
OWASP Top 10 for Agentic Applications 2026: What It Means for Enterprise AI Security 

Shikha Patra
Product Marketing Manager

TL;DR 

  • OWASP released the first Top 10 for Agentic Applications in December 2025, built specifically for autonomous, multi-step AI agents rather than single-turn LLM responses. 
  • The list spans ten categories, from Agent Goal Hijack (ASI01) to Rogue Agents (ASI10), covering identity, tools, memory, supply chain, and inter-agent communication. 
  • Every category maps back to one root problem: agents making decisions and taking actions without reliable checks on intent, authorization, or context. 
  • For enterprises, this is a governance and architecture problem as much as a technical one; least privilege, least agency, and observability are the recurring mitigations. 

What Is the OWASP Top 10? 

OWASP, the Open Worldwide Application Security Project, has published Top 10 lists for over two decades to help security teams prioritize the risks that matter most. The original OWASP Top 10 for web applications became the industry’s default checklist for application security. When large language models moved into production, OWASP followed with the Top 10 for LLM Applications, addressing risks like prompt injection and sensitive information disclosure in single-turn model responses. 

Agentic AI systems broke that model. Agents plan, chain tool calls, retain memory, delegate tasks to other agents, and act on real systems with real credentials. A single manipulated response no longer captures the risk. That gap is what the OWASP GenAI Security Project’s Agentic Security Initiative built the new list to close, drawing on the project’s foundational taxonomy, Agentic AI – Threats and Mitigations, and cross-referencing it against the LLM Top 10, the AI Vulnerability Scoring System (AIVSS), and the Non-Human Identities Top 10. 

The 10 OWASP Agentic AI Risk Categories 

Each entry follows the familiar OWASP format: a description, common vulnerability patterns, real attack scenarios, and mitigation guidance. Here is the full list. 

  • ASI01 Agent Goal Hijack: Attackers redirect an agent’s objectives or decision path through prompt injection, forged messages, or poisoned external data.
  • ASI02 Tool Misuse and Exploitation: An agent applies a legitimate tool in an unsafe way, deleting data, over-invoking APIs, or exfiltrating information within its authorized scope.
  • ASI03 Identity and Privilege Abuse: Dynamic trust and delegation let attackers escalate access through inherited credentials, cached secrets, or cross-agent confused-deputy patterns.
  • ASI04 Agentic Supply Chain Vulnerabilities: Malicious or compromised tools, MCP servers, agent cards, and third-party agents enter the execution chain at runtime.
  • ASI05 Unexpected Code Execution (RCE): Prompt injection or unsafe serialization converts generated text into executable behavior, leading to host or container compromise.
  • ASI06 Memory and Context Poisoning: Adversaries seed stored memory or retrievable context with malicious data, biasing future reasoning and tool use across sessions.
  • ASI07 Insecure Inter-Agent Communication: Weak authentication or integrity controls on agent-to-agent messages allow interception, spoofing, or manipulation of intent.
  • ASI08 Cascading Failures: A single fault propagates and amplifies across interconnected agents, turning one error into system-wide impact.
  • ASI09 Human-Agent Trust Exploitation: Anthropomorphic, confident agent output drives humans to approve harmful actions without independent verification.
  • ASI10 Rogue Agents: An agent’s behavior diverges from its intended scope, appearing individually legitimate while acting harmfully at the system level.

Why This Matters for Enterprises Today 

Agentic AI is moving from pilot to production across finance, healthcare, defense, and critical infrastructure. That shift changes the stakes of every AI security decision. 

  • Agents act on real systems with real credentials; a hijacked goal or misused tool can mean an actual fraudulent transfer, not just a bad chat response. 
  • Autonomy removes the stepwise human checks that used to catch errors before they compounded. 
  • Agents increasingly compose tools and peers at runtime through MCP and A2A protocols, which means the attack surface changes with every session, not just at deployment. 
  • Traditional perimeter and endpoint controls miss agent misuse by design: the commands run through trusted binaries under valid credentials, so EDR and XDR tooling see nothing abnormal.

The OWASP authors introduce a useful frame for this: Least-Agency, an extension of least-privilege. The guidance is direct: don’t deploy autonomous behavior where it isn’t needed. Unnecessary agency expands the attack surface without adding business value, and it quietly turns minor issues into system-wide failures once observability gaps let them go unnoticed.

The thread connecting all ten categories

Every entry in the Agentic Top 10 ultimately comes back to one question: can the system verify that an action reflects legitimate intent, held by an authorized identity, executed within approved boundaries? That is a business logic question, not just a model or infrastructure question, and it is why enforcement has to happen at the decision layer, not only at the network or model layer.

How the Agentic Top 10 Shapes Agentic AI Security Programs

The framework gives enterprise security teams the following practical shifts to build around.

1. Move enforcement to the decision layer 

Traditional API security validates requests at the network edge. Agentic risks like ASI01, ASI02, and ASI03 originate deeper in what an agent decides to do and which identity it borrows to do it. Mitigating them means validating intent and authorization at the point of tool invocation, not just at the perimeter. 

2. Treat every input, tool, and peer as untrusted by default 

Indirect prompt injection, tool descriptor poisoning, and forged agent cards all exploit the same gap: agents trusting content they should verify. Content disarm and reconstruction, signed tool manifests, and mutual authentication between agents close that gap. 

3. Build for containment, not just prevention 

ASI08, Cascading Failures, is a reminder that prevention will fail sometimes. Blast-radius guardrails (short-lived credentials, circuit breakers between planner and executor, rate limiting, and immutable audit logs) determine whether a single compromised agent stays contained or takes the workflow down with it.

4. Keep humans meaningfully in the loop 

ASI09 shows that a human approval step only works if the human can actually evaluate what they’re approving. Fabricated rationales and persuasive, anthropomorphic explanations can turn a review step into a rubber stamp. Effective human-in-the-loop design needs plain-language risk summaries and provenance data, not just a confirmation button.
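The four shifts above come together at the point of tool invocation. The following is an added example, not code from this post or from OWASP: a small Python decision-layer gate that verifies a signed tool manifest (ASI04), checks the invoking identity's scope (ASI02/ASI03), applies a per-tool circuit breaker (ASI08), routes high-impact actions to a human with a plain-language reason (ASI09), and records every decision in an append-only audit list. The key, manifest, scope names and class names are constructed for this illustration.

```python
import hashlib, hmac, json
from dataclasses import dataclass, field

# Constructed demo key; a deployment would pull this from a secrets manager.
MANIFEST_KEY = b"constructed-demo-key"
# Constructed manifest: per tool, the scope required and the impact of each action.
DEMO_MANIFEST = {"tools": {
    "payments": {"scope": "finance:write", "actions": {"list": "low", "transfer": "high"}},
    "crm": {"scope": "crm:read", "actions": {"read": "low"}},
}}

def sign_manifest(manifest: dict) -> str:
    """Publisher side: HMAC-SHA256 over canonical JSON of the manifest (ASI04)."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()

@dataclass
class ToolGate:
    manifest: dict
    signature: str
    max_calls: int = 3          # circuit breaker: calls per tool per window
    window: float = 60.0        # window length in seconds
    audit: list = field(default_factory=list)   # append-only audit trail
    _calls: dict = field(default_factory=dict)  # tool -> timestamps of recent calls

    def _record(self, decision, reason, tool, action, now):
        self.audit.append({"ts": now, "tool": tool, "action": action,
                           "decision": decision, "reason": reason})
        return decision, reason

    def authorize(self, agent_scopes: set, tool: str, action: str, now: float):
        """Return (decision, reason); decision is ALLOW, DENY or NEEDS_HUMAN."""
        # ASI04: refuse to act on a manifest whose signature does not verify.
        if not hmac.compare_digest(sign_manifest(self.manifest), self.signature):
            return self._record("DENY", "manifest signature invalid", tool, action, now)
        spec = self.manifest["tools"].get(tool, {})
        impact = spec.get("actions", {}).get(action)
        # ASI02: only actions listed in the signed manifest are callable at all.
        if impact is None:
            return self._record("DENY", "action not in signed manifest", tool, action, now)
        # ASI03: the invoking identity must hold the scope the tool requires.
        if spec["scope"] not in agent_scopes:
            return self._record("DENY", f"missing scope {spec['scope']}", tool, action, now)
        # ASI08: per-tool rate limit bounds the blast radius of a runaway loop.
        recent = [t for t in self._calls.get(tool, []) if now - t < self.window]
        if len(recent) >= self.max_calls:
            return self._record("DENY", "circuit breaker open: rate limit", tool, action, now)
        self._calls[tool] = recent + [now]
        # ASI09: high-impact actions go to a human with a plain-language reason.
        if impact == "high":
            return self._record("NEEDS_HUMAN", f"{tool}.{action} is high-impact", tool, action, now)
        return self._record("ALLOW", "within signed scope and rate limit", tool, action, now)
```

In a real deployment the HMAC would be replaced by a signature from the tool publisher's key and the audit list by a write-once log store; the decision order (integrity, scope, rate, human review) is the part worth keeping.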

Request a demo to see how business logic security maps to the OWASP Agentic Top 10.

Frequently Asked Questions

What is the OWASP Top 10 for Agentic Applications?

It’s a community-developed list of the ten highest-impact security risks specific to AI agents: systems that plan, decide, and act autonomously across multiple steps and tools. OWASP’s GenAI Security Project published the first version in December 2025.

How is it different from the OWASP Top 10 for LLMs?

The LLM Top 10 covers risks in a single model response. The Agentic Top 10 covers risks that emerge from autonomy: multi-step planning, tool use, memory, delegation, and inter-agent communication, where one manipulated input can cascade into system-wide impact.

Do the ten categories replace the LLM Top 10?

No. Each ASI entry explicitly maps back to one or more LLM Top 10 risks and extends them into multi-step, multi-tool agentic behavior. Agentic apps are still built on top of LLM apps, so both lists apply together.

Why does MCP show up so often in this framework?

MCP servers are how many agents discover and load tools at runtime, which makes them a natural target for supply chain and tool misuse attacks. ASI02 and ASI04 both cover MCP-specific patterns, including poisoned tool descriptors and impersonated MCP servers.

Where should a security team start?

The framework itself points to least-agency and least-privilege as the starting mitigations: scope every tool to the minimum access it needs, require human approval for high-impact actions, and build observability into agent goal state and tool-use patterns before scaling autonomy further.
