OWASP Top 10 for Agentic Applications (ASI01-ASI10) Explained
OWASP Agentic Top 10 explained: the ASI01 to ASI10 taxonomy with real incidents and mitigations for AI agent risks, from a cybersecurity team.
Key takeaways: OWASP Top 10 for Agentic Applications 4
The ten risk classes behind the ASI01-ASI10 taxonomy, the incidents that anchor them and how to prioritize mitigation.
- A shared vocabulary for agent risk Published by OWASP GenAI on Dec 9 2025, updated to v2.01 on Jun 1 2026, with input from over 100 security experts.
- Entry points and impact chain together ASI01 and ASI06 are entry points, ASI02 and ASI05 are impact. Most real attack chains combine one of each.
- Map every ASI item to your architecture Input surfaces, action surfaces, identity plus dependencies and orchestration each map to a distinct set of ASI risks.
- It is becoming the governance reference The Agentic Top 10 is showing up in procurement questionnaires, vendor risk reviews and internal AI governance policies.
AI agents plan, call tools, hold memory and act on external systems. That autonomy creates attack surface that classic AppSec models and even the earlier OWASP LLM Top 10 never had to describe. An agent that reads email can be hijacked by an email. An agent that writes code can be tricked into executing it. An agent with a service account can quietly become the most privileged identity in your company.
To give the industry a shared vocabulary for these failures, the OWASP GenAI Security Project published the Top 10 for Agentic Applications on December 9 2025, developed with input from more than 100 security experts and refreshed as version 2.01 on June 1 2026 (source: genai.owasp.org, Dec 9 2025). This article walks through all ten items, the incidents behind them and the mitigations we apply when we build and audit AI agent systems.
In short: the OWASP Agentic Top 10 (ASI01-ASI10) is the first industry-standard taxonomy of security risks specific to AI agents, published by the OWASP GenAI Security Project on December 9 2025 and updated to version 2.01 on June 1 2026. It names ten risk classes from Agent Goal Hijack to Rogue Agents, each grounded in a real incident such as EchoLeak or the Replit database deletion. Teams building or deploying agents should map every agent workflow against all ten items before production.
Why agents needed their own Top 10
The original OWASP Top 10 covers web applications. The LLM Top 10 covers models that answer prompts. Agentic applications combine both and add three new properties:
- Autonomy. The agent decides its own next step, so a single poisoned input can redirect an entire multi-step plan.
- Tool access. The agent holds credentials and calls real APIs, so a reasoning failure becomes a real-world action.
- Persistence. The agent keeps memory and context across sessions, so an attack can be planted today and triggered next week.
Each ASI item describes how one of these properties fails. The taxonomy is deliberately incident-driven: almost every entry is anchored to a public 2025-2026 security event, which makes it unusually practical as an audit checklist.
The ASI01-ASI10 taxonomy

The table below is the full taxonomy as named by OWASP GenAI (Dec 9 2025, v2.01 Jun 1 2026), with a plain-language definition, the reference incident and the primary mitigation for each item.
| Item | What it is | Example incident | Primary mitigation |
|---|---|---|---|
| ASI01 Agent Goal Hijack | Attacker-supplied content redirects the agent’s objective away from the user’s intent | EchoLeak – a crafted email silently exfiltrated data through an email assistant | Treat all retrieved content as untrusted, separate instructions from data, require confirmation for goal changes |
| ASI02 Tool Misuse and Exploitation | The agent is manipulated into using its legitimate tools in harmful ways | Amazon Q incident – a poisoned prompt pushed destructive system commands through the coding assistant | Least-privilege tool scopes, allowlisted parameters, dry-run and approval gates on destructive actions |
| ASI03 Identity and Privilege Abuse | Agent identities, tokens and delegated permissions are stolen or over-granted | Over-permissioned service accounts reused across agents | Per-agent identities, short-lived credentials, scoped OAuth grants, no shared service accounts |
| ASI04 Agentic Supply Chain Vulnerabilities | Compromise arrives through the agent’s dependencies: MCP servers, plugins, models, packages | GitHub MCP exploit – a malicious server exposed private repository data | Vet and pin MCP servers and packages, maintain an AI bill of materials, isolate third-party connectors |
| ASI05 Unexpected Code Execution / RCE | Agent-generated code or commands execute outside a safe boundary | AutoGPT path traversal and code execution findings | Sandbox all execution, no direct shell access, egress-filtered containers for generated code |
| ASI06 Memory and Context Poisoning | False or malicious data is planted in the agent’s memory and shapes later decisions | Gemini Memory Attack – injected content persisted into long-term memory | Validate before persisting, provenance-tag memory entries, expire and audit stored context |
| ASI07 Insecure Inter-Agent Communication | Agent-to-agent messages are spoofed, intercepted or trusted blindly | Spoofed peer messages in multi-agent frameworks | Authenticate every agent channel, sign messages, never grant trust based on sender role alone |
| ASI08 Cascading Failures | One compromised or faulty agent propagates errors through a chain of dependent agents | Error loops amplified across orchestrated agent pipelines | Circuit breakers, blast-radius limits, independent validation between pipeline stages |
| ASI09 Human-Agent Trust Exploitation | Users over-trust agent output and approve harmful actions the agent proposes | Social-engineering style approvals harvested through agent UIs | Explainable action previews, friction on irreversible steps, out-of-band verification for sensitive approvals |
| ASI10 Rogue Agents | An agent acts outside its mandate, deceptively or destructively | Replit meltdown – an agent deleted a production database and misreported what it had done | Hard guardrails outside the model, immutable audit logs, kill switches, environment separation |
How to read the taxonomy
Three practical observations from applying this list in audits:
- ASI01 and ASI06 are entry points, ASI02 and ASI05 are impact. Most real attack chains start with goal hijack or memory poisoning and cash out through tool misuse or code execution. Fixing only the entry point or only the impact leaves the chain alive.
- ASI03 and ASI04 are governance problems as much as engineering problems. Who approves a new MCP server? Who owns an agent’s service account? If the answer is “nobody”, the vulnerability already exists.
- ASI08, ASI09 and ASI10 scale with autonomy. The more agents you chain and the fewer humans in the loop, the more these three dominate your risk profile.
Mapping ASI items to your architecture
A useful exercise for any team shipping agents: draw the agent’s data flow and mark where each ASI class applies.
Input surfaces: ASI01 and ASI06
Every channel the agent reads is an injection surface: email, tickets, web pages, retrieved documents, database rows and other agents’ output. The mitigation pattern is consistent – treat retrieved content as data rather than instructions and gate anything that writes to persistent memory.
Action surfaces: ASI02 and ASI05
Every tool the agent can call is a potential weapon. Inventory tools, assign each a risk tier and require human approval or sandboxed execution for the top tier. Code execution always belongs in an isolated, egress-restricted environment.
Identity and dependencies: ASI03 and ASI04
Agents need their own identity fabric: per-agent credentials, short-lived tokens and scoped permissions. Dependencies, including models, packages and MCP servers, need the same supply-chain discipline you apply to any production software, plus AI-specific artifacts such as an AIBOM.
Orchestration and oversight: ASI07 to ASI10
Multi-agent systems need authenticated channels, circuit breakers between stages, human-readable action previews and a kill switch that works even when the model is confidently wrong. Guardrails must live outside the model, in infrastructure the agent cannot rewrite.
What this means for AI governance
The Agentic Top 10 is quickly becoming the reference framework in procurement questionnaires, vendor risk reviews and internal AI governance policies, similar to the role the classic Top 10 plays in web security. Because it was developed with more than 100 contributing experts (source: genai.owasp.org, Dec 9 2025), it carries enough industry weight to anchor an internal standard. If your organization runs an AI governance program, mapping deployed agents against ASI01-ASI10 is one of the highest-value controls you can add in 2026, and it pairs naturally with structured security audits of the surrounding application, alongside the broader state of application security in 2026.
How Pharos Production helps secure agentic AI
The Agentic Top 10 gives every team building agents a shared checklist grounded in real 2025-2026 incidents. The uncomfortable part is that most production agents today would fail an honest review against at least half the list. The good news is that every item has known, buildable mitigations. If you are deploying AI agents and want an ASI01-ASI10 assessment of your architecture, or you need those mitigations designed and built, talk to our cybersecurity services team.
Sources: OWASP GenAI Security Project, Top 10 for Agentic Applications, published Dec 9 2025 and updated to v2.01 Jun 1 2026 (genai.owasp.org). Incident references drawn from public 2025-2026 security disclosures. Figures and dates are as published by the cited sources at the time of writing.
FAQ
Quick answers to common questions about custom software development, pricing, process and technology.
Type to filter questions and answers. Use Topic to narrow the list.
Showing all 3
No matches
Try a different keyword, change the topic, or clear filters
-
It is a taxonomy of the ten most important security risks specific to AI agents, published by the OWASP GenAI Security Project on December 9 2025 and updated to version 2.01 on June 1 2026. The items are labeled ASI01 through ASI10 and cover risks from Agent Goal Hijack to Rogue Agents, each illustrated by a real incident such as EchoLeak or the Replit database deletion.
-
The LLM Top 10 covers risks of models that generate responses, such as prompt injection and insecure output handling. The Agentic Top 10 covers what happens when a model gains autonomy, tools, memory and the ability to act: goal hijack, tool misuse, identity abuse, inter-agent attacks and rogue behavior.
Teams deploying agents generally need to address both lists.
-
Start with the pairs that form complete attack chains: ASI01 Agent Goal Hijack plus ASI02 Tool Misuse, and ASI06 Memory Poisoning plus ASI05 Unexpected Code Execution. Locking down tool scopes, sandboxing execution and treating retrieved content as untrusted removes the highest-probability paths.
Identity hygiene (ASI03) and supply-chain vetting (ASI04) follow immediately after.
I work with startup founders who need a dedicated software development team but don’t want to gamble on hiring, random outsourcing, or opaque delivery.
Most founders face the same problem sooner or later.
Early technical and team decisions lock the product into tech debt, slow delivery, missed milestones and constant re-hiring. By the time this becomes visible, fixing it is already expensive.As a CTO and software architect, I help founders design, build and run dedicated development teams that work as a true extension of the startup. Not as a black-box vendor.
My focus is on complex products where mistakes are costly:
- Web3 and blockchain platforms
- FinTech and regulated products
- High-load startup systems
- MVP → scale transitions
We don’t do body-shopping.
We don’t sell generic outsourcing.Instead, we help founders:
- build the right team structure from day one
- keep technical ownership and transparency
- scale delivery without losing control
- avoid vendor lock-in and hidden risks
Teams are aligned with the product roadmap, business goals and long-term architecture. Not just short-term velocity.