OWASP Agentic AI Threats and Mitigations
Source: OWASP GenAI Security Project — Agentic AI: Threats and Mitigations (v1.1, December 2025). Local copy: .raw/papers/owasp-agentic-ai-threats-mitigations-v1.1.pdf (md5 c6615bfe74f00ec60b019332a8814a82).
Key Claim
Agentic AI introduces a bounded set of seventeen threats — some entirely new, some agentic variations of existing LLM risks — that can be mapped onto a reference agent architecture and resolved into six defensive playbooks of proactive, reactive, and detective controls.1
Methodology
The document is a threat-model-based reference, not a control standard. It is the first guide from the OWASP Agentic Security Initiative (ASI), the same working group behind the ASI Top 10.1 The method:
- Defines agent capabilities (planning/reasoning, memory/statefulness, action/tool use) and a single-agent plus multi-agent reference architecture used as the canvas for threat placement.
- Catalogs threats as a 17-row reference threat model (T1–T17), then re-organizes them through an “Agentic Threats Taxonomy Navigator” — a six-step decision tree keyed to agent properties (reasoning, memory, tools, authentication, human dependency, multi-agent).2
- Pairs each threat group with worked attack scenarios and maps the seventeen threats onto six mitigation playbooks.
- States it does not follow one methodology (STRIDE, PASTA, MAESTRO); it notes the layered MAESTRO extension to STRIDE as the agentic option practitioners may adopt.3
- Draws explicitly on prior work from NIST, CSA, academic research, and vendor efforts such as Precize.4
The document defers general (non-agentic) LLM threats to the existing OWASP guides and cross-references each agentic threat to the relevant LLM Top 10 2025 entry (e.g. LLM01 Prompt Injection, LLM03 Supply Chain, LLM06 Excessive Agency, LLM08 Vector and Embedding Weaknesses).5
Reference Threat Model (T1–T17)
The T-code taxonomy is the catalog the published ASI Top 10 cross-maps each ASI category to (ASI Appendix; see the 2026-Q2 standards review).1
| TID | Threat | Core risk |
|---|---|---|
| T1 | Memory Poisoning | Corrupting short- or long-term memory to alter decisions; see Memory Poisoning |
| T2 | Tool Misuse | Deceiving an agent into abusing authorized tools, incl. Agent Hijacking; see Tool-Abuse Chains |
| T3 | Privilege Compromise | Exploiting permission management, dynamic role inheritance, or misconfiguration |
| T4 | Resource Overload | Exhausting compute, memory, or service quotas to degrade or fail the system |
| T5 | Cascading Hallucination Attacks | Plausible-but-false output propagating through memory, tools, or multi-agent loops |
| T6 | Intent Breaking and Goal Manipulation | Subverting planning, reasoning, and self-evaluation to redirect objectives |
| T7 | Misaligned and Deceptive Behaviors | Agent evades safety constraints via deceptive reasoning to reach a goal |
| T8 | Repudiation and Untraceability | Actions cannot be traced or attributed due to insufficient logging |
| T9 | Identity Spoofing and Impersonation | Impersonating agents, users, or services; theft of persistent agent identity |
| T10 | Overwhelming Human-in-the-Loop | Inducing decision fatigue or compromising the oversight interface; see HITL |
| T11 | Unexpected RCE and Code Attacks | Abusing agent code-execution environments to run unauthorized code |
| T12 | Agent Communication Poisoning | Manipulating inter-agent channels to spread false information |
| T13 | Rogue Agents in Multi-Agent Systems | Compromised agents operating outside monitoring boundaries; “infectious backdoors” |
| T14 | Human Attacks on Multi-Agent Systems | Exploiting inter-agent delegation and trust to escalate privileges |
| T15 | Human Manipulation | Exploiting user trust in the agent to drive harmful human actions |
| T16 | Insecure Inter-Agent Protocol Abuse | Flaws in MCP / A2A — consent bypass, context hijacking; see MCP Security |
| T17 | Supply Chain Compromise | Tampered models, libraries, tools, or build environments enter the agent |
T16 and T17 are present in the T-code reference model and the per-threat navigator but are absent from the page-16 “Detailed Threat Model” diagram, which enumerates T1–T15. The two are added in the taxonomy navigator and the example threat models.
Taxonomy Navigator (decision tree)
| Step | Question | Threat group |
|---|---|---|
| 1 | Does the agent independently determine its steps? | Agency/reasoning: T6, T7, T8 |
| 2 | Does the agent rely on stored memory? | Memory-based: T1, T5 |
| 3 | Does the agent execute via tools / commands / integrations? | Tool, execution, supply chain: T2, T3, T4, T11, T16, T17 |
| 4 | Does the system rely on authentication? | Authentication/spoofing: T9 |
| 5 | Does the agent require human engagement? | Human-related: T10, T15 |
| 6 | Does the system rely on multiple interacting agents? | Multi-agent: T12, T14, T13 |
Mitigation Playbooks
Six playbooks group the controls; each carries proactive (prevention), reactive (response), and detective (monitoring) steps.7
| # | Playbook | Threats covered |
|---|---|---|
| 1 | Preventing AI Agent Reasoning Manipulation | T6, T8, T7 |
| 2 | Preventing Memory Poisoning and AI Knowledge Corruption | T1, T5 |
| 3 | Securing AI Tool Execution and Preventing Unauthorized Actions Across Supply Chains | T2, T3, T11, T4, T16, T17 |
| 4 | Strengthening Authentication, Identity and Privilege Controls | T3, T9, T16 |
| 5 | Protecting HITL and Preventing Decision-Fatigue Exploits | T10, T15 |
| 6 | Securing Multi-Agent Communication and Trust Mechanisms | T12, T14, T13 |
Recurring control primitives across playbooks: memory content validation and session isolation; least-privilege / RBAC-ABAC and just-in-time tool access; execution sandboxing with per-call reset; cryptographic and immutable logging; mutual authentication and short-lived credentials for agent identities; signed agent cards, prompt templates, and model definitions with verifiable SBOMs (AI SBOM / AIBOM / Agent SBOM); and message authentication for inter-agent channels.7
Notable Findings
- The guide is the source of the T1–T17 codes that the published ASI Top 10 cross-maps to. The two documents are companions: the ASI Top 10 is the ranked awareness list, this guide is the underlying threat-and-mitigation reference.
- It is the first OWASP document to name Insecure Inter-Agent Protocol Abuse (T16) against MCP and A2A — consent-flow manipulation, MCP response injection, and tool-description exploitation — as a distinct threat. See MCP Security.
- It anchors Non-Human Identity risk explicitly: agents operate under NHIs (machine accounts, service identities, agent API keys) that lack session-based oversight, raising privilege-misuse and token-abuse risk.8 See Non-Human Identity.
- It cites named real-world incidents as scenario anchors: the Amazon Q for VS Code destructive-prompt supply-chain incident (v1.84.0) and the Replit autonomous-agent database-deletion incident.9
- It treats Misaligned and Deceptive Behaviors (T7) as distinct from hallucination — emergent from advanced reasoning, not random error — and cites Anthropic and OpenAI work on the area.10
- Four example threat models work the T-codes through concrete settings: Enterprise Co-Pilots, Agentic IoT smart-home cameras, and agent-driven RPA in an expense-reimbursement workflow.11
Strengths and Weaknesses
Strengths:
- Architecture-anchored: every threat is placed on a reference diagram, which supports threat-modeling conversations with consistent language.
- The decision-tree navigator gives a repeatable path from agent properties to applicable threats — usable by builders, not only security specialists.
- Playbooks separate proactive/reactive/detective steps, which maps cleanly onto control-catalog and detection-engineering work.
Weaknesses:
- Awareness-and-guidance document, not a compliance standard: no
shall-level requirements, no audit or evidence criteria, no maturity tiers. The same enforceability limit applies as to the ASI Top 10. - Internal numbering is inconsistent: the page-16 diagram shows T1–T15 while the navigator and example models use T1–T17.
- Mitigations are control candidates rather than testable baselines; several (“probabilistic truth-checking”, “AI-driven behavioral profiling”) are stated without implementation detail.
- The Gartner “33% of enterprise software by 2028 / 15% of day-to-day decisions” figure is cited as an adoption claim without a primary link in the document.12
Relations
- Companion to the ASI Top 10: this guide supplies the T1–T17 codes the ranked list maps each ASI category to.
- Supports Memory Poisoning (T1), Tool-Abuse Chains (T2), and MCP Security (T16) with worked scenarios and playbook controls.
- Reinforces Least Agency — the playbooks’ least-privilege, JIT-tool-access, and scoped-memory controls are the operational form of the principle the ASI Top 10 names.
- Uses but does not adopt CSA MAESTRO; the T-codes are the reference catalog of the threat-modeling spine and the row source for the Threat Taxonomy Reconciliation matrix (each T-code mapped to its ASI category, RA plane, and CMM domain).
- Scored and reconciled in AIVSS standards review (2026-Q2), which already treats the T-codes as the ASI cross-map target.
- Sibling deliverable from the same ASI working group: State of Agentic AI Security and Governance v2, which applies this threat taxonomy to a governance maturity model and a documented 2025–2026 incident base.
- Referenced as a “see also” companion throughout the OWASP ASI to AIUC-1 crosswalk, whose ASI threat descriptions cite this guide for deeper technical context.
Footnotes
-
OWASP GenAI Security Project, Agentic AI – Threats and Mitigations, v1.1, December 2025 — Introduction (p. 3) and Agentic AI Threat Model (pp. 12–15).
.raw/papers/owasp-agentic-ai-threats-mitigations-v1.1.pdf. ↩ ↩2 ↩3 -
Same source, “Threat modeling approach” (p. 12): MAESTRO described as a layered STRIDE extension for agentic threats; the document declines to adopt a single methodology. ↩
-
Same source, taxonomy provenance note (p. 19): “Our taxonomy draws from a wide range of prior work including work from NIST, CSA, academic research, industry work, and taxonomies developed by vendor-led efforts, such as Precize.” ↩
-
Same source, per-threat LLM Top 10 cross-references throughout the navigator (pp. 21–32). ↩
-
Same source, “Detailed Threat Model” table (pp. 16–19) for T1–T15; T16 and T17 added on pp. 18–19. ↩
-
Same source, “Mitigation Strategies” — playbook/threat mapping overview (pp. 34–35) and Playbooks 1–6 (pp. 35–42). ↩ ↩2
-
Same source, Reference Threat Model — Non-Human Identities discussion (p. 14). ↩
-
Same source, Supply Chain Attacks scenarios (pp. 28–29): Amazon Q for VS Code v1.84.0 destructive prompt and the Replit vibe-coding database-deletion incident. ↩
-
Same source, T7 Misaligned & Deceptive Behaviors (p. 17), citing published Anthropic and OpenAI work. ↩
-
Same source, “Example Threat Models” (pp. 43–49): Enterprise Co-Pilots, Agentic IoT smart-home cameras, agent-driven RPA expense reimbursement. ↩
-
Same source, AI Agents section (p. 4): Gartner forecast that by 2028 33% of enterprise software applications will use agentic AI, enabling 15% of day-to-day work decisions to be made autonomously — cited without a primary-source link. ↩