Secure AI Atlas SECURITY & GOVERNANCE

Risk Catalogue / exposure layer

Risks

Observed exposure paths where generative AI connects language to data, identity, tools, permissions, or decisions before governance has enough grip.

Excessive Agency

An AI system can take actions that exceed its reliability, authorization, or oversight model.

Tags: agents, authorization, human approval

Insecure Tool Invocation

AI systems call tools or APIs without sufficient validation, authorization, rate limits, or operational safeguards.

Tags: tools, agents, API security

Prompt Injection

Untrusted instructions enter an AI workflow and compete with the system's intended authority.

Tags: LLM, trust boundary, application security

Shadow AI

Unapproved or unknown AI use removes visibility into data handling, identity, procurement, and incident response.

Tags: visibility, policy, adoption

Sensitive Data Disclosure

Sensitive business, personal, regulated, or secret data moves through prompts, outputs, logs, retrieval, or connected tools.

Tags: data protection, privacy, governance