Enterprise Security in the Agentic AI Era

OWASP Top 10 for Agentic Applications (ASI Top 10)

3 min read

OWASP Top 10 for Agentic Applications (ASI Top 10)

The OWASP Top 10 for Agentic Applications (ASI Top 10) is the definitive agentic risk taxonomy as of Q1 2026, published December 9, 2025 at the Agentic AI Security Summit in London. Developed by 100+ industry experts, it covers ten risk categories specific to AI agents that act autonomously, use tools, maintain memory, and communicate with other agents.

This is the single most important new taxonomy introduced in the agentic AI security space in 2025-2026, and has been rapidly adopted across the industry.

The Ten ASI Categories

IDCategoryDescription
ASI01Agent Goal HijackAdversary redirects agent objectives through prompt injection, indirect injection, or manipulated context
ASI02Tool MisuseAgent invoked tools in unauthorized, unintended, or harmful ways
ASI03Identity & Privilege EscalationAgent assumes unauthorized identity or escalates privileges beyond intended scope
ASI04Supply Chain CompromiseMalicious models, plugins, skills, or tool integrations introduced into agent ecosystems
ASI05Sensitive Data DisclosureAgent leaks confidential information through memory, tool output, or inter-agent communication
ASI06Memory PoisoningAdversary corrupts agent long-term memory to persist malicious instructions across sessions
ASI07Insecure Inter-Agent CommunicationAgent-to-agent communication lacks authentication, confidentiality, or integrity controls
ASI08Cascading FailuresErrors or compromises in one agent propagate to dependent agents, causing multi-system impact
ASI09Missing GuardrailsAgent operates without adequate behavioral constraints, scope limits, or human oversight
ASI10Rogue AgentsAgent acts autonomously beyond intended authorization or escapes intended operational boundaries

Three categories (ASI07, ASI08, ASI10) represent entirely new risk classes not covered by the LLM Top 10.

Key Design Concept: “Least Agency”

The ASI Top 10 introduces the “Least Agency” principle — agents should be granted only the minimum autonomy, tool access, and memory scope required for their task. Conceptually strong but lacks implementation guidance on how organizations classify agents into risk tiers and enforce autonomy governance.

Adoption (Q1 2026)

The ASI Top 10 has achieved the fastest industry adoption of any OWASP list:

  • Microsoft published a detailed ASI Top 10 mapping (March 30) with practical mitigations in Copilot Studio; Microsoft AI Red Team members served on the Expert Review Board
  • Palo Alto Networks adopted the taxonomy
  • Auth0 integrated it into guidance
  • Gravitee adopted it
  • MITRE ATLAS cross-mapping now covers all 10 categories

Strengths

  • The only framework achieving full coverage across all ten agentic risk categories
  • Directly addresses risk classes (ASI07–ASI10) completely absent from all prior frameworks
  • 100+ expert development process lends credibility
  • ATT&CK-cross-mapping to MITRE ATLAS enables threat intelligence integration
  • Fastest industry adoption trajectory of any OWASP list

Gaps and Shortcomings

  • Awareness framework, not compliance standard — no certification mechanisms, audit procedures, or evidence criteria
  • Risk descriptions, not testable control baselines
  • Platform-level vs. prompt-level enforcement distinction not explicitly articulated (the MCP guide implicitly addresses it)
  • “Least Agency” principle introduced without implementation guidance
  • No AI incident response playbooks or IoCs
  • AIVSS v0.8 needed to score ASI vulnerabilities quantitatively — integration still maturing

Cross-Framework Coverage

All six major frameworks measured against ASI Top 10 reveal universal coverage failures. Only OWASP ASI itself achieves full coverage. See AI Security Standards in Q1 2026: Agentic Threats Outpace Frameworks for the full comparison matrix.

See Also

Graph View

Backlinks