ATR-2026-00099 | low | Excessive Autonomy | experimental

High-Risk Tool Invocation Without Human Confirmation

Detects when an AI agent invokes high-risk tools (financial, destructive, communication, or permission-altering) without evidence of human confirmation in the current interaction turn. This is a defense-in-depth rule that complements specific attack detection: even if no injection is detected, certain tool categories should ALWAYS require a human in the loop.

High-risk tool categories:

1. Financial: payments, transfers, purchases, subscriptions
2. Destructive: file deletion, database drops, account deletion
3. Communication: sending messages, emails, posts on behalf of the user
4. Permission: granting access, changing roles, modifying auth
5. System: process execution, system commands, network operations

This rule enforces the principle of least privilege for agent tool access. Any tool matching these categories should trigger an "ask" verdict regardless of confidence score.
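The gate this rule describes, written out as an added example that is not the ATR rule's own implementation: a tool call is matched by keyword against the five categories above, and any match returns an "ask" verdict (with the rule's block/alert actions) unless an explicit human confirmation was recorded in the current turn. The keyword sets, the ToolCall and TurnContext types, and the gate function are assumptions for illustration; the detector confidence score is carried only to show that it does not affect the verdict.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Keyword sets per high-risk category (constructed for this example; a production
# rule would use a curated taxonomy rather than a handful of stems).
HIGH_RISK = {
    "financial": {"pay", "payment", "transfer", "purchase", "buy", "subscribe", "charge"},
    "destructive": {"delete", "drop", "remove", "destroy", "purge", "wipe"},
    "communication": {"send", "email", "post", "publish", "tweet", "message"},
    "permission": {"grant", "role", "permission", "acl", "auth", "sudo"},
    "system": {"exec", "execute", "shell", "spawn", "kill", "socket", "connect"},
}

@dataclass
class ToolCall:
    name: str
    description: str = ""
    confidence: float = 0.0  # score from injection-detection rules; this gate ignores it

@dataclass
class TurnContext:
    current_turn: int
    confirmed_turn: Optional[int] = None  # turn in which the human last explicitly approved

def classify(call: ToolCall) -> list:
    """Return the high-risk categories whose keywords appear in the tool's name/description."""
    tokens = set(re.findall(r"[a-z]+", f"{call.name} {call.description}".lower()))
    return [cat for cat, words in HIGH_RISK.items() if tokens & words]

def gate(call: ToolCall, ctx: TurnContext) -> dict:
    """Defense-in-depth verdict: 'ask' for any high-risk tool unless approval is from this turn."""
    cats = classify(call)
    if not cats:
        return {"verdict": "allow", "categories": cats, "rule": None, "actions": []}
    # Approval from an earlier turn is stale: the confirmation must be in the current turn.
    confirmed_now = ctx.confirmed_turn == ctx.current_turn
    return {
        "verdict": "allow" if confirmed_now else "ask",
        "categories": cats,
        "rule": "ATR-2026-00099",
        "actions": [] if confirmed_now else ["block tool", "alert"],
    }

if __name__ == "__main__":
    # Constructed sample: no injection detected (confidence 0.0), approval came in turn 2,
    # the call happens in turn 3, so the verdict is still "ask".
    call = ToolCall("delete_repository", "Permanently removes a repository", confidence=0.0)
    print(gate(call, TurnContext(current_turn=3, confirmed_turn=2)))
```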

Severity
low
Category
Excessive Autonomy
Scan Target
mcp
Author
ATR Community

Response Actions

block tool
alert

References

OWASP Agentic
ASI08:2026 - Excessive Autonomy
ASI09:2026 - Inadequate Access Controls
ASI10:2026 - Insufficient Human Oversight
OWASP LLM
LLM06:2025 - Excessive Agency
MITRE ATLAS
AML.T0053 - LLM Plugin Compromise