Skip to main content
Sign in →

Excessive Agency Detection

Detect when AI agents operate beyond their intended scope — addressing OWASP MCP Top 10 #7 (Excessive Agency).

What Is Excessive Agency?

An AI agent exhibits excessive agency when it takes autonomous actions that go beyond what was intended or authorised. OWASP's MCP Top 10 identifies this as one of the primary risks in agentic systems: an agent that can call too many tools, chain too many calls without human oversight, or act across a wider surface area than needed is a significant security and operational risk.

ShieldAgent detects excessive agency by tracking two behavioral signals per session: how many tool calls the agent has made consecutively without a human checkpoint (call-chain depth), and what fraction of the available tools the agent has used (tool breadth).

Detection Patterns

Call Chain Depth Exceededhigh severity

Counts the number of consecutive tool calls in a session without a human checkpoint. A checkpoint resets the counter — this occurs when a human message or explicit reset signal is received. When the count exceeds the configured chain depth threshold, the agent is flagged.

Long autonomous chains without human oversight are a hallmark of agents that are either misconfigured or have been manipulated into running more steps than intended.

Tool Breadth Exceededmedium severity

Measures what fraction of the total registered tools the agent has invoked in the current session. When the ratio exceeds the configured tool breadth threshold, the agent is flagged.

A task-focused agent should use a small, predictable subset of tools. Sweeping tool access — especially to tools outside the agent's normal role — indicates scope creep or a compromised agent exploring its environment.

Agency Score (0–100)

Every tools/call produces an agency score for the current session. Agency scoring analyzes call chain depth and tool usage breadth to detect agents operating beyond their intended scope. Thresholds are configurable per tenant.

A score of 0 means the agent is operating normally within all thresholds. A score of 100 means both thresholds are fully exceeded. The score feeds into the agent's Risk Scoring Model and is included in every audit event.

Session Tracking

Session state tracks consecutive tool call depth, the set of distinct tools invoked, and activity timestamps for TTL management.

Session TTL

Sessions that have been idle for longer than the configured idle timeout are automatically expired. A new session starts fresh with depth 0 and an empty tool set on the next call.

Human Checkpoints

When a human message is received (or an explicit reset signal), the call-chain depth is reset to 0 for that session. The tool breadth (distinct tools used) is not reset — it accumulates for the full session lifetime to track cumulative scope creep.

Shadow vs Enforce Mode

The detector operates in one of two modes per tenant:

ModeshouldBlockBehavior
shadow (default)always falseDetections are logged to the audit trail but never block the call. Use to observe patterns before committing to enforcement.
enforcetrue when detectedWhen a threshold is exceeded, the tool call is rejected and the agent receives an error. The pipeline honours shouldBlock: true.
Recommended: Recommended: Run in shadow mode first to calibrate thresholds against your agents' actual usage patterns. Switch to enforce mode once you are confident the thresholds reflect intentional behavior, not false positives.

Configuration

ParameterDefaultDescription
Call chain depth limitConsecutive tool calls without human checkpoint before flagging
Tool breadth limitFraction (0–1) of registered tools that can be used before flagging
Session idle timeoutSession idle timeout in milliseconds
modeshadow"shadow" or "enforce" — whether detections block calls

Example — tighten thresholds for a high-risk agent

bash
curl -s -X PATCH https://api.shieldagent.io/tenants/:tenantId/agents/:agentId \
  -H 'Authorization: Bearer <token>' \
  -H 'Content-Type: application/json' \
  -d '{
    "excessiveAgencyConfig": {
      "mode": "enforce"
    }
  }'

API Reference

GET/tenants/:tenantId/audit-events?threatType=excessive_agencyList excessive agency events
GET/tenants/:tenantId/agents/:agentId/riskAgent risk score — includes agencyScore from latest session
POST/tenants/:tenantId/agents/:agentId/sessions/:sessionId/resetManually reset call-chain depth (human checkpoint)
DELETE/tenants/:tenantId/agents/:agentId/sessions/:sessionIdRemove a session entirely (on disconnect)

Audit event shape (excessive agency)

json
{
  "id": "ae_...",
  "agentId": "...",
  "toolName": "bash",
  "outcome": "blocked",
  "threatType": "excessive_agency",
  "findings": [
    {
      "severity": "high",
      "detail": "Agent has exceeded the configured consecutive call-chain depth limit"
    }
  ],
  "createdAt": "2026-04-24T11:47:00.000Z"
}
Excessive Agency Detection