A confused deputy attack in agentic AI is when an attacker tricks a privileged AI agent into misusing its legitimate authority on the attacker's behalf. The agent is the "deputy": it holds credentials, tokens, and permissions, and the attacker manipulates it into accessing data or performing actions the attacker could never do directly — because the agent acts on its own authority without checking who the request is truly for. It is a decades-old access-control flaw (first described in 1988) now reappearing in AI agents and the Model Context Protocol, where agents freely forward tokens and chain tool calls. The core defense is per-tool least-privilege scoping and explicit checks on the intended audience of every credential.
A deputy is any program that acts on behalf of others while holding more privilege than the requester. It becomes "confused" when it cannot tell whose authority a given request should use. An AI agent is a powerful deputy: it has broad tool access and often carries the user's OAuth token. If an attacker (through prompt injection, a poisoned tool, or a crafted input) gets the agent to perform a privileged action, the agent uses its own permissions — not the attacker's — so access checks pass.
In MCP, the problem shows up two ways. First, token forwarding: an agent passes its user's OAuth token to an MCP server or tool that should not receive it, letting that tool act with the user's full authority. Second, tool chaining: one tool's output induces the agent to call a second, more privileged tool, laundering the request through the agent's permissions. Both exploit the agent's failure to bind authority to the true requester.
The confused deputy problem is a classic capability-security concept (Norm Hardy, 1988) and maps directly onto OWASP's agentic-AI risks around excessive agency and identity. In agentic systems, it is closely related to token theft and excessive agency, and it is catalogued in the CASURA taxonomy of AI-agent vulnerabilities. The practical lesson: an agent's authority must be bound to the real requester, not to whatever input most recently reached the model.