OWASP LLM06 controls for AI agents
Map OWASP LLM06 excessive agency to AI agent policy, approval, and tool allowlists, argument constraints, and approval rules before execution.
Page audit
- Cited source ledger with May 27, 2026 access dates.
- Action-time policy, approval, and evidence model.
- Primary conversion path points to a demo; developer pages also point to install.
OWASP LLM06 excessive agency becomes operational for agents when it is connected to a protected action, a policy decision, and evidence a reviewer can inspect.
Evidence pattern
| Evidence item | Why it helps |
|---|---|
| Actor and tenant | Shows which human, agent, customer, or workspace the action belonged to. |
| Tool and arguments summary | Shows the actual side effect under review without storing unnecessary sensitive content. |
| Policy version | Shows which rule set was active at decision time. |
| Verdict and reviewer | Produces tool allowlists, argument constraints, and approval rules. |
Implementation note
Do not wait for a quarterly evidence scramble. Generate the action record at the same point that allows, denies, or pauses the action.
{
"actor_id": "agent_support_01",
"tool": "protected_action",
"policy_version": "policy_2026_05_27",
"verdict": "require_approval",
"reviewer": "risk_owner",
"recorded_at": "2026-05-27T12:00:00Z"
}Sources
FAQ
What should a team authorize before owasp llm06 excessive agency?⌄
Authorize the exact tool name, arguments, actor, tenant, environment, and review requirement before the side effect reaches the upstream system.
Why not rely on prompts for this?⌄
Prompts guide model behavior, but they do not reliably stop a tool dispatch. Runtime authorization sits after the model proposes an action and before the tool executes.
What evidence should the page produce?⌄
Keep a decision record with the actor, tool, arguments summary, policy version, verdict, reviewer when required, timestamp, and source system context.
Related paths
Govern the next agent action