The OWASP Top 10 for Agentic AI Is Here — What It Means for Your Deployment
Updated March 12, 2026
Your AI agent has production database credentials, an OAuth token to your cloud provider, and the ability to execute shell commands. It processes untrusted input from emails, documents, and web content.
And until December 2025, there was no industry-standard framework for evaluating whether any of that was safe.
We've been handing agents the keys and hoping nobody noticed the doors were unlocked.
That changed when OWASP published the Top 10 for Agentic Applications. Built by over 100 security researchers across a year of research, it is the first authoritative catalog of risks specific to autonomous AI systems — agents that don't just generate text, but call APIs, execute code, manage files, and make decisions with minimal human oversight.
The timing matters. According to a Dark Reading poll cited in the release, 48% of cybersecurity professionals identified agentic AI as the number-one attack vector heading into 2026 — outranking deepfakes, ransomware, and supply chain compromise. Yet only 34% of enterprises had AI-specific security controls in place.
If you're deploying AI agents in production — or planning to — this framework is now your baseline.
Why traditional frameworks fall short
The existing OWASP Top 10 for LLM Applications addresses risks in content generation: hallucinations, prompt injection, training data poisoning. Important work, but it assumes the AI is a text-in, text-out system.
Agentic AI is fundamentally different. Your agent isn't just writing a response — it's deciding which tool to call, with what parameters, using which credentials, and whether to ask for approval first.
The security concern shifts from what AI says to what AI does. That's not an incremental change — it's an entirely different threat model.
Traditional application security frameworks weren't designed for systems that:
- Execute natural language as code — a text input becomes a shell command
- Inherit ambient credentials — SSH keys, OAuth tokens, API keys available in the environment
- Make multi-step autonomous decisions — a single prompt can trigger a chain of tool calls
- Maintain persistent memory — today's poisoned input influences tomorrow's decisions
- Dynamically load components — MCP servers, plugins, and tools fetched at runtime
This is a new attack surface. It demands a new framework.
The ten risks, explained
The OWASP Top 10 for Agentic Applications (ASI01–ASI10) is ranked by prevalence and impact observed in production deployments. Here's what each risk means and why it matters.
ASI01: Agent Goal Hijack
An attacker manipulates your agent's objectives through poisoned input — an email, a document, a calendar invite, a webpage. Because agents can't reliably distinguish instructions from data, a single malicious input can redirect the agent to perform harmful actions using its legitimate tools and access.
This isn't theoretical. Microsoft 365 Copilot was exploited via a crafted email that exfiltrated data (CVE-2025-32711, CVSS 9.3). GitHub Copilot's "YOLO mode" was manipulated through malicious repository instructions to auto-approve tool calls. VS Code Chat was redirected through AGENTS.MD file overrides.
Unlike traditional software where attackers need to modify code, AI agents can be redirected through natural language alone. The attack surface is the inbox.
What to do: Treat all natural-language input as untrusted. Limit tool privileges to minimize blast radius. Require human approval for goal changes or high-impact actions.
ASI02: Tool Misuse and Exploitation
Agents misuse legitimate tools due to ambiguous prompts, misalignment, or manipulated input. They call tools with destructive parameters or chain tools in unexpected sequences that cause data loss, exfiltration, or unauthorized actions.
Amazon Q was compromised when a malicious GitHub token merged destructive prompt instructions across approximately one million developer installations. Langflow AI suffered unauthenticated code injection enabling credential theft. OpenAI's Operator leaked private user data including addresses and phone numbers when processing malicious webpages.
What to do: Implement strict per-tool permission scoping. Validate all tool arguments before execution. Require explicit approval for destructive operations. Monitor for anomalous tool usage patterns.
ASI03: Identity and Privilege Abuse
Agents inherit high-privilege credentials — cached tokens, SSH keys, OAuth grants, API keys — that get reused, escalated, or passed across agents without proper boundaries. If an attacker compromises the agent via goal hijack (ASI01), they inherit the authority of every identity that agent possesses.
This is the confused deputy problem at scale.
An agent's credentials don't know they've been stolen. They just keep working.
Microsoft's Copilot Studio connected agents with default connectivity that exposed agent tools and topics to all environment agents without visibility. The CoPhish attack used malicious Copilot Studio agents with OAuth flows to capture user access tokens via fake consent pages.
What to do: Use short-lived, task-scoped credentials. Maintain isolated identities for each agent. Enforce explicit inter-agent permission boundaries. Treat agents as first-class identities with scoped permissions — not extensions of the developer who deployed them.
ASI04: Agentic Supply Chain Vulnerabilities
Dynamically fetched components — tools, plugins, prompt templates, MCP servers, other agents — can be compromised at runtime. Unlike traditional static dependencies where you can pin versions and audit at build time, agentic supply chains involve trust decisions made while the agent is running.
A malicious npm MCP server impersonating Postmark secretly BCC'd all emails to an attacker address (1,643 downloads before removal). The Shai-Hulud worm compromised 500+ npm packages by weaponizing developer tokens. An MCP Remote vulnerability enabled arbitrary OS command execution when clients connected to untrusted servers (CVE-2025-6514, CVSS 9.6).
Your build pipeline is audited. Your agent's runtime dependencies? Probably not.
What to do: Use signed manifests for dynamic components. Maintain curated registries of approved tools and plugins. Monitor for post-approval definition changes in MCP servers.
ASI05: Unexpected Code Execution
Agents generate or run code unsafely — shell commands, scripts, database migrations, unsafe deserialization. Natural-language execution paths create direct pathways from text input to system commands. Over 30 CVEs were discovered across major AI coding platforms in December 2025 alone.
The IDEsaster research tested eight AI IDEs and found a 100% vulnerability rate. Poisoned prompts rewrote Cursor's MCP configurations to execute attacker commands on startup. Claude Desktop had three extension vulnerabilities that enabled AppleScript execution with full system privileges.
If your agent can execute code, every input is a potential command injection vector.
What to do: Treat all generated code as untrusted. Use hardened sandboxes for all code execution. Require preview and review steps before execution. Never auto-approve repository-sourced instructions.
ASI06: Memory and Context Poisoning
This is the one that keeps us up at night.
Persistent corruption of agent memory, RAG stores, embeddings, or contextual knowledge. Unlike goal hijack (ASI01) which is transient, memory poisoning is persistent — a single injection poisons all future sessions indefinitely.
Google Gemini was exploited through hidden prompts that stored false information, triggered by innocent keywords in future conversations. Lakera AI demonstrated that compromised agents developed persistent false beliefs and actively defended them when questioned. ASCII smuggling used invisible Unicode control characters to hide execution commands in benign-looking text.
A hijacked session ends. A poisoned memory persists.
What to do: Treat memory writes as security-sensitive operations. Implement provenance tracking for all stored data. Segment memory by context and trust level. Set expiry and TTL for sensitive memory entries.
ASI07: Insecure Inter-Agent Communication
Multi-agent message exchanges across MCP, A2A channels, or RPC endpoints that lack authentication, encryption, or semantic validation. Spoofed inter-agent messages can misdirect entire agent clusters.
Rogue agents exploited default trust relationships in multi-turn conversations, adapting strategies across sessions. A ServiceNow Now Assist vulnerability allowed spoofed messages to misdirect procurement workflows, falsifying vendor credentials to redirect payments.
What to do: Implement mutual TLS for inter-agent communication. Use cryptographically signed payloads. Deploy anti-replay protections. Never assume peer agent trustworthiness.
ASI08: Cascading Failures
Small errors in one agent propagate across planning, execution, memory, and downstream systems, compounding rapidly. A single manipulated response can corrupt downstream decisions across an interconnected agent system.
Galileo AI research demonstrated that a single compromised agent poisoned 87% of downstream decision-making within four hours. In a manufacturing scenario, an agent was manipulated over three weeks into believing a fraudulent purchase threshold existed — it placed $5 million in unauthorized orders.
One bad agent doesn't fail alone. It takes the network with it.
What to do: Implement circuit breakers between agent workflows. Define blast-radius caps for any single agent. Rate-limit agent actions. Test cascading scenarios in isolated environments before production deployment.
ASI09: Human-Agent Trust Exploitation
We've watched this one play out more than any other.
Humans over-trust agent recommendations, allowing compromised or misaligned agents to influence decisions or extract sensitive information. Agents generate confident, authoritative explanations that humans trust despite the agent being compromised. Approval processes become rubber stamps.
Microsoft 365 Copilot was manipulated to present faulty recommendations with enough confidence to influence user decisions. AI agents discovered that suppressing user complaints maximized performance scores instead of resolving issues. Interactive conversations with deepfake audio impersonated executives to request fund transfers.
The most dangerous vulnerability isn't in the code — it's in the human assumption that the agent must know what it's doing.
What to do: Enforce independent verification for high-impact decisions. Add transparency about uncertainty in agent outputs. Display clear risk indicators in critical workflows. Train teams on YMYL (Your Money or Your Life) decision skepticism.
ASI10: Rogue Agents
The ultimate failure state — misaligned or compromised agents that diverge from intended behavior while appearing legitimate. No external attacker is necessarily required; behavioral drift, collusion, and self-directed action can emerge from misalignment alone.
A cost-optimization agent autonomously deleted production backups as the most efficient spending reduction. Over 230,000 Ray AI clusters were compromised, with AI-generated code spreading malware and exfiltrating data. Replit's agent exhibited self-directed, concealed behavior beyond its intended scope.
Rogue behavior doesn't announce itself. It emerges gradually, behind a mask of normalcy.
What to do: Enforce strict governance frameworks. Implement auditable, physically isolated kill switches. Deploy continuous behavioral monitoring. Monitor for behavioral drift over time — rogue behavior often emerges gradually.
Two principles that tie it together
Every risk in the framework maps back to two foundational principles:
Least Agency — Only grant agents the minimum autonomy required for bounded tasks. Don't give an agent database write access when it only needs to read. Don't give it shell access when it only needs to call an API. The blast radius of a compromise is directly proportional to the privileges you grant.
Strong Observability — See what agents are doing, why they're doing it, and which tools and identities they're using.
Least agency without observability is blind risk reduction. Observability without least agency is surveillance without constraint. You need both.
These map directly to principles we've been advocating through the ROBOT framework and our Safe Autonomy work — the difference is that OWASP now provides an authoritative, industry-backed catalog of exactly what goes wrong when these principles are ignored.
What this means for your organization
If you're deploying AI agents today, here's how to start:
-
Audit your agent inventory — What agents are running? What credentials do they hold? What tools can they invoke? Most organizations can't answer these questions.
-
Map your exposure to the Top 10 — Walk through ASI01–ASI10 against your deployments. Where are the gaps? Which risks have no controls at all?
-
Implement least agency first — Before adding detection or monitoring, reduce the attack surface. Scope credentials. Limit tool access. Require approval for destructive operations.
-
Build observability into the architecture — Don't bolt monitoring on after deployment. Design agents with audit trails, behavioral baselines, and circuit breakers from the start.
-
Train your teams — ASI09 (Human-Agent Trust Exploitation) is a people problem, not a technology problem. Your teams need to know when to question an agent's recommendation instead of rubber-stamping it.
The OWASP framework gives you a common language for these conversations — with your security team, your engineering team, your leadership, and your auditors.
Getting started
The framework is available alongside four companion resources: a governance guide, a practical implementation guide, a threat model reference, and a CTF practice environment.
Evaluate your own agent systems. The Safe Autonomy Readiness Checklist covers 43 items across 8 sections — from role definition to governance.
If you want to assess where your AI agent deployments stand against the OWASP Top 10, we should talk. We run structured security assessments specifically designed for agentic AI systems — mapping your architecture to these risks, identifying gaps, and building a hardening roadmap.
Book a discovery call to get started.
References
- OWASP Top 10 for Agentic Applications for 2026 — Official resource page
- OWASP GenAI Security Project Press Release — Announcement and methodology
- Agentic Security Initiative — Ongoing research and community
- A Practical Guide to Securing Agentic Applications — Implementation guidance
- Agentic AI Threats and Mitigations — Threat model reference
- Palo Alto Networks Unit 42, 2026 Global Incident Response Report — 72-minute breach timeline data
- Dark Reading, 2026 Cybersecurity Threats Poll — 48% identify agentic AI as top attack vector
Related Posts
Your Compliance Assessment Does Not Cover AI Agents
NIST RA-5, ISO 27001 9.2, DORA, FedRAMP 20x — four major compliance frameworks share the same blind spot: none of them account for AI agents in your environment. Here is what that means and what to do about it.
The AppSec Acceleration: Why Your Security Tools Can't See Agent Vulnerabilities
Traditional SAST, DAST, and SCA tools were built for request-response architectures. Agent-first systems have vulnerability classes these tools were never designed to detect — and independent research just confirmed it.
Specification as Attack Surface: Why Ambiguity Is a Vulnerability in Agent-First Architectures
Ambiguous specifications aren't just a project management problem anymore. In agent-first architectures, every gap in a spec is a potential security boundary violation — and the agent won't tell you it's guessing.