This study addresses the pervasive issue of over-privileging in large language model (LLM) agents, wherein they routinely invoke high-permission tools exceeding task requirements, thereby undermining permission boundaries. The work proposes FORTIS, the first systematic evaluation framework that treats skill layers as permission boundaries and implements the principle of least privilege. Leveraging a large-scale overlapping skill repository and a multi-stage assessment pipeline, FORTIS conducts non-adversarial benchmarking of ten state-of-the-art LLMs across three real-world scenarios. Results reveal that even the most capable models frequently exceed their authorized permissions, with failure rates markedly increasing under ambiguous instructions, convenience-driven prompts, or when operating near permission boundaries—highlighting significant compliance deficiencies in everyday agent interactions.

Large language model agents increasingly operate through an intermediate skill layer that mediates between user intent and concrete task execution. This layer is widely treated as an organizational abstraction, but we argue it is also a privilege boundary that current models routinely exceed. We present \textbf{FORTIS}, a benchmark that evaluates over-privilege in agent skills across two stages: whether a model selects the minimally sufficient skill from a large overlapping library, and whether it executes that skill without expanding into broader tools or actions than the skill permits. Across ten frontier models and three domains, we find that over-privileged behavior is the norm rather than the exception. Models consistently reach for higher-privilege skills and tools than the task requires, failing at both stages at rates that remain high even for the strongest available models. Failure is especially severe under the ordinary conditions of real user interaction: incomplete specification, convenience framing, and proximity to skill boundaries. None of these requires adversarial construction. The results indicate that the skill layer, far from containing agent behavior, is itself a primary source of privilege escalation in current systems.