Why 'Read-Only' Is Not a Risk Category
Auly Editorial · Jun 14, 2026
When teams audit their AI agent deployments, permissions are commonly split into two buckets: agents that can read, and agents that can write. The read bucket is treated as the low-risk tier. It is not a risk category at all—it is one axis of a multi-dimensional surface, and collapsing the others into it is where the scoring error begins.
What "read-only" actually grants
OWASP's framework on Excessive Agency (LLM08 in the 2023/24 Top 10 for LLM Applications) identifies three independent root causes of dangerous agent behavior: excessive functionality, excessive permissions, and excessive autonomy. The framework is explicit that these dimensions are separate and that constraining one does not substitute for constraining the others.
The permissions dimension illustrates the problem directly. OWASP's own example is an agent that "might only need read access" to a product database and therefore "should not have UPDATE, INSERT or DELETE permissions." The failure mode is the gap between that prescription and practice: agents are routinely provisioned with identities that carry far more than the read access the task needs. The declared behavior of the plugin and the actual scope of what its credential can do in the underlying system are different things, and risk scoring that captures only the declared behavior misses the effective authority.
This pattern is not specific to databases. API tokens, cloud IAM policies, and service accounts are frequently provisioned with more scope than the task that created them requires. An agent presenting read-intended credentials may be holding an identity that would authorize destructive operations under different conditions. The "read-only" label describes what the agent was configured to do, not the ceiling of what its credentials could reach.
When read access is the attack
The more significant issue is that read access itself—genuinely constrained, no write permissions anywhere in the chain—can still produce severe outcomes.
EchoLeak (CVE-2025-32711) is the clearest documented example. Researchers at Aim Security discovered that Microsoft 365 Copilot, an AI assistant operating with read access to enterprise documents and communications, could be caused to exfiltrate sensitive data through a single crafted email, with no user interaction required. The disclosure, published as an arXiv paper in September 2025, describes it as "a zero-click prompt injection vulnerability in Microsoft 365 Copilot that enabled remote, unauthenticated data exfiltration via a single crafted email."
The mechanism required no write operations. When Copilot processed documents, it read not only visible text but also hidden sections such as comments and speaker notes. Attackers embedded prompt injection instructions in those hidden fields. Copilot executed the instructions, then exfiltrated the captured data by returning an image reference with the stolen content encoded in the URL—so the payload was transmitted to an attacker-controlled server when the image loaded. The Aim Security paper describes the outcome as "full privilege escalation across LLM trust boundaries without user interaction."
The agent's authority was read. The consequence was exfiltration.
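One defensive control for the output path described above is an egress check on what the agent returns before a client renders it. The following is an added example, not code from the article or from Microsoft or Aim Security: it flags markdown image references whose host is outside an assumed allowlist, or whose query string is long enough to carry encoded content, and strips them so the client never fetches the URL. The allowlist, the length threshold and the sample response are all constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hosts the deployment is allowed to reference in rendered output (assumed allowlist).
ALLOWED_HOSTS = {"contoso.example", "cdn.contoso.example"}

# Markdown image syntax ![alt](url). A production filter should also cover
# HTML <img> tags, reference-style links and bare URLs; this covers one form.
IMAGE_REF = re.compile(r"!\[[^\]]*\]\((https?://[^)\s]+)\)")


def flag_image_refs(response: str, max_param_len: int = 64):
    """Return (url, reason) pairs for image references that must not be rendered:
    any host outside the allowlist, or any query parameter long enough to be
    a carrier for read data (threshold is an assumed tuning value)."""
    findings = []
    for url in IMAGE_REF.findall(response):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            findings.append((url, f"host {host!r} not allowlisted"))
            continue
        for name, values in parse_qs(parsed.query).items():
            if any(len(v) > max_param_len for v in values):
                findings.append((url, f"query parameter {name!r} exceeds {max_param_len} chars"))
                break
    return findings


def sanitize(response: str) -> str:
    """Replace every flagged image reference so the client never issues the fetch."""
    flagged = {url for url, _ in flag_image_refs(response)}
    return IMAGE_REF.sub(
        lambda m: "[image removed]" if m.group(1) in flagged else m.group(0),
        response,
    )


# Constructed sample: one benign internal chart, then an external reference whose
# query string carries a long opaque value, the shape of the channel EchoLeak used.
SAMPLE = (
    "Summary of the Q3 plan.\n"
    "![chart](https://cdn.contoso.example/q3.png)\n"
    "![ ](https://unknown-host.example/p.gif?d=" + "A" * 120 + ")\n"
)

if __name__ == "__main__":
    for url, reason in flag_image_refs(SAMPLE):
        print("BLOCK", reason, url[:60])
    print(sanitize(SAMPLE))
```

The check runs on the agent's response, not on its inputs, which is the point: it constrains where read data can go rather than trying to recognise every injected instruction.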
The authority-versus-consequence gap
The authority of an AI agent is the set of operations it is permitted to perform. The consequence surface is the set of outcomes that can follow from what it can reach, observe, and act upon—including indirect effects that do not themselves require write operations.
A read-only agent connected to enterprise email can exfiltrate documents if it can be prompted to include their contents in its output. A read-only agent connected to a credential store or configuration repository can surface secrets that enable subsequent attacks. A read-only agent scanning infrastructure definitions can map attack surfaces that would otherwise require active probing. None of these outcomes require the agent to write anything. All of them follow from what the agent can read, combined with what it can do with that information.
This is the dimension that read-versus-write scoring misses. Consequence is not additive across permission types. An agent with read access to low-sensitivity data, constrained output paths, and a human reviewing each response carries genuinely low risk. The same read access applied to sensitive data, combined with any exfiltration channel—an outbound URL fetch, an image reference, an unmonitored response field—produces a different risk profile entirely. The authority level (read) is identical in both cases; the consequence changes with context.
OWASP's June 2026 assessment of agentic AI security noted that prompt injection maps to six of the ten risk categories in its Top 10 for Agentic Applications. That breadth reflects a structural property: prompt injection attacks work by redirecting what an agent does with what it reads. Any agent with read access that also has an output path is a prompt injection target, and the harm follows from the sensitivity of what was read and the reach of where the output goes.
What accurate scoring requires
A risk posture for an AI agent that captures only declared permission type—read or write—reduces a three-dimensional problem to one variable. The three variables that actually determine consequence are: what the agent can access (authority), what it can do with that access (functionality), and what actions proceed without human review (autonomy). A score that compresses all three into a read-write binary will systematically underestimate risk for agents operating in information-rich environments where data sensitivity and output reach are high.
The practical implication is a second question that always follows the first. The first question is: what is this agent permitted to do? The second is: read access to what, and through what path does that information leave the system? The first question describes declared authority. The second describes the consequence surface. Neither answer replaces the other.
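To make the two questions concrete, here is an added example (not the article's or Auly's scoring model) that scores the same agent profile two ways: the read/write binary the article argues against, and a score over the three dimensions it names. The profile fields, the 1 to 3 sensitivity scale and the weights are assumptions chosen for illustration; the two read-only profiles mirror the pair of cases described in the text above.

```python
from dataclasses import dataclass


@dataclass
class AgentProfile:
    name: str
    write_access: bool        # the declared read/write bit
    data_sensitivity: int     # assumed scale: 1 public .. 3 secrets or regulated data
    output_reach: int         # assumed: 0 human-reviewed only, 1 internal systems, 2 external endpoints
    unreviewed_actions: bool  # autonomy: output is acted on without a human in the loop


def binary_score(p: AgentProfile) -> str:
    """The read-versus-write bucket: read is low, write is high, nothing else counts."""
    return "high" if p.write_access else "low"


def consequence_score(p: AgentProfile) -> str:
    """Authority (what it reaches) times exfiltration path (where output can go)
    times autonomy (what proceeds unreviewed). Weights are illustrative assumptions."""
    authority = p.data_sensitivity * (2 if p.write_access else 1)
    path = 1 + p.output_reach          # reach 0 means read data has no channel out
    autonomy = 2 if p.unreviewed_actions else 1
    raw = authority * path * autonomy
    if raw <= 3:
        return "low"
    if raw <= 8:
        return "medium"
    return "high"


# Constructed profiles. Both readers carry identical declared authority.
LOW_RISK_READER = AgentProfile("faq-bot", False, 1, 0, False)
EXFIL_CAPABLE_READER = AgentProfile("mail-summarizer", False, 3, 2, True)
# A writer confined to public data with every action reviewed, for contrast.
REVIEWED_WRITER = AgentProfile("ticket-tagger", True, 1, 0, False)


def compare(profiles):
    """Map each agent name to (binary bucket, consequence bucket)."""
    return {p.name: (binary_score(p), consequence_score(p)) for p in profiles}


if __name__ == "__main__":
    for name, (b, c) in compare([LOW_RISK_READER, EXFIL_CAPABLE_READER, REVIEWED_WRITER]).items():
        print(f"{name:16s} binary={b:5s} consequence={c}")
```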
"Read-only" is an incomplete description. It names one constraint on one dimension and leaves the others unmeasured.
Sources
- OWASP Gen AI Security Project — LLM08 Excessive Agency (2023/24 list)
- Hack The Box — Inside CVE-2025-32711 (EchoLeak): Prompt injection meets AI exfiltration
- arXiv 2509.10540 — EchoLeak: The First Real-World Zero-Click Prompt Injection Exploit in a Production LLM System (Aim Security, 2025)
- Help Net Security — Prompt injection still drives most agentic AI security failures in production (June 11, 2026)