OWASP Top 10 for Agentic Applications (ASI Top 10)
The OWASP Top 10 for Agentic Applications (ASI Top 10) is the definitive agentic risk taxonomy as of Q1 2026, published December 9, 2025 at the Agentic AI Security Summit in London. Developed by 100+ industry experts, it covers ten risk categories specific to AI agents that act autonomously, use tools, maintain memory, and communicate with other agents.
This is the single most important new taxonomy introduced in the agentic AI security space in 2025-2026, and has been rapidly adopted across the industry.
The Ten ASI Categories
Titles below are the published 2026 edition, verified against the primary PDF in the 2026-Q2 standards review. An earlier wiki revision carried two labels from a pre-release draft (ASI05 as “Sensitive Data Disclosure”, ASI09 as “Missing Guardrails”); neither is a category in the published list.
| ID | Category | Description |
|---|---|---|
| ASI01 | Agent Goal Hijack | Adversary redirects agent objectives, planning, or multi-step behavior through prompt injection, deceptive tool output, forged agent messages, or poisoned external data |
| ASI02 | Tool Misuse and Exploitation | Agent applies legitimate tools unsafely — exfiltration, output manipulation, or workflow hijacking via chaining or ambiguous instruction, within its authorized privileges |
| ASI03 | Identity and Privilege Abuse | Agent escalates access by manipulating delegation chains, role inheritance, or cached context, exploiting the gap between user-centric identity and agentic design |
| ASI04 | Agentic Supply Chain Vulnerabilities | Malicious or tampered models, plugins, datasets, MCP/A2A interfaces, or registries enter a runtime-composed “live supply chain” |
| ASI05 | Unexpected Code Execution (RCE) | Agent-generated or agent-executed code escalates into RCE, sandbox escape, or host/container compromise |
| ASI06 | Memory & Context Poisoning | Adversary corrupts stored or retrievable context (summaries, embeddings, RAG stores) to bias future reasoning, planning, or tool use |
| ASI07 | Insecure Inter-Agent Communication | Agent-to-agent channels lack authentication, integrity, confidentiality, or authorization, enabling interception, spoofing, replay, or downgrade |
| ASI08 | Cascading Failures | A single fault propagates and amplifies across autonomous agents into system-wide harm, bypassing stepwise human checks |
| ASI09 | Human-Agent Trust Exploitation | Anthropomorphism, automation bias, and persuasive explainability are exploited to steer human decisions or extract information |
| ASI10 | Rogue Agents | Compromised or misaligned agents deviate from authorized scope, acting harmfully, deceptively, or parasitically once behavioral drift begins |
Three categories (ASI07, ASI08, ASI10) represent entirely new risk classes not covered by the LLM Top 10. Each category in the primary document carries a “Prevention and Mitigation Guidelines” list; the standards review maps those mitigations to the CMM domains.
Key Design Concept: “Least Agency”
The ASI Top 10 introduces the “Least Agency” principle — agents should be granted only the minimum autonomy, tool access, and memory scope required for their task. Conceptually strong but lacks implementation guidance on how organizations classify agents into risk tiers and enforce autonomy governance.
Adoption (Q1 2026)
The ASI Top 10 has achieved the fastest industry adoption of any OWASP list:
- Microsoft published a detailed ASI Top 10 mapping (March 30) with practical mitigations in Copilot Studio; Microsoft AI Red Team members served on the Expert Review Board
- Palo Alto Networks adopted the taxonomy
- Auth0 integrated it into guidance
- Gravitee adopted it
The 2026 document itself cross-maps each category to the OWASP Agentic AI Threats and Mitigations guide (T1–T17), the LLM Top 10 2025 (Appendix A), and the NHI Top 10 2025 (Appendix C). It does not contain a MITRE ATLAS mapping — any ASI↔ATLAS crosswalk is ATLAS-side or community work, not part of the OWASP publication (verified in the 2026-Q2 review).
A separate May 2026 OWASP publication maps the ten ASI categories bidirectionally to the AIUC-1 certification requirements. The wiki summary is at the OWASP ASI to AIUC-1 crosswalk, which records eight AIUC-1 coverage gaps against the ASI prevention guidelines (inter-agent auth, agent identity attestation, cascading-failure containment, tool-call observability, runtime monitoring, and others).
Strengths
- The only framework achieving full coverage across all ten agentic risk categories
- Directly addresses risk classes (ASI07–ASI10) completely absent from all prior frameworks
- 100+ expert development process lends credibility
- Per-category mappings to the T-code threat taxonomy, LLM Top 10, NHI Top 10, and AIVSS support threat-intelligence integration
- Fastest industry adoption trajectory of any OWASP list
Gaps and Shortcomings
- Awareness framework, not compliance standard — no certification mechanisms, audit procedures, or evidence criteria
- Risk descriptions, not testable control baselines
- Platform-level vs. prompt-level enforcement distinction not explicitly articulated (the MCP guide implicitly addresses it)
- “Least Agency” principle introduced without implementation guidance
- No AI incident response playbooks or IoCs
- AIVSS v0.8 needed to score ASI vulnerabilities quantitatively — integration still maturing
Cross-Framework Coverage
All six major frameworks measured against ASI Top 10 reveal universal coverage failures. Only OWASP ASI itself achieves full coverage. See AI Security Standards in Q1 2026: Agentic Threats Outpace Frameworks for the full comparison matrix.
See Also
- OWASP (publisher)
- OWASP Agentic AI Threats and Mitigations — companion ASI guide; source of the T1–T17 codes the ASI categories cross-map to
- OWASP Top 10 for LLM Applications — the LLM predecessor; ASI Top 10 handles what LLM Top 10 cannot
- OWASP AI Vulnerability Scoring System (AIVSS) — scoring system for ASI vulnerabilities
- OWASP ASI to AIUC-1 Crosswalk — bidirectional map to AIUC-1 certification requirements
- AIUC-1 AI Agent Certification Standard — the certification side of that crosswalk
- MITRE ATLAS — adversary technique cross-reference
- Microsoft Responsible AI Standard (RAI) — most comprehensive ASI Top 10 implementer (700+ controls, Copilot Studio mapping)
- Threat Modeling for AI — the spine that uses ASI as its naming taxonomy; Threat Taxonomy Reconciliation cross-walks ASI01–ASI10 to the T-codes, ATLAS, MAESTRO, the five threat classes, and the RA/CMM controls