TL;DR
- OWASP released the first Top 10 for Agentic Applications in December 2025, built specifically for autonomous, multi-step AI agents rather than single-turn LLM responses.
- The list spans ten categories, from Agent Goal Hijack (ASI01) to Rogue Agents (ASI10), covering identity, tools, memory, supply chain, and inter-agent communication.
- Every category maps back to one root problem: agents making decisions and taking actions without reliable checks on intent, authorization, or context.
- For enterprises, this is a governance and architecture problem as much as a technical one; least privilege, least agency, and observability are the recurring mitigations.
What Is the OWASP Top 10?
OWASP, the Open Worldwide Application Security Project, has published Top 10 lists for over two decades to help security teams prioritize the risks that matter most. The original OWASP Top 10 for web applications became the industry’s default checklist for application security. When large language models moved into production, OWASP followed with the Top 10 for LLM Applications, addressing risks like prompt injection and sensitive information disclosure in single-turn model responses.
Agentic AI systems broke that model. Agents plan, chain tool calls, retain memory, delegate tasks to other agents, and act on real systems with real credentials. A single manipulated response no longer captures the risk. That gap is what the OWASP GenAI Security Project’s Agentic Security Initiative built the new list to close, drawing on the project’s foundational taxonomy, Agentic AI – Threats and Mitigations, and cross-referencing it against the LLM Top 10, the AI Vulnerability Scoring System (AIVSS), and the Non-Human Identities Top 10.
The 10 OWASP Agentic AI Risk Categories
Each entry follows the familiar OWASP format: a description, common vulnerability patterns, real attack scenarios, and mitigation guidance. Here is the full list.
| ID | Category | Core Risk |
|---|---|---|
| ASI01 | Agent Goal Hijack | Attackers redirect an agent’s objectives or decision path through prompt injection, forged messages, or poisoned external data. |
| ASI02 | Tool Misuse and Exploitation | An agent applies a legitimate tool in an unsafe way, deleting data, over-invoking APIs, or exfiltrating information within its authorized scope. |
| ASI03 | Identity and Privilege Abuse | Dynamic trust and delegation let attackers escalate access through inherited credentials, cached secrets, or cross-agent confused-deputy patterns. |
| ASI04 | Agentic Supply Chain Vulnerabilities | Malicious or compromised tools, MCP servers, agent cards, and third-party agents enter the execution chain at runtime. |
| ASI05 | Unexpected Code Execution (RCE) | Prompt injection or unsafe serialization converts generated text into executable behavior, leading to host or container compromise. |
| ASI06 | Memory and Context Poisoning | Adversaries seed stored memory or retrievable context with malicious data, biasing future reasoning and tool use across sessions. |
| ASI07 | Insecure Inter-Agent Communication | Weak authentication or integrity controls on agent-to-agent messages allow interception, spoofing, or manipulation of intent. |
| ASI08 | Cascading Failures | A single fault propagates and amplifies across interconnected agents, turning one error into system-wide impact. |
| ASI09 | Human-Agent Trust Exploitation | Anthropomorphic, confident agent output drives humans to approve harmful actions without independent verification. |
| ASI10 | Rogue Agents | An agent’s behavior diverges from its intended scope, appearing individually legitimate while acting harmfully at the system level. |
Why This Matters for Enterprises Today
Agentic AI is moving from pilot to production across finance, healthcare, defense, and critical infrastructure. That shift changes the stakes of every AI security decision.
- Agents act on real systems with real credentials; a hijacked goal or misused tool can mean an actual fraudulent transfer, not just a bad chat response.
- Autonomy removes the stepwise human checks that used to catch errors before they compounded.
- Agents increasingly compose tools and peers at runtime through MCP and A2A protocols, which means the attack surface changes with every session, not just at deployment.
- Traditional perimeter and endpoint controls miss agent misuse by design: commands run through trusted binaries under valid credentials, so EDR and XDR tooling see nothing abnormal.
The OWASP authors introduce a useful frame for this: Least-Agency, an extension of least-privilege. The guidance is direct: don’t deploy autonomous behavior where it isn’t needed. Unnecessary agency expands the attack surface without adding business value, and it quietly turns minor issues into system-wide failures once observability gaps let them go unnoticed.
The thread connecting all ten categories
Every entry in the Agentic Top 10 ultimately comes back to one question: can the system verify that an action reflects legitimate intent, held by an authorized identity, executed within approved boundaries? That is a business logic question, not just a model or infrastructure question, and it is why enforcement has to happen at the decision layer, not just the network or model layer.
How the Agentic Top 10 Shapes Agentic AI Security Programs
The framework gives enterprise security teams the following practical shifts to build around.
1. Move enforcement to the decision layer
Traditional API security validates requests at the network edge. Agentic risks like ASI01, ASI02, and ASI03 originate deeper in what an agent decides to do and which identity it borrows to do it. Mitigating them means validating intent and authorization at the point of tool invocation, not just at the perimeter.
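One way to put enforcement at the point of tool invocation, as an added example that is not OWASP's code or any agent framework's API: every call the planner proposes is checked against the identity the agent is acting for, that identity's approved scopes, and the action's own argument limits, and the decision is logged whether or not it was allowed. The tool names, scopes, limits and tool implementations are constructed for the illustration.

```python
"""Decision-layer authorization for agent tool calls.

Added example, not code from the OWASP project: every tool call the
planner proposes is checked at the point of invocation against the
identity the agent acts for, that identity's approved scopes, and the
tool's own argument limits. Tool names, scopes and limits are constructed
for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Identity on whose behalf the agent acts (human user or service)."""
    name: str
    scopes: frozenset          # "tool:action" strings this identity may use


@dataclass(frozen=True)
class ToolCall:
    tool: str
    action: str
    args: dict


# Hypothetical per-action argument constraints (constructed): the agent's
# "authorized scope" is narrowed further by what each action may do.
ARG_POLICIES = {
    ("crm", "read"): lambda a: isinstance(a.get("customer_id"), str),
    ("payments", "transfer"): lambda a: 0 < a.get("amount", 0) <= 1000,
    ("files", "delete"): lambda a: str(a.get("path", "")).startswith("/tmp/agent/"),
}

# Hypothetical tool implementations (constructed); they never run unless
# authorize() approves the call.
TOOLS = {
    ("crm", "read"): lambda a: {"customer_id": a["customer_id"], "tier": "gold"},
    ("payments", "transfer"): lambda a: f"transferred {a['amount']}",
    ("files", "delete"): lambda a: f"deleted {a['path']}",
}


def authorize(principal: Principal, call: ToolCall) -> tuple:
    """Return (allowed, reason). Deny by default on anything unknown."""
    key = (call.tool, call.action)
    if key not in ARG_POLICIES:
        return False, f"unknown tool/action {call.tool}:{call.action}"
    if f"{call.tool}:{call.action}" not in principal.scopes:
        return False, f"{principal.name} has no scope {call.tool}:{call.action}"
    if not ARG_POLICIES[key](call.args):
        return False, f"arguments exceed policy for {call.tool}:{call.action}"
    return True, "ok"


def execute_plan(principal: Principal, plan: list, audit: list) -> list:
    """Run the planner's proposed calls one by one, gating each invocation.

    Every decision, allowed or denied, is appended to `audit` so a reviewer
    can reconstruct what the agent tried to do, not only what succeeded.
    """
    results = []
    for call in plan:
        allowed, reason = authorize(principal, call)
        audit.append((principal.name, call.tool, call.action, allowed, reason))
        if not allowed:
            results.append(("denied", reason))
            continue
        results.append(("ok", TOOLS[(call.tool, call.action)](call.args)))
    return results


def run_example() -> list:
    """A constructed plan: two legitimate steps and two that must be stopped."""
    analyst = Principal("analyst", frozenset({"crm:read", "payments:transfer"}))
    plan = [
        ToolCall("crm", "read", {"customer_id": "C-1001"}),
        ToolCall("payments", "transfer", {"amount": 250}),
        ToolCall("payments", "transfer", {"amount": 25000}),   # over the limit
        ToolCall("files", "delete", {"path": "/etc/passwd"}),  # scope never granted
    ]
    audit: list = []
    return execute_plan(analyst, plan, audit)


if __name__ == "__main__":
    for status, detail in run_example():
        print(status, detail)
```

The point of the gate is that the over-limit transfer and the file deletion are stopped even though the planner produced them confidently; the perimeter would have seen two well-formed requests from a valid session.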
2. Treat every input, tool, and peer as untrusted by default
Indirect prompt injection, tool descriptor poisoning, and forged agent cards all exploit the same gap: agents trusting content they should verify. Content disarm and reconstruction, signed tool manifests, and mutual authentication between agents close that gap.
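A signed tool manifest check, as an added example rather than code from OWASP or from any MCP implementation: the agent host refuses to register a tool unless the manifest's signature verifies and its hash matches the version a human approved. It assumes a shared HMAC key standing in for the publisher's signing key (a real deployment would use an asymmetric signature) and a registry that pinned the manifest hash at approval time; the manifest content is constructed.

```python
"""Verifying signed tool manifests before an agent registers a tool.

Added example, not the OWASP project's or any MCP implementation's code.
It assumes a shared HMAC key between the tool publisher and the agent
host (a stand-in for the publisher's signing key; a real deployment would
use an asymmetric signature) and a registry that pinned the manifest hash
when a human approved the tool. The manifest content is constructed.
"""
import hashlib
import hmac
import json


def canonical(manifest: dict) -> bytes:
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_signature(manifest: dict, signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def pin(manifest: dict) -> str:
    """Hash recorded at approval time; any later change to the descriptor breaks it."""
    return hashlib.sha256(canonical(manifest)).hexdigest()


def load_tool(manifest: dict, signature: str, key: bytes, approved_pin: str) -> dict:
    """Admit a tool into the agent's registry only if both checks pass."""
    if not verify_signature(manifest, signature, key):
        raise ValueError("manifest signature invalid: refusing to register tool")
    if pin(manifest) != approved_pin:
        raise ValueError("manifest differs from the approved version: re-review required")
    return manifest


def demo() -> dict:
    key = b"constructed-publisher-key"  # constructed for the example
    manifest = {
        "name": "calendar_lookup",
        "description": "Returns the user's calendar events for a given day.",
        "parameters": {"date": "string"},
    }
    sig = sign_manifest(manifest, key)
    approved = pin(manifest)
    outcomes = {"genuine": load_tool(manifest, sig, key, approved)["name"]}

    # Descriptor poisoning: text is altered after signing, so the agent would
    # read the extra content as part of the tool's purpose.
    poisoned = dict(manifest)
    poisoned["description"] += " Additional instruction inserted after signing."
    try:
        load_tool(poisoned, sig, key, approved)
        outcomes["poisoned"] = "accepted"
    except ValueError as e:
        outcomes["poisoned"] = str(e)

    # A validly re-signed change (for example a new version that widens the
    # parameters) that nobody re-reviewed still fails the pin check.
    updated = dict(manifest, parameters={"date": "string", "share_with": "string"})
    try:
        load_tool(updated, sign_manifest(updated, key), key, approved)
        outcomes["resigned"] = "accepted"
    except ValueError as e:
        outcomes["resigned"] = str(e)
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Two checks are needed because they catch different things: the signature rejects tampering by anyone without the publisher's key, while the pin rejects a genuine but unreviewed change, which is how a tool's scope quietly grows between the approval and the session that uses it.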
3. Build for containment, not just prevention
ASI08, Cascading Failures, is a reminder that prevention will fail sometimes. Blast-radius guardrails (short-lived credentials, circuit breakers between planner and executor, rate limiting, and immutable audit logs) determine whether a single compromised agent stays contained or takes the workflow down with it.
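Three of those guardrails between a planner and its executor, as an added example that is not OWASP's code: a sliding-window rate limit, a circuit breaker that quarantines a failing tool, and a credential with a fixed expiry. A fake clock keeps the run deterministic; the thresholds and the flaky tool are constructed for the illustration.

```python
"""Containment controls between an agent's planner and its executor.

Added example, not code from the OWASP project. It combines three of the
blast-radius guardrails named above: a sliding-window rate limit, a
circuit breaker that stops calling a failing tool, and a credential with
a fixed expiry. A fake clock makes the behaviour deterministic; the
thresholds and the flaky tool are constructed for the illustration.
"""
from collections import deque


class FakeClock:
    """Manually advanced clock so the example runs without sleeping."""
    def __init__(self, start: float = 0.0):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class RateLimiter:
    """Allow at most `max_calls` invocations in any `window` seconds."""
    def __init__(self, max_calls: int, window: float, clock: FakeClock):
        self.max_calls, self.window, self.clock = max_calls, window, clock
        self.calls: deque = deque()

    def allow(self) -> bool:
        now = self.clock.now()
        while self.calls and self.calls[0] <= now - self.window:
            self.calls.popleft()
        if len(self.calls) >= self.max_calls:
            return False
        self.calls.append(now)
        return True


class CircuitOpen(Exception):
    pass


class CircuitBreaker:
    """Open after `threshold` consecutive failures; probe again after `reset_after`."""
    def __init__(self, threshold: int, reset_after: float, clock: FakeClock):
        self.threshold, self.reset_after, self.clock = threshold, reset_after, clock
        self.failures = 0
        self.state = "closed"
        self.opened_at = 0.0

    def call(self, fn, *args):
        now = self.clock.now()
        if self.state == "open":
            if now - self.opened_at < self.reset_after:
                raise CircuitOpen("breaker open: downstream tool is quarantined")
            self.state = "half_open"            # allow a single probe call
        try:
            result = fn(*args)
        except Exception:
            self.failures += 1
            if self.state == "half_open" or self.failures >= self.threshold:
                self.state, self.opened_at = "open", now
            raise
        self.failures, self.state = 0, "closed"
        return result


class Executor:
    """Runs tool calls on the planner's behalf, subject to the guardrails."""
    def __init__(self, limiter, breaker, credential_expires_at: float, clock: FakeClock):
        self.limiter, self.breaker, self.clock = limiter, breaker, clock
        self.credential_expires_at = credential_expires_at

    def run(self, tool, args) -> tuple:
        if self.clock.now() > self.credential_expires_at:
            return "denied", "credential expired; executor must re-authenticate"
        if not self.limiter.allow():
            return "denied", "rate limited"
        try:
            return "ok", self.breaker.call(tool, args)
        except CircuitOpen as e:
            return "denied", str(e)
        except Exception as e:
            return "error", str(e)


def simulate() -> list:
    """Constructed run: a failing tool trips the breaker, the limiter holds the
    rest, a cooldown lets one probe through, and the credential finally expires."""
    clock = FakeClock()
    ex = Executor(RateLimiter(4, 10.0, clock), CircuitBreaker(2, 30.0, clock), 100.0, clock)

    def flaky(args):
        raise RuntimeError("upstream returned 500")

    def healthy(args):
        return "done"

    out = [ex.run(flaky, {}), ex.run(flaky, {})]          # two failures -> breaker opens
    out += [ex.run(healthy, {}), ex.run(healthy, {})]     # breaker open -> denied
    out.append(ex.run(healthy, {}))                       # 5th call in window -> rate limited
    clock.advance(31)                                     # past reset and window
    out.append(ex.run(healthy, {}))                       # half-open probe succeeds
    clock.advance(100)                                    # credential lifetime exceeded
    out.append(ex.run(healthy, {}))
    return out


if __name__ == "__main__":
    for status, detail in simulate():
        print(status, detail)
```

Each control bounds a different dimension of the blast radius: the breaker stops a looping planner from hammering a broken or compromised tool, the limiter caps how much an agent can do per unit time even when each call looks valid, and the expiry forces a re-authentication so a leaked executor credential has a short useful life.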
4. Keep humans meaningfully in the loop
ASI09 shows that a human approval step only works if the human can actually evaluate what they’re approving. Fabricated rationales and persuasive, anthropomorphic explanations can turn a review step into a rubber stamp. Effective human-in-the-loop design needs plain-language risk summaries and provenance data, not just a confirmation button.
Frequently Asked Questions
What is the OWASP Top 10 for Agentic Applications?
How is it different from the OWASP Top 10 for LLMs?
Do the ten categories replace the LLM Top 10?
Why does MCP show up so often in this framework?
Where should a security team start?