當較低權限已足夠時:探討LLM代理中的過度授權工具選擇
When Lower Privileges Suffice: Investigating Over-Privileged Tool Selection in LLM Agents
June 18, 2026
作者: Kaiyue Yang, Yuyan Bu, Jingwei Yi, Yuchi Wang, Biyu Zhou, Juntao Dai, Songlin Hu, Yaodong Yang
cs.AI
摘要
隨著LLM代理自主選擇工具的情況日益增加,它們在不同權限工具間的選擇便與安全相關。然而,先前的工具選擇研究側重於不考慮安全性的元數據偏好,使得對權限敏感選擇的研究不足。為填補此缺口,我們研究過度權限的工具選擇,即代理在存在足夠的低權限替代方案時,仍選擇或升級至更高權限的工具。我們提出ToolPrivBench來評估代理是否在擁有足夠低權限替代方案時,仍選擇更高權限的工具,並測量初始選擇與短暫工具失效後的升級行為。在八個領域與五種反覆出現的風險模式中,我們發現過度權限的工具選擇在主流LLM代理中相當普遍,且短暫失效會進一步加劇此現象。我們進一步發現,一般的安全對齊無法可靠地轉移至最低權限的工具選擇,而提示層級的控制在短暫失效下僅提供有限的緩解。因此,我們提出一種具權限感知能力的訓練後防禦機制,教導代理偏好足夠的低權限工具,並僅在必要時才進行升級。我們的緩解實驗顯示,此防禦機制能大幅減少不必要的高權限工具使用,同時保留一般能力。
English
As LLM agents increasingly select tools autonomously, their choices among tools with different privileges become safety-relevant. However, prior tool-selection studies focus on safety-agnostic metadata preferences, leaving privilege-sensitive choices underexplored. To address this gap, we study over-privileged tool selection, in which an agent selects or escalates to a higher-privilege tool despite a sufficient lower-privilege alternative. We introduce ToolPrivBench to evaluate whether agents choose higher-privilege tools despite sufficient lower-privilege alternatives, measuring both initial selection and escalation after transient tool failures. Across eight domains and five recurring risk patterns, we find that over-privileged tool selection is common among mainstream LLM agents and is further amplified by transient failures. We further find that general safety alignment does not reliably transfer to least-privilege tool choice, while prompt-level controls provide only limited mitigation under transient failures. We therefore introduce a privilege-aware post-training defense that teaches agents to prefer sufficient lower-privilege tools and escalate only when necessary. Our mitigation experiments show that this defense substantially reduces unnecessary high-privilege tool use while preserving general capabilities.