SAIL 2.0

/

Deploy - Runtime Guardrails

/

Privilege Amplification via Confused-Deputy Agent

5.20

.

Privilege Amplification via Confused-Deputy Agent

sail
5.20
Risk

Privilege Amplification via Confused-Deputy Agent

Description

An agent holds broad shared or group-level access, and a lower-privileged user invokes it to read or act on data and systems they are not personally authorized to reach. A dedicated, well-scoped agent identity does not prevent this. The agent acts as a confused deputy, amplifying the caller's effective privileges up to its own.

Example

An analyst with no HR access asks a shared research assistant agent which holds org-wide read access for indexing to "summarize the compensation bands," and the agent returns data the analyst could never open directly.

Assets Affected

AI Agent

Agent Identity

Tool

Mitigation
  • Enforce per-user authorization at execution time
  • intersect the agent's permissions with the requesting user's entitlements (effective scope = agent ∩ user)
  • scope tool and data access to the caller, not the agent
  • attribute and audit every action to the requesting user, not only the agent identity
  • red-team for confused-deputy and privilege-amplification scenarios. Aligns with build-time posture (SAIL 3.13, 3.14) and runtime action authorization (SAIL 5.13).
Standards Mapping
  • ISO: A.9.4, A.9.2
  • OWASP agentic: ASI03, ASI02
  • OWASP LLM: LLM06:2025
  • EU AI Act: Art. 14, Art. 15(5)
  • DASF: Agents-Core 13.3, Agents-Core 13.2
  • AIUC-1: B006, B007