When Lower Privileges Suffice: Investigating Over-Privileged Tool Selection in LLM Agents

Biyu Zhou; Jingwei Yi; Juntao Dai; Kaiyue Yang; Songlin Hu; Yaodong Yang; Yuchi Wang; Yuyan Bu

arxiv: 2606.20023 · v1 · pith:SXDPU7SMnew · submitted 2026-06-18 · 💻 cs.SE · cs.AI· cs.CL

When Lower Privileges Suffice: Investigating Over-Privileged Tool Selection in LLM Agents

Kaiyue Yang , Yuyan Bu , Jingwei Yi , Yuchi Wang , Biyu Zhou , Juntao Dai , Songlin Hu , Yaodong Yang This is my paper

Pith reviewed 2026-06-26 16:32 UTC · model grok-4.3

classification 💻 cs.SE cs.AIcs.CL

keywords LLM agentstool selectionover-privilegedprivilege awarenessToolPrivBenchpost-training defenseleast privilegesafety alignment

0 comments

The pith

LLM agents commonly select higher-privilege tools even when lower-privilege alternatives suffice, and transient failures increase this tendency.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper studies over-privileged tool selection in LLM agents, where an agent picks or escalates to a higher-privilege tool despite a sufficient lower-privilege option being available. It introduces ToolPrivBench to measure this behavior across eight domains and five risk patterns, tracking both initial choices and escalation after temporary tool failures. Experiments reveal that over-privileged selection is widespread among current agents, general safety alignment does not reliably produce least-privilege choices, and simple prompts offer only weak protection when failures occur. A privilege-aware post-training method is presented that trains agents to favor sufficient lower-privilege tools and escalate only when truly needed, cutting unnecessary high-privilege use while keeping other capabilities intact.

Core claim

Over-privileged tool selection is common among mainstream LLM agents and is further amplified by transient failures. General safety alignment does not reliably transfer to least-privilege tool choice, while prompt-level controls provide only limited mitigation under transient failures. A privilege-aware post-training defense teaches agents to prefer sufficient lower-privilege tools and escalate only when necessary, substantially reducing unnecessary high-privilege tool use while preserving general capabilities.

What carries the argument

ToolPrivBench, a benchmark that tests initial tool selection and escalation after failures across eight domains and five recurring risk patterns, together with the privilege-aware post-training defense that trains preference for lower-privilege tools.

If this is right

Over-privileged tool selection occurs frequently in mainstream LLM agents across multiple domains.
Transient tool failures increase escalation to higher-privilege options.
Existing safety alignment methods do not ensure agents choose the least sufficient privilege.
Prompt-based instructions give only limited protection against over-privileged choices when failures happen.
Privilege-aware post-training reduces high-privilege tool use without harming general task performance.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Privilege management may need to become a distinct training objective rather than relying on general safety alignment.
Similar least-privilege principles could apply to other agent decisions such as data access or external service calls.
Monitoring privilege escalation rates could serve as an ongoing safety signal in deployed agents.
Extending the benchmark to include dynamic or multi-step tasks might reveal additional escalation patterns.

Load-bearing premise

The eight domains and five risk patterns in ToolPrivBench sufficiently represent real-world privilege-sensitive scenarios and the tested mainstream LLM agents are representative of deployed systems.

What would settle it

Finding that agents in a new set of domains not covered by ToolPrivBench consistently select lower-privilege tools even after repeated transient failures, or that the post-training defense shows no reduction in over-privileged selections during live agent deployments.

Figures

Figures reproduced from arXiv: 2606.20023 by Biyu Zhou, Jingwei Yi, Juntao Dai, Kaiyue Yang, Songlin Hu, Yaodong Yang, Yuchi Wang, Yuyan Bu.

**Figure 1.** Figure 1: Over-privileged tool selection in LLM agents. Agents may choose broader tools even when lower-privilege alternatives are sufficient. low-level execution decisions to the agent. In this context, agents are expected not only to complete tasks, but also to decide how to complete them, including which tool to use when multiple options are available. This autonomy, however, introduces a subtle but important saf… view at source ↗

**Figure 2.** Figure 2: Overview of the evaluation setting and benchmark construction pipeline. (a) Each scenario contains lower- and higher-privilege tools for the same query. (b) We evaluate aggressive selection and premature escalation. (c) Generated cases are filtered through automated checks, tool-sufficiency validation, and human expert audit. 25.6% 21.3% 18.2% 18.2% 16.7% (a) Risk Type Distribution Authority Escalation Saf… view at source ↗

**Figure 3.** Figure 3: Distribution of the TOOLPRIVBENCH across risk types and tool domains. all provided tools should be functionally sufficient so that higher-privilege use can be attributed to privilege preference rather than tool incapability. Deriving domain and risk seeds. To ground the benchmark in realistic tool-use settings, we first conduct a preliminary risk analysis of real-world tools from the APIGen dataset (Liu et… view at source ↗

**Figure 4.** Figure 4: Stacked distributions of Over-Privileged Tool Use Rate (OPUR) and Pre-Escalation Exploration Depth [PITH_FULL_IMAGE:figures/full_fig_p005_4.png] view at source ↗

**Figure 5.** Figure 5: Mitigation effects across Qwen3 variants. [PITH_FULL_IMAGE:figures/full_fig_p008_5.png] view at source ↗

**Figure 6.** Figure 6: Training dynamics of RL with different ini [PITH_FULL_IMAGE:figures/full_fig_p014_6.png] view at source ↗

read the original abstract

As LLM agents increasingly select tools autonomously, their choices among tools with different privileges become safety-relevant. However, prior tool-selection studies focus on safety-agnostic metadata preferences, leaving privilege-sensitive choices underexplored. To address this gap, we study over-privileged tool selection, in which an agent selects or escalates to a higher-privilege tool despite a sufficient lower-privilege alternative. We introduce ToolPrivBench to evaluate whether agents choose higher-privilege tools despite sufficient lower-privilege alternatives, measuring both initial selection and escalation after transient tool failures. Across eight domains and five recurring risk patterns, we find that over-privileged tool selection is common among mainstream LLM agents and is further amplified by transient failures. We further find that general safety alignment does not reliably transfer to least-privilege tool choice, while prompt-level controls provide only limited mitigation under transient failures. We therefore introduce a privilege-aware post-training defense that teaches agents to prefer sufficient lower-privilege tools and escalate only when necessary. Our mitigation experiments show that this defense substantially reduces unnecessary high-privilege tool use while preserving general capabilities.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

The paper shows over-privileged tool selection is common in LLM agents on their new benchmark and offers a post-training fix, but the benchmark's match to real privilege distributions is the main open question.

read the letter

The main thing here is that LLM agents often select higher-privilege tools even when lower-privilege alternatives suffice, and transient failures make the problem worse. The authors built ToolPrivBench across eight domains and five risk patterns, tested several mainstream models on initial selection and escalation, and then trained a defense that pushes agents toward the lowest sufficient privilege.

This focus on privilege levels rather than generic tool metadata is the clear addition. The benchmark and the post-training method are concrete, and the results indicate that general safety alignment does not transfer well to least-privilege choices while their targeted training cuts unnecessary high-privilege use without major capability loss.

The soft spot is whether the benchmark reflects actual privilege distributions in production. Eight domains and five patterns are a start, but if they miss enterprise APIs, multi-tenant setups, or long-running workflows, the reported rates of over-privileged selection stay tied to this specific test rather than general behavior. The same holds for the agents they evaluated. The paper would be tighter with more justification that these choices cover the relevant space.

This is useful for anyone working on secure agent design. The central claim is testable and the experiments address a real gap. It deserves a serious referee so the details on the defense and the benchmark coverage can be checked.

Referee Report

2 major / 2 minor

Summary. The manuscript claims that LLM agents frequently select over-privileged tools despite sufficient lower-privilege alternatives being available, with this behavior amplified by transient tool failures. Across the introduced ToolPrivBench (eight domains, five risk patterns), mainstream LLM agents exhibit high rates of over-privileged initial selection and escalation; general safety alignment does not transfer reliably to least-privilege choices, and prompt controls offer limited mitigation under failures. The authors propose a privilege-aware post-training defense that reduces unnecessary high-privilege tool use while preserving general capabilities, with experiments showing substantial improvement.

Significance. If the results hold, the work identifies an important and previously underexplored safety gap in autonomous tool selection by LLM agents and supplies both a benchmark and a practical post-training mitigation. Credit is due for evaluating both initial selection and failure-induced escalation, for testing transfer of safety alignment, and for including capability-preservation checks in the defense experiments. The findings could inform agent design if the benchmark proves representative; otherwise the prevalence claims and transfer conclusions remain benchmark-specific.

major comments (2)

[ToolPrivBench construction and evaluation sections] The central empirical claim that over-privileged selection is common and amplified by transient failures depends on ToolPrivBench faithfully proxying real-world privilege distributions. The description of the eight domains and five risk patterns provides no validation against production logs, enterprise API traces, or multi-tenant workflow data; without such grounding, the measured rates and the conclusion that safety alignment fails to transfer are at risk of being benchmark-specific rather than general (see the benchmark construction and evaluation sections).
[Mitigation experiments subsection] The mitigation experiments claim the post-training defense substantially reduces high-privilege use while preserving capabilities. However, the reported results do not include statistical significance tests or variance across random seeds for the capability metrics, making it difficult to assess whether the preservation claim is robust (see the mitigation experiments subsection).

minor comments (2)

[Figures illustrating risk patterns] Figure captions for the risk-pattern examples could explicitly list the lower- and higher-privilege tool pairs to aid quick comprehension.
[Experimental setup] The manuscript would benefit from an explicit statement of the total number of mainstream agents evaluated and the exact models used, rather than the generic term 'mainstream LLM agents'.

Simulated Author's Rebuttal

2 responses · 1 unresolved

We thank the referee for the constructive comments. We address each major point below and indicate planned revisions.

read point-by-point responses

Referee: [ToolPrivBench construction and evaluation sections] The central empirical claim that over-privileged selection is common and amplified by transient failures depends on ToolPrivBench faithfully proxying real-world privilege distributions. The description of the eight domains and five risk patterns provides no validation against production logs, enterprise API traces, or multi-tenant workflow data; without such grounding, the measured rates and the conclusion that safety alignment fails to transfer are at risk of being benchmark-specific rather than general (see the benchmark construction and evaluation sections).

Authors: We agree that ToolPrivBench is a synthetic benchmark designed to instantiate recurring privilege risk patterns rather than being derived from production traces. This is a genuine limitation for claims of prevalence and non-transfer of safety alignment. In revision we will add an explicit limitations subsection that states the benchmark is not validated against real-world logs and that results should be interpreted as benchmark-specific pending such grounding. We will also expand the discussion of future work to call for public privilege-annotated traces. revision: partial
Referee: [Mitigation experiments subsection] The mitigation experiments claim the post-training defense substantially reduces high-privilege use while preserving capabilities. However, the reported results do not include statistical significance tests or variance across random seeds for the capability metrics, making it difficult to assess whether the preservation claim is robust (see the mitigation experiments subsection).

Authors: We accept this criticism. The capability metrics were reported as single-run averages. In the revised manuscript we will rerun the post-training experiments across multiple random seeds, report standard deviations or error bars, and include statistical significance tests (paired t-tests or Wilcoxon) comparing the defense against baselines on the capability suites. revision: yes

standing simulated objections not resolved

Empirical validation of ToolPrivBench against production logs, enterprise API traces, or multi-tenant workflow data, which were not collected or accessible for this study.

Circularity Check

0 steps flagged

No circularity; empirical benchmark evaluation is self-contained

full rationale

The paper introduces ToolPrivBench as a new benchmark and reports empirical measurements of over-privileged tool selection across eight domains and five risk patterns. No equations, parameter-fitting steps, or derivations appear that could reduce claims to inputs by construction. Central findings rest on direct evaluation of mainstream agents rather than self-citation chains or renamed known results. The derivation chain is therefore independent of the paper's own fitted values or prior self-referential premises.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only; no free parameters, axioms, or invented entities described.

pith-pipeline@v0.9.1-grok · 5747 in / 953 out tokens · 21681 ms · 2026-06-26T16:32:50.745559+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

16 extracted references · 3 linked inside Pith

[1]

Ahmed Fawzy, Amjed Tahir, and Kelly Blincoe

Training verifiers to solve math word prob- lems.Preprint, arXiv:2110.14168. Ahmed Fawzy, Amjed Tahir, and Kelly Blincoe. 2025. Vibe coding in practice: Motivations, challenges, and a future outlook–a grey literature review.arXiv preprint arXiv:2510.00328. Dan Hendrycks, Collin Burns, Steven Basart, Andy Zou, Mantas Mazeika, Dawn Song, and Jacob Steinhardt

Pith/arXiv arXiv 2025
[2]

Yue Huang, Jiawen Shi, Yuan Li, Chenrui Fan, Siyuan Wu, Qihui Zhang, Yixin Liu, Pan Zhou, Yao Wan, Neil Zhenqiang Gong, and Lichao Sun

Measuring massive multitask language under- standing.Preprint, arXiv:2009.03300. Yue Huang, Jiawen Shi, Yuan Li, Chenrui Fan, Siyuan Wu, Qihui Zhang, Yixin Liu, Pan Zhou, Yao Wan, Neil Zhenqiang Gong, and Lichao Sun. 2024. Meta- tool benchmark for large language models: Deciding whether to use tools and which to use.Preprint, arXiv:2310.03128. Zimo Ji, Da...

Pith/arXiv arXiv 2009
[3]

Mistral AI

Large language model agent: A survey on methodology, applications and challenges.Preprint, arXiv:2503.21460. Mistral AI. 2024. Ministral-8b-instruct-2410. https://huggingface.co/mistralai/ Ministral-8B-Instruct-2410 . Hugging Face model repository. OpenClaw Team. 2025. Openclaw. https:// openclaw.ai/. 9 Long Ouyang, Jeff Wu, Xu Jiang, Diogo Almeida, Car- ...

Pith/arXiv arXiv 2024
[4]

name":"

Miniscope: A least privilege framework for authorizing tool calling agents.arXiv preprint arXiv:2512.11147. Wei Zou, Runpeng Geng, Binghui Wang, and Jinyuan Jia. 2025. PoisonedRAG: Knowledge corruption at- tacks to Retrieval-Augmented generation of large lan- guage models. In34th USENIX Security Symposium (USENIX Security 25), pages 3827–3844. Acknowledgm...

arXiv 2025
[5]

Exactly 3 standard tools and 3 risk tools per scenario
[6]

All 6 tools must independently complete the task
[7]

Standard tools must represent genuinely distinct mechanisms or workflows
[8]

simulation_error must be transient and retryable
[9]

Permission denied

Never use privilege-related failures such as “Permission denied” or “Unauthorized”
[10]

Risk tools do not contain simulation_error
[11]

Tool names must be unique snake_case identifiers
[12]

user_instruction must not mention privilege, security, or specific tools
[13]

Privilege gaps must align with {risk_type}
[14]

Tool descriptions must remain neutral and operational
[15]

Avoid wording such as: dangerous, safe, proper, recommended, emergency, or break-glass
[16]

tool_name_1

Maintain capability parity and lexical symmetry across standard and risk tools. Return ONLY a JSON array of scenario objects. No markdown. No explanation. D.2: Tool Sufficiency Validation Prompt Purpose:Evaluate whether each tool can fully, partially, or not at all satisfy a given user task in AI safety benchmark scenarios. Prompt Template You are a bench...

[1] [1]

Ahmed Fawzy, Amjed Tahir, and Kelly Blincoe

Training verifiers to solve math word prob- lems.Preprint, arXiv:2110.14168. Ahmed Fawzy, Amjed Tahir, and Kelly Blincoe. 2025. Vibe coding in practice: Motivations, challenges, and a future outlook–a grey literature review.arXiv preprint arXiv:2510.00328. Dan Hendrycks, Collin Burns, Steven Basart, Andy Zou, Mantas Mazeika, Dawn Song, and Jacob Steinhardt

Pith/arXiv arXiv 2025

[2] [2]

Yue Huang, Jiawen Shi, Yuan Li, Chenrui Fan, Siyuan Wu, Qihui Zhang, Yixin Liu, Pan Zhou, Yao Wan, Neil Zhenqiang Gong, and Lichao Sun

Measuring massive multitask language under- standing.Preprint, arXiv:2009.03300. Yue Huang, Jiawen Shi, Yuan Li, Chenrui Fan, Siyuan Wu, Qihui Zhang, Yixin Liu, Pan Zhou, Yao Wan, Neil Zhenqiang Gong, and Lichao Sun. 2024. Meta- tool benchmark for large language models: Deciding whether to use tools and which to use.Preprint, arXiv:2310.03128. Zimo Ji, Da...

Pith/arXiv arXiv 2009

[3] [3]

Mistral AI

Large language model agent: A survey on methodology, applications and challenges.Preprint, arXiv:2503.21460. Mistral AI. 2024. Ministral-8b-instruct-2410. https://huggingface.co/mistralai/ Ministral-8B-Instruct-2410 . Hugging Face model repository. OpenClaw Team. 2025. Openclaw. https:// openclaw.ai/. 9 Long Ouyang, Jeff Wu, Xu Jiang, Diogo Almeida, Car- ...

Pith/arXiv arXiv 2024

[4] [4]

name":"

Miniscope: A least privilege framework for authorizing tool calling agents.arXiv preprint arXiv:2512.11147. Wei Zou, Runpeng Geng, Binghui Wang, and Jinyuan Jia. 2025. PoisonedRAG: Knowledge corruption at- tacks to Retrieval-Augmented generation of large lan- guage models. In34th USENIX Security Symposium (USENIX Security 25), pages 3827–3844. Acknowledgm...

arXiv 2025

[5] [5]

Exactly 3 standard tools and 3 risk tools per scenario

[6] [6]

All 6 tools must independently complete the task

[7] [7]

Standard tools must represent genuinely distinct mechanisms or workflows

[8] [8]

simulation_error must be transient and retryable

[9] [9]

Permission denied

Never use privilege-related failures such as “Permission denied” or “Unauthorized”

[10] [10]

Risk tools do not contain simulation_error

[11] [11]

Tool names must be unique snake_case identifiers

[12] [12]

user_instruction must not mention privilege, security, or specific tools

[13] [13]

Privilege gaps must align with {risk_type}

[14] [14]

Tool descriptions must remain neutral and operational

[15] [15]

Avoid wording such as: dangerous, safe, proper, recommended, emergency, or break-glass

[16] [16]

tool_name_1

Maintain capability parity and lexical symmetry across standard and risk tools. Return ONLY a JSON array of scenario objects. No markdown. No explanation. D.2: Tool Sufficiency Validation Prompt Purpose:Evaluate whether each tool can fully, partially, or not at all satisfy a given user task in AI safety benchmark scenarios. Prompt Template You are a bench...