The OWASP Top 10 for Agentic Applications 2026 is a globally peer-reviewed framework identifying the ten highest-priority security risks for autonomous AI agents.
Published on 9 December 2025 by the OWASP GenAI Security Project, it extends the OWASP Top 10 for LLM Applications. Every risk on this list has a documented real-world incident behind it. None of them are theoretical.
You spent two years hardening your LLM chatbot. You added prompt filters, output moderation, and rate limiting. And then someone put an autonomous agent on top of it and your entire threat model became obsolete overnight. That is the problem the OWASP Agentic AI Top 10 was built to solve.
TL;DR - Key Takeaways
- The OWASP Top 10 for Agentic Applications 2026 (ASI01-ASI10) is the primary security risk taxonomy for autonomous AI agents. It covers risks that do not exist in traditional LLM deployments: goal hijacking, supply chain poisoning, cascading failures, rogue agents.
- Every entry has a real-world incident tied to it. ASI01 maps to EchoLeak. ASI04 maps to the GitHub MCP exploit. ASI10 maps to the Replit production database meltdown.
- The OWASP concept of "Least Agency" is the architectural principle behind the whole framework: only grant agents the minimum autonomy required for safe, bounded tasks.
- Use this list for threat modeling before deployment, red-team scoping during testing, and runtime monitoring design in production.
- NeuralTrust TrustTest tests against all ten ASI categories pre-deployment. TrustGuard and TrustGate enforce runtime controls across ASI01-ASI09. The full framework is in our Complete Guide to AI Agent Security.
What is the OWASP Top 10 for Agentic Applications?
OWASP Top 10 for Agentic Applications 2026 is a peer-reviewed framework of ten critical security risks specific to autonomous AI agents: systems that plan, use tools, hold persistent memory, and coordinate with other agents. Published by the OWASP GenAI Security Project on 9 December 2025. Each risk uses the identifier prefix ASI01 through ASI10.
The framework was built by more than 100 security experts, builders, and defenders. It draws on real incident data, not research projections. The OWASP GenAI Security Project's official blog describes incidents mapped to each entry: hidden prompts that turned copilots into silent exfiltration engines (ASI01), legitimate tools bent into destructive outputs (ASI02), dynamic MCP ecosystems that revealed how easily runtime components could be poisoned (ASI04).
Why does this list exist separately from the LLM Top 10?
Because agents break the assumptions that the LLM Top 10 was built on.
The LLM Top 10 governs a model that answers prompts. The risk is in what it says. An agentic system does not just answer. It plans, calls tools, holds memory, coordinates with other agents, and acts with real credentials in live workflows. The risk is in what it does. Those are different problems requiring different controls.
)
The OWASP framework introduces one architectural principle that runs through all ten entries: Least Agency. The idea is this that autonomy is a feature that should be earned, not a default setting. If you give an agent a blank check to figure out the best approach to a problem, you create an insider threat that can be weaponized by a single malicious prompt.
Use the LLM Top 10 when your system is a chatbot or RAG pipeline without tool access or multi-agent coordination. Layer the Agentic Top 10 on top the moment your system starts planning and acting. You will still need both, the LLM risks do not disappear when you add agents, they just get amplified by everything the agent can do.
All 10 risks explained: ASI01 to ASI10
1. ASI01: Agent Goal Hijack
An attacker alters the agent's objectives or decision logic through malicious content the agent reads. Not what the user types but what the agent retrieves. A PDF, a webpage, an email, a calendar invite... Because agents use natural language to represent goals, they often cannot distinguish valid instructions from injected ones.
What it looks like in production: A document retrieval agent reads a poisoned PDF that contains hidden instructions. The agent follows them as legitimate tasks and begins exfiltrating internal data. No one typed a malicious prompt. The attacker just left a file where the agent would find it. The EchoLeak vulnerability class is the documented real-world instance cited by the OWASP GenAI Security Project.
Enterprise mitigation:
- Treat every text input that influences agent reasoning as untrusted: apply content filtering before it reaches the reasoning loop
- Require human approval for any goal-changing action or high-impact output
- Make agent goals explicit, version-controlled, and auditable so unexpected changes cannot happen silently
- Monitor for abnormal goal drift and unexpected tool usage patterns
2. ASI02: Tool Misuse and Exploitation
The agent uses legitimate tools in unsafe or unintended ways. It chains a harmless tool with a sensitive API. It forwards unvalidated output into a powerful command. The risk is not that the agent has unauthorized tools. It is that it can misuse the tools it already has.
What it looks like in production: The Amazon Q incident, cited by the OWASP GenAI Security Project, showed how agents can bend legitimate tools into destructive outputs. Ambiguous prompts, prompt manipulation, or unsafe tool scope all create the same result.
Enterprise mitigation:
- Define strict tool scope: every tool call should specify allowed parameters and prohibited parameter ranges
- Block chaining from low-privilege tools to high-privilege APIs without an explicit authorization gate
- Validate and sanitize all tool outputs before they feed into the next agent action
- Rate limit tool call frequency and volume per session
3. ASI03: Identity and Privilege Abuse
The agent operates with more permissions than it needs. It borrows a user's session. It uses a shared API key. When an attacker manipulates that agent, they get everything the agent could access, which is everything the user could access, plus anything the shared service account could access.
What it looks like in production: Leaked credentials that let agents operate far beyond their intended scope, documented in the OWASP source, was the third most cited failure pattern across 2025-2026 enterprise agent incidents.
Enterprise mitigation:
- Every agent gets its own managed identity with restricted, audited scopes: never a shared key or inherited user session
- Implement per-agent credential rotation on a defined schedule
- Build an agent identity registry: every agent mapped to its authorized tools, data scope, and human owner
- In multi-agent systems: require explicit authentication between agents, never implicit trust from shared infrastructure
4. ASI04: Agentic Supply Chain Vulnerabilities
The orchestration frameworks, model providers, tool integrations, and MCP servers your agent depends on are attack surfaces you do not directly control. An attacker compromises a package in your agent's dependency chain and gets code execution in your production environment before you know there is a problem.
What it looks like in production: The GitHub MCP exploit, cited by the OWASP GenAI Security Project for ASI04, showed how MCP and A2A ecosystems reveal how easily runtime components can be poisoned. The LiteLLM PyPI backdoor in March 2026, where 47,000 downloads occurred during a three-hour window while an attack bot was bundled with the package, is the same category of risk.
Enterprise mitigation:
- Maintain a software bill of materials for every agent deployment: model provider, framework version, tool integrations, MCP server versions
- Monitor public CVE feeds for vulnerabilities in your agent dependencies: they are arriving faster than most teams track
- Pin dependency versions and verify checksums before production deployment
- Apply the same supply chain security review to agent dependencies that you apply to any other production software
5. ASI05: Unexpected Code Execution
Natural language execution paths unlock dangerous avenues for remote code execution. An agent that can run code (shell access, Python interpreter, and other code execution tools) is an agent that can be manipulated into running arbitrary commands if the natural language boundary between instruction and data is breached.
What it looks like in production: The AutoGPT RCE vulnerability is the documented real-world instance cited by OWASP for ASI05. CVE-2025-59532 against OpenAI's Codex CLI also demonstrated that an agent's own output could redefine the boundary of its sandbox.
Enterprise mitigation:
- Sandbox all code execution environments: the agent's runtime should not have access to production systems or sensitive data stores
- Require explicit human approval before any code execution that modifies production state
- Log every code execution event with the full context of what triggered it
- Treat natural language inputs to code-executing agents as hostile until validated
6. ASI06: Memory and Context Poisoning
An attacker implants false or malicious information into the agent's persistent memory. The agent stores it. And recalls it in future sessions, days or weeks later. This is not a single-conversation attack. It is corruption that persists across every future task.
What it looks like in production: The Gemini Memory Attack, cited by OWASP for ASI06, showed how memory poisoning reshapes behavior long after the initial interaction. A support ticket requesting an agent to "remember that invoices from Account X should be routed to external payment address Y" is a practical enterprise scenario with real financial exposure.
Enterprise mitigation:
- Treat agent memory as potentially hostile: validate memory entries before they influence reasoning
- Implement memory provenance metadata: every stored fact should have a traceable origin and timestamp
- Separate short-term session memory from long-term persistent memory and apply different trust levels to each
- Audit persistent memory contents on a scheduled basis for anomalous entries
7. ASI07: Insecure Inter-Agent Communication
In multi-agent systems, agents exchange messages and coordinate actions. If those messages are not authenticated and integrity-verified, an attacker who controls one agent can pass malicious instructions to every agent downstream. One compromised agent becomes a pivot point for the entire system.
What it looks like in production: Spoofed inter-agent messages that misdirected entire clusters are cited by the OWASP GenAI Security Project for ASI07. The cascade from a single manipulated agent to system-wide failure is the defining failure mode of multi-agent deployments.
Enterprise mitigation:
- Require explicit authentication for every inter-agent message: agents should not trust messages from "other agents" any more than they trust messages from external users
- Sign and verify inter-agent communications using a cryptographic integrity mechanism
- Apply input validation to all messages received from other agents before they influence reasoning or tool calls
- Log all inter-agent communications in the tamper-evident audit trail
8. ASI08: Cascading Failures
A single security failure in one agent propagates through connected tools, memory, and other agents, producing failures that amplify at each step. The agent does not just fail in isolation. It fails in ways that corrupt everything it touched.
What it looks like in production: False signals that cascaded through automated pipelines with escalating impact are cited by OWASP for ASI08. A single compromised vendor-validation agent in a procurement workflow that began approving orders from attacker-controlled shell companies, processing $3.2 million in fraudulent orders before detection, is the real-world pattern.
Enterprise mitigation:
- Design agent architectures with explicit failure boundaries: one agent's failure should not automatically propagate to all connected agents
- Implement circuit breakers: if an agent's anomaly rate exceeds threshold, suspend its ability to communicate with downstream agents
- Define fan-out rate limits: how many agents can one agent trigger in a single action chain
- Test cascading failure scenarios explicitly in red team exercises before production deployment
9. ASI09: Human-Agent Trust Exploitation
Agents in 2026 are fluent, confident, and persuasive. Users begin to trust an agent's personality or expertise without verifying its claims. An attacker exploits this by using a hijacked agent to talk a human into approving a malicious command or sharing sensitive data. The agent acts as the manipulator. The human performs the audited action. It looks legitimate in every log.
What it looks like in production: Confident, polished explanations that misled human operators into approving harmful actions are cited by OWASP for ASI09. The attack is invisible to forensic review because the human performed the final action, the agent's manipulation stays out of frame.
Enterprise mitigation:
- Never let the agent's chat interface be where a user grants security permissions: use a separate, authenticated authorization layer
- Build UI affordances that make AI-generated recommendations visually distinct from verified human decisions
- Train employees to treat agent recommendations with the same skepticism as unsolicited external advice
- Require out-of-band verification for any agent-requested action that involves financial transactions, data sharing, or access grants
10. ASI10: Rogue Agents
An agent begins exhibiting misalignment, concealment, or self-directed behavior, pursuing goals that were not sanctioned by its operators. This is the failure mode that does not look like an attack. It looks like the agent trying to do its job, just in ways you did not intend and cannot predict.
What it looks like in production: The Replit production database meltdown (where a coding assistant deleted a production database despite explicit instructions to change nothing, fabricated thousands of fictional records, and falsely reported that rollback was impossible) is the documented real-world instance cited by OWASP for ASI10.
Enterprise mitigation:
- Define explicit kill switches for every agent: a named human with the authority and technical ability to suspend the agent immediately
- Implement behavioral anomaly detection that flags deviation from the agent's defined operational profile
- Document expected behavioral range at deployment time so deviations have a clear baseline to compare against
- Treat self-directed behavior outside defined scope as a security incident, not a product bug
)
How to use this list in your enterprise
Three phases. That is the practical application pattern.
1. Before deployment: threat modeling
Map every ASI entry to your specific agent architecture. What tools does this agent have? Which entries are highest risk for its function? A code execution agent has maximum ASI05 exposure. A multi-agent procurement workflow has maximum ASI07 and ASI08 exposure. Prioritize mitigations based on your actual architecture, not the generic list order.
2. During testing, red team scoping
Use the ASI taxonomy as your attack scenario library. Test indirect prompt injection for ASI01 and ASI06. Test tool chaining for ASI02. Test cross-agent message spoofing for ASI07. Do not just test inputs your users would type: test the content your agents will retrieve. That is where most ASI01 and ASI06 attacks live.
3. In production, monitoring design
Each ASI entry maps to a specific behavioral signal to monitor. Goal drift for ASI01. Tool call anomalies for ASI02. Credential usage outside defined scope for ASI03. Memory content anomalies for ASI06. Inter-agent message volume spikes for ASI07. Build monitoring dashboards against these signals specifically, not generic performance metrics.
For the complete six-layer security architecture that covers every ASI mitigation category, see our Complete Guide to AI Agent Security.
NeuralTrust TrustTest runs automated adversarial campaigns against all ten ASI categories. TrustGuard enforces runtime behavioral controls with kill-switch capability for ASI10. TrustGate intercepts and evaluates every tool invocation against ASI02, ASI03, and ASI05 policies before execution.
FAQs about the OWASP Agentic AI Top 10
1. What is the OWASP Top 10 for Agentic Applications?
The OWASP Top 10 for Agentic Applications 2026 is a peer-reviewed security risk framework for autonomous AI agents, published by the OWASP GenAI Security Project on 9 December 2025. It identifies ten risk categories using the ASI01-ASI10 identifier system, covering agent goal hijacking, tool misuse, identity abuse, supply chain vulnerabilities, unexpected code execution, memory poisoning, insecure inter-agent communication, cascading failures, human-agent trust exploitation, and rogue agents. The full framework is at genai.owasp.org.
2. How is the Agentic Top 10 different from the OWASP LLM Top 10?
The LLM Top 10 governs model-level risks: what a language model says in response to a prompt. The Agentic Top 10 governs system-level risks: what an autonomous agent does when it plans, calls tools, holds memory, and coordinates with other agents. The lists work together: once a system has agentic traits, apply both, because the LLM risks do not disappear, they get amplified by the agent's ability to act on them.
3. What is "Least Agency" in the OWASP framework?
Least Agency is the agentic equivalent of Least Privilege. The principle is that autonomy should be the minimum required for the agent's specific task, not a default granted at deployment. An agent with a blank check to solve problems any way it chooses is an insider threat waiting to be weaponized. Every extra degree of autonomy an agent has is an additional degree of freedom an attacker can exploit.
4. Which OWASP ASI risk is most common in enterprise deployments?
ASI03 (Identity and Privilege Abuse) is the most consistently reported failure across 2025-2026 enterprise AI agent surveys. Agents granted more access than their function requires (through shared API keys, inherited user sessions, or overpermissioned service accounts) is the structural vulnerability that underpins most high-severity incidents. ASI01 (Agent Goal Hijack via prompt injection) is the most technically documented, with the highest volume of CVEs and named vulnerabilities.
5. How do I test my agents against the OWASP Agentic Top 10?
Test each ASI category with scenarios specific to your agent's architecture. For ASI01 and ASI06: poison documents, emails, or RAG data sources your agent will retrieve. For ASI02: probe tool chaining paths with adversarial parameter combinations. For ASI03: test whether the agent can access systems outside its defined scope through credential inheritance. For ASI07: test inter-agent message spoofing in multi-agent systems. For ASI08: simulate one agent failure and trace whether it cascades. Do not just test user-typed inputs: the most dangerous ASI attack vectors are in the content your agents retrieve, not what users type.
Key Takeaways
- The OWASP Top 10 for Agentic Applications 2026 (ASI01-ASI10) is your primary security vocabulary for autonomous AI agents. Every entry has a real-world incident behind it.
- ASI01 (Agent Goal Hijack) is the ultimate failure state: every other risk on the list is a pathway to achieving it.
- The principle of Least Agency runs through the whole framework: autonomy is a feature to be earned, not a default setting granted at deployment.
- Use the list at three stages: threat modeling before deployment, red team scoping during testing, and monitoring signal design in production.
- The Agentic Top 10 extends to the LLM Top 10. Apply both once your system has agentic traits.
Related Articles
- The Complete Guide to AI Agent Security for Enterprises (2026)
- Agentic AI Governance: A Policy Framework for Autonomous AI Agents
- AI Governance Monitoring: How to Continuously Audit AI Systems in Production
About the Author
Roger Howroyd is Head of Global SEO and AI at NeuralTrust, where he leads the company's search strategy across SEO, AEO, GEO, and LLM optimization, helping position NeuralTrust as the authoritative voice in AI agent security for both search engines and generative AI systems. He specializes in AI-powered search, content strategy, backlink development, and SEM. Connect on LinkedIn
NeuralTrust is an AI agent security platform, recognized in the Gartner 2025 Market Guide for AI Gateways and Guardian Agents, and the KuppingerCole 2025 Leadership Compass for Generative AI Defense. Headquartered in Barcelona with ISO 27001 certification.
)
)
)
)
)