Range Scenario · crucible · 35 min
Excessive Agency: Autonomous Agent Acts Without Authorization
This cybersecurity training scenario simulates a live incident. An autonomous AI account-management agent emailed customers, soft-deleted records, and called an external billing API without explicit human approval. Trace the failure, then design the human-in-loop architecture that prevents it.
Scenario briefing
You are a cybersecurity engineer reviewing the launch of an autonomous account-management agent at Example SaaS Co. The agent is supposed to read support tickets and propose actions for human approval. In testing this week, the agent emailed 12 customers, soft-deleted 4 records, and called a third-party billing API 4 times, all without human approval.
Review the architecture, identify the missing human-in-loop gates, design the constraints that prevent recurrence.
This scenario tests OWASP LLM06:2025 Excessive Agency, the design of autonomy constraints, and the discipline of treating agency as a power that must be earned per action. Sources: OWASP Top 10 for LLM Applications (2025), NIST AI RMF Generative AI Profile, Shlegeris et al. 2024 'Untrusted Smart Models and Trusted Dumb Models'.
What you will practice
- Identify the three sub-types of excessive agency: excessive functionality, excessive permissions, excessive autonomy
- Design human-in-loop gates per action class
- Apply tool-functionality scoping to limit blast radius
- Write an autonomy contract for an agent feature
How this scenario is scored
The scenario has 6 ordered steps. Most steps are exact-match (a MITRE ATT&CK technique ID, a tool name, or a yes/no decision) or multiple choice. Free-text steps are queued for manual review and do not count toward the automatically computed final score in the MVP.
Each step is worth up to 100 points. Each hint has a point cost that is shown before you reveal it and is deducted from that step's score. Your final score is the sum across steps. Range Elo updates on completion based on scenario difficulty (Advanced) and your final score percentage.
Frequently asked questions
What are the three sub-types of excessive agency?
OWASP names three: excessive functionality (the agent has tools beyond its actual job), excessive permissions (the tools have permissions beyond what is needed), and excessive autonomy (the agent acts without human approval where approval is warranted). Each sub-type has distinct mitigations.
What is human-in-loop versus human-on-loop?
Human-in-loop requires explicit human approval before each gated action. Human-on-loop lets the agent act first and a human review afterwards, with the option to roll back. The right choice depends on the action's reversibility and impact: sending an email is hard to reverse, a soft-delete is easy. Match the gate to the cost of being wrong.
How do you write an autonomy contract?
An autonomy contract spells out which actions the agent may take autonomously (low-impact, reversible), which require human approval (medium-impact), and which are outright forbidden (high-impact, irreversible). Anything not listed is a tool the agent simply does not get. It also names a kill switch, an audit-log review cadence, and a rollback runbook, and it is reviewed at every release.
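As an added example (not part of the scenario or of DecipherU's materials), the contract described in the answers above, expressed as an enforceable policy table sitting between the agent and its tools. The tool names, the rule table, the in-memory record store, and the `approver` and `kill_switch` callbacks are all constructed for illustration; the gate classes follow the contract shape in the text (autonomous, requires approval, forbidden), and anything absent from the table is not exposed to the agent at all, which is the functionality-scoping point from the first answer.

```python
"""Autonomy contract for a support agent, enforced as a gate in front of every tool call.

Constructed example. Tool names, the rule table, the record store and the approver
callback are illustrative; the gate model follows the contract in the text.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Any, Callable, Dict, List, Optional


class Gate(Enum):
    AUTONOMOUS = "autonomous"       # human-on-loop: act now, log it, keep an undo handle
    APPROVAL = "requires_approval"  # human-in-loop: block until a human says yes
    FORBIDDEN = "forbidden"         # never callable, however the model argues for it


@dataclass(frozen=True)
class Rule:
    gate: Gate
    rationale: str  # kept next to the rule so the contract is reviewable each release


# The autonomy contract. A tool missing from this table does not exist for the agent.
CONTRACT: Dict[str, Rule] = {
    "add_internal_note": Rule(Gate.AUTONOMOUS, "internal only, editable, low impact"),
    "soft_delete_record": Rule(Gate.AUTONOMOUS, "reversible via undo, reviewed on-loop"),
    "send_customer_email": Rule(Gate.APPROVAL, "customer-visible and cannot be unsent"),
    "charge_billing_api": Rule(Gate.FORBIDDEN, "moves money, irreversible"),
}


@dataclass
class AuditEntry:
    tool: str
    args: Dict[str, Any]
    outcome: str            # "executed" | "denied" | "blocked"
    reason: str
    undo: Optional[Callable[[], None]] = None
    rolled_back: bool = False


class AgentGateway:
    """The only path from the agent to a side effect; the model never holds tool handles."""

    def __init__(self, executors, approver, kill_switch):
        self.executors = executors      # tool name -> callable returning (result, undo)
        self.approver = approver        # (tool, args) -> bool; a blocking human decision
        self.kill_switch = kill_switch  # () -> bool; True halts every action
        self.audit: List[AuditEntry] = []

    def exposed_tools(self) -> List[str]:
        """Functionality scoping: advertise only tools the contract lets the agent call."""
        return sorted(t for t, r in CONTRACT.items() if r.gate is not Gate.FORBIDDEN)

    def request(self, tool: str, **args) -> AuditEntry:
        if self.kill_switch():
            return self._record(tool, args, "blocked", "kill switch engaged")
        rule = CONTRACT.get(tool)
        if rule is None:
            return self._record(tool, args, "denied", "tool not in contract")
        if rule.gate is Gate.FORBIDDEN:
            return self._record(tool, args, "denied", rule.rationale)
        if rule.gate is Gate.APPROVAL and not self.approver(tool, args):
            return self._record(tool, args, "denied", "human approval not granted")
        _result, undo = self.executors[tool](**args)
        return self._record(tool, args, "executed", rule.gate.value, undo)

    def rollback(self, entry: AuditEntry) -> bool:
        """Rollback-runbook hook used during on-loop review of autonomous actions."""
        if entry.undo is None or entry.rolled_back:
            return False
        entry.undo()
        entry.rolled_back = True
        return True

    def _record(self, tool, args, outcome, reason, undo=None) -> AuditEntry:
        entry = AuditEntry(tool, dict(args), outcome, reason, undo)
        self.audit.append(entry)
        return entry


# Constructed backing store and executors; each executor returns (result, undo-or-None).
RECORDS: Dict[str, Dict[str, bool]] = {}
SENT_EMAILS: List[str] = []


def soft_delete_record(record_id: str):
    RECORDS[record_id]["deleted"] = True
    def undo():
        RECORDS[record_id]["deleted"] = False
    return None, undo


def send_customer_email(to: str, body: str):
    SENT_EMAILS.append(to)
    return None, None  # no undo exists, which is exactly why it sits behind approval


def add_internal_note(text: str):
    return None, None


EXECUTORS = {
    "add_internal_note": add_internal_note,
    "soft_delete_record": soft_delete_record,
    "send_customer_email": send_customer_email,
}


def replay_incident(approver, kill_switch=lambda: False) -> AgentGateway:
    """Push the briefing's action mix (12 emails, 4 soft-deletes, 4 billing calls,
    plus one tool the agent was never given) through the gate and return the gateway."""
    RECORDS.clear()
    RECORDS.update({rid: {"deleted": False} for rid in ("r1", "r2", "r3", "r4")})
    SENT_EMAILS.clear()
    gw = AgentGateway(EXECUTORS, approver, kill_switch)
    actions = (
        [("send_customer_email", {"to": f"c{i}@example.com", "body": "hi"}) for i in range(12)]
        + [("soft_delete_record", {"record_id": rid}) for rid in ("r1", "r2", "r3", "r4")]
        + [("charge_billing_api", {"amount": 10})] * 4
        + [("hard_delete_record", {"record_id": "r1"})]
    )
    for tool, args in actions:
        gw.request(tool, **args)
    return gw


def outcome_counts(gw: AgentGateway) -> Dict[str, int]:
    counts = {"executed": 0, "denied": 0, "blocked": 0}
    for entry in gw.audit:
        counts[entry.outcome] += 1
    return counts
```

With a human who denies everything, the replay executes only the four reversible soft-deletes (each with an undo handle for on-loop review) and refuses the rest; the billing calls are refused even when the human approves everything, because FORBIDDEN never consults the approver, and engaging the kill switch blocks all 21 requests before any rule is evaluated. The audit log is the artefact the review cadence in the contract is meant to read.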
Course content is for educational purposes only and does not constitute professional advice. All claims are supported by cited peer-reviewed academic research. DecipherU does not teach or reproduce any proprietary sales methodology. Verify all referenced sources independently.