Excessive Agency Detection
Detect when AI agents operate beyond their intended scope — addressing OWASP MCP Top 10 #7 (Excessive Agency).
What Is Excessive Agency?
An AI agent exhibits excessive agency when it takes autonomous actions that go beyond what was intended or authorised. OWASP's MCP Top 10 identifies this as one of the primary risks in agentic systems: an agent that can call too many tools, chain too many calls without human oversight, or act across a wider surface area than needed is a significant security and operational risk.
ShieldAgent detects excessive agency by tracking two behavioral signals per session: how many tool calls the agent has made consecutively without a human checkpoint (call-chain depth), and what fraction of the available tools the agent has used (tool breadth).
Detection Patterns
Counts the number of consecutive tool calls in a session without a human checkpoint. A checkpoint resets the counter — this occurs when a human message or explicit reset signal is received. When the count exceeds the configured chain depth threshold, the agent is flagged.
Long autonomous chains without human oversight are a hallmark of agents that are either misconfigured or have been manipulated into running more steps than intended.
Measures what fraction of the total registered tools the agent has invoked in the current session. When the ratio exceeds the configured tool breadth threshold, the agent is flagged.
A task-focused agent should use a small, predictable subset of tools. Sweeping tool access — especially to tools outside the agent's normal role — indicates scope creep or a compromised agent exploring its environment.
Agency Score (0–100)
Every tools/call produces an agency score for the current session. Agency scoring analyzes call chain depth and tool usage breadth to detect agents operating beyond their intended scope. Thresholds are configurable per tenant.
A score of 0 means the agent is operating normally within all thresholds. A score of 100 means both thresholds are fully exceeded. The score feeds into the agent's Risk Scoring Model and is included in every audit event.
Session Tracking
The detector monitors call-chain depth and the set of distinct tools used across each session.
Session Lifecycle
Sessions are automatically managed. Idle sessions expire on their own, and new sessions start with a clean slate.
Human Checkpoints
When a human intervenes in the conversation (or an explicit reset signal is sent), the call-chain depth counter resets for that session. The tool breadth continues to accumulate for the full session to track cumulative scope creep.
Shadow vs Enforce Mode
The detector operates in one of two modes per tenant:
| Mode | shouldBlock | Behavior |
|---|---|---|
| shadow (default) | always false | Detections are logged to the audit trail but never block the call. Use to observe patterns before committing to enforcement. |
| enforce | true when detected | When a threshold is exceeded, the tool call is rejected and the agent receives an error. The pipeline honours shouldBlock: true. |
Configuration
| Parameter | Default | Description |
|---|---|---|
| Call chain depth limit | — | Consecutive tool calls without human checkpoint before flagging |
| Tool breadth limit | — | Fraction (0–1) of registered tools that can be used before flagging |
| Session idle timeout | — | Session idle timeout in milliseconds |
| mode | shadow | "shadow" or "enforce" — whether detections block calls |
Example — tighten thresholds for a high-risk agent
// Tighten excessive agency thresholds for a high-risk agent
await client.agents.update(agentId, {
excessiveAgencyConfig: {
mode: 'enforce',
},
});API Reference
Audit event shape (excessive agency)
{
"id": "ae_...",
"agentId": "...",
"toolName": "bash",
"outcome": "blocked",
"threatType": "excessive_agency",
"findings": [
{
"severity": "high",
"detail": "Agent has exceeded the configured consecutive call-chain depth limit"
}
],
"createdAt": "2026-04-24T11:47:00.000Z"
}