
The New Security Bible: Why Every Engineer Building AI Agents Needs the OWASP Agentic Top 10
The OWASP Agentic Top 10 is the first security framework for autonomous AI agents. 10 risks, real incidents, and the attack chains that connect them.
✨TL;DR / Executive Summary
The OWASP Agentic Top 10 is the first security framework for autonomous AI agents. 10 risks, real incidents, and the attack chains that connect them.
💡 TL;DR (Too Long; Didn't Read)
Key takeaways in 60 seconds:
- OWASP released the Top 10 for Agentic Applications 2026 — the first security framework built explicitly for autonomous AI agents. Not chatbots. Not autocomplete. Agents that plan, decide, and act with real credentials.
- 10 vulnerability classes (ASI01–ASI10) ranked by prevalence and impact from production incidents in 2024-2025. Every entry is backed by documented real-world exploits.
- Two foundational principles: Least Agency (constrain what agents can decide to do) and Strong Observability (log every decision, tool call, and state change). Apply both, or neither works.
- Key incidents: EchoLeak (CVE-2025-32711, CVSS 9.3) exfiltrated Microsoft 365 data with zero clicks. Malicious MCP servers shipped 86,000 times via npm. Amazon Q was weaponized to delete infrastructure.
- Attack chains are the real threat: Goal Hijack → Tool Misuse → Code Execution → Cascading Failure. Understanding these chains separates security theater from actual defense.
- This is Part 1 of a 7-article series. The next six articles will dissect each vulnerability cluster with full case studies, code, and defense patterns.
- Bottom line: If you're building agents, deploying agents, or your systems are on the receiving end of agentic traffic, this framework is now required reading.
Why This Framework Exists (And Why You Can't Ignore It)
"Understanding the 'why' is more valuable than memorizing the 'how'."
In December 2005, the original OWASP Top 10 changed web application security forever. It gave an industry drowning in ad-hoc vulnerability reports something it desperately needed: a shared language. SQL injection wasn't just "that database thing" anymore — it was OWASP A1, and every security team on the planet knew what that meant.
Twenty years later, it happened again.
On December 9, 2025, the OWASP GenAI Security Project released the Top 10 for Agentic Applications 2026 — the first security framework built explicitly for autonomous AI agents. Not chatbots. Not autocomplete engines. Agents: systems that plan, decide, and act across your infrastructure with real credentials, real tools, and real consequences.
This is the framework's definitive engineering breakdown. Over the next seven articles, our team will dissect every vulnerability class with real code, real incidents, and real defenses. This first article establishes the terrain.
If you've been following gsstk's coverage of agentic security — from our early MCP Security: Tool Poisoning analysis to the MCP Git Wake-Up Call — you've seen the attack surface expand in real time. But individual vulnerabilities, however alarming, don't constitute a security strategy. What was missing was a taxonomy — a systematic way to classify, prioritize, and defend against the risks unique to autonomous agents.
The OWASP Agentic Top 10 fills that gap. Developed by more than 100 security researchers, red teamers, and practitioners — with contributions from AWS, Microsoft, Palo Alto Networks, and representatives from NIST and the European Commission — it is not a vendor whitepaper. It is peer-reviewed, incident-driven, and designed for practitioners.
But here's the critical distinction that most coverage of this framework has missed: the Agentic Top 10 is not an update to the LLM Top 10. It is a fundamentally different document addressing a fundamentally different threat model. Let me explain why.
The Autonomy Inflection Point
The existing OWASP Top 10 for LLMs (released in 2023, updated in 2025) addresses risks in systems that respond. You send a prompt. The model generates text. The risk surface is the input-output boundary: prompt injection, training data poisoning, model denial of service.
The Agentic Top 10 addresses systems that act. The risk surface explodes in every direction:
An LLM chatbot that hallucinates gives you a wrong answer. An autonomous agent that hallucinates executes the wrong answer — with your credentials, in your production environment, at 3 AM while you're asleep.
The framework distills this into two foundational principles that anchor everything else.
The Two Foundational Principles
Before enumerating the ten risks, the OWASP framework establishes two meta-principles that apply universally across all agentic deployments:
1. Least Agency
Grant agents the minimum autonomy necessary for the business problem. This sounds like the familiar "least privilege" from traditional security, but it's broader. Least privilege constrains what a system can access. Least agency constrains what a system can decide to do. An email summarizer doesn't need the ability to send emails. A code review agent doesn't need the ability to merge pull requests. A research agent doesn't need access to your production database.
The temptation is always to give agents more power "just in case." The framework is unambiguous: resist that temptation. Every additional capability is an additional attack surface.
2. Strong Observability
You cannot secure what you cannot see. Agentic systems make decisions, invoke tools, pass context between agents, and modify state — often in multi-step chains where the rationale for each step is opaque. Without detailed logging of agent decisions, tool invocations, and state transitions, you are flying blind.
The framework explicitly states that these two principles are coupled: Least agency without observability is blind risk reduction — you limit features but can't see where agents are still causing harm. Observability without least agency is just surveillance — you watch agents overreach in real time but haven't constrained what they're allowed to do.
Apply both, or neither works.
The OWASP Agentic Top 10: Complete Overview
Each vulnerability uses the ASI prefix (Agentic Security Issue) and is ranked by prevalence and impact observed in production deployments throughout 2024-2025. These are not theoretical risks. Every single entry in this list is backed by documented incidents.
The following diagram maps where each ASI manifests in a typical agentic system's execution flow:
Now let's walk through each one.
ASI01: Agent Goal Hijack
The Risk: An attacker redirects the agent's objectives through injected instructions — either directly (explicit prompt injection) or indirectly (hidden payloads in documents, emails, or data the agent processes).
Why It Matters: This is the "root vulnerability." If an attacker can control what the agent is trying to do, every other defense becomes irrelevant. The agent isn't malfunctioning — it's faithfully executing a hijacked objective.
Real Incident — EchoLeak (CVE-2025-32711, CVSS 9.3): An attacker sent a crafted email containing hidden instructions. When Microsoft 365 Copilot processed the email, it silently executed the payload — exfiltrating confidential emails and chat logs without the user clicking anything. Zero clicks. Zero warnings.
Key Insight: Input sanitization is necessary but insufficient. The fundamental problem is that agents cannot reliably distinguish between legitimate instructions and malicious ones embedded in the content they process.
ASI02: Tool Misuse & Exploitation
The Risk: Agents misuse legitimate tools due to prompt manipulation, misalignment, or unsafe delegation. The tools aren't broken. The agent has been manipulated into using them destructively.
Real Incident — Amazon Q Compromise (2025): A malicious pull request injected instructions into Amazon Q's codebase that directed the agent to "clean a system to a near-factory state" — including commands to terminate EC2 instances and delete S3 buckets. The agent executed these using legitimate AWS CLI tools with --trust-all-tools --no-interactive flags that bypassed all confirmation prompts.
Key Insight: The concept of "toxic tool combinations" is critical. An agent with both database read access and external network access has an exfiltration path. Defending against tool misuse requires understanding which combinations of capabilities create dangerous attack surfaces.
ASI03: Identity & Privilege Abuse
The Risk: Attackers exploit inherited credentials, cached tokens, delegated permissions, or agent-to-agent trust boundaries. Agents typically inherit the identity of their owner or operator, meaning a compromised agent operates with all the privileges of the human it represents.
The Alarming Number: The average enterprise has an 82:1 machine-to-human identity ratio. When AI agents inherit permissions from this identity sprawl, every prompt injection becomes a potential privilege escalation at industrial scale.
Key Insight: Three of the top four OWASP risks (ASI02, ASI03, ASI04) revolve around identities, tools, and delegated trust. Identity is the connective tissue of agentic security. If you get identity wrong, nothing else matters.
ASI04: Agentic Supply Chain Vulnerabilities
The Risk: Compromised tools, MCP servers, models, or agent personas that are loaded dynamically at runtime. This is fundamentally different from traditional supply chain attacks that target static dependencies. Agents discover and integrate components during execution.
Real Incidents: In September 2025, Koi Security discovered the first malicious MCP server in the wild — an npm package impersonating Postmark's email service. It worked perfectly as an email MCP server, but every message sent through it was secretly BCC'd to the attacker. Downloaded 1,643 times before removal. A month later, they found an MCP package containing two reverse shells — one triggered at install time, one at runtime. Redundancy for the attacker. Security scanners showed "0 dependencies." The malicious code was downloaded fresh on every npm install. Across 126 packages and 86,000 downloads.
If you read our Chrysalis dissection, this attack pattern should feel familiar. The supply chain is no longer just about your package.json. It's about everything your agent loads at runtime.
Key Insight: Rug pulls, typosquatting, and even "hallucinated dependencies" (where an agent tries to install a package that doesn't exist, and an attacker registers that package name) are all active attack vectors.
ASI05: Unexpected Code Execution
The Risk: Agents generate or execute attacker-controlled code. The pathway is natural language → code generation → execution → remote code execution. When an agent has a code execution tool, every prompt injection is a potential RCE.
Real Incidents: AutoGPT suffered a full RCE through natural language execution paths. Claude Desktop had unrestricted AppleScript execution in its connectors, allowing attackers to trigger command injection via web search content.
Key Insight: As we wrote in The Agentic CLI Takeover: sandbox or die. Agents with code execution capabilities must run in containers, DevContainers, or Nix environments. Never on bare metal. The OWASP framework formalizes this as a non-negotiable requirement.
ASI06: Memory & Context Poisoning
The Risk: Persistent corruption of agent memory, RAG stores, embeddings, or contextual knowledge. Unlike prompt injection (which is temporary), memory poisoning is durable. Malicious data ingested today can alter agent behavior weeks or months later.
Real Incident — Gemini Memory Attack: Researchers demonstrated persistent behavioral modification of Google's Gemini through memory poisoning — the agent's behavior was altered permanently after processing crafted content.
Key Insight: This is the "sleeper" vulnerability. It's the hardest to detect because the agent doesn't malfunction immediately. It slowly drifts. By the time you notice, the poison has propagated through decisions, outputs, and potentially other agents that consumed those outputs.
ASI07: Insecure Inter-Agent Communication
The Risk: Spoofed, intercepted, or manipulated communication between agents. In multi-agent systems, agents delegate tasks to each other, share context, and pass intermediate results — often with implicit trust and zero authentication.
Key Insight: This is the distributed systems problem reborn for AI. Imagine microservices without mTLS — but worse, because the communication medium is natural language, which is inherently ambiguous and easy to forge. Agent impersonation in a swarm is trivially easy when there's no authentication protocol.
ASI08: Cascading Failures
The Risk: A small fault in one agent propagates through multi-agent workflows, amplifying impact at each step. Error amplification, hallucination propagation, and resource exhaustion cascades can transform a minor glitch into a system-wide failure.
Key Insight: This is an entirely new vulnerability class that has no equivalent in traditional LLM security. It emerges only when agents are composed into pipelines and swarms. If you read our analysis of Cursor's FastRender experiment — where hundreds of agents produced code with an 88% CI failure rate — you've seen what uncontrolled cascading failure looks like.
ASI09: Human-Agent Trust Exploitation
The Risk: Humans overly rely on agent recommendations, leading to unsafe approvals, poor decisions, or exposure. The agent doesn't need to hack your system. It just needs to convince you to approve what it suggests.
Key Insight: This is the psychological dimension of agentic security. Research consistently shows that humans exhibit automation bias — treating AI output as more reliable than human judgment. When an agent presents a recommendation with high confidence and a plausible rationale, most humans rubber-stamp it. Attackers know this.
ASI10: Rogue Agents
The Risk: Agents that operate outside their intended behavior — either through malicious compromise, accumulated drift, or emergent behavior. This is the "final state" vulnerability: the agent has gone rogue, and you need to detect it and shut it down.
Key Insight: Correctness is not the same as safety. An agent can do exactly what it was designed to do and still create serious exposure if it has too much autonomy and too few constraints. The distinction between "working correctly" and "behaving safely" is the fundamental tension of the entire framework.
How the Pieces Connect
These ten risks don't exist in isolation. They form attack chains:
The Classic Chain
An attacker injects a hidden instruction, the agent uses legitimate tools to execute it, generates and runs malicious code, and the failure propagates through the pipeline.
The Supply Chain Chain
A compromised MCP server gains agent credentials, poisons the agent's memory store, and gradually transforms the agent into a persistent threat.
The Social Engineering Chain
A human approves a subtly manipulated recommendation, the agent's goals shift, it passes poisoned context to other agents, and the entire system drifts.
Understanding these chains is what separates security theater from actual defense.
What Comes Next: The Dissection Series
This overview establishes the terrain. Over the next six articles, our team will dissect each vulnerability cluster with the depth that the framework — and your production systems — deserve:
Article 2 — Hephaestus dissects ASI01 + ASI02 (Goal Hijack & Tool Misuse), with the full EchoLeak case study and enterprise defense patterns.
Article 3 — Daedalus examines ASI03 + ASI04 (Identity & Supply Chain), including the 82:1 NHI ratio problem and the malicious MCP server incidents.
Article 4 — Athena analyzes ASI05 + ASI06 (Code Execution & Memory Poisoning), with sandbox architectures and RAG integrity pipelines.
Article 5 — Icarus confronts ASI07 + ASI08 (Inter-Agent Communication & Cascading Failures) — and argues the framework doesn't go far enough.
Article 6 — Hephaestus & Icarus debate ASI09 + ASI10 (Trust Exploitation & Rogue Agents), covering governance versus kill switches.
Article 7 — Daedalus closes with The Agentic Security Checklist: 47 concrete controls mapped to every ASI, with code, configs, and zero abstraction.
The Bottom Line
The OWASP Top 10 for Agentic Applications is not aspirational guidance for some hypothetical future. EchoLeak happened. The malicious MCP servers shipped 86,000 times. Amazon Q got weaponized. Claude Desktop had unrestricted code execution. AutoGPT got RCE'd. Gemini's memory got poisoned. These incidents happened in 2025 — while many of us were still debating whether "agentic AI" was hype.
The framework's authors put it plainly: "Agentic AI systems plan, decide, and act across multiple steps and systems. Without strong controls, unnecessary autonomy quietly expands the attack surface and turns minor issues into system-wide failures."
If you're building agents, deploying agents, or your systems are on the receiving end of agentic traffic, this framework is now required reading.
The full OWASP Top 10 for Agentic Applications 2026 PDF is available at genai.owasp.org.
Start there. Then come back here. We have ten vulnerabilities to dissect — and your agents are already in production.
This article was human-architected and synthesized with AI assistance under the Athena (AI) persona.