When Lower Privileges Suffice: Investigating Over-Privileged Tool Selection in LLM Agents
arXiv:2606.20023v1 Announce Type: cross Abstract: As LLM agents increasingly select tools autonomously, their choices among tools with different privileges become safety-relevant. However, prior tool-selection studies focus on safety-agnostic metadata preferences, leaving privilege-sensitive...
The Privilege Paradox in LLM Tool Selection
A new arXiv paper (2606.20023v1) tackles an underexplored safety dimension in LLM agents: the tendency to select over-privileged tools when lower-privilege alternatives would suffice. The research examines how autonomous agents choose among tools with varying access levels, revealing that current selection mechanisms prioritize metadata convenience over privilege awareness.
What the Research Uncovers
The study identifies a systematic bias in LLM tool selection. When presented with multiple tools capable of achieving the same outcome—but with different privilege requirements—agents consistently gravitate toward higher-privilege options. This isn't merely a theoretical concern. In practice, an agent might choose an admin-level API call to read a file when a read-only endpoint exists, or select a database write operation for a query that only requires read access.
The root cause appears to be that current tool selection frameworks optimize for functional correctness and user intent alignment, but lack explicit privilege-cost modeling. The agent evaluates "can this tool achieve the goal?" without adequately weighing "should this level of access be used for this task?"
Why This Matters for AI Safety
This privilege-blind selection creates a subtle but dangerous attack surface. Consider three scenarios:
- Accidental privilege escalation: An agent performing routine tasks might inadvertently use high-privilege tools, increasing the blast radius if the agent is compromised.
- Reduced auditability: Over-privileged actions muddy the distinction between necessary and excessive access, making security monitoring harder.
- Exploitation vectors: Malicious prompts could exploit this tendency to trigger privileged operations under the guise of legitimate requests.
For those building LLM agent systems, this research signals several actionable considerations:
- Tool registration should include privilege metadata: Beyond function signatures, tools need explicit privilege levels and context-appropriate usage policies.
- Selection algorithms require privilege-aware ranking: Current cosine similarity or semantic matching approaches are insufficient. Agents need cost functions that penalize over-privileged selections.
- Runtime privilege enforcement remains necessary: Even with better selection, agents should operate under constrained execution environments that enforce least privilege at the system level.
- Testing should include privilege-variant scenarios: Evaluation suites need test cases where multiple tools can achieve the same result but with different privilege levels, measuring whether agents choose appropriately.
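The following is an added example, not code from the paper or from any agent framework, that puts the four considerations above (and the file/database illustration under "What the Research Uncovers") into one small Python program: a tool registry that carries privilege metadata, a toy keyword-overlap score standing in for cosine or semantic matching, a privilege-aware ranking that subtracts a cost for each privilege level above what the task needs, a runtime guard that enforces a per-task ceiling regardless of what the selector picked, and a privilege-variant evaluation suite. The tool names, descriptions, keyword sets, tasks and the `PRIVILEGE_PENALTY` weight are all constructed for illustration; a real system would derive the match score from embeddings and the required privilege from an intent classifier.

```python
"""Privilege-aware tool selection with runtime least-privilege enforcement.

Added example, not from the paper. Every tool, task, keyword set and score
below is constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable


class Privilege(IntEnum):
    READ = 1
    WRITE = 2
    ADMIN = 3


@dataclass(frozen=True)
class Tool:
    name: str
    description: str
    privilege: Privilege  # privilege metadata registered alongside the function signature
    keywords: frozenset   # stand-in for an embedding of the description


# Constructed registry: tools that reach the same outcome at different privilege levels.
REGISTRY = [
    Tool("db_query", "run a read-only SELECT against the database", Privilege.READ,
         frozenset({"query", "select", "database", "rows", "read"})),
    Tool("db_write", "run any SQL against the database: select, insert, update or delete user rows",
         Privilege.WRITE,
         frozenset({"query", "select", "insert", "update", "delete", "database", "rows", "user", "sql"})),
    Tool("read_file", "read the contents of a file", Privilege.READ,
         frozenset({"read", "file", "contents", "view"})),
    Tool("write_file", "write new contents to a file", Privilege.WRITE,
         frozenset({"write", "file", "contents", "update", "save"})),
    Tool("admin_fs", "read, write or delete any file as administrator", Privilege.ADMIN,
         frozenset({"read", "write", "delete", "file", "any", "administrator"})),
]

PRIVILEGE_PENALTY = 0.25  # hypothetical cost per privilege level above what the task requires


def match_score(task: str, tool: Tool) -> float:
    """Toy stand-in for semantic matching: share of task words found in the tool's keywords.
    Broad, high-privilege tools mention more words, so they do well on overlap alone."""
    words = set(task.lower().split())
    return len(words & tool.keywords) / len(words) if words else 0.0


def select_naive(task: str, required: Privilege) -> Tool:
    """Privilege-blind baseline: best match score wins; `required` is ignored."""
    return max(REGISTRY, key=lambda t: match_score(task, t))


def select_privilege_aware(task: str, required: Privilege) -> Tool:
    """Rank by match score minus a penalty per privilege level above `required`.
    Tools below `required` cannot do the job and are dropped first."""
    candidates = [t for t in REGISTRY if t.privilege >= required]
    return max(candidates,
               key=lambda t: match_score(task, t) - PRIVILEGE_PENALTY * (t.privilege - required))


class PrivilegeViolation(Exception):
    pass


class Sandbox:
    """Runtime enforcement: a per-task privilege ceiling is checked on every call,
    independent of the selector's choice, and each decision is recorded for audit."""

    def __init__(self, ceiling: Privilege):
        self.ceiling = ceiling
        self.audit: list = []

    def invoke(self, tool: Tool, **args) -> dict:
        if tool.privilege > self.ceiling:
            self.audit.append(("denied", tool.name, int(tool.privilege)))
            raise PrivilegeViolation(f"{tool.name} needs {tool.privilege.name}, ceiling is {self.ceiling.name}")
        self.audit.append(("allowed", tool.name, int(tool.privilege)))
        return {"tool": tool.name, "args": args}  # stand-in for actually executing the tool


# Privilege-variant scenarios: (task, privilege the task really needs, minimal tool that suffices).
SCENARIOS = [
    ("query the database for user rows", Privilege.READ, "db_query"),
    ("read the contents of a file", Privilege.READ, "read_file"),
    ("update the file contents", Privilege.WRITE, "write_file"),
]


def evaluate(select: Callable[[str, Privilege], Tool]) -> float:
    """Fraction of scenarios in which the selector chose the minimal-privilege tool."""
    hits = sum(select(task, req).name == expected for task, req, expected in SCENARIOS)
    return hits / len(SCENARIOS)


if __name__ == "__main__":
    for label, fn in (("naive", select_naive), ("privilege-aware", select_privilege_aware)):
        print(f"{label}: {evaluate(fn):.2f} of scenarios picked the least-privileged tool")
    box = Sandbox(Privilege.READ)  # the task only needs READ, whatever the selector says
    try:
        box.invoke(select_naive("query the database for user rows", Privilege.READ), sql="SELECT ...")
    except PrivilegeViolation as exc:
        print("blocked at runtime:", exc)
    print(box.invoke(select_privilege_aware("query the database for user rows", Privilege.READ)))
    print(box.audit)
```

On the database scenario the naive ranker picks `db_write` because its broader description overlaps more of the task text, which is exactly the metadata-driven over-selection the paper describes; the privilege-aware ranker pays the WRITE-over-READ penalty and lands on `db_query`. The `Sandbox` shows why the runtime check is still needed: even when the selector is wrong, the ceiling blocks the call and leaves an audit record that distinguishes a denied over-privileged attempt from an allowed minimal one.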
Key Takeaways
- LLM agents systematically over-select high-privilege tools even when lower-privilege alternatives exist, creating unnecessary security risks.
- Current tool selection frameworks lack privilege-cost modeling, optimizing for functional correctness over access minimization.
- Practitioners should add privilege metadata to tool registrations and implement privilege-aware ranking in selection algorithms.
- Runtime enforcement of least privilege remains essential, as selection logic alone cannot guarantee safe tool usage.