OWASP Top 10 for Agentic Applications
Security risks specific to autonomous AI agents and multi-step AI workflows (2026)
🤖
Agentic AI Security
Unlike traditional LLMs, agentic AI systems plan, decide, delegate, and take actions across tools and systems. This creates new attack surfaces requiring specialized security approaches.
ASI01
Critical
Agent Goal Hijack
Attackers manipulate an agent's objectives, planning logic, or decision path through malicious content in inputs like emails, documents, RAG data, or web content.
Attack Vectors
- Indirect prompt injection via poisoned documents
- Calendar/meeting invites altering goal priorities
- RAG document injection to redirect agent objectives
- Cross-session goal persistence manipulation
Real-World Examples
- Malicious email changes finance agent spending priorities
- Poisoned GitHub issue/PR content injected into agent context
- Meeting invites subtly changing agent task hierarchies
Mitigation Strategies
- Implement prompt firewalls to detect goal manipulation
- Validate and sanitize all external content before processing
- Use goal boundary enforcement and monitoring
- Implement chain-of-thought verification
ASI02
Critical
Tool Misuse and Exploitation
Legitimate tools or functions are abused within their granted privileges, leading to unauthorized actions or data access.
Attack Vectors
- SQL injection through database tools
- File system access for unauthorized read/write
- API abuse through granted integrations
- Tool parameter manipulation
Real-World Examples
- Code execution tool used to run malicious commands
- Database tool exploited for data exfiltration
- File system tool used to access sensitive directories
Mitigation Strategies
- Implement strict tool use authorization and audit logs
- Validate all tool parameters before execution
- Apply least privilege to tool permissions
- Use sandboxed execution environments
ASI03
High
Identity and Privilege Abuse
Agents inherit or delegate credentials without proper scoping, creating attribution gaps and privilege escalation risks.
Attack Vectors
- Credential delegation without proper scoping
- Role confusion between human and agent actions
- Privilege escalation through agent actions
- Identity spoofing in multi-agent systems
Real-World Examples
- Agent using developer credentials for production changes
- Agent actions appearing as human in audit logs
- Multi-tenant isolation bypass through agent identity
Mitigation Strategies
- Implement agent-specific identity and access management
- Use short-lived tokens with limited scope
- Separate agent permissions from human credentials
- Enforce attribution in all agent action logs
ASI04
High
Agentic Supply Chain Vulnerabilities
Compromised or vulnerable components in the agent tool ecosystem, including malicious tools, plugins, and compromised agent frameworks.
Attack Vectors
- Malicious tool injections into agent workflows
- Compromised tool providers or registries
- Poisoned tool definitions with backdoors
- Framework vulnerabilities in orchestration layers
Real-World Examples
- Trojaned npm/pypi package in agent dependencies
- Malicious MCP server with data exfiltration
- Compromised LangGraph or similar framework
Mitigation Strategies
- Verify tool integrity through signatures and checksums
- Maintain SBOM for all agent components
- Use trusted registries and verify tool provenance
- Scan dependencies for known vulnerabilities
ASI05
Critical
Unexpected Code Execution
Agents execute code or commands that were not intended by the system design, leading to remote code execution vulnerabilities.
Attack Vectors
- Dynamic code generation without proper sandboxing
- Command injection through agent-generated calls
- Unsafe deserialization in agent workflows
- Arbitrary file write via agent actions
Real-World Examples
- Agent generating and executing malicious SQL queries
- Code interpreter tool running attacker payloads
- Shell commands injected into agent output
Mitigation Strategies
- Sandbox all code execution environments
- Implement strict input validation for generated code
- Use allow-lists for permitted operations
- Apply timeout and resource limits to execution
ASI06
High
Memory and Context Poisoning
Attackers poison the agent's memory, context, or retrieval systems to influence future behavior or extract information.
Attack Vectors
- Poisoning vector database with malicious embeddings
- RAG retrieval manipulation for goal drift
- Long-term memory injection of false data
- Cross-session context contamination
Real-World Examples
- Malicious documents ranked higher in RAG results
- False information stored in agent memory
- Vector DB injection changing retrieval behavior
Mitigation Strategies
- Validate and sanitize all data before memory storage
- Implement retrieval ranking with security signals
- Use encryption for sensitive memory contents
- Monitor memory for anomalous modifications
ASI07
Medium
Insecure Inter-Agent Communication
Communication between agents lacks proper security controls, enabling interception, manipulation, or impersonation.
Attack Vectors
- Message interception in agent communication
- Agent impersonation in multi-agent systems
- Message tampering between agents
- Lack of authentication between agents
Real-World Examples
- One agent impersonating another to bypass controls
- Man-in-middle attack between agent communications
- Message replay attacks in agent workflows
Mitigation Strategies
- Implement mutual TLS for agent communications
- Use signed messages between agents
- Authenticate agent identities in all communications
- Apply message validation and integrity checks
ASI08
Medium
Cascading Failures
Failure in one agent, tool, or component propagates through the system, causing widespread disruption or security gaps.
Attack Vectors
- Single point of failure in agent orchestration
- Error handling exposing sensitive data
- Fallback mechanisms bypassing security controls
- Recursive agent loops consuming resources
Real-World Examples
- Failed validation allowing all requests through
- Error messages exposing system prompts
- Fallback agent bypassing approval workflows
Mitigation Strategies
- Implement circuit breakers for agent components
- Design graceful degradation with security preserved
- Validate error handling doesn't expose sensitive data
- Set execution limits to prevent infinite loops
ASI09
Medium
Human-Agent Trust Exploitation
Agents exploit user trust through manipulation, social engineering, or by presenting misleading information as factual.
Attack Vectors
- Presenting false information as confident facts
- Manipulating users through persuasive outputs
- Concealing uncertainty or errors
- Exploiting human overreliance on agent outputs
Real-World Examples
- Agent fabricating information with high confidence
- Code with security flaws presented as secure
- Hiding limitations or errors from users
Mitigation Strategies
- Implement uncertainty quantification and communication
- Require human approval for high-risk actions
- Add confidence scores to agent outputs
- Educate users about agent limitations
ASI10
High
Rogue Agents
Agents operate beyond their intended scope, persist inappropriately, or take unauthorized actions across sessions or systems.
Attack Vectors
- Agent continuing tasks after authorization expires
- Unauthorized agent spawning or replication
- Agent actions persisting across user sessions
- Agent escalation to admin-level functions
Real-World Examples
- Background agent continuing after user logout
- Unauthorized agent accessing other user data
- Agent maintaining access after task completion
Mitigation Strategies
- Implement session lifecycle management
- Enforce task expiration and cleanup
- Monitor for unauthorized agent spawning
- Apply strict termination conditions
Model Context Protocol (MCP) Security
MCP enables AI assistants to connect to external tools and data sources, introducing new security considerations.
MCP Security Risks
- Untrusted MCP servers with malicious capabilities
- Data exfiltration through MCP tool access
- Tool definition poisoning
- Excessive permissions granted to MCP servers
MCP Security Best Practices
- Verify MCP server authenticity and provenance
- Apply least privilege to MCP tool permissions
- Audit all MCP server communications
- Use network isolation for MCP servers
Agentic Security Architecture
Layer 1: Input Validation
- Prompt firewalls for goal hijacking detection
- Input sanitization to prevent injection
- Rate limiting to prevent resource abuse
- Content filtering for external data
Layer 2: Agent Sandbox
- Isolated execution environments
- Resource limits (CPU, memory, network)
- Network segmentation
- Containerized tool execution
Layer 3: Tool Authorization
- Fine-grained permission scoping
- Tool use approval workflows
- Audit logging of all tool invocations
- Time-limited tool access
Layer 4: Monitoring & Response
- Real-time agent behavior monitoring
- Anomaly detection for agent actions
- Automated threat response
- Comprehensive audit trails