Last week, cybercriminals took over high-profile Instagram accounts, including the Obama White House handle and that of the US Space Force's chief master sergeant. No malware. No 0-day. All it took was for the attackers to open Meta's AI support assistant and “ask it politely” to hand over the keys to the kingdom. This is by no means an exaggeration.

If this is the state of AI security at Meta, you can bet it is the state of the AI deployed in your enterprise, in your production environment and within your infrastructure. What happened with the Meta AI hack and the takeover of multiple high-profile Instagram accounts is the textbook example of 'excessive agency', or, put the other way round, a failure or complete lack of 'least agency'. What the heck is that?

Welcome to The Predictability Factor by Monica Talks Cyber, a weekly deep dive and POV at the intersection of AI, Security, Privacy and Tech, written by a hacker and CISO, to help you Go From Chaos to Resilience in The World of AI. If you haven’t already, do me a favour, hit subscribe and help me make an even bigger impact.

What The Heck is Excessive vs. Least Agency

A surgeon works with the instruments laid out on a surgical tray. Have you ever seen a surgical tray? That tray does not contain a chainsaw.

That’s precisely the problem with agentic AI. You are giving it a tray with the chainsaw as one of the tools on it.

That is exactly what happens when you give an AI agent an email-send tool with no scope boundary, a delete function with no confirmation gate, or write access to a database while it processes arbitrary, untrusted input. This is practically like giving a surgeon (your AI system) a chainsaw as part of its tooling (permissions to take action) and then wondering what the heck went wrong.

The OWASP Top 10 for LLM Applications lists "Excessive Agency" as one of the primary risks: granting an LLM-based agent overly broad functionality, permissions or autonomy, so that it can take irreversible or damaging actions without any deterministic control or human confirmation. This is documented, named and widely circulated guidance. It exists precisely because this scenario was predictable.

The agent is not intentionally rogue. The authorisation was given. The chainsaw was handed over. That tool should never have been on the tray in the first place: not during configuration, and definitely not during execution. Excessive agency leads to damaging actions in response to unintended, unexpected, ambiguous or manipulated LLM output. The root cause is one or more of the following:

  • excessive functionality

  • excessive permissions

  • excessive autonomy
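To make those three root causes concrete, here is an added illustration (my own, not code from the original post, from Meta, or from OWASP): a tool dispatcher for a support-style agent. The backend store, tool names, account handles and the Principal type are all constructed for the example. The "chainsaw" version executes whatever tool call the model produces; the least-agency version limits functionality (only registered tools), permissions (every action is scoped to accounts the authenticated session owns, and the model never picks an e-mail recipient) and autonomy (irreversible actions are parked until a human approves them through a channel outside the chat).

```python
"""Least-agency tool dispatch for an LLM agent (added example, not code from
the newsletter or from Meta). Backend, tool names, the Principal type and the
account handles are constructed for illustration.
"""
from dataclasses import dataclass, field
import secrets


class Backend:
    """Constructed stand-in for the platform's account service."""

    def __init__(self):
        # handle -> (owner user id, contact e-mail on file)
        self.accounts = {
            "@victim_org": ("user-1", "ops@victim.example"),
            "@attacker": ("user-2", "me@attacker.example"),
        }
        self.resets = []  # handles whose password was reset
        self.mails = []   # (to, body) pairs that were sent

    def reset_password(self, account):
        self.resets.append(account)
        return {"status": "ok", "reset": account}

    def send_email(self, to, body):
        self.mails.append((to, body))
        return {"status": "ok", "to": to}

    def account_status(self, account):
        return {"status": "ok", "account": account, "active": True}


@dataclass(frozen=True)
class Principal:
    """Who is authenticated to this chat session and what they may act on."""
    user_id: str
    owned_accounts: frozenset


@dataclass
class ToolCall:
    name: str
    args: dict = field(default_factory=dict)


def excessive_dispatch(call, backend):
    """The chainsaw on the tray: every backend method is a tool, every
    argument the model produced is trusted, and nothing needs a human."""
    return getattr(backend, call.name)(**call.args)


class LeastAgencyDispatcher:
    TOOLS = {"account_status", "send_email", "reset_password"}  # functionality
    IRREVERSIBLE = {"reset_password"}                           # autonomy

    def __init__(self, principal, backend):
        self.principal = principal
        self.backend = backend
        self.pending = {}  # approval token -> ToolCall awaiting a human

    def dispatch(self, call):
        if call.name not in self.TOOLS:
            return {"status": "denied", "reason": "tool not registered"}
        # Permissions: the model may only name accounts this session owns;
        # the backend's own broad credential is never exposed to it directly.
        if call.args.get("account") not in self.principal.owned_accounts:
            return {"status": "denied", "reason": "account out of scope"}
        if call.name in self.IRREVERSIBLE:
            token = secrets.token_hex(8)
            self.pending[token] = call
            return {"status": "pending_approval", "token": token}
        return self._run(call)

    def approve(self, token, approver):
        """Called from an out-of-band channel (not the chat) by an
        authenticated user; that user must own the target account."""
        call = self.pending.get(token)
        if call is None or call.args["account"] not in approver.owned_accounts:
            return {"status": "denied", "reason": "unknown token or wrong approver"}
        del self.pending[token]
        return self._run(call)

    def _run(self, call):
        account = call.args["account"]
        if call.name == "send_email":
            # The model may choose the body, never the recipient: mail goes
            # to the contact address on file for the scoped account.
            _, on_file = self.backend.accounts[account]
            return self.backend.send_email(on_file, call.args.get("body", ""))
        if call.name == "reset_password":
            return self.backend.reset_password(account)
        return self.backend.account_status(account)


def demo():
    """A manipulated call (attacker's session asks for a reset on an account
    it does not own) against both dispatchers, then the legitimate flow."""
    manipulated = ToolCall("reset_password", {"account": "@victim_org"})
    loose = Backend()
    excessive_dispatch(manipulated, loose)  # succeeds: no scope check at all
    tight = Backend()
    attacker = Principal("user-2", frozenset({"@attacker"}))
    denied = LeastAgencyDispatcher(attacker, tight).dispatch(manipulated)
    owner = Principal("user-1", frozenset({"@victim_org"}))
    d = LeastAgencyDispatcher(owner, tight)
    pending = d.dispatch(manipulated)          # owner still needs to confirm
    done = d.approve(pending["token"], owner)
    return loose.resets, denied, pending["status"], done, tight.resets


if __name__ == "__main__":
    print(demo())
```

The scope check sits in the dispatcher, not in the prompt: no amount of polite asking changes which accounts the session is bound to, and the irreversible action cannot complete inside the conversation that requested it.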

You are giving your AI systems access to “the chainsaw” and then wondering why the AI used it. If it got the chainsaw, it will use the chainsaw. That's exactly how Meta's AI assistant got hacked. That's exactly how McKinsey's AI system got hacked. That's highly likely what's happening with the AI systems in your enterprise, even if you don't yet know about it. Your AI agents are running amok with excessive agency.

Your zero-trust implementation is protecting you from the wrong threat. Not because it was poorly built, but because it was built for a different actor. That is the problem of a "failure or complete lack of least agency". The cases above are classic textbook, and yet very real-world, examples of that failure.

These are some of the AI governance pillars and controls I talked about in my keynote in Slovakia, and part of one of the six sessions I'll be running in my next LIVE AI governance and security accelerator (registrations closing soon).

Let’s look at them in detail.

How The Hack Really Worked


Become a paying subscriber of The Predictability Factor to get access to this post and other premium-only content including bonuses


P.S. If you haven’t already, do me a favour. Subscribe to help make an even bigger impact. Feel free to follow on YouTube, LinkedIn, Spotify and Apple. It truly helps. Or book a 1-1 advisory call, if I can help you.
