Wiki · Concept · Last reviewed June 25, 2026

OWASP Top 10 for Agentic Applications

The OWASP Top 10 for Agentic Applications is a 2026 OWASP GenAI Security Project reference for the security risks that appear when AI systems plan, use tools, coordinate with other agents, and act across workflows.

Definition

The OWASP Top 10 for Agentic Applications is an OWASP GenAI Security Project reference released on December 9, 2025 for agentic AI applications. OWASP frames it as guidance for systems where AI agents can pursue goals, choose steps, call tools, coordinate with other agents, and affect external systems.

It is not a law, certification, or proof that a deployment is secure. It is a community security taxonomy: a shared vocabulary for threat modeling, review, and incident postmortems. Its value is that it separates agent-specific failure modes from the older habit of treating every AI application as a chatbot with a prompt-injection problem.

The page belongs beside AI Agent Sandboxing, AI Agent Identity, and Context Poisoning because the OWASP list is about delegated action: memory, tools, messages, credentials, and work that can continue after the initial prompt.

How It Works

OWASP's launch post identifies ten Agentic Security Initiative categories: ASI01 Agent Goal Hijack; ASI02 Tool Misuse; ASI03 Identity & Privilege Abuse; ASI04 Agentic Supply Chain Vulnerabilities; ASI05 Unexpected Code Execution; ASI06 Memory & Context Poisoning; ASI07 Insecure Inter-Agent Communication; ASI08 Cascading Failures; ASI09 Human-Agent Trust Exploitation; and ASI10 Rogue Agents.

The categories map where control can slip. Goals can be redirected by hidden instructions. Tools can be used for unintended effects. Credentials can let an agent exceed its scope. Tool descriptions, servers, plug-ins, and agent-to-agent dependencies can become supply-chain surfaces. Generated instructions can become code execution when surrounding software treats them as authority.

The later categories move beyond single-step attacks. Memory and retrieved context can be poisoned and reused later. Agent-to-agent messages can be spoofed or misread. Small errors can cascade through workflows. Human operators can over-trust polished explanations, while "rogue agent" cases name systems that act outside intended bounds.

The list differs from the OWASP Top 10 for LLM Applications. The LLM list covers model-backed application risks such as prompt injection, sensitive information disclosure, poisoning, improper output handling, vector weaknesses, misinformation, and unbounded consumption. The agentic list narrows in on memory, identity, tools, protocol surfaces, and workflow autonomy.

Agent Context

The OWASP reference is useful for coding agents, browser agents, enterprise workflow agents, customer-service automation, multi-agent pipelines, Model Context Protocol deployments, and agentic commerce. Their risk surfaces rhyme: context, credentials, tools, memory, network reach, and human trust.

A narrow chatbot can still be unsafe, but it usually cannot approve a refund, push a code change, open a database connection, send an email, or ask another agent to continue the work. Agentic systems can. That makes ordinary application-security questions sharper: who authorized this action, which tool ran, what data entered memory, which credential was used, and what stopped the next step?

For Spiralism's map of machine-mediated life, the list matters because it treats agency as infrastructure: institutions routing work, trust, and authority through software that can plan and act.

Governance and Safety

A governance program can use the OWASP categories as evidence prompts. For goal hijack, record instruction hierarchy, trusted context boundaries, and prompt-injection tests. For tool misuse and unexpected code execution, record tool allowlists, sandboxes, approval gates, and denied tool calls. For identity abuse, record agent identities, delegated scopes, token lifetimes, and credential rotation.

For supply-chain and inter-agent risks, record tool provenance, dependency review, server inventory, protocol endpoints, authentication rules, and message logs. For memory and context poisoning, record sources, provenance, tenancy boundaries, retention rules, overwrite rules, and deletion procedures. For cascading failure, record rate limits, circuit breakers, rollback paths, and escalation triggers.
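One way to turn the tool allowlist, approval gate, delegated scope, token lifetime and circuit breaker named above into a single checkable control, and to answer the review questions from the Agent Context section (who authorized, which tool, which credential, what stopped the next step), is a policy gate that records every denial against its ASI category. This is an added example, not OWASP's or the page's own code; the tool names, scopes and per-run budget are assumptions.

```python
"""Tool-call policy gate keyed to OWASP ASI categories (constructed example)."""
from dataclasses import dataclass, field
import time

# Constructed policy for a hypothetical support agent. Tool names, scopes
# and the call budget are assumptions for this example, not OWASP values.
TOOL_ALLOWLIST = {"search_docs", "read_ticket", "issue_refund", "run_shell"}
APPROVAL_REQUIRED = {"issue_refund", "run_shell"}   # approval gate (ASI05/ASI09)
TOOL_SCOPES = {"search_docs": "docs:read", "read_ticket": "tickets:read",
               "issue_refund": "payments:write", "run_shell": "exec"}
MAX_CALLS_PER_RUN = 20                              # circuit breaker (ASI08)

@dataclass
class AgentIdentity:
    agent_id: str
    scopes: set                 # delegated scopes, not the user's full rights
    token_expires_at: float     # epoch seconds; short lifetimes bound misuse

@dataclass
class Decision:
    allowed: bool
    reason: str
    category: str = ""          # ASI label recorded on denial, as evidence
    record: dict = field(default_factory=dict)   # audit record for reviewers

def evaluate_tool_call(agent, tool, args, calls_in_run=0, approved_by=None, now=None):
    """Check one proposed tool call against the policy and return a Decision
    whose record answers: who authorized, which tool, which credential."""
    now = time.time() if now is None else now
    record = {"agent": agent.agent_id, "tool": tool, "args": args,
              "approved_by": approved_by, "ts": now}
    if tool not in TOOL_ALLOWLIST:
        return Decision(False, "tool not on allowlist", "ASI02", record)
    if now >= agent.token_expires_at:
        return Decision(False, "credential expired", "ASI03", record)
    if TOOL_SCOPES[tool] not in agent.scopes:
        return Decision(False, "missing delegated scope", "ASI03", record)
    if tool in APPROVAL_REQUIRED and not approved_by:
        return Decision(False, "approval gate not satisfied", "ASI05", record)
    if calls_in_run >= MAX_CALLS_PER_RUN:
        return Decision(False, "per-run call budget exhausted", "ASI08", record)
    return Decision(True, "allowed", "", record)

if __name__ == "__main__":
    bot = AgentIdentity("support-bot", {"docs:read", "tickets:read"}, time.time() + 900)
    for tool in ("search_docs", "issue_refund", "run_shell", "delete_repo"):
        d = evaluate_tool_call(bot, tool, {})
        print(tool, "->", "ALLOW" if d.allowed else f"DENY {d.category}: {d.reason}")
```

Denied decisions are the "denied tool calls" artifact the governance section asks for; persisting `Decision.record` with the category gives reviewers the evidence trail without inspecting model output.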

The list should not become a marketing badge. Reviewers need artifacts: architecture diagrams, threat models, red-team reports, incident records, policy exceptions, and a clear statement of what the agent cannot do.

Defense Pattern

Source Discipline

Claims about the OWASP Top 10 for Agentic Applications should identify the version, source page, date, and category label. Do not blur it with the OWASP Top 10 for LLM Applications, the earlier Agentic Threats and Mitigations taxonomy, MCP-specific checklists, or a general AI risk framework. "Prompt injection" is not enough to describe ASI06 memory poisoning, ASI07 inter-agent communication, or ASI08 cascading failure.

Use the OWASP list for security framing, not metaphysics. ASI10 Rogue Agents names systems operating outside intended constraints; it is a security failure mode in an automated system.

Spiralist Reading

Spiralism reads the OWASP list as a catalog of how delegated agency leaks from intention into infrastructure. A user asks for help. A workflow grants a tool. A memory persists. A credential travels. Another agent receives a message. A human purpose becomes a technical permission and then an institutional fact.

The sober lesson is that organizations are willing to let model-mediated systems carry action, memory, and persuasion. Security becomes the discipline of keeping those channels named, bounded, reversible, and auditable.
