Confused Deputy (AI)

A confused deputy is a program that is tricked into exercising its own authority on behalf of a party that does not hold that authority; it is a classic security concept now central to agent threat modeling. Because agents act with broad delegated authority, even a small manipulation of their input can turn a routine task into a privileged operation carried out on the attacker's behalf.

Confused deputy patterns in agentic AI include:

  • Argument tampering: Crafted inputs that change the meaning of a permitted tool call.
  • Implicit delegation: Agents extending user trust to actions the user never sanctioned.
  • Cross-tenant pivot: Agents that read attacker content while holding victim privileges.
  • Privilege amplification: Combining low-risk tools to perform a high-risk action.
  • Approval bypass: Convincing the agent to skip human checkpoints under cover of speed.

The most reliable defense pattern combines intent capture at the user interface with intent validation at the runtime layer: the user's authorization is recorded where the request is made, and every tool call is checked against that record before it executes. Together they ensure that agents act on user authority only for the actions the user actually authorized.

Programs that handle the confused deputy problem well also tag each tool call with the intent metadata captured at the user surface, giving auditors a clean record of the authorization path behind every action.
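As an added illustration of the capture-then-validate pattern described above (example code, not PointGuard's or any product's implementation), the runtime layer below checks each proposed tool call against an intent record captured at the user surface and emits an audit record carrying the intent id. The tool names, argument keys in TARGET_KEYS and the scenario data are constructed assumptions.

```python
from dataclasses import dataclass
TARGET_KEYS = ("path", "to", "url")  # assumed argument names that denote a target

@dataclass(frozen=True)
class Intent:
    intent_id: str              # carried on every tool call for the audit trail
    allowed_tools: frozenset    # tools the user's request actually needs
    allowed_targets: frozenset  # paths / recipients / hosts the user named
    needs_approval: frozenset   # tools that must pass a human checkpoint

@dataclass
class ToolCall:
    tool: str
    args: dict
    human_approved: bool = False

def validate(intent: Intent, call: ToolCall) -> dict:
    """Runtime-layer check; the call may execute only if the record says allowed."""
    reason = "ok"
    if call.tool not in intent.allowed_tools:
        reason = "implicit delegation: tool outside captured intent"
    elif any(call.args[k] not in intent.allowed_targets
             for k in TARGET_KEYS if k in call.args):
        reason = "argument tampering: target outside captured intent"
    elif call.tool in intent.needs_approval and not call.human_approved:
        reason = "approval bypass: human checkpoint not satisfied"
    return {"intent_id": intent.intent_id, "tool": call.tool, "args": call.args,
            "allowed": reason == "ok", "reason": reason}

# Constructed scenario: the user asked to summarise one report and mail it to Bob.
USER_INTENT = Intent(
    intent_id="req-0001",
    allowed_tools=frozenset({"read_file", "send_email"}),
    allowed_targets=frozenset({"/home/alice/report.txt", "bob@example.com"}),
    needs_approval=frozenset({"send_email"}),
)

# Calls the agent might emit: the first two match the request, the rest do not.
CALLS = [
    ToolCall("read_file", {"path": "/home/alice/report.txt"}),
    ToolCall("send_email", {"to": "bob@example.com", "body": "summary"}, True),
    ToolCall("send_email", {"to": "outsider@example.net", "body": "summary"}, True),
    ToolCall("read_file", {"path": "/home/alice/private/notes.txt"}),
    ToolCall("delete_file", {"path": "/home/alice/report.txt"}),
    ToolCall("send_email", {"to": "bob@example.com", "body": "summary"}),
]

def audit_log(intent: Intent = USER_INTENT, calls=CALLS) -> list:
    return [validate(intent, c) for c in calls]
```

Each denied record names the confused-deputy pattern it matched, so the same log serves both enforcement and audit.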

How PointGuard AI Helps

PointGuard's Agent Governance Mesh enforces intent-to-action validation that catches confused-deputy patterns where tool calls technically pass policy but contradict user intent. The combined intent-based checks defeat confused-deputy attacks even when individual tool calls would otherwise look benign in isolation.
