
Key facts.
- OWASP Excessive Agency covers excess function, permission, or autonomy at any layer of the agent stack (OWASP, 2025).
- Replit added automatic dev and prod separation after its incident, least privilege enforced at the resource layer (The Register).
- Deny-by-default at each layer means an action is impossible unless explicitly allowed, the opposite of an agent that can do anything its tools expose.
Why isn't scoping the agent enough?
Because a narrowly-scoped agent holding a broadly-capable tool still inherits the tool's reach. Give a customer-support agent a database tool that can run any query, and you have scoped the agent but not the action. Real least privilege tightens all three: the agent only has the tools it needs, each tool only exposes the actions it needs, and each action only touches the resources it needs. Deny-by-default at every layer makes the catastrophic action not just discouraged but impossible.

Single-layer vs. three-layer least privilege
| Single-layer | Three-layer |
|---|---|
| Agent scoped, tools broad | Agent, tool, and action all scoped |
| A broad tool re-opens the risk | Deny-by-default at every layer |
| Excessive agency persists | Catastrophic action is impossible |
OWASP names Excessive Agency because too much permission at one layer is enough; a stronger model won't fix it: 57 on WildToolBench, none past 15%. (OWASP, 2025)
VibeModel's Pattern Intelligence Layer watches across all three layers and flags when an agent reaches for a tool or action outside its allow-listed pattern, so a gap at any layer is caught. You enforce deny-by-default at agent, tool, and action; we catch the moment something tries to exceed it. Least privilege is only as strong as its weakest layer, so tighten all three.
Frequently asked questions
Which layer is most often missed?
The action layer. Teams scope agents and tools but expose tools that can do far more than the task needs. Lock the actions too.
Is deny-by-default too restrictive?
No. It is the secure default. Start from nothing allowed and add exactly what the task requires, rather than removing dangers one at a time.

