A defence is too strict when it starts rejecting benign requests, shortening useful answers, or preventing core tasks from being completed. Those are signs that the model’s utility has been reduced past the point where the security gain is worth the operational cost.
Why This Matters for Security Teams
An LLM defence is too strict when it changes the system from safely useful to cautiously unusable. Security teams usually spot this through support tickets, failed workflows, and user workarounds rather than through a formal tuning process. In agentic environments, that matters because a blocked answer can be just as harmful as an exposed one if it breaks summarisation, triage, or customer-facing automation.
The real risk is overcorrecting after a prompt-injection scare or data leakage test and then putting a blanket filter in front of every request. That approach can suppress legitimate outputs, interrupt escalation paths, and hide the difference between a malicious request and a normal business task. Guidance from the OWASP Agentic AI Top 10 and NIST AI Risk Management Framework both point toward balancing harm reduction with utility, not treating every control as a hard fail gate. NHIMG research on the AI Agents: The New Attack Surface report shows why that balance matters: 80% of organisations say their AI agents have already acted beyond intended scope.
In practice, many security teams encounter excessive blocking only after users have already routed around the control and reintroduced risk elsewhere.
How It Works in Practice
The most reliable test is operational: measure whether the defence still allows the model to complete approved tasks with acceptable quality, latency, and coverage. A defence that is “safe” on paper but rejects benign prompts, truncates answers, or strips necessary context is usually too strict for production.
Practitioners should look at three signals together. First, task completion rate: can the model still answer, classify, or summarise the same requests it handled before the control was added? Second, false positive rate: how often are safe prompts blocked, rewritten, or over-redacted? Third, recovery cost: how much manual intervention is needed when the defence refuses a valid request?
- Compare blocked prompts against a baseline of known-good use cases.
- Review whether refusals are specific or blunt, since blanket refusals often signal overreach.
- Check whether the control degrades answer quality by removing context, code, or operational detail.
- Measure downstream effects, such as failed ticket handling or broken agent tool calls.
For agentic or tool-using systems, this becomes even more important because the model may need to pass context into downstream actions. An over-strict filter can block the prompt before policy can evaluate intent, which defeats runtime controls such as policy-as-code or context-aware authorisation. Current guidance suggests combining NIST AI Risk Management Framework style governance with threat patterns covered in the OWASP NHI Top 10, so that the organisation can distinguish safety enforcement from utility loss. NHIMG’s Ultimate Guide to NHIs also reinforces that short-lived, well-scoped identity controls are more adaptable than static blanket restrictions.
These controls tend to break down when the model serves mixed workloads, because a rule that is acceptable for one use case can cripple another.
Common Variations and Edge Cases
Tighter defences often reduce leakage but increase friction, so teams have to balance security gain against the operational cost of false refusals. That tradeoff becomes sharper in regulated workflows, support automation, and multi-agent pipelines where one blocked response can stop an entire chain of work.
One common edge case is “useful refusal.” A model may refuse direct disclosure but still provide a safe alternative that preserves task completion. That is usually preferable to a hard block. Another is selective redaction: removing only the sensitive span rather than suppressing the full answer. Best practice is evolving here, and there is no universal standard for exactly how much redaction is too much.
Teams should also watch for hidden strictness in moderation layers, policy prompts, and retrieval filters. A system can look permissive at the chat interface while quietly preventing tool use, source access, or multi-step reasoning underneath. This is especially visible in environments where agents depend on external context, such as code assistants and workflow orchestrators. The Analysis of Claude Code Security and the NIST AI 600-1 Generative AI Profile both support a measured approach: enforce guardrails, but validate that the system still performs the job it was approved to do.
In practice, the control is too strict when users keep asking for manual overrides because the model can no longer complete routine work on its own.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Overblocking often masks unsafe prompt handling and tool misuse. |
| CSA MAESTRO | GOV-2 | Policy tuning must preserve agent utility while reducing harmful actions. |
| NIST AI RMF | AI RMF balances risk treatment against utility and operational impact. |
Tune controls with business workflows so agent governance does not break approved operations.
Related resources from NHI Mgmt Group
- How can teams tell whether workload access is still too secret-driven?
- How can security teams tell whether their CIAM stack is becoming too expensive to govern?
- How can security teams tell whether their remote access model is still too dependent on perimeter trust?
- How can security teams tell whether AI-generated package suggestions are being trusted too much?