What is Excessive Agency?


Excessive agency is the condition in which an AI agent holds more tool access, permissions, or autonomy than its task requires. It is a core vulnerability because it amplifies the impact of any other exploit: whatever an attacker can trick the agent into doing, the agent is already permitted to do.

WHY IT MATTERS

Excessive agency is not an attack — it's the vulnerability that makes attacks devastating. An agent that only has read access to a single database table has a limited blast radius even if fully compromised. An agent with read-write access to every database, file system, API, and communication tool is a catastrophe waiting for a trigger.

The problem is systemic. MCP servers expose all their tools to connected clients by default. Developers add servers for convenience without scoping permissions. Agent configurations accumulate tools over time as new servers are connected but old ones are never removed. The result is agents with far more capability than any single task requires.

Excessive agency violates the principle of least privilege, which security engineering has recognised as fundamental for decades. But applying least privilege to AI agents is harder than applying it to traditional software. Agents are designed to be general-purpose — their value comes from flexibility. Restricting them feels like reducing their usefulness.

This tension — flexibility vs safety — is the core design challenge. The solution isn't to make agents less capable but to enforce boundaries that constrain how those capabilities are used. An agent can have access to 50 tools but be restricted to using 5 for a given task, with argument constraints on each.

HOW POLICYLAYER USES THIS

Intercept is purpose-built to address excessive agency. YAML policies define exactly which tools an agent can use, with what arguments, at what rate, and for what purposes. Tool allowlists restrict access to only the tools required for the current task. Argument validation constrains parameters to safe ranges. Rate limiting prevents bulk operations. This is least privilege enforcement at the tool call layer — the agent retains its full capability set, but Intercept ensures only the authorised subset is available for any given context.
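The following is an added, illustrative JavaScript example of the kind of enforcement the two paragraphs above describe: a fail-closed tool allowlist, per-argument constraints and a per-tool rate limit applied to MCP `tools/call` requests. It is not Intercept's code and does not use Intercept's YAML schema; the policy object shape, the constraint names (`prefix`, `pattern`, `maxLength`, `rate`), the tool names and the sample requests are all assumptions made for this example.

```javascript
// Added illustrative example of least-privilege enforcement at the tool-call
// layer. This is NOT Intercept's code or its YAML policy schema: the policy
// object shape, constraint names, tool names and sample requests are constructed.

// Policy for one task context. Tools not listed are denied (fail closed), and
// every permitted tool enumerates the arguments it accepts; in this example all
// listed arguments are required.
const taskPolicy = {
  allow: {
    // Read-only file access, confined to one directory tree.
    read_file: {
      args: { path: { prefix: "/srv/app/docs/" } },
    },
    // Database queries: a single SELECT, no stacked statements, 20 per minute.
    query_db: {
      args: { sql: { pattern: /^\s*SELECT\b[^;]*;?\s*$/i } },
      rate: { max: 20, perMs: 60_000 },
    },
    // Outbound mail: one internal domain only, short bodies, at most 2 per minute.
    send_email: {
      args: {
        to: { pattern: /^[^@\s]+@example\.com$/ },
        body: { maxLength: 2000 },
      },
      rate: { max: 2, perMs: 60_000 },
    },
  },
};

// Check one argument value against its constraint. Missing or non-string
// values fail: the policy only permits what it can inspect.
function argAllowed(value, rule) {
  if (typeof value !== "string") return false;
  if (rule.prefix !== undefined) {
    // Reject ".." segments so "/srv/app/docs/../secrets" cannot escape the prefix.
    if (value.split("/").includes("..")) return false;
    if (!value.startsWith(rule.prefix)) return false;
  }
  if (rule.pattern && !rule.pattern.test(value)) return false;
  if (rule.maxLength !== undefined && value.length > rule.maxLength) return false;
  return true;
}

// Build an enforcer bound to one policy. It keeps its own sliding-window
// counters so independent contexts (sessions, tasks) do not share budgets.
function createEnforcer(policy) {
  const recentCalls = new Map(); // tool name -> timestamps of allowed calls

  function withinRate(tool, rate, now) {
    if (!rate) return true;
    const recent = (recentCalls.get(tool) || []).filter((t) => now - t < rate.perMs);
    recentCalls.set(tool, recent);
    if (recent.length >= rate.max) return false;
    recent.push(now);
    return true;
  }

  // Evaluate one MCP JSON-RPC request. Returns { allowed, reason }.
  return function evaluate(request, now = Date.now()) {
    if (request.method !== "tools/call") {
      return { allowed: false, reason: `method not covered by policy: ${request.method}` };
    }
    const { name, arguments: args = {} } = request.params || {};
    const rule = policy.allow[name];
    if (!rule) return { allowed: false, reason: `tool not in allowlist: ${name}` };
    const permitted = rule.args || {};
    for (const [arg, constraint] of Object.entries(permitted)) {
      if (!argAllowed(args[arg], constraint)) {
        return { allowed: false, reason: `argument rejected: ${name}.${arg}` };
      }
    }
    // Arguments the policy never considered are rejected, not ignored.
    for (const arg of Object.keys(args)) {
      if (!permitted[arg]) return { allowed: false, reason: `unexpected argument: ${name}.${arg}` };
    }
    // Rate is checked last so rejected calls do not consume budget.
    if (!withinRate(name, rule.rate, now)) {
      return { allowed: false, reason: `rate limit exceeded: ${name}` };
    }
    return { allowed: true, reason: "ok" };
  };
}

// Constructed sample traffic in the shape of an MCP tools/call request.
function toolCall(name, args) {
  return { jsonrpc: "2.0", id: 1, method: "tools/call", params: { name, arguments: args } };
}

// Stand-alone demonstration over constructed requests.
const demo = createEnforcer(taskPolicy);
for (const req of [
  toolCall("read_file", { path: "/srv/app/docs/readme.md" }),
  toolCall("read_file", { path: "/srv/app/docs/../secrets/db.env" }),
  toolCall("query_db", { sql: "SELECT title FROM docs WHERE id = 7" }),
  toolCall("query_db", { sql: "SELECT 1; DROP TABLE docs" }),
  toolCall("delete_file", { path: "/srv/app/docs/readme.md" }),
]) {
  console.log(req.params.name, JSON.stringify(req.params.arguments), "->", demo(req));
}
```

The order of checks matters: argument validation runs before the rate counter is touched, so rejected calls do not consume budget, and unknown arguments are rejected rather than ignored, because an argument the policy never considered is one an attacker can still abuse. The `..` check is deliberately simple; a production proxy should canonicalise paths (and the server should resolve symlinks) before comparing prefixes.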

FREQUENTLY ASKED QUESTIONS

Is excessive agency listed in OWASP's LLM Top 10?
Yes. Excessive Agency appears as its own entry in the OWASP Top 10 for LLM Applications, in both the 2023 and 2025 editions, recognising it as a fundamental vulnerability in AI agent deployments.
How do I determine the minimum permissions an agent needs?
Audit the agent's actual tool usage over time, identify the tools and argument patterns used for legitimate tasks, and build an allowlist from observed behaviour. Choose an observation period in which the agent's behaviour is known to be legitimate, since anything it did while compromised would otherwise be learned as normal, and review the result before enforcing it. Intercept's audit trail provides the data needed for this analysis.
Can I scope permissions per task rather than per agent?
Yes. Intercept supports context-aware policies, allowing different tool allowlists for different tasks or sessions while using the same underlying agent configuration.
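As an added example of the approach in the second answer above (not Intercept's code or its audit format): derive a draft allowlist from an agent's observed tool calls and list the exposed tools it never used, which are the accumulated, unscoped capabilities the WHY IT MATTERS section warns about. The JSON log shape, field names, tool names and sample records are constructed for this example.

```javascript
// Added illustrative example: deriving a least-privilege allowlist from an
// agent's observed tool-call history. Not Intercept's code or audit format;
// the log shape, field names, tool names and sample entries are constructed.

// Constructed audit records: one JSON object per tool call observed during a
// period in which the agent's behaviour was known to be legitimate.
const auditLines = [
  '{"tool":"read_file","args":{"path":"/srv/app/docs/readme.md"}}',
  '{"tool":"read_file","args":{"path":"/srv/app/docs/api/auth.md"}}',
  '{"tool":"read_file","args":{"path":"/srv/app/docs/release.md"}}',
  '{"tool":"query_db","args":{"sql":"SELECT id, title FROM docs WHERE id = 7"}}',
  '{"tool":"query_db","args":{"sql":"select count(*) from docs"}}',
];

// Every tool the connected MCP servers expose (constructed). Anything here
// that never appears in the audit trail is a candidate for removal.
const exposedTools = ["read_file", "write_file", "delete_file", "query_db", "send_email"];

// Longest common prefix of a list of strings.
function commonPrefix(strings) {
  let prefix = strings[0] || "";
  for (const s of strings.slice(1)) {
    let i = 0;
    while (i < prefix.length && prefix[i] === s[i]) i++;
    prefix = prefix.slice(0, i);
  }
  return prefix;
}

// Summarise one argument's observed values into a constraint.
function summariseArg(name, values) {
  if (name === "path") {
    // Cut back to a directory boundary so a shared filename stem ("re" in
    // readme/release) is not mistaken for a scope. An empty prefix means no
    // common directory and needs manual review.
    const lcp = commonPrefix(values);
    return { prefix: lcp.slice(0, lcp.lastIndexOf("/") + 1) };
  }
  if (name === "sql") {
    // Record the set of leading SQL verbs seen, upper-cased.
    const verbs = new Set(values.map((v) => v.trim().split(/\s+/)[0].toUpperCase()));
    return { verbs: [...verbs].sort() };
  }
  // Fall back to an exact-value set for anything else.
  return { oneOf: [...new Set(values)].sort() };
}

// Build { allow, unused } from audit lines and the full list of exposed tools.
function deriveAllowlist(lines, exposed) {
  const observed = new Map(); // tool -> { count, args: Map(argName -> values[]) }
  for (const line of lines) {
    const { tool, args = {} } = JSON.parse(line);
    const entry = observed.get(tool) || { count: 0, args: new Map() };
    entry.count++;
    for (const [k, v] of Object.entries(args)) {
      if (!entry.args.has(k)) entry.args.set(k, []);
      entry.args.get(k).push(String(v));
    }
    observed.set(tool, entry);
  }
  const allow = {};
  for (const [tool, entry] of observed) {
    allow[tool] = { count: entry.count, args: {} };
    for (const [k, values] of entry.args) allow[tool].args[k] = summariseArg(k, values);
  }
  // Exposed tools never used during the observation window.
  const unused = exposed.filter((t) => !observed.has(t)).sort();
  return { allow, unused };
}

// Stand-alone demonstration.
console.log(JSON.stringify(deriveAllowlist(auditLines, exposedTools), null, 2));
```

Treat the output as a draft for human review rather than a finished policy: a path prefix or SQL verb set derived from a handful of calls may be wider or narrower than the task really needs, and a tool that is legitimately needed but was not exercised during the window will be missing and should fail closed until someone adds it deliberately.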

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept →