When Lower Privileges Suffice: Investigating Over-Privileged Tool Selection in LLM Agents
Summary
This paper investigates over-privileged tool selection in LLM agents, introducing ToolPrivBench to evaluate and mitigate unnecessary use of high-privilege tools. It finds that safety alignment does not ensure least-privilege choices, and proposes a post-training defense that reduces excessive privilege use without sacrificing performance.
View Cached Full Text
Cached at: 06/25/26, 09:11 AM
Paper page - When Lower Privileges Suffice: Investigating Over-Privileged Tool Selection in LLM Agents
Source: https://huggingface.co/papers/2606.20023
Abstract
LLM agents frequently select higher-privilege tools unnecessarily, and while safety alignment doesn’t ensure least-privilege choices, a post-training defense can reduce excessive privilege use without sacrificing performance.
As LLM agents increasingly select tools autonomously, their choices among tools with different privileges become safety-relevant. However, prior tool-selection studies focus on safety-agnostic metadata preferences, leavingprivilege-sensitive choicesunderexplored. To address this gap, we studyover-privileged tool selection, in which an agent selects or escalates to a higher-privilege tool despite a sufficient lower-privilege alternative. We introduceToolPrivBenchto evaluate whether agents choose higher-privilege tools despite sufficient lower-privilege alternatives, measuring both initial selection and escalation after transient tool failures. Across eight domains and five recurring risk patterns, we find thatover-privileged tool selectionis common among mainstream LLM agents and is further amplified by transient failures. We further find that general safety alignment does not reliably transfer toleast-privilege tool choice, while prompt-level controls provide only limited mitigation under transient failures. We therefore introduce a privilege-awarepost-training defensethat teaches agents to prefer sufficient lower-privilege tools and escalate only when necessary. Our mitigation experiments show that this defense substantially reduces unnecessary high-privilege tool use while preserving general capabilities.
View arXiv pageView PDFGitHub3Add to collection
Get this paper in your agent:
hf papers read 2606\.20023
Don’t have the latest CLI?curl \-LsSf https://hf\.co/cli/install\.sh \| bash
Models citing this paper0
No model linking this paper
Cite arxiv.org/abs/2606.20023 in a model README.md to link it from this page.
Datasets citing this paper0
No dataset linking this paper
Cite arxiv.org/abs/2606.20023 in a dataset README.md to link it from this page.
Spaces citing this paper0
No Space linking this paper
Cite arxiv.org/abs/2606.20023 in a Space README.md to link it from this page.
Collections including this paper0
No Collection including this paper
Add this paper to acollectionto link it from this page.
Similar Articles
LLM Agents Already Know When to Call Tools -- Even Without Reasoning
This paper introduces When2Tool, a benchmark to study when LLM agents actually need to call tools, and reveals that models already know tool necessity from hidden states but fail to act. The proposed Probe&Prefill method reduces unnecessary tool calls by 48% with minimal accuracy loss.
FORTIS: Benchmarking Over-Privilege in Agent Skills
FORTIS benchmarks how LLM agents frequently exceed necessary privileges when selecting skills, showing over-privilege is the norm across ten frontier models and failing under realistic user interactions.
Capability Minimization as a Safety Primitive: Risk-Aware Causal Gating for Least-Privilege LLM Agents
This paper proposes Risk-Aware Causal Gating (RACG), a training-free mechanism that applies the principle of least privilege to LLM agent tool exposure, reducing attack surface from prompt injection by only exposing high-risk tools when authorized and causally necessary.
Faithful uncertainty in LLM agents: calibration vs utility tradeoff in practice[D]
A practitioner discusses the calibration vs. utility tradeoff in LLM agents, sharing experience with a verifier-based pipeline that reduces hallucinated tool calls by ~60% but introduces latency costs and drops easy correct answers.
ToolMenuBench: Benchmarking Tool-Menu Filtering Strategies for Reliable and Efficient LLM Agents
ToolMenuBench is a benchmark for evaluating tool-menu filtering strategies in multi-step LLM agents. It shows that causal minimal tool filtering significantly improves task success and reduces token usage compared to unfiltered exposure.