T1-AT-005HIGH
Permission Escalation Claims
T1 · Prompt & Context Subversion →Risk score240
RatingHigh
Procedures5
Severity
Mechanism
Exploits the model's inability to verify identity or authorization claims. The model has no authentication layer — it cannot check whether "Level 5 clearance" or "IRB approval #20245847" are real. Safety training teaches the model to refuse regardless of claimed permissions, but the conflict between "be helpful to authorized users" and "refuse harmful requests" creates an exploitable decision boundary.
Detection
- Pattern match for authorization claims: "clearance," "security code," "API key," "IRB approval," "override code," "authorized," "unrestricted access"
- Flag classification markings in user input (TS//SCI, NOFORN, etc.)
- Flag claims of internal team membership ("I'm from the safety team," "Anthropic/OpenAI authorized")
Mitigation
Hard rule: no user-level claim can override safety constraintsHIGH
Constitutional ClassifiersHIGH
API-level authentication (actual role-based access control)HIGH
Chaining
Chains to T1-AT-014 (Authority Spoofing) — permission claims combine with impersonation of specific organizations. In agentic contexts (T11), permission escalation chains to ASI03 (Identity & Privilege Abuse) when the agent's tool permissions are governed by the conversation context.
Framework mapping
Open in the technique browser →OWASP LLMLLM01
MITRE ATLASAML.T0051.001