XIV · Anti-Patterns

Anti-pattern

Tool Over-Broad Scope

also known as Excessive Tool Permissions, Over-Privileged Tool Loadout

Anti-pattern: grant the agent tools scoped so broadly that a single hallucinated argument can escalate into a privilege incident.

This pattern helps complete certain larger patterns —

  • specialises: Authorized Tool Misuse (Anti-pattern: grant the agent a tool with broad authorization and trust the agent to use it in benign ways.)

Context

An agent is shipped with a tool that wraps a high-privilege underlying API (database admin, IAM, payments). The wrapper is given the union of permissions the agent might ever need across all tasks, instead of the minimum the current task needs.

Problem

The agent now needs only one wrong argument — a wrong table name, a wrong customer id, a wrong amount — for the call to do damage the agent was never meant to be able to do. Hallucinated tool arguments become privilege escalations. The audit log shows the agent identity calling an in-scope tool with in-scope credentials; no permission check fires, because the broad scope made the call legal.

Forces

  • Per-task narrow scoping is operationally expensive — provisioning many short-lived credentials adds latency and complexity.
  • Hallucinated arguments are not bugs to be eliminated; they are the steady-state failure mode of LLM tool use.
  • Broad-scope wrappers are easier to demo and seem more 'capable' to stakeholders.

Example

A customer-service agent has one `crm_update(customer_id, fields)` tool whose backing IAM role can write every field on every customer. The agent hallucinates a customer id while resolving a ticket and overwrites another customer's billing address. The CRM audit trail shows the agent identity wrote the field — which it had permission to do — so no security alert fires.

Diagram

Solution

Therefore:

Narrow tool scope to the smallest unit the task can use: per-resource, per-action, per-tenant. Use just-in-time credential issuance bound to the run id. Prefer many small tools over one configurable mega-tool, so that argument-hallucination cannot widen the blast radius. Pair with tool-loadout-hotswap so the agent sees only the tools relevant to the current sub-task.

What this pattern forbids. No useful constraint; the missing constraint is per-task least-privilege at the tool boundary.
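The Example and the Solution above, worked through in code. This is an added illustration, not code from the pattern language or from any product it describes: the in-memory CRM, the `ToolGrant` issuer, the audit list and the `resolve_ticket` flow are all constructed for the example. It places the over-broad `crm_update` beside a scoped variant whose credential is issued per run and bound to one customer id and an allow-list of fields, so the same hallucinated customer id that silently succeeds against the broad tool is refused, and logged as refused, by the narrow one.

```python
import secrets
import time
from dataclasses import dataclass


# Constructed in-memory CRM standing in for the real backing store (example data only).
def make_crm():
    return {
        "cust-1001": {"billing_address": "1 Old St", "email": "a@example.test"},
        "cust-2002": {"billing_address": "9 Other Rd", "email": "b@example.test"},
    }


AUDIT = []  # constructed audit trail: one entry per tool call, allowed or denied


class ScopeViolation(Exception):
    """Raised when a tool argument falls outside the run-scoped grant."""


@dataclass(frozen=True)
class ToolGrant:
    """Just-in-time credential: one run, one customer, one allow-list of fields."""
    run_id: str
    customer_id: str            # the single customer this run may touch (per-resource / per-tenant)
    allowed_fields: frozenset   # the only fields it may write (per-action)
    expires_at: float           # short-lived; dies with the run


def issue_grant(run_id, customer_id, allowed_fields, ttl_s=300, now=None):
    """Hypothetical issuer: mints a grant bound to the run id instead of a standing role."""
    now = time.time() if now is None else now
    return ToolGrant(run_id, customer_id, frozenset(allowed_fields), now + ttl_s)


def crm_update_broad(crm, customer_id, fields):
    """The over-broad tool from the Example: any field on any customer.
    A hallucinated customer_id is still 'in scope', so the write succeeds
    and the audit entry looks exactly like a legitimate one."""
    crm[customer_id].update(fields)
    AUDIT.append({"tool": "crm_update_broad", "customer_id": customer_id,
                  "fields": sorted(fields), "result": "ok"})
    return "ok"


def crm_update_scoped(crm, grant, customer_id, fields, now=None):
    """Narrow tool: every argument is checked against the grant before the write,
    and a refusal is recorded so it can be alerted on."""
    now = time.time() if now is None else now
    entry = {"tool": "crm_update_scoped", "run_id": grant.run_id,
             "customer_id": customer_id, "fields": sorted(fields)}
    try:
        if now > grant.expires_at:
            raise ScopeViolation("grant expired")
        if customer_id != grant.customer_id:
            raise ScopeViolation(f"customer {customer_id} outside grant for {grant.customer_id}")
        disallowed = set(fields) - grant.allowed_fields
        if disallowed:
            raise ScopeViolation(f"fields not in grant: {sorted(disallowed)}")
    except ScopeViolation as exc:
        entry["result"] = f"denied: {exc}"
        AUDIT.append(entry)
        raise
    crm[customer_id].update(fields)
    entry["result"] = "ok"
    AUDIT.append(entry)
    return "ok"


def resolve_ticket(crm, ticket_customer_id, proposed_customer_id, proposed_fields, now=None):
    """Constructed agent run: the grant is derived from the ticket, not from whatever
    customer id the model proposes. Returns 'ok' or 'denied'."""
    grant = issue_grant(secrets.token_hex(8), ticket_customer_id, ["billing_address"], now=now)
    try:
        return crm_update_scoped(crm, grant, proposed_customer_id, proposed_fields, now=now)
    except ScopeViolation:
        return "denied"


if __name__ == "__main__":
    # Ticket is for cust-1001; the model hallucinates cust-2002 while resolving it.
    crm = make_crm()
    crm_update_broad(crm, "cust-2002", {"billing_address": "WRONG"})
    print("broad tool:", crm["cust-2002"]["billing_address"])   # other customer overwritten

    crm = make_crm()
    print("scoped tool:", resolve_ticket(crm, "cust-1001", "cust-2002", {"billing_address": "WRONG"}))
    print("untouched:", crm["cust-2002"]["billing_address"])
    print("last audit entry:", AUDIT[-1]["result"])
```

The point of the design is where the scope comes from: the grant is minted from the ticket's customer id before the model runs, so the model's arguments can only ever be compared against it, never widen it. Denied calls land in the same audit trail as successful ones with a distinct `result`, which is the signal the broad tool never produces.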

And the patterns that stand alongside it, or against it —

  • alternative-to: Tool Loadout ★★ (Select a small task-relevant subset of available tools per request rather than exposing the full registry to the model.)
  • complements: Tool Loadout Hot-Swap (Anti-pattern: add or remove tool definitions during a running task so the tool set the model sees changes from turn to turn.)
  • complements: Agent Privilege Escalation (Anti-pattern: let an agent's effective permissions be the union of its own identity, the identities of its tools, and the identities of the services those tools call.)
  • complements: Policy-as-Code Gate (Evaluate every proposed agent action against externally-managed machine-readable policies before dispatch, so compliance authorship lives outside the prompt and outside the agent code.)
