High-Risk Tool Invocation Without Human Confirmation
Detects when an AI agent invokes high-risk tools (financial, destructive, communication, or permission-altering) without evidence of human confirmation in the current interaction turn. This is a defense-in-depth rule that complements specific attack detection -- even if no injection is detected, certain tool categories should ALWAYS require human-in-the-loop. High-risk tool categories: 1. Financial: payments, transfers, purchases, subscriptions 2. Destructive: file deletion, database drops, account deletion 3. Communication: sending messages, emails, posts on behalf of user 4. Permission: granting access, changing roles, modifying auth 5. System: process execution, system commands, network operations This rule enforces the principle of least privilege for agent tool access. Any tool matching these categories should trigger an "ask" verdict regardless of confidence score.