What is the confused deputy problem in AI agents?
The confused deputy problem occurs when an AI agent executes queries or actions with the authority of its own credentials rather than with the permissions of the user it is acting for. It arises because the agent inherits a broad service-account credential instead of user-scoped permissions, so a request from a low-privilege user is carried out with whatever the agent itself is allowed to do.
In traditional computing, a "confused deputy" is a program that is tricked into misusing its authority. With AI agents, this problem is amplified because:
- Agents inherit developer credentials: Agents are commonly run under a service account with admin-level database access, regardless of what the end user behind a given request should be able to do
- No per-user scoping: If User A asks the agent to "show my data," the agent queries with admin privileges and could inadvertently expose User B's data
- LLMs generate raw queries: Models generate SQL, API calls, and function arguments without understanding the authorization context of the requesting user
- Privilege confusion scales with autonomy: The more autonomous the agent, the more likely it is to execute actions that exceed the user's authorization level
Industry guidance is unambiguous: "Use frameworks that prevent the LLM from generating raw SQL. Instead, allow it to interact only through pre-defined, safe REST API endpoints." And: "Never grant an LLM administrative or write access unless strictly required and heavily controlled."
Exogram prevents confused deputy attacks through Agent Identity Gating (Gate 0 of the EAAP protocol). Every action is evaluated with the requesting user's authorization context, not the agent's service account privileges. The agent's broad credentials are constrained to the user's specific permissions at execution time.
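The two patterns contrasted above, shown side by side as an added example (this is illustrative code, not Exogram's implementation or any framework's API; the table, tool names and session structure are constructed for the demonstration). The vulnerable tool runs model-generated SQL on an admin connection; the hardened tool only lets the model name a predefined endpoint, binds the query to the authenticated session's identity, checks scope before touching the database, and marks the connection read-only for the call:

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample data: two users' rows share one table.
SCHEMA = """
CREATE TABLE orders (
    id    INTEGER PRIMARY KEY,
    owner TEXT NOT NULL,
    item  TEXT NOT NULL,
    total REAL NOT NULL
);
INSERT INTO orders (owner, item, total) VALUES
  ('alice', 'laptop',  1200.00),
  ('alice', 'mouse',     25.00),
  ('bob',   'monitor',  300.00);
"""


def make_db() -> sqlite3.Connection:
    """Build the in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


@dataclass(frozen=True)
class Session:
    """Authorization context of the human who issued the request (hypothetical shape)."""
    user_id: str
    scopes: frozenset  # e.g. frozenset({"orders:read"})


# --- Vulnerable pattern: the LLM emits raw SQL and the agent runs it on a
# connection carrying the agent's own (admin) authority. Alice asked "show my
# orders", the model produced "SELECT * FROM orders", and nothing ties the
# query to Alice, so Bob's rows come back too. A generated DELETE would run
# just as readily. ---
def vulnerable_tool(admin_conn: sqlite3.Connection, llm_sql: str) -> list:
    return admin_conn.execute(llm_sql).fetchall()


# --- Hardened pattern: the model may only *name* a predefined endpoint and
# pass arguments; the server supplies the identity and checks scope. ---
class AuthorizationError(PermissionError):
    pass


def list_my_orders(conn: sqlite3.Connection, session: Session, llm_args: dict) -> list:
    if "orders:read" not in session.scopes:
        raise AuthorizationError("missing scope orders:read")
    # The owner predicate comes from the authenticated session, never from
    # model-generated arguments. An attempted llm_args={"owner": "bob"} is
    # simply ignored; the model cannot widen the query's scope.
    return conn.execute(
        "SELECT item, total FROM orders WHERE owner = ? ORDER BY id",
        (session.user_id,),
    ).fetchall()


# Allow-list of endpoints the model is permitted to call (hypothetical names).
TOOLS = {"list_my_orders": list_my_orders}


def dispatch(conn: sqlite3.Connection, session: Session, tool_call: dict) -> list:
    """Route a model tool call through the allow-list with the user's context."""
    name = tool_call.get("name")
    if name not in TOOLS:
        # Anything not on the allow-list, including a "run_sql" style tool,
        # is rejected before any database access happens.
        raise AuthorizationError(f"unknown tool {name!r}")
    # No write access for the LLM path: SQLite refuses INSERT/UPDATE/DELETE
    # on this connection once query_only is set.
    conn.execute("PRAGMA query_only = 1")
    return TOOLS[name](conn, session, tool_call.get("arguments", {}))


def write_refused(conn: sqlite3.Connection) -> bool:
    """True if the connection rejects a write (i.e. query_only is in effect)."""
    try:
        conn.execute("DELETE FROM orders")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    alice = Session("alice", frozenset({"orders:read"}))
    print("vulnerable:", vulnerable_tool(db, "SELECT * FROM orders"))
    print("hardened:  ", dispatch(db, alice, {"name": "list_my_orders",
                                              "arguments": {"owner": "bob"}}))
    print("write refused after dispatch:", write_refused(db))
```

The design point is where identity enters: in the hardened path the `owner` value is read from the server-side session object, which the model never sees or controls, and scope is checked before the query is built. The allow-list does the same job for actions that the `WHERE owner = ?` predicate does for rows.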