the configured tool breadth threshold, the agent is flagged.

A task-focused agent should use a small, predictable subset of tools. Sweeping tool access — especially to tools outside the agent's normal role — is a hallmark of excessive agency: the agent operating beyond its intended permissions or having been manipulated into exploring its environment.

Agency Score (0–100)

Every tools/call produces an agency score for the current session. Agency scoring analyzes call chain depth and tool usage breadth to detect agents operating beyond their intended scope. Thresholds are configurable per tenant. A score of 0 means normal operation; a score of 100 means both thresholds are fully exceeded. The score feeds into the agent's Risk Scoring model and is included in every audit event.

Session Tracking

Each unique combination of tenant, agent, and connection ID forms a session. The detector tracks state per session:

Session state tracks consecutive tool call depth, the set of distinct tools invoked, and activity timestamps for TTL management.

Session TTL

Sessions that have been idle for longer than the configured session idle timeout are automatically expired. A new session starts fresh with depth 0 and an empty tool set on the next call.

Human Checkpoints

When a human message is received (or an explicit reset signal), the call-chain depth is reset to 0 for that session. The tool breadth (distinct tools used) is not reset — it accumulates for the full session lifetime to track cumulative scope creep.

Shadow vs Enforce Mode

The detector operates in one of two modes per tenant:

Mode	shouldBlock	Behavior
shadow (default)	always false	Detections are logged to the audit trail but never block the call. Use to observe patterns before committing to enforcement.
enforce	true when detected	When a threshold is exceeded, the tool call is rejected and the agent receives an error. The pipeline honours shouldBlock: true.

Recommended: Run in shadow mode first to calibrate thresholds against your agents' actual usage patterns. Switch to enforce mode once you are confident the thresholds reflect intentional behavior, not false positives.

Configuration

Parameter	Default	Description
Call chain depth limit	—	Consecutive tool calls without human checkpoint before flagging
Tool breadth limit	—	Fraction of registered tools that can be used before flagging
Session idle timeout	—	Duration of inactivity before a session is expired
mode	shadow	"shadow" or "enforce" — whether detections block calls

Example — tighten thresholds for a high-risk agent

bash

curl -s -X PATCH https://api.shieldagent.io/tenants/:tenantId/agents/:agentId \
  -H 'Authorization: Bearer <token>' \
  -H 'Content-Type: application/json' \
  -d '{
    "excessiveAgencyConfig": {
      "mode": "enforce"
    }
  }'

API Reference

GET/tenants/:tenantId/audit-events?threatType=excessive_agency—List excessive agency events

GET/tenants/:tenantId/agents/:agentId/risk—Agent risk score — includes agencyScore from latest session

POST/tenants/:tenantId/agents/:agentId/sessions/:sessionId/reset—Manually reset call-chain depth (human checkpoint)

DELETE/tenants/:tenantId/agents/:agentId/sessions/:sessionId—Remove a session entirely (on disconnect)

Audit event shape (excessive agency)

json

{
  "id": "ae_...",
  "agentId": "...",
  "toolName": "bash",
  "outcome": "blocked",
  "threatType": "excessive_agency",
  "findings": [
    {
      "severity": "high",
      "detail": "Agent has exceeded the configured consecutive call-chain depth limit"
    }
  ],
  "createdAt": "2026-04-24T11:47:00.000Z"
}