A confused deputy is a trusted system that is tricked into using its authority on behalf of an attacker. The attacker does not need the privileged credentials directly; instead, they persuade a legitimate service, app, or assistant to perform an action it is allowed to do. This matters because the real security failure is not deception alone, but a broken authorization boundary.
In cyber security, confused deputy flaws often appear in account changes, file access, API calls, or cloud workflows where a front-end accepts a request and a backend performs a privileged action. AI assistants can create the same risk if natural-language requests are treated as proof of permission. Defenses include binding every action to the authenticated user, enforcing least privilege on tools, requiring step-up verification for sensitive changes, and separating conversation from authority so chat input cannot directly trigger protected operations.
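The authorization boundary described above, shown as a vulnerable handler beside a hardened one. This is an added example, not code from the original page; the `Session` fields, the tool names and the sample accounts are constructed assumptions.

```python
"""Confused-deputy demo: added illustration, not code from the original page.

A backend 'deputy' holds authority to update any account's email. The
vulnerable handler acts on whichever account the request names, so any
caller (or any chat text that reaches the tool) can aim the deputy's
authority at another user. The hardened handler binds the action to the
authenticated session, checks an explicit tool grant, and requires step-up
verification. Accounts, sessions and requests are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Session:
    user: str                       # authenticated principal
    step_up_verified: bool = False  # recent re-authentication / MFA
    tools: frozenset = frozenset({"read_profile"})  # least-privilege grant


class PermissionDenied(Exception):
    pass


def update_email_vulnerable(accounts: dict, session: Session, request: dict) -> str:
    """Confused deputy: the target account comes from the request body."""
    target = request["account"]              # attacker-controlled
    accounts[target] = request["new_email"]
    return accounts[target]


def update_email_hardened(accounts: dict, session: Session, request: dict) -> str:
    """Action bound to the authenticated user; the request cannot redirect it."""
    if "update_email" not in session.tools:
        raise PermissionDenied("tool not granted to this session")
    if not session.step_up_verified:
        raise PermissionDenied("step-up verification required for this change")
    if request.get("account") not in (None, session.user):
        # A request naming another account is the confused-deputy attempt itself.
        raise PermissionDenied("request targets a different account")
    accounts[session.user] = request["new_email"]  # identity taken from the session
    return accounts[session.user]
```

The hardened handler takes the account from the session and treats a request naming any other account as a denied attempt, which is also the event worth logging.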