OWASP Top 10 for Agentic Applications (ASI Top 10)

The OWASP Top 10 for Agentic Applications (ASI Top 10) is the definitive agentic risk taxonomy as of Q1 2026, published December 9, 2025 at the Agentic AI Security Summit in London. Developed by 100+ industry experts, it covers ten risk categories specific to AI agents that act autonomously, use tools, maintain memory, and communicate with other agents.

This is the single most important new taxonomy introduced in the agentic AI security space in 2025-2026, and has been rapidly adopted across the industry.

The Ten ASI Categories

Titles below are the published 2026 edition, verified against the primary PDF in the 2026-Q2 standards review. An earlier wiki revision carried two labels from a pre-release draft (ASI05 as “Sensitive Data Disclosure”, ASI09 as “Missing Guardrails”); neither is a category in the published list.

IDCategoryDescription
ASI01Agent Goal HijackAdversary redirects agent objectives, planning, or multi-step behavior through prompt injection, deceptive tool output, forged agent messages, or poisoned external data
ASI02Tool Misuse and ExploitationAgent applies legitimate tools unsafely — exfiltration, output manipulation, or workflow hijacking via chaining or ambiguous instruction, within its authorized privileges
ASI03Identity and Privilege AbuseAgent escalates access by manipulating delegation chains, role inheritance, or cached context, exploiting the gap between user-centric identity and agentic design
ASI04Agentic Supply Chain VulnerabilitiesMalicious or tampered models, plugins, datasets, MCP/A2A interfaces, or registries enter a runtime-composed “live supply chain”
ASI05Unexpected Code Execution (RCE)Agent-generated or agent-executed code escalates into RCE, sandbox escape, or host/container compromise
ASI06Memory & Context PoisoningAdversary corrupts stored or retrievable context (summaries, embeddings, RAG stores) to bias future reasoning, planning, or tool use
ASI07Insecure Inter-Agent CommunicationAgent-to-agent channels lack authentication, integrity, confidentiality, or authorization, enabling interception, spoofing, replay, or downgrade
ASI08Cascading FailuresA single fault propagates and amplifies across autonomous agents into system-wide harm, bypassing stepwise human checks
ASI09Human-Agent Trust ExploitationAnthropomorphism, automation bias, and persuasive explainability are exploited to steer human decisions or extract information
ASI10Rogue AgentsCompromised or misaligned agents deviate from authorized scope, acting harmfully, deceptively, or parasitically once behavioral drift begins

Three categories (ASI07, ASI08, ASI10) represent entirely new risk classes not covered by the LLM Top 10. Each category in the primary document carries a “Prevention and Mitigation Guidelines” list; the standards review maps those mitigations to the CMM domains.

Key Design Concept: “Least Agency”

The ASI Top 10 introduces the “Least Agency” principle — agents should be granted only the minimum autonomy, tool access, and memory scope required for their task. Conceptually strong but lacks implementation guidance on how organizations classify agents into risk tiers and enforce autonomy governance.

Adoption (Q1 2026)

The ASI Top 10 has achieved the fastest industry adoption of any OWASP list:

  • Microsoft published a detailed ASI Top 10 mapping (March 30) with practical mitigations in Copilot Studio; Microsoft AI Red Team members served on the Expert Review Board
  • Palo Alto Networks adopted the taxonomy
  • Auth0 integrated it into guidance
  • Gravitee adopted it

The 2026 document itself cross-maps each category to the OWASP Agentic AI Threats and Mitigations guide (T1–T17), the LLM Top 10 2025 (Appendix A), and the NHI Top 10 2025 (Appendix C). It does not contain a MITRE ATLAS mapping — any ASI↔ATLAS crosswalk is ATLAS-side or community work, not part of the OWASP publication (verified in the 2026-Q2 review).

A separate May 2026 OWASP publication maps the ten ASI categories bidirectionally to the AIUC-1 certification requirements. The wiki summary is at the OWASP ASI to AIUC-1 crosswalk, which records eight AIUC-1 coverage gaps against the ASI prevention guidelines (inter-agent auth, agent identity attestation, cascading-failure containment, tool-call observability, runtime monitoring, and others).

Strengths

  • The only framework achieving full coverage across all ten agentic risk categories
  • Directly addresses risk classes (ASI07–ASI10) completely absent from all prior frameworks
  • 100+ expert development process lends credibility
  • Per-category mappings to the T-code threat taxonomy, LLM Top 10, NHI Top 10, and AIVSS support threat-intelligence integration
  • Fastest industry adoption trajectory of any OWASP list

Gaps and Shortcomings

  • Awareness framework, not compliance standard — no certification mechanisms, audit procedures, or evidence criteria
  • Risk descriptions, not testable control baselines
  • Platform-level vs. prompt-level enforcement distinction not explicitly articulated (the MCP guide implicitly addresses it)
  • “Least Agency” principle introduced without implementation guidance
  • No AI incident response playbooks or IoCs
  • AIVSS v0.8 needed to score ASI vulnerabilities quantitatively — integration still maturing

Cross-Framework Coverage

All six major frameworks measured against ASI Top 10 reveal universal coverage failures. Only OWASP ASI itself achieves full coverage. See AI Security Standards in Q1 2026: Agentic Threats Outpace Frameworks for the full comparison matrix.

See Also

Sources