High-privilege user invokes low-privilege agent, which inherits the user's access level. The agent's effective authority exceeds its design-time configuration.
When a human user with broad permissions (e.g., a compliance director with access to all customer records, transaction systems, and screening APIs) launches an agent to perform a task, the agent inherits the user's permission level rather than operating within its own constrained scope. This inheritance is usually implicit: the agent runs inside the user's session, reuses the user's API credentials, or is invoked through the user's application context. From the agent's perspective, it has access to everything the user has access to, regardless of whether the user intended to grant that scope.
This is fundamentally an agentic risk because agents are decision-making systems that invoke operations autonomously. A human user with director-level access may consciously self-limit their actions (knowing they have access to sensitive systems but choosing not to query certain data). An agent, by contrast, will invoke operations as part of its reasoning chain if those operations help accomplish its assigned task. The agent has no concept of "I could access this system but I should not." It only knows whether the operation is available and whether it contributes to the goal.
A compliance director at an investment bank creates an agent to investigate a suspected money laundering alert. The director has access to customer accounts, transaction history, wire transfer systems, sanctions screening results, and internal investigation notes. Instead of manually reviewing the case, the director delegates the investigation to an autonomous agent, providing it with the alert ID and asking it to "determine if this transaction should be blocked and document the reasoning."
The agent, running under the director's identity, automatically invokes the sanctions screening API to cross-check the customer against updated watchlists. Deciding it needs deeper context, it queries the customer's full transaction history for the past 18 months, pulling data on transactions that have no connection to the original alert. It next accesses the internal investigation database to see whether similar patterns have triggered previous investigations, and in doing so reads case notes on unrelated customers that are protected under attorney-client privilege (the investigation database stores privileged communications alongside operational notes).
The agent synthesizes all this data and concludes the transaction is suspicious. It generates a blocking recommendation and logs the investigation summary. A junior compliance analyst finds the log and, following the chain of investigation breadcrumbs, discovers that privileged attorney notes were accessed and included in the reasoning. The bank's general counsel is notified. The incident is reported to regulators as a potential control failure and breach of attorney-client privilege protections.
The post-incident review concludes that the agent should have been constrained to only the data necessary for the specific alert (current customer profile, current transaction, current screening result), but the compliance director's high privilege level made that constraint technically difficult to enforce. The director's identity was the authorization source, so the system had no way to restrict the agent without restricting the director.
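The following is an added illustration, not code from the original page: a constructed model of the scenario above in which an agent planner calls whatever tools help its goal, once under implicitly inherited director authority and once under a delegation whose effective authority is the intersection of the user's permissions and a declared task scope. The permission names, tool names and the `find_inherited_overreach` audit check are assumptions chosen to mirror the narrative.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed permission sets modelled on the page's scenario; not from any real system.
DIRECTOR_PERMS = frozenset({"customer_profile", "current_transaction", "sanctions_screening",
                            "transaction_history", "investigation_notes", "wire_transfer"})
# The data the post-incident review says alert triage actually needed.
ALERT_TRIAGE_SCOPE = frozenset({"customer_profile", "current_transaction", "sanctions_screening"})


@dataclass
class DelegationContext:
    """Authority an agent runs with. task_scope=None models implicit inheritance
    of the user's session, which is the flaw described above."""
    user: str
    user_perms: frozenset
    task_scope: Optional[frozenset] = None
    audit: list = field(default_factory=list)

    def effective_perms(self) -> frozenset:
        # Scoped delegation: agent authority = user authority AND declared task scope.
        if self.task_scope is None:
            return self.user_perms
        return self.user_perms & self.task_scope

    def invoke(self, tool: str) -> bool:
        allowed = tool in self.effective_perms()
        # Record the authority composition so inherited over-reach is auditable later.
        self.audit.append({"user": self.user, "tool": tool, "allowed": allowed,
                           "scoped": self.task_scope is not None})
        return allowed


def run_triage_agent(ctx: DelegationContext) -> List[str]:
    """Hypothetical planner: calls every tool it believes helps the goal, in the
    order the narrative describes, and returns the tools that actually succeeded."""
    wanted = ["sanctions_screening", "transaction_history", "investigation_notes"]
    return [tool for tool in wanted if ctx.invoke(tool)]


def find_inherited_overreach(audit: list, task_scope: frozenset) -> List[str]:
    """Detection: successful tool calls that were possible only because authority
    was inherited from the user rather than granted for the task."""
    return [e["tool"] for e in audit
            if e["allowed"] and not e["scoped"] and e["tool"] not in task_scope]


if __name__ == "__main__":
    inherited = DelegationContext("director", DIRECTOR_PERMS)
    print(run_triage_agent(inherited))                                  # all three succeed
    print(find_inherited_overreach(inherited.audit, ALERT_TRIAGE_SCOPE))  # the two over-reaches
    scoped = DelegationContext("director", DIRECTOR_PERMS, ALERT_TRIAGE_SCOPE)
    print(run_triage_agent(scoped))                                     # only sanctions_screening
```

Because the scoped context narrows by intersection, the same task scope applied to an analyst with fewer permissions never grants more than the analyst already holds.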
| Dimension | Score | Rationale |
|---|---|---|
| D - Detectability | 4 | Escalation occurs through normal authentication. No unusual access pattern is visible unless authority composition is explicitly audited. |
| A - Autonomy Sensitivity | 5 | Agent invokes operations independently without human approval per operation, and escalates scope autonomously during task execution. |
| M - Multiplicative Potential | 4 | Impact scales with the privilege level of the delegating user. Director-level delegation has higher impact than analyst-level. |
| A - Attack Surface | 4 | Escalation vector is the user delegation mechanism. High-privilege user identities are often the target of compromise or manipulation. |
| G - Governance Gap | 5 | No standard framework (OWASP, NIST, EU AI Act) requires separation of user privilege from agent authority scope. |
| E - Enterprise Impact | 5 | Regulatory breach notification, potential privilege waiver, control failure under SR 11-7, reputational damage. |
| Composite DAMAGE Score | 3.8 | High. Requires priority remediation and continuous monitoring. |
How severity changes across the agent architecture spectrum.
| Agent Type | Impact | How This Risk Manifests |
|---|---|---|
| Digital Assistant | Low | Assistant queries data. Human reviews all results before taking action. Human privilege does not translate to assistant autonomy. |
| Digital Apprentice | Medium | Apprentice can invoke APIs on behalf of user. Governance model requires proof of apprentice-specific scope narrowing. |
| Autonomous Agent | Critical | Agent operates independently under user identity. User cannot monitor each operation. Escalation is invisible. |
| Delegating Agent | Critical | Agent invokes tools dynamically. Each tool access inherits user privilege. Scope expansion is not metered. |
| Agent Crew / Pipeline | Critical | Multiple agents in sequence each inherit user privilege. Scope expands at each handoff. Final agent may have maximally escalated access. |
| Agent Mesh / Swarm | Critical | Agents delegate to peers under the original user identity. Privilege inheritance propagates through peer network. No single point of scope control. |
| Framework | Coverage | Citation | What It Addresses | What It Misses |
|---|---|---|---|---|
| GLBA | Addressed | 16 CFR Part 314 (Safeguards Rule), Section 501(b) | Requires safeguards for customer information and systems controls. | Does not account for delegation of high-privilege user authority to agents. |
| SR 11-7 / MRM | Addressed | Enterprise-wide access controls (Section 3) | Expects segregation of duties and justification for high-privilege access. | Does not require explicit authorization revocation when user delegates to agent. |
| NIST AI RMF 1.0 | Partial | GOVERN.3, GOVERN.4 | Recommends access control review and testing. | Does not address privilege inheritance through user delegation. |
| OWASP Agentic Top 10 | Partial | A02:2024 Unsafe Tool Use, A06:2024 Excessive Agency | Addresses unauthorized tool use and over-delegation. | Assumes human operator has consciously decided to grant access, not inherited escalation. |
| MAS AIRG | Partial | Operational Resilience (Section 3.2) | Expects clear authority structures. | Does not address agent authority as distinct from user authority. |
| EU AI Act | Partial | Article 10 (High-Risk Systems), Article 14 (Transparency) | Requires documentation of system access and decision-making. | Does not define boundaries between user delegation and agent scope. |
Regulatory frameworks in financial services assume a clear separation between authorization (who can access what) and responsibility (who is accountable for what action). When a human user with director-level access manually reviews a case, the human is responsible for any decisions they make and any information they access. When a user delegates to an agent, regulators expect that delegation to be scoped: the agent should only have access to the data and systems needed for its specific task.
However, in most systems, the technical mechanism for delegation is simply running the agent under the user's identity. This creates an enforcement gap: the agent has all the user's access, but the user has no visibility into what the agent will actually access. Under GLBA and SR 11-7, institutions must maintain effective access controls and must be able to justify why any individual has access to any system. Privilege escalation via delegation makes this justification impossible: the director's high-privilege access is justified by their role, but the agent's high-privilege access is not justified independently. It is merely inherited.
The regulatory consequence is a control failure that can trigger a breach investigation (if the escalated access resulted in unauthorized data access), potential enforcement action under the Safeguards Rule, and a requirement to implement separation of duties or technical controls that prevent future escalation.
Privilege Escalation via Delegation requires architectural controls that enforce scope narrowing independently of user identity. Our advisory engagements are purpose-built for banks, insurers, and financial institutions subject to prudential oversight.