OWASP Agentic AI Threats and Mitigations

Source: OWASP GenAI Security Project — Agentic AI: Threats and Mitigations (v1.1, December 2025). Local copy: .raw/papers/owasp-agentic-ai-threats-mitigations-v1.1.pdf (md5 c6615bfe74f00ec60b019332a8814a82).

Key Claim

Agentic AI introduces a bounded set of seventeen threats — some entirely new, some agentic variations of existing LLM risks — that can be mapped onto a reference agent architecture and resolved into six defensive playbooks of proactive, reactive, and detective controls.1

Methodology

The document is a threat-model-based reference, not a control standard. It is the first guide from the OWASP Agentic Security Initiative (ASI), the same working group behind the ASI Top 10.1 The method:

  • Defines agent capabilities (planning/reasoning, memory/statefulness, action/tool use) and a single-agent plus multi-agent reference architecture used as the canvas for threat placement.
  • Catalogs threats as a 17-row reference threat model (T1–T17), then re-organizes them through an “Agentic Threats Taxonomy Navigator” — a six-step decision tree keyed to agent properties (reasoning, memory, tools, authentication, human dependency, multi-agent).2
  • Pairs each threat group with worked attack scenarios and maps the seventeen threats onto six mitigation playbooks.
  • States it does not follow one methodology (STRIDE, PASTA, MAESTRO); it notes the layered MAESTRO extension to STRIDE as the agentic option practitioners may adopt.3
  • Draws explicitly on prior work from NIST, CSA, academic research, and vendor efforts such as Precize.4

The document defers general (non-agentic) LLM threats to the existing OWASP guides and cross-references each agentic threat to the relevant LLM Top 10 2025 entry (e.g. LLM01 Prompt Injection, LLM03 Supply Chain, LLM06 Excessive Agency, LLM08 Vector and Embedding Weaknesses).5

Reference Threat Model (T1–T17)

The T-code taxonomy is the catalog the published ASI Top 10 cross-maps each ASI category to (ASI Appendix; see the 2026-Q2 standards review).1

TIDThreatCore risk
T1Memory PoisoningCorrupting short- or long-term memory to alter decisions; see Memory Poisoning
T2Tool MisuseDeceiving an agent into abusing authorized tools, incl. Agent Hijacking; see Tool-Abuse Chains
T3Privilege CompromiseExploiting permission management, dynamic role inheritance, or misconfiguration
T4Resource OverloadExhausting compute, memory, or service quotas to degrade or fail the system
T5Cascading Hallucination AttacksPlausible-but-false output propagating through memory, tools, or multi-agent loops
T6Intent Breaking and Goal ManipulationSubverting planning, reasoning, and self-evaluation to redirect objectives
T7Misaligned and Deceptive BehaviorsAgent evades safety constraints via deceptive reasoning to reach a goal
T8Repudiation and UntraceabilityActions cannot be traced or attributed due to insufficient logging
T9Identity Spoofing and ImpersonationImpersonating agents, users, or services; theft of persistent agent identity
T10Overwhelming Human-in-the-LoopInducing decision fatigue or compromising the oversight interface; see HITL
T11Unexpected RCE and Code AttacksAbusing agent code-execution environments to run unauthorized code
T12Agent Communication PoisoningManipulating inter-agent channels to spread false information
T13Rogue Agents in Multi-Agent SystemsCompromised agents operating outside monitoring boundaries; “infectious backdoors”
T14Human Attacks on Multi-Agent SystemsExploiting inter-agent delegation and trust to escalate privileges
T15Human ManipulationExploiting user trust in the agent to drive harmful human actions
T16Insecure Inter-Agent Protocol AbuseFlaws in MCP / A2A — consent bypass, context hijacking; see MCP Security
T17Supply Chain CompromiseTampered models, libraries, tools, or build environments enter the agent

6

T16 and T17 are present in the T-code reference model and the per-threat navigator but are absent from the page-16 “Detailed Threat Model” diagram, which enumerates T1–T15. The two are added in the taxonomy navigator and the example threat models.

Taxonomy Navigator (decision tree)

StepQuestionThreat group
1Does the agent independently determine its steps?Agency/reasoning: T6, T7, T8
2Does the agent rely on stored memory?Memory-based: T1, T5
3Does the agent execute via tools / commands / integrations?Tool, execution, supply chain: T2, T3, T4, T11, T16, T17
4Does the system rely on authentication?Authentication/spoofing: T9
5Does the agent require human engagement?Human-related: T10, T15
6Does the system rely on multiple interacting agents?Multi-agent: T12, T14, T13

2

Mitigation Playbooks

Six playbooks group the controls; each carries proactive (prevention), reactive (response), and detective (monitoring) steps.7

#PlaybookThreats covered
1Preventing AI Agent Reasoning ManipulationT6, T8, T7
2Preventing Memory Poisoning and AI Knowledge CorruptionT1, T5
3Securing AI Tool Execution and Preventing Unauthorized Actions Across Supply ChainsT2, T3, T11, T4, T16, T17
4Strengthening Authentication, Identity and Privilege ControlsT3, T9, T16
5Protecting HITL and Preventing Decision-Fatigue ExploitsT10, T15
6Securing Multi-Agent Communication and Trust MechanismsT12, T14, T13

Recurring control primitives across playbooks: memory content validation and session isolation; least-privilege / RBAC-ABAC and just-in-time tool access; execution sandboxing with per-call reset; cryptographic and immutable logging; mutual authentication and short-lived credentials for agent identities; signed agent cards, prompt templates, and model definitions with verifiable SBOMs (AI SBOM / AIBOM / Agent SBOM); and message authentication for inter-agent channels.7

Notable Findings

  • The guide is the source of the T1–T17 codes that the published ASI Top 10 cross-maps to. The two documents are companions: the ASI Top 10 is the ranked awareness list, this guide is the underlying threat-and-mitigation reference.
  • It is the first OWASP document to name Insecure Inter-Agent Protocol Abuse (T16) against MCP and A2A — consent-flow manipulation, MCP response injection, and tool-description exploitation — as a distinct threat. See MCP Security.
  • It anchors Non-Human Identity risk explicitly: agents operate under NHIs (machine accounts, service identities, agent API keys) that lack session-based oversight, raising privilege-misuse and token-abuse risk.8 See Non-Human Identity.
  • It cites named real-world incidents as scenario anchors: the Amazon Q for VS Code destructive-prompt supply-chain incident (v1.84.0) and the Replit autonomous-agent database-deletion incident.9
  • It treats Misaligned and Deceptive Behaviors (T7) as distinct from hallucination — emergent from advanced reasoning, not random error — and cites Anthropic and OpenAI work on the area.10
  • Four example threat models work the T-codes through concrete settings: Enterprise Co-Pilots, Agentic IoT smart-home cameras, and agent-driven RPA in an expense-reimbursement workflow.11

Strengths and Weaknesses

Strengths:

  • Architecture-anchored: every threat is placed on a reference diagram, which supports threat-modeling conversations with consistent language.
  • The decision-tree navigator gives a repeatable path from agent properties to applicable threats — usable by builders, not only security specialists.
  • Playbooks separate proactive/reactive/detective steps, which maps cleanly onto control-catalog and detection-engineering work.

Weaknesses:

  • Awareness-and-guidance document, not a compliance standard: no shall-level requirements, no audit or evidence criteria, no maturity tiers. The same enforceability limit applies as to the ASI Top 10.
  • Internal numbering is inconsistent: the page-16 diagram shows T1–T15 while the navigator and example models use T1–T17.
  • Mitigations are control candidates rather than testable baselines; several (“probabilistic truth-checking”, “AI-driven behavioral profiling”) are stated without implementation detail.
  • The Gartner “33% of enterprise software by 2028 / 15% of day-to-day decisions” figure is cited as an adoption claim without a primary link in the document.12

Relations

Footnotes

  1. OWASP GenAI Security Project, Agentic AI – Threats and Mitigations, v1.1, December 2025 — Introduction (p. 3) and Agentic AI Threat Model (pp. 12–15). .raw/papers/owasp-agentic-ai-threats-mitigations-v1.1.pdf. 2 3

  2. Same source, “Agentic Threats Taxonomy Navigator” (pp. 21–32), six-step decision path. 2

  3. Same source, “Threat modeling approach” (p. 12): MAESTRO described as a layered STRIDE extension for agentic threats; the document declines to adopt a single methodology.

  4. Same source, taxonomy provenance note (p. 19): “Our taxonomy draws from a wide range of prior work including work from NIST, CSA, academic research, industry work, and taxonomies developed by vendor-led efforts, such as Precize.”

  5. Same source, per-threat LLM Top 10 cross-references throughout the navigator (pp. 21–32).

  6. Same source, “Detailed Threat Model” table (pp. 16–19) for T1–T15; T16 and T17 added on pp. 18–19.

  7. Same source, “Mitigation Strategies” — playbook/threat mapping overview (pp. 34–35) and Playbooks 1–6 (pp. 35–42). 2

  8. Same source, Reference Threat Model — Non-Human Identities discussion (p. 14).

  9. Same source, Supply Chain Attacks scenarios (pp. 28–29): Amazon Q for VS Code v1.84.0 destructive prompt and the Replit vibe-coding database-deletion incident.

  10. Same source, T7 Misaligned & Deceptive Behaviors (p. 17), citing published Anthropic and OpenAI work.

  11. Same source, “Example Threat Models” (pp. 43–49): Enterprise Co-Pilots, Agentic IoT smart-home cameras, agent-driven RPA expense reimbursement.

  12. Same source, AI Agents section (p. 4): Gartner forecast that by 2028 33% of enterprise software applications will use agentic AI, enabling 15% of day-to-day work decisions to be made autonomously — cited without a primary-source link.