Agent Goal Hijack
Untrusted content or context redirects the agent away from the intended objective.
First controls
- Separate instructions from data.
- Track goal changes.
- Require policy validation before action.
The OWASP Top 10 for Agentic Applications 2026 is a security framework for AI systems that can plan, use tools, retain memory, communicate and take actions. It expands beyond ordinary LLM risks to cover goals, identities, privileges, supply chains, code execution, persistent context, cascading failures, human trust and rogue behavior.
The framework identifies ten important risk areas for agentic applications. These systems do more than generate text: they may plan multi-step tasks, select tools, access private data, act through APIs, store memory, coordinate with other agents, and continue working with limited supervision.
A conventional chatbot mainly produces output. An agent can create operational impact. A wrong answer is a quality issue; a wrong tool call can delete data, expose records, send a message, change permissions, spend money, or start a cascading workflow. Agent security therefore requires identity, execution, recovery and governance controls beyond prompt filtering.
Use this catalogue to scan the full framework. Each risk keeps its plain-language meaning visible, while the first defensive controls remain available without turning the article into ten permanently expanded panels.
Untrusted content or context redirects the agent away from the intended objective.
A legitimate tool is used in an unsafe, excessive or unintended way.
Agents or users act with excessive, inherited or confused authority.
Models, tools, skills, plugins, MCP servers or dependencies introduce risk.
Agent workflows cause code or command execution outside intended boundaries.
Persistent context stores unsafe, stale or attacker-controlled information.
Agents trust messages, identities or requests from other agents without sufficient checks.
One incorrect decision or compromised agent triggers failures across connected systems.
People approve or trust agent output without understanding the action or evidence.
An agent operates outside intended governance, policy or ownership.
| Group | Risks |
|---|---|
| Goal, tool and identity risks | 3 |
| Supply chain and execution | 2 |
| Memory and communication | 2 |
| Systemic, human and rogue risks | 3 |
| LLM application focus | Agentic addition |
|---|---|
| Prompt and output risk | Goal and action risk |
| Sensitive information | Persistent memory and cross-agent flow |
| Excessive agency | Detailed tool, identity and privilege failures |
| Supply-chain weakness | Dynamic agents, skills, tools and MCP ecosystems |
| Improper output handling | Cascading operational actions |
| Misinformation | Human trust and approval failures |
Milestones showing how the agentic framework, standards work, research and incident evidence developed.
OWASP GenAI Security Project
The framework consolidated risks unique to systems that plan, use tools, retain memory and act with delegated authority.
OWASP releaseNIST
The initiative added standards, interoperability, identity and secure-agent infrastructure to the public policy agenda.
NIST announcementUnit 42
Security researchers documented malicious web content targeting AI review and agent workflows, demonstrating that external content is an active control boundary.
Unit 42 reportOWASP GenAI Security Project
The Q1 round-up connected agent failures, identity abuse, tool misuse and MCP exploitation to concrete defensive lessons.
OWASP incident round-upThree recent incident patterns highlight recurring controls for destructive actions, inherited identity and executable configuration boundaries.
Destructive permissions need hard confirmation, reliable stop controls and reversible actions. A natural-language request should never be the only safety boundary.
Agent deployments can inherit powerful service credentials. Review default scopes, cross-project access and resource-level authorization.
Agent configuration is a code and supply-chain boundary. Validate, patch and restrict orchestration features that can execute or load custom capabilities.
| Window | Priority actions |
|---|---|
| First 30 days | Inventory agents, tools, identities and data; classify actions by impact; remove unnecessary write/delete access; require approval for privileged operations. |
| By 60 days | Add deterministic policy enforcement; validate tool arguments; separate memory by user and tenant; centralize tool-call and approval logs. |
| By 90 days | Test indirect prompt injection, identity and scope boundaries, rollback and kill switches; review third-party agent components and MCP servers. |