Excessive Agency refers to an AI agent having capabilities, permissions, or autonomy that surpass its intended function, creating a risk of unintended or harmful actions. A shared, high-privileged IAM role (I) grants excessive permissions. Lacking user confirmation for destructive actions (II) grants excessive autonomy. Not filtering output for command injection patterns (IV) allows the agent to be manipulated into executing unintended, privileged commands, which is a direct result of having the agency to execute commands combined with a vulnerability.

Using a Jupyter environment for prototyping (III) is a standard development practice and does not relate to the operational permissions or autonomy of the deployed agent.

1. OWASP Foundation. (2023). OWASP Top 10 for Large Language Model Applications. LLM05: Excessive Agency. Retrieved from https://owasp.org/www-project-top-10-for-large-language-model-applications/. (This document defines Excessive Agency and links it to excessive permissions and granting too much functionality).

2. Cohen, J., et al. (2024). A Taxonomy of Attacks on AI-powered Code Assistants. In Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security. (Discusses how vulnerabilities like injection can lead to agents performing unintended actions, a form of excessive agency).

3. Stanford University. (2023). CS221: Artificial Intelligence: Principles and Techniques, Lecture on AI Safety. (Course materials often discuss the principle of least privilege and containment for AI agents to prevent unintended consequences, which is the core concept behind mitigating excessive agency).