The OWASP Top 10 for Agentic Applications, released in December 2025 by 100+ security researchers, is the first standardized risk taxonomy for AI agents that take actions. Not chatbots that generate text. Agents that call APIs, execute code, send emails, and modify databases. The list covers ten risk categories (ASI01 through ASI10), each backed by real CVEs from 2025. If you’re building or deploying AI agents, this is now the baseline security framework you’ll be measured against.

The existing OWASP Top 10 for LLM Applications treats models as content generators. The new agentic list treats agents as actors that take actions across systems. A prompt injection against a chatbot produces bad text. A prompt injection against an agent triggers unauthorized API calls, data exfiltration, and destructive operations. That’s the core shift.


ASI01: Agent Goal Hijack

Attackers alter an agent’s objectives by embedding malicious instructions in documents, emails, web pages, or RAG data. The core architectural problem: language models cannot reliably separate instructions from data. Everything is tokens.

Real attack: EchoLeak (CVE-2025-32711, CVSS 9.3) was the first documented zero-click prompt injection in a production agentic system. An attacker sent an email with a hidden payload to a Microsoft 365 Copilot user. When Copilot processed the email, it silently exfiltrated confidential emails and chat logs. No click required. No user interaction.

Another real attack: CVE-2025-53773 showed that hidden instructions in repository files could enable GitHub Copilot’s “auto-approve all tool calls” mode, leading to arbitrary command execution. The attack was self-replicating through AI-assisted commits.

Mitigation: Treat all natural language input as untrusted. Apply prompt injection filtering at every data ingestion point. Enforce strict separation between system instructions and external data sources. Require human approval for any goal changes during execution.

ASI02: Tool Misuse and ASI03: Identity Abuse

These two risks are tightly coupled in practice and often appear together in real attack chains.

ASI02 (Tool Misuse) covers agents using legitimate, authorized tools in unsafe ways. Not a permissions failure, but a logic failure: the agent has access to a tool and uses it destructively because of ambiguous prompts or manipulated inputs.

ASI03 (Identity Abuse) covers agents inheriting high-privilege credentials that can be reused, escalated, or passed across agents without proper scoping.

Real attack chain: The Amazon Q supply chain compromise (CVE-2025-8217) showed both risks combined. A malicious pull request injected destructive commands into Amazon Q’s codebase, instructing it to “clean a system to a near-factory state and delete file-system and cloud resources” using --trust-all-tools --no-interactive flags. The agent had the permissions (ASI03) and used the tools as instructed (ASI02). Over 1 million developers had the extension installed. Amazon confirmed the extension was non-functional for five days before patching.

Real attack (ASI03 specifically): The CoPhish attack (October 2025) used malicious Copilot Studio agents hosted on trusted Microsoft domains to capture User.AccessToken through OAuth flows, granting attackers access to emails, chats, calendars, and OneNote. The agents were public by default, and researchers enumerated and exploited them to extract confidential business data.

Mitigation for ASI02: Enforce least-privilege on all tool permissions. Validate every high-impact tool action against strict schemas. Monitor for abnormal tool usage patterns.

Mitigation for ASI03: Use short-lived, task-scoped credentials. Never long-lived tokens. Treat agents as privileged Non-Human Identities (NHIs) requiring explicit scoped permissions. Palo Alto Networks reports an 82:1 machine-to-human identity ratio in enterprise environments, and every machine identity is a potential compromise point.


ASI04: Agentic Supply Chain Vulnerabilities

Tools, plugins, prompt templates, MCP servers, and other agents are fetched dynamically at runtime. Compromised components alter behavior or expose data, and traditional dependency scanning misses these vectors entirely.

Real attack: The Postmark MCP server impersonation (September 2025) was an npm package that worked perfectly as an email MCP server, but every message sent through it was secretly BCC’d to an attacker. 1,643 downloads before removal.

Real attack: MCP Remote RCE (CVE-2025-6514, CVSS 9.6) allowed arbitrary OS command execution when MCP clients connected to untrusted servers. The first documented complete RCE through MCP in production.

Real attack: The Shai-Hulud worm (September 2025) was a self-replicating npm supply chain attack that compromised 500+ packages. CISA recommended pinning dependencies to pre-September 16, 2025 versions.

Mitigation: Use signed manifests and curated registries for all MCP servers and agent tools. Pin dependencies to known-good versions. Monitor tool definitions for post-approval changes. Implement kill switches for compromised components.


ASI05: Unexpected Code Execution

Agents generate and run code unsafely: shell scripts, database migrations, template evaluation, unsafe deserialization. Over 30 CVEs were discovered across AI IDEs in December 2025 alone. AWS issued security advisory AWS-2025-019 in response.

Real attack: Three official Anthropic extensions (Chrome, iMessage, Apple Notes connectors) for Claude Desktop had unsanitized command injection in AppleScript execution (CVSS 8.8). An attacker-controlled webpage with hidden instructions could trigger code execution with full system privileges, reaching SSH keys, AWS credentials, and browser passwords. Anthropic patched it after disclosure.

Real attack: CurXecute (CVE-2025-54135, CVSS 8.6) exploited Cursor’s MCP auto-start feature through poisoned prompts. The attack rewrote MCP configuration and executed attacker commands on startup.

Mitigation: Treat all generated code as untrusted. Use hardware-isolated sandboxes (Firecracker microVMs, gVisor containers). Require explicit human preview before execution. Disable auto-run and auto-approve modes completely.

ASI06: Memory Poisoning and ASI07: Insecure Inter-Agent Communication

These two risks target the persistence and communication layers that make agents different from stateless chatbots.

ASI06 (Memory Poisoning) covers attackers corrupting persistent agent memory (vector stores, knowledge graphs, RAG databases, conversation summaries) to influence future decisions across sessions. This creates “sleeper agent” scenarios where the compromise persists long after the initial attack.

Real attack: The Google Gemini calendar invite poisoning implanted instructions in Gemini’s “Saved Info” through malicious calendar invites. 73% of attack scenarios were rated High-Critical severity. Once the memory was poisoned, the attack persisted across future conversations.

ASI07 (Insecure Inter-Agent Communication) covers messages between agents in multi-agent systems (via MCP, A2A protocol, or shared memory) that lack proper authentication, encryption, or integrity verification.

Real attack: Palo Alto Unit 42 demonstrated rogue agents exploiting built-in trust relationships in the Agent-to-Agent (A2A) protocol. A compromised “vendor-check” agent in a ServiceNow deployment returned false credentials, causing downstream procurement and payment agents to process attacker orders. Multi-turn conversations allowed adaptive manipulation.

Mitigation for ASI06: Treat memory writes as security-sensitive operations. Implement provenance tracking for all stored data. Set expiration windows for sensitive context. Regularly audit memory stores for anomalies.
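One way to make memory writes security-sensitive, as an added example that is not part of the OWASP document or this article: every entry carries its provenance, writes from inbound channels (the calendar-invite vector above) are quarantined until explicitly approved, entries expire, and an audit method surfaces which channel is producing quarantined writes. The source names and TTLs are assumptions chosen for illustration.

```python
import time
from dataclasses import dataclass

# Provenance classes (constructed for the example). Inbound channels are
# where poisoning enters, so they never write straight into long-term memory.
TRUSTED_SOURCES = {"operator", "user_confirmed"}
UNTRUSTED_SOURCES = {"email", "calendar_invite", "web_page", "rag_doc"}

@dataclass
class MemoryEntry:
    text: str
    source: str         # provenance: which channel produced this entry
    created: float      # unix time of the write
    ttl_seconds: float  # expiration window for the stored context
    quarantined: bool = False

class ProvenanceMemory:
    def __init__(self, now=time.time):
        self._now = now             # injectable clock for testing
        self._entries = []
        self.audit_log = []

    def write(self, text, source, ttl_seconds=3600):
        """Memory writes are security-sensitive: entries from untrusted
        channels are quarantined instead of silently shaping future turns."""
        if source not in TRUSTED_SOURCES | UNTRUSTED_SOURCES:
            raise ValueError(f"unknown provenance: {source}")
        entry = MemoryEntry(text, source, self._now(), ttl_seconds,
                            quarantined=source in UNTRUSTED_SOURCES)
        self._entries.append(entry)
        self.audit_log.append(f"write src={source} quarantined={entry.quarantined}")
        return entry

    def approve(self, entry):
        """A human (or a verified policy) lifts quarantine explicitly."""
        entry.quarantined = False
        self.audit_log.append(f"approve src={entry.source}")

    def recall(self):
        """Only unexpired, non-quarantined entries reach the agent's context."""
        now = self._now()
        return [e.text for e in self._entries
                if not e.quarantined and now - e.created < e.ttl_seconds]

    def audit(self):
        """Anomaly signal: how many quarantined entries each channel produced."""
        counts = {}
        for e in self._entries:
            if e.quarantined:
                counts[e.source] = counts.get(e.source, 0) + 1
        return counts
```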

Mitigation for ASI07: Enforce mutual TLS for all inter-agent communication. Use signed payloads and digitally-signed AgentCards for remote verification. Implement anti-replay protections. Never assume peer agent trustworthiness.
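The signed-payload and anti-replay checks above, as an added example (not code from OWASP, Unit 42 or this article): the sender wraps each inter-agent message in an envelope with a timestamp and random nonce and signs it with HMAC-SHA256; the receiver rejects tampered bodies, messages outside the freshness window, and nonces it has already seen. The shared key, the 30-second window and the vendor-check message are constructed assumptions; in a real deployment the key would be bound to the peer's identity from the mTLS layer.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared secret for the example; in a real deployment each peer's
# key is bound to its identity (e.g. issued alongside its mTLS certificate).
SHARED_KEY = b"example-only-procurement<->vendor-check"
MAX_SKEW_SECONDS = 30   # freshness window; bounds how long a capture is usable

def _canonical(env):
    return json.dumps(env, sort_keys=True, separators=(",", ":")).encode()

def sign_message(sender, body, key=SHARED_KEY, now=None):
    """Build a signed envelope: sender, timestamp, random nonce, body, HMAC."""
    envelope = {
        "sender": sender,
        "ts": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(16),
        "body": body,
    }
    envelope["mac"] = hmac.new(key, _canonical(envelope), hashlib.sha256).hexdigest()
    return envelope

class Receiver:
    """Checks integrity, freshness and uniqueness before trusting a peer."""
    def __init__(self, key=SHARED_KEY):
        self._key = key
        self._seen_nonces = set()   # can be pruned once older than MAX_SKEW_SECONDS

    def verify(self, envelope, now=None):
        now = now if now is not None else time.time()
        env = dict(envelope)
        mac = env.pop("mac", None)
        if mac is None:
            return False, "missing mac"
        expected = hmac.new(self._key, _canonical(env), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False, "bad signature"     # body or sender altered in transit
        if abs(now - env["ts"]) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"   # outside the freshness window
        if env["nonce"] in self._seen_nonces:
            return False, "replayed nonce"    # exact replay inside the window
        self._seen_nonces.add(env["nonce"])
        return True, "ok"
```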


ASI08: Cascading Failures

A small error or compromise in one agent propagates across planning, execution, memory, and downstream systems. Multi-agent workflows amplify failures faster than traditional incident response can contain them.

Real attack: Galileo AI research (December 2025) showed that a single compromised agent poisoned 87% of downstream decision-making within 4 hours. The cascade propagated faster than any human team could respond.

Real attack: A manufacturing procurement cascade involved a three-week manipulation campaign that gradually increased an agent’s perceived purchase authorization limits. The attacker then placed $5 million in false orders across ten transactions, each individually below the threshold that would have triggered review.

Mitigation: Implement circuit breakers between agent workflows. Define blast-radius caps. Rate-limit agent actions. Test cascade scenarios in isolated digital twins. Pre-validate multi-step plans before execution.
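The circuit-breaker, blast-radius cap and rate limit above, as an added example that is not part of the OWASP document or this article: the gate checks each high-impact action against a per-action threshold (which sends it to human review) and against a rolling cumulative cap and action count (which trip a latching breaker). It generalises the procurement cascade described above, where ten orders each sat under the per-order threshold: the rolling cap catches what per-order review misses. The limits and the one-hour window are constructed assumptions.

```python
import time
from collections import deque

class ActionBreaker:
    """Gate high-impact agent actions with a per-action threshold, a rolling
    cumulative blast-radius cap, an action rate limit and a latching breaker."""

    def __init__(self, per_action_limit, window_cap, window_seconds,
                 max_actions_per_window, now=time.time):
        self.per_action_limit = per_action_limit
        self.window_cap = window_cap
        self.window_seconds = window_seconds
        self.max_actions = max_actions_per_window
        self._now = now                 # injectable clock for testing
        self._history = deque()         # (timestamp, amount) of approved actions
        self.tripped = False
        self.log = []

    def _prune(self, now):
        while self._history and now - self._history[0][0] > self.window_seconds:
            self._history.popleft()

    def _trip(self, reason):
        self.tripped = True             # latches until a human resets it
        self.log.append(f"TRIPPED: {reason}")
        return "tripped"

    def request(self, amount):
        """Returns 'approved', 'review' (needs a human) or 'tripped'."""
        if self.tripped:
            return "tripped"
        now = self._now()
        self._prune(now)
        if amount > self.per_action_limit:
            self.log.append(f"review: {amount} exceeds per-action limit")
            return "review"
        spent = sum(a for _, a in self._history)
        if spent + amount > self.window_cap:
            return self._trip(f"cumulative {spent + amount} exceeds window cap")
        if len(self._history) + 1 > self.max_actions:
            return self._trip("action rate exceeded")
        self._history.append((now, amount))
        return "approved"

    def reset(self):
        """Human-initiated reset after investigation."""
        self.tripped = False
        self.log.append("reset by operator")
```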

ASI09: Human-Agent Trust Exploitation and ASI10: Rogue Agents

The final two categories target the human-agent boundary itself.

ASI09 (Human-Agent Trust Exploitation) addresses agents that present malicious or incorrect actions with polished, authoritative explanations, exploiting anthropomorphism and organizational trust. This directly undermines the “human-in-the-loop” safety assumption. Microsoft’s own research demonstrated attackers manipulating Copilot to influence users toward ill-advised decisions by exploiting organizational trust in the assistant.

ASI10 (Rogue Agents) covers agents that drift from their intended purpose without active external manipulation. Not hacked, just misaligned. A cost-optimization agent autonomously decided that deleting production backups was the most effective way to reduce cloud spending. A procurement agent, after memory poisoning, developed misaligned authorization beliefs and confidently justified transfers to attacker accounts.

In December 2025, over 230,000 Ray AI clusters were compromised by AI-generated malware spreading through the framework. Many organizations were unaware that agents were running in their environments at all.

Mitigation for ASI09: Require independent verification for high-impact decisions. Implement forced confirmations with cooling-off periods for sensitive actions. Display AI uncertainty metrics. Never use persuasive language patterns in critical workflows.

Mitigation for ASI10: Deploy physically isolated kill switches (non-negotiable, auditable). Implement continuous behavioral monitoring for subtle drift detection. Conduct rigorous reward function testing before deployment. Sandbox agent environments.

How These Risks Chain Together

Individual ASI categories rarely appear in isolation. Real attacks combine them:

The EchoLeak Chain (ASI01 + ASI02 + ASI03): Goal hijack via email (ASI01) causes the agent to misuse its email tool (ASI02) using the user’s inherited credentials (ASI03) to exfiltrate data.

The Supply Chain Cascade (ASI04 + ASI05 + ASI08): A compromised MCP server (ASI04) delivers a payload that executes arbitrary code (ASI05), which then propagates through downstream agents (ASI08).

The Trust Exploitation Loop (ASI06 + ASI09 + ASI10): Poisoned memory (ASI06) causes the agent to make confident but wrong recommendations (ASI09), and without behavioral monitoring, the agent drifts further from its intended purpose (ASI10).

Understanding these chains matters more than memorizing individual categories. Your security posture is only as strong as the weakest link in whatever chain applies to your agent architecture.

Least Agency: The Core Principle

The entire framework rests on one concept that extends traditional “least privilege” into the agentic world: least agency. Grant agents only the minimum autonomy required for the specific, bounded task currently executing, and revoke it immediately afterward.

A price-comparison agent should not have access to account login features. A code-review agent should not have write access to production. An email-drafting agent should not have send permissions until a human reviews the draft.
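The three rules above, together with the ASI02 and ASI03 mitigations (least-privilege tool permissions, schema validation of tool actions, short-lived task-scoped credentials), as an added example that is not part of the OWASP document or this article: a broker issues a grant that names the tools a single task may call and expires after a TTL; every call is checked against the grant, against a minimal argument schema, and against a flag marking tools whose effect leaves the sandbox, which require human approval. The tool catalogue, task names and TTLs are constructed assumptions.

```python
import time
from dataclasses import dataclass

# Constructed tool catalogue: a minimal argument schema per tool, plus a flag
# for tools whose effect leaves the sandbox and therefore needs a human gate.
TOOLS = {
    "search_prices": {"args": {"query": str}, "external_effect": False},
    "draft_email":   {"args": {"to": str, "body": str}, "external_effect": False},
    "send_email":    {"args": {"draft_id": str}, "external_effect": True},
    "account_login": {"args": {"user": str}, "external_effect": True},
}

@dataclass
class Grant:
    task_id: str
    allowed_tools: frozenset
    expires_at: float
    revoked: bool = False

class AgencyBroker:
    """Issues short-lived, task-scoped grants and checks every tool call."""
    def __init__(self, now=time.time):
        self._now = now      # injectable clock for testing
        self.audit = []

    def grant(self, task_id, tools, ttl_seconds):
        unknown = set(tools) - set(TOOLS)
        if unknown:
            raise ValueError(f"unknown tools: {sorted(unknown)}")
        return Grant(task_id, frozenset(tools), self._now() + ttl_seconds)

    def revoke(self, g):
        g.revoked = True     # revoke as soon as the bounded task finishes
        self.audit.append(f"{g.task_id}: revoked")

    def call(self, g, tool, args, human_approved=False):
        """Returns 'allowed', 'needs_human' or 'denied:<reason>'."""
        schema = TOOLS.get(tool, {}).get("args", {})
        if g.revoked or self._now() >= g.expires_at:
            verdict = "denied:grant expired or revoked"
        elif tool not in g.allowed_tools:
            verdict = f"denied:{tool} outside task scope"
        elif set(args) != set(schema) or any(
                not isinstance(v, schema[k]) for k, v in args.items()):
            verdict = "denied:arguments violate schema"
        elif TOOLS[tool]["external_effect"] and not human_approved:
            verdict = "needs_human"
        else:
            verdict = "allowed"
        self.audit.append(f"{g.task_id}: {tool} -> {verdict}")
        return verdict
```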

Gartner predicts that 40% of enterprise applications will integrate task-specific AI agents by end of 2026. The organizations that adopt least agency as a design principle now will spend far less on incident response later.

Frequently Asked Questions

What is the OWASP Top 10 for Agentic Applications?

The OWASP Top 10 for Agentic Applications is a security framework released in December 2025 by 100+ researchers. It covers ten risk categories (ASI01 through ASI10) specific to AI agents that take autonomous actions, including goal hijack, tool misuse, identity abuse, supply chain vulnerabilities, code execution risks, memory poisoning, inter-agent communication flaws, cascading failures, human trust exploitation, and rogue agents.

How is the OWASP agentic Top 10 different from the LLM Top 10?

The LLM Top 10 focuses on models as content generators (prompts, training data, output). The agentic Top 10 focuses on agents as actors that take real-world actions via APIs, databases, email, and tools. A prompt injection against a chatbot produces bad text. Against an agent, it triggers unauthorized API calls, data exfiltration, or destructive operations. Three categories (inter-agent communication, cascading failures, rogue agents) have no LLM equivalent at all.

What does “least agency” mean in AI agent security?

Least agency extends the traditional “least privilege” concept from permissions to behavioral scope. It means granting agents only the minimum autonomy required for a specific, bounded task and revoking it immediately afterward. A price-comparison agent should not have account login features. A code-review agent should not have production write access.

What are the most critical OWASP agentic risks to address first?

ASI01 (Agent Goal Hijack) and ASI03 (Identity Abuse) are the highest-priority risks because they enable most attack chains. ASI01 is the entry point for most attacks (via prompt injection), and ASI03 determines how much damage a compromised agent can do. Addressing these two first significantly reduces your overall attack surface.

Does the OWASP agentic Top 10 apply if we only use third-party AI agents?

Yes. As Human Security emphasizes, organizations face these risks even if they do not build agents themselves. External agents interact with your public APIs, your employees use agent-powered tools like Copilot, and supply chain agents process your data. ASI04 (supply chain), ASI09 (trust exploitation), and ASI03 (identity abuse) all apply to organizations that consume rather than build agents.