Skip to main content

OWASP Top 10 for Agentic Applications 2026

OWASP Top 10 for Agentic Applications 2026

Table of Contents

Quick Answer

The OWASP Top 10 for Agentic Applications 2026 is a security framework for AI systems that can plan, use tools, retain memory, communicate and take actions. It expands beyond ordinary LLM risks to cover goals, identities, privileges, supply chains, code execution, persistent context, cascading failures, human trust and rogue behavior.

What Is the OWASP Agentic Applications Top 10?

The framework identifies ten important risk areas for agentic applications. These systems do more than generate text: they may plan multi-step tasks, select tools, access private data, act through APIs, store memory, coordinate with other agents, and continue working with limited supervision.

Why AI Agents Need a Separate Risk List

A conventional chatbot mainly produces output. An agent can create operational impact. A wrong answer is a quality issue; a wrong tool call can delete data, expose records, send a message, change permissions, spend money, or start a cascading workflow. Agent security therefore requires identity, execution, recovery and governance controls beyond prompt filtering.

The 10 Agentic Application Risks

Use this catalogue to scan the full framework. Each risk keeps its plain-language meaning visible, while the first defensive controls remain available without turning the article into ten permanently expanded panels.

ASI01

Agent Goal Hijack

Untrusted content or context redirects the agent away from the intended objective.

First controls
  • Separate instructions from data.
  • Track goal changes.
  • Require policy validation before action.
ASI02

Tool Misuse

A legitimate tool is used in an unsafe, excessive or unintended way.

First controls
  • Least privilege.
  • Argument validation.
  • Approval for high-impact tools.
ASI03

Identity and Privilege Abuse

Agents or users act with excessive, inherited or confused authority.

First controls
  • Separate user, agent and service identities.
  • Use short-lived credentials.
  • Recheck resource authorization.
ASI04

Agentic Supply-Chain Vulnerabilities

Models, tools, skills, plugins, MCP servers or dependencies introduce risk.

First controls
  • Approved sources.
  • Version pinning.
  • Change review and revocation.
ASI05

Unexpected Code Execution

Agent workflows cause code or command execution outside intended boundaries.

First controls
  • Sandboxing.
  • No raw model-to-shell path.
  • Restricted interpreters and filesystems.
ASI06

Memory and Context Poisoning

Persistent context stores unsafe, stale or attacker-controlled information.

First controls
  • Source provenance.
  • Tenant isolation.
  • Review, quarantine and deletion.
ASI07

Insecure Inter-Agent Communication

Agents trust messages, identities or requests from other agents without sufficient checks.

First controls
  • Authenticate agents.
  • Authorize messages and resources.
  • Validate message schemas.
ASI08

Cascading Failures

One incorrect decision or compromised agent triggers failures across connected systems.

First controls
  • Limit blast radius.
  • Use circuit breakers.
  • Design rollback and recovery.
ASI09

Human-Agent Trust Exploitation

People approve or trust agent output without understanding the action or evidence.

First controls
  • Clear approval screens.
  • Show impact and data.
  • Avoid dark patterns and urgency.
ASI10

Rogue Agents

An agent operates outside intended governance, policy or ownership.

First controls
  • Strong inventory.
  • Behavior monitoring.
  • Kill switch and credential revocation.

Agentic risk coverage map

GroupRisks
Goal, tool and identity risks3
Supply chain and execution2
Memory and communication2
Systemic, human and rogue risks3
Insecure Lab grouping of the OWASP Agentic Top 10 categories. This is an editorial coverage map, not an OWASP severity score.

OWASP LLM Top 10 vs Agentic Applications Top 10

LLM application focusAgentic addition
Prompt and output riskGoal and action risk
Sensitive informationPersistent memory and cross-agent flow
Excessive agencyDetailed tool, identity and privilege failures
Supply-chain weaknessDynamic agents, skills, tools and MCP ecosystems
Improper output handlingCascading operational actions
MisinformationHuman trust and approval failures

Agent-Security Standards and Incident Timeline

Milestones showing how the agentic framework, standards work, research and incident evidence developed.

  1. Framework

    OWASP GenAI Security Project

    OWASP released the Agentic Applications Top 10

    The framework consolidated risks unique to systems that plan, use tools, retain memory and act with delegated authority.

    OWASP release
  2. Standard

    NIST

    NIST launched an AI Agent Standards Initiative

    The initiative added standards, interoperability, identity and secure-agent infrastructure to the public policy agenda.

    NIST announcement
  3. Research

    Unit 42

    In-the-wild indirect prompt injection was reported

    Security researchers documented malicious web content targeting AI review and agent workflows, demonstrating that external content is an active control boundary.

    Unit 42 report
  4. Incident

    OWASP GenAI Security Project

    OWASP mapped real incidents to agentic risks

    The Q1 round-up connected agent failures, identity abuse, tool misuse and MCP exploitation to concrete defensive lessons.

    OWASP incident round-up

Recent Agent-Security Incident Lessons

Three recent incident patterns highlight recurring controls for destructive actions, inherited identity and executable configuration boundaries.

  1. Lesson 01Destructive actions

    Inbox deletion failure

    Destructive permissions need hard confirmation, reliable stop controls and reversible actions. A natural-language request should never be the only safety boundary.

  2. Lesson 02Identity and privilege

    Inherited cloud identity

    Agent deployments can inherit powerful service credentials. Review default scopes, cross-project access and resource-level authorization.

  3. Lesson 03Supply chain and execution

    CustomMCP exploitation

    Agent configuration is a code and supply-chain boundary. Validate, patch and restrict orchestration features that can execute or load custom capabilities.

Control Priorities

  • Separate user, agent and service identities.
  • Keep authorization and business policy outside the model.
  • Use least-privilege tools with strict argument schemas.
  • Isolate memory by user and tenant, with provenance and deletion controls.
  • Require explicit approval for high-impact and irreversible actions.
  • Log plans, tool calls, approvals, results and policy decisions.
  • Provide circuit breakers, revocation, rollback and a tested kill switch.

30/60/90-Day Adoption Plan

WindowPriority actions
First 30 daysInventory agents, tools, identities and data; classify actions by impact; remove unnecessary write/delete access; require approval for privileged operations.
By 60 daysAdd deterministic policy enforcement; validate tool arguments; separate memory by user and tenant; centralize tool-call and approval logs.
By 90 daysTest indirect prompt injection, identity and scope boundaries, rollback and kill switches; review third-party agent components and MCP servers.

Explore AI Security Topics

FAQs

It is an OWASP security framework for applications where AI agents can plan, use tools, retain memory, communicate, and take actions. It highlights ten important risk areas for agentic systems.

The LLM Top 10 focuses on language-model application risks. The Agentic Top 10 adds deeper coverage of goals, tools, identity, privileges, memory, inter-agent communication, cascading actions, human trust, and rogue behavior.

Agent goal hijacking occurs when untrusted content, context, memory, or instructions redirect an agent away from the user’s intended objective.

A rogue agent behaves outside intended governance or policy, whether because of compromised instructions, unsafe autonomy, faulty controls, or deliberate misuse.

Some risks may apply, but the framework is most relevant when a system can use tools, memory, identities, workflows, or autonomous actions beyond text generation.

Start by inventorying agents, tools, identities and data, then remove unnecessary permissions, require approval for high-impact actions, validate tool calls outside the model, and centralize logging and rollback.

Sources and further reading