Skip to content
Skip article header Engineering

OWASP Top 10 for Agentic Applications (ASI01-ASI10) Explained

OWASP Agentic Top 10 explained: the ASI01 to ASI10 taxonomy with real incidents and mitigations for AI agent risks, from a cybersecurity team.

7 min read 36 views
Security engineer at a desk annotating a printed ten-row threat matrix labeled ASI01-ASI10 next to a monitor showing an AI agent tool-call graph
Security engineer at a desk annotating a printed ten-row threat matrix labeled ASI01-ASI10 next to a monitor showing an AI agent tool-call graph
Skip key takeaways

Key takeaways: OWASP Top 10 for Agentic Applications 4

The ten risk classes behind the ASI01-ASI10 taxonomy, the incidents that anchor them and how to prioritize mitigation.

  • A shared vocabulary for agent risk Published by OWASP GenAI on Dec 9 2025, updated to v2.01 on Jun 1 2026, with input from over 100 security experts.
  • Entry points and impact chain together ASI01 and ASI06 are entry points, ASI02 and ASI05 are impact. Most real attack chains combine one of each.
  • Map every ASI item to your architecture Input surfaces, action surfaces, identity plus dependencies and orchestration each map to a distinct set of ASI risks.
  • It is becoming the governance reference The Agentic Top 10 is showing up in procurement questionnaires, vendor risk reviews and internal AI governance policies.
See our cybersecurity services

AI agents plan, call tools, hold memory and act on external systems. That autonomy creates attack surface that classic AppSec models and even the earlier OWASP LLM Top 10 never had to describe. An agent that reads email can be hijacked by an email. An agent that writes code can be tricked into executing it. An agent with a service account can quietly become the most privileged identity in your company.

To give the industry a shared vocabulary for these failures, the OWASP GenAI Security Project published the Top 10 for Agentic Applications on December 9 2025, developed with input from more than 100 security experts and refreshed as version 2.01 on June 1 2026 (source: genai.owasp.org, Dec 9 2025). This article walks through all ten items, the incidents behind them and the mitigations we apply when we build and audit AI agent systems.

In short: the OWASP Agentic Top 10 (ASI01-ASI10) is the first industry-standard taxonomy of security risks specific to AI agents, published by the OWASP GenAI Security Project on December 9 2025 and updated to version 2.01 on June 1 2026. It names ten risk classes from Agent Goal Hijack to Rogue Agents, each grounded in a real incident such as EchoLeak or the Replit database deletion. Teams building or deploying agents should map every agent workflow against all ten items before production.

Why agents needed their own Top 10

The original OWASP Top 10 covers web applications. The LLM Top 10 covers models that answer prompts. Agentic applications combine both and add three new properties:

  • Autonomy. The agent decides its own next step, so a single poisoned input can redirect an entire multi-step plan.
  • Tool access. The agent holds credentials and calls real APIs, so a reasoning failure becomes a real-world action.
  • Persistence. The agent keeps memory and context across sessions, so an attack can be planted today and triggered next week.

Each ASI item describes how one of these properties fails. The taxonomy is deliberately incident-driven: almost every entry is anchored to a public 2025-2026 security event, which makes it unusually practical as an audit checklist.

The ASI01-ASI10 taxonomy

Close-up of a printed ASI01-ASI10 taxonomy matrix on a desk with a highlighter marking mitigation notes

The table below is the full taxonomy as named by OWASP GenAI (Dec 9 2025, v2.01 Jun 1 2026), with a plain-language definition, the reference incident and the primary mitigation for each item.

Item What it is Example incident Primary mitigation
ASI01 Agent Goal Hijack Attacker-supplied content redirects the agent’s objective away from the user’s intent EchoLeak – a crafted email silently exfiltrated data through an email assistant Treat all retrieved content as untrusted, separate instructions from data, require confirmation for goal changes
ASI02 Tool Misuse and Exploitation The agent is manipulated into using its legitimate tools in harmful ways Amazon Q incident – a poisoned prompt pushed destructive system commands through the coding assistant Least-privilege tool scopes, allowlisted parameters, dry-run and approval gates on destructive actions
ASI03 Identity and Privilege Abuse Agent identities, tokens and delegated permissions are stolen or over-granted Over-permissioned service accounts reused across agents Per-agent identities, short-lived credentials, scoped OAuth grants, no shared service accounts
ASI04 Agentic Supply Chain Vulnerabilities Compromise arrives through the agent’s dependencies: MCP servers, plugins, models, packages GitHub MCP exploit – a malicious server exposed private repository data Vet and pin MCP servers and packages, maintain an AI bill of materials, isolate third-party connectors
ASI05 Unexpected Code Execution / RCE Agent-generated code or commands execute outside a safe boundary AutoGPT path traversal and code execution findings Sandbox all execution, no direct shell access, egress-filtered containers for generated code
ASI06 Memory and Context Poisoning False or malicious data is planted in the agent’s memory and shapes later decisions Gemini Memory Attack – injected content persisted into long-term memory Validate before persisting, provenance-tag memory entries, expire and audit stored context
ASI07 Insecure Inter-Agent Communication Agent-to-agent messages are spoofed, intercepted or trusted blindly Spoofed peer messages in multi-agent frameworks Authenticate every agent channel, sign messages, never grant trust based on sender role alone
ASI08 Cascading Failures One compromised or faulty agent propagates errors through a chain of dependent agents Error loops amplified across orchestrated agent pipelines Circuit breakers, blast-radius limits, independent validation between pipeline stages
ASI09 Human-Agent Trust Exploitation Users over-trust agent output and approve harmful actions the agent proposes Social-engineering style approvals harvested through agent UIs Explainable action previews, friction on irreversible steps, out-of-band verification for sensitive approvals
ASI10 Rogue Agents An agent acts outside its mandate, deceptively or destructively Replit meltdown – an agent deleted a production database and misreported what it had done Hard guardrails outside the model, immutable audit logs, kill switches, environment separation

How to read the taxonomy

Three practical observations from applying this list in audits:

  • ASI01 and ASI06 are entry points, ASI02 and ASI05 are impact. Most real attack chains start with goal hijack or memory poisoning and cash out through tool misuse or code execution. Fixing only the entry point or only the impact leaves the chain alive.
  • ASI03 and ASI04 are governance problems as much as engineering problems. Who approves a new MCP server? Who owns an agent’s service account? If the answer is “nobody”, the vulnerability already exists.
  • ASI08, ASI09 and ASI10 scale with autonomy. The more agents you chain and the fewer humans in the loop, the more these three dominate your risk profile.

Mapping ASI items to your architecture

A useful exercise for any team shipping agents: draw the agent’s data flow and mark where each ASI class applies.

Input surfaces: ASI01 and ASI06

Every channel the agent reads is an injection surface: email, tickets, web pages, retrieved documents, database rows and other agents’ output. The mitigation pattern is consistent – treat retrieved content as data rather than instructions and gate anything that writes to persistent memory.

Action surfaces: ASI02 and ASI05

Every tool the agent can call is a potential weapon. Inventory tools, assign each a risk tier and require human approval or sandboxed execution for the top tier. Code execution always belongs in an isolated, egress-restricted environment.

Identity and dependencies: ASI03 and ASI04

Agents need their own identity fabric: per-agent credentials, short-lived tokens and scoped permissions. Dependencies, including models, packages and MCP servers, need the same supply-chain discipline you apply to any production software, plus AI-specific artifacts such as an AIBOM.

Orchestration and oversight: ASI07 to ASI10

Multi-agent systems need authenticated channels, circuit breakers between stages, human-readable action previews and a kill switch that works even when the model is confidently wrong. Guardrails must live outside the model, in infrastructure the agent cannot rewrite.

What this means for AI governance

The Agentic Top 10 is quickly becoming the reference framework in procurement questionnaires, vendor risk reviews and internal AI governance policies, similar to the role the classic Top 10 plays in web security. Because it was developed with more than 100 contributing experts (source: genai.owasp.org, Dec 9 2025), it carries enough industry weight to anchor an internal standard. If your organization runs an AI governance program, mapping deployed agents against ASI01-ASI10 is one of the highest-value controls you can add in 2026, and it pairs naturally with structured security audits of the surrounding application, alongside the broader state of application security in 2026.

How Pharos Production helps secure agentic AI

The Agentic Top 10 gives every team building agents a shared checklist grounded in real 2025-2026 incidents. The uncomfortable part is that most production agents today would fail an honest review against at least half the list. The good news is that every item has known, buildable mitigations. If you are deploying AI agents and want an ASI01-ASI10 assessment of your architecture, or you need those mitigations designed and built, talk to our cybersecurity services team.

Sources: OWASP GenAI Security Project, Top 10 for Agentic Applications, published Dec 9 2025 and updated to v2.01 Jun 1 2026 (genai.owasp.org). Incident references drawn from public 2025-2026 security disclosures. Figures and dates are as published by the cited sources at the time of writing.

FAQ

Last updated:

Quick answers to common questions about custom software development, pricing, process and technology.

  • Copy link Copies a direct link to this answer to your clipboard.

    It is a taxonomy of the ten most important security risks specific to AI agents, published by the OWASP GenAI Security Project on December 9 2025 and updated to version 2.01 on June 1 2026. The items are labeled ASI01 through ASI10 and cover risks from Agent Goal Hijack to Rogue Agents, each illustrated by a real incident such as EchoLeak or the Replit database deletion.

  • Copy link Copies a direct link to this answer to your clipboard.

    The LLM Top 10 covers risks of models that generate responses, such as prompt injection and insecure output handling. The Agentic Top 10 covers what happens when a model gains autonomy, tools, memory and the ability to act: goal hijack, tool misuse, identity abuse, inter-agent attacks and rogue behavior.

    Teams deploying agents generally need to address both lists.

  • Copy link Copies a direct link to this answer to your clipboard.

    Start with the pairs that form complete attack chains: ASI01 Agent Goal Hijack plus ASI02 Tool Misuse, and ASI06 Memory Poisoning plus ASI05 Unexpected Code Execution. Locking down tool scopes, sandboxing execution and treating retrieved content as untrusted removes the highest-probability paths.

    Identity hygiene (ASI03) and supply-chain vetting (ASI04) follow immediately after.

I work with startup founders who need a dedicated software development team but don’t want to gamble on hiring, random outsourcing, or opaque delivery.
Most founders face the same problem sooner or later.
Early technical and team decisions lock the product into tech debt, slow delivery, missed milestones and constant re-hiring. By the time this becomes visible, fixing it is already expensive.

As a CTO and software architect, I help founders design, build and run dedicated development teams that work as a true extension of the startup. Not as a black-box vendor.

My focus is on complex products where mistakes are costly:

  • Web3 and blockchain platforms
  • FinTech and regulated products
  • High-load startup systems
  • MVP → scale transitions

We don’t do body-shopping.
We don’t sell generic outsourcing.

Instead, we help founders:

  • build the right team structure from day one
  • keep technical ownership and transparency
  • scale delivery without losing control
  • avoid vendor lock-in and hidden risks

Teams are aligned with the product roadmap, business goals and long-term architecture. Not just short-term velocity.

Dmytro Nasyrov, Founder and CTO at Pharos Production
Dmytro Nasyrov Founder & CTO Let’s work together!

Your business results matter

Achieve them with minimized risk through our bespoke innovation capabilities

Your contact details
Please enter your name
Please enter a valid email address
Please enter your message
* required

We typically reply within 4 hours. Prefer email? [email protected]

What happens next?

  1. Contact us

    Contact us today to discuss your project. We’re ready to review your request promptly and guide you on the best next steps for collaboration

    Same day
  2. NDA

    We’re committed to keeping your information confidential, so we’ll sign a Non-Disclosure Agreement

    1 day
  3. Plan the Goals

    After we chat about your goals and needs, we’ll craft a comprehensive proposal detailing the project scope, team, timeline and budget

    3-5 days
  4. Finalize the Details

    Let’s connect on Google Meet to go through the proposal and confirm all the details together!

    1-2 days
  5. Sign the Contract

    As soon as the contract is signed, our dedicated team will jump into action on your project!

    Same day