Risk
Privilege Amplification via Confused-Deputy Agent
Description
An agent holds broad shared or group-level access, and a lower-privileged user invokes it to read or act on data and systems they are not personally authorized to reach. A dedicated, well-scoped agent identity does not prevent this. The agent acts as a confused deputy, amplifying the caller's effective privileges up to its own.
Example
An analyst with no HR access asks a shared research assistant agent which holds org-wide read access for indexing to "summarize the compensation bands," and the agent returns data the analyst could never open directly.
Assets Affected
AI Agent
Agent Identity
Tool
Mitigation
- Enforce per-user authorization at execution time
- intersect the agent's permissions with the requesting user's entitlements (effective scope = agent ∩ user)
- scope tool and data access to the caller, not the agent
- attribute and audit every action to the requesting user, not only the agent identity
- red-team for confused-deputy and privilege-amplification scenarios. Aligns with build-time posture (SAIL 3.13, 3.14) and runtime action authorization (SAIL 5.13).
Standards Mapping
- ISO: A.9.4, A.9.2
- OWASP agentic: ASI03, ASI02
- OWASP LLM: LLM06:2025
- EU AI Act: Art. 14, Art. 15(5)
- DASF: Agents-Core 13.3, Agents-Core 13.2
- AIUC-1: B006, B007