What is a Confused Deputy Attack?

The confused deputy problem is a classic security concept: a program with elevated privileges is tricked into misusing those privileges on behalf of an unauthorised party. AI agents are the quintessential confused deputy — they have broad tool access, they follow instructions, and they can be manipulated through their context.

In the MCP ecosystem, the agent holds credentials for multiple servers and tools. It's authorised to read databases, send messages, modify files, and call APIs. An attacker who can influence the agent's context — through tool poisoning, indirect injection, or a malicious server — can redirect these privileges toward harmful actions. The agent performs the actions using its own legitimate credentials, making attribution difficult.

The attack is especially potent because AI agents lack the human intuition to question suspicious requests in context. A human administrator might pause before deleting a production database because an email told them to. An agent processes the instruction, verifies it has the required tool access, and executes — all in milliseconds.

Every other attack vector in this glossary ultimately aims to create a confused deputy scenario. Tool poisoning, context poisoning, indirect injection — they're all techniques to manipulate the deputy. The confused deputy is the end state where the agent's own privileges become the weapon.

Intercept directly addresses the confused deputy problem by separating authorisation from execution. The agent may be confused about its intent, but Intercept's YAML policies enforce ground-truth rules on what actions are permitted. Destructive operations require explicit policy allowance, argument validation constrains parameters to safe ranges, and tool denylists prevent access to dangerous operations regardless of the agent's reasoning. The deputy may be confused, but the policy layer is not.