What is the OWASP Agentic AI Top 10 (ASI01–ASI10)?
What the OWASP Agentic AI Top 10 is
The OWASP Top 10 for Agentic Applications (2026) is the first peer-reviewed, prioritized risk list for autonomous, tool-using, multi-agent LLM systems — agents that plan, call tools, hold memory, delegate to sub-agents, and act with minimal human input. It was published Dec 9, 2025 by the OWASP GenAI Security Project's Agentic Security Initiative (ASI), the same project that maintains the OWASP Top 10 for LLM Applications. It uses an ASI01–ASI10:2026 risk-ID scheme, grounds each entry in real CVE/incident examples, and was developed over roughly a year with 100+ security researchers and vendors.
- Why it differs from the LLM Top 10: the LLM Top 10 treats the model as a text-in/text-out component. Agentic risk comes from what the model is *allowed to do* — take actions, chain tools, persist memory across sessions, hold an identity, and coordinate with other agents. A one-shot prompt injection becomes a multi-step autonomous campaign; a hallucination becomes a downstream action; poisoned memory persists silently across sessions.
- The new attack surface is autonomy, not just generation: planning, tool/function-calling, persistent memory, dynamic identity/privilege, and agent-to-agent communication are surfaces the LLM Top 10 never had to model.
- Authoritative review: OWASP credits an ASI Expert Review Board including representatives from NIST, the European Commission, and the Alan Turing Institute — the basis for the "first peer-reviewed" claim.
The prioritized ASI01–ASI10:2026 list
Each entry below gives a one-line description and the single most important mitigation.
- ASI01 — Agent Goal Hijack. Attackers bend an agent's objective or decision pathway (usually via indirect/poisoned external data) so injected goals drive multi-step autonomous action. Top mitigation: enforce strict separation between trusted system/goal definitions and untrusted user/tool content, and apply prompt-injection defenses to every input. *(The Dec 9 2025 OWASP release prose also refers to this as "Agent Behavior Hijacking"; both denote the same ASI01 entry.)*
- ASI02 — Tool Misuse and Exploitation. An agent is manipulated into invoking its legitimately-authorized tools/APIs in unintended or destructive ways. Top mitigation: apply least privilege/least agency per tool and validate tool names and arguments against expected schemas before execution.
- ASI03 — Agent Identity & Privilege Abuse. Agents act without distinct, governed identities while managing permissions dynamically, creating attribution gaps and privilege-escalation paths. Top mitigation: issue short-lived, task-scoped tokens bound to a verified per-agent identity, with continuous (not session-start-only) authorization checks.
- ASI04 — Agentic Supply Chain Compromise. Agents compose capabilities at runtime — loading tools, skills, models, or data (including MCP servers and skill marketplaces) from third parties that may be compromised. Top mitigation: pin and verify dependencies to immutable hashes with provenance tracking, and validate upstream trust before a component is loaded.
- ASI05 — Unexpected Code Execution (RCE). An agent's ability to generate and run code is steered into executing attacker-controlled commands. Top mitigation: treat all agent-generated code as untrusted — separate generation from validation and execution, and run only in a restricted, non-root sandbox with allowlists.
- ASI06 — Memory & Context Poisoning. Attackers corrupt long-term agent memory or RAG/vector data, permanently skewing later decisions across sessions. Top mitigation: validate and sanitize every write before it enters memory, and tag entries with provenance + trust so low-trust sources are rejected from durable memory.
- ASI07 — Insecure Inter-Agent Communication. Messages between agents (or with the orchestrator) are open to interception, spoofing, tampering, or replay when not authenticated/encrypted. Top mitigation: mutually authenticate and encrypt all inter-agent channels, and sign/integrity-hash messages with replay protection (nonces, task-scoped session IDs).
- ASI08 — Cascading Agent Failures. A single fault or error in one agent propagates across the network into a system-wide failure. Top mitigation: add validation and consensus/cross-checking gates so one agent's output is verified before it becomes another's input, plus circuit-breakers to contain blast radius.
- ASI09 — Human-Agent Trust Exploitation. Agents exploit anthropomorphism and authority bias to push humans into security-compromising decisions (approving fraud, clicking phishing links, sharing secrets). Top mitigation: require independent, multi-step verification for risky actions and calibrate user trust with risk cues, provenance, and clear statements of agent limitations.
- ASI10 — Rogue Agents. Agents deviate from intended function via misalignment, reward-hacking, or collusion and act as insider threats. Top mitigation: continuously compare agent actions against baseline behavior profiles with anomaly detection, and keep fast containment ready (kill switches, credential revocation, quarantine).
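As an added illustration of the ASI02 mitigation above (example code written for this page, not part of the OWASP document or AgentReady), the gate below checks a proposed tool call against a per-agent allowlist and a per-tool argument schema before anything is dispatched; the tool names, agents, and workspace root are hypothetical.

```python
# Added example: pre-execution gate for agent tool calls (ASI02 least agency).
# Tool registry, agent names and workspace root are hypothetical.
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ToolSpec:
    params: dict            # required argument name -> expected Python type
    root: str | None = None # optional filesystem scope for a "path" argument


# Each tool declares exactly the arguments it accepts, nothing more.
TOOLS = {
    "read_file": ToolSpec({"path": str}, root="/srv/agent/workspace"),
    "send_email": ToolSpec({"to": str, "subject": str, "body": str}),
}

# Least agency: an agent may call only the tools its task needs.
ALLOWLIST = {
    "summarizer": {"read_file"},
    "notifier": {"send_email"},
}


def validate_call(agent: str, tool: str, args: dict) -> tuple[bool, str]:
    """Return (ok, reason); the dispatcher executes the tool only when ok is True."""
    if tool not in TOOLS:
        return False, f"unknown tool {tool!r}"
    if tool not in ALLOWLIST.get(agent, set()):
        return False, f"agent {agent!r} is not permitted to call {tool!r}"
    spec = TOOLS[tool]
    # Reject missing and unexpected arguments alike: extra keys are a common
    # way an injected instruction smuggles options the tool was never given.
    if set(args) != set(spec.params):
        return False, f"argument set {sorted(args)} != expected {sorted(spec.params)}"
    for name, expected_type in spec.params.items():
        if not isinstance(args[name], expected_type):
            return False, f"argument {name!r} must be {expected_type.__name__}"
    if spec.root is not None:
        # Normalise without touching the filesystem, then require containment
        # in the workspace root; absolute and '..' paths both land outside it.
        full = posixpath.normpath(posixpath.join(spec.root, args["path"]))
        if full != spec.root and not full.startswith(spec.root + "/"):
            return False, f"path {args['path']!r} escapes {spec.root}"
    return True, "ok"
```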
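The ASI07 mitigation (integrity-protected inter-agent messages with replay protection) as an added example, again not code from the OWASP document or AgentReady: an orchestrator HMAC-signs each message under a task-scoped session ID with a fresh nonce, and the receiving agent rejects bad signatures, messages from other sessions, and replays. The shared key and payloads are constructed for illustration; a deployment would derive per-task keys from the agent identity system rather than a static secret.

```python
# Added example: signed inter-agent messages with session binding and a
# nonce cache (ASI07). Key, session IDs and message bodies are constructed.
import hashlib
import hmac
import json
import secrets


def canonical(msg: dict) -> bytes:
    # Deterministic serialisation so sender and receiver MAC identical bytes.
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign_message(key: bytes, session_id: str, sender: str, body: dict) -> dict:
    """Orchestrator side: wrap a body with session, sender, nonce and HMAC."""
    msg = {"session": session_id, "from": sender,
           "nonce": secrets.token_hex(16), "body": body}
    msg["mac"] = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return msg


class Receiver:
    """Worker-agent side: verifies each inbound message before acting on it."""

    def __init__(self, key: bytes, session_id: str):
        self.key = key
        self.session_id = session_id   # the task this agent was spawned for
        self.seen_nonces: set[str] = set()

    def verify(self, msg: dict) -> tuple[bool, str]:
        mac = msg.get("mac")
        unsigned = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, canonical(unsigned), hashlib.sha256).hexdigest()
        # Constant-time compare; covers tampering with any field and spoofing
        # by a party that does not hold the key.
        if not mac or not hmac.compare_digest(mac, expected):
            return False, "bad signature"
        # A validly signed message from a different task must not steer this one.
        if unsigned.get("session") != self.session_id:
            return False, "wrong session"
        nonce = unsigned.get("nonce")
        if not nonce or nonce in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(nonce)
        return True, "ok"
```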
It builds on the fuller T1–T15 Threats & Mitigations taxonomy
The ASI01–ASI10 list is the prioritized, board-reviewed distillation of a deeper reference: "Agentic AI – Threats and Mitigations" v1.0 (Feb 2025), which catalogs 15 threats (T1–T15) across agentic concern areas — agent design/reasoning, memory, planning & autonomy, tool use, identity, multi-agent coordination, and human interaction.
- T1–T15 in brief: T1 Memory Poisoning, T2 Tool Misuse, T3 Privilege Compromise, T4 Resource Overload, T5 Cascading Hallucination Attacks, T6 Intent Breaking & Goal Manipulation, T7 Misaligned & Deceptive Behaviors, T8 Repudiation & Untraceability, T9 Identity Spoofing & Impersonation, T10 Overwhelming Human-in-the-Loop, T11 Unexpected RCE & Code Attacks, T12 Agent Communication Poisoning, T13 Rogue Agents, T14 Human Attacks on Multi-Agent Systems, T15 Human Manipulation.
- How they relate: T1–T15 is the exhaustive taxonomy and mitigation catalog; ASI01–ASI10 is the field-prioritized "what to fix first" view. Use the Top 10 to triage, then drill into the matching T-entries for the full mitigation depth.
Mapping to the OWASP LLM Top 10 — net-new vs amplification
The taxonomy explicitly classifies each underlying threat as either net-new to agentic AI (11 of 15) or an agentic amplification of an existing LLM Top 10 entry (4 of 15: T3, T4, T9, T11).
- The 4 amplifications (existing LLM risks made worse by autonomy):
- ASI02 / T2 Tool Misuse → LLM06 Excessive Agency — scoped to the tool/function-calling surface.
- ASI05 / T11 Unexpected RCE → LLM05 Improper Output Handling — unsafe handling of model output escalated to arbitrary execution.
- ASI08 / T4 Resource Overload → LLM10 Unbounded Consumption — recursive/looping plans exhaust compute, quota, and budget.
- ASI03 / T9 Identity & Privilege → LLM-Top-10 authentication/agency — excessive permissions and identity weaknesses at agentic scale.
- Agentic realizations of LLM01 Prompt Injection: ASI01 / T6 Goal Manipulation applies injection to the agent's goals and plans rather than a single output.
- Net-new agentic risks with no direct LLM-Top-10 ancestor:
- ASI06 / T1 Memory Poisoning (durable, cross-session memory — related to LLM04 Poisoning and LLM08 Vector/Embedding Weaknesses).
- ASI07 / T12 Insecure Inter-Agent Communication (multi-agent messaging).
- ASI10 / T13 Rogue Agents, plus T14 Human Attacks on Multi-Agent Systems (multi-agent coordination).
- T8 Repudiation & Untraceability (agentic accountability/audit).
- ASI09 / T15 Human Manipulation and T10 Overwhelming Human-in-the-Loop (the human-oversight control itself becomes the attack surface).
- T5 Cascading Hallucinations / ASI08 Cascading Agent Failures (error/fault propagation through the agent chain — an amplification *dynamic* unique to multi-step pipelines).
- Bottom line: about a quarter of agentic risk is "LLM risk, but worse"; the majority — memory persistence, agent identity, inter-agent trust, multi-agent coordination, and weaponized human oversight — is genuinely new and invisible to the LLM Top 10.
How AgentReady helps
AgentReady operationalizes this list so you don't have to map it by hand. The /check readiness assessment now scores agentic risk directly against ASI01–ASI10, and /toolkit generates an agentic risk register — a per-risk, mitigation-tracked artifact you can hand to engineering and compliance.
Source: OWASP GenAI Security Project — Agentic Security Initiative
This AI-generated answer is for guidance only — not a certification, audit, or penetration test. Grounded in the NIST AI RMF, OWASP LLM Top 10, and ISO/IEC 42001 control text; verify applicability to your environment.