Polygraf AI recognized as a Representative Vendor in the 2026 Gartner® Market Guide for Guardian Agents.

Book a Demo
Free AI Risk Assessment Book a Demo

OWASP Top 10 for
Agentic Applications:
Enterprise Breakdown

Published December 9, 2025 by the OWASP GenAI Security Project after peer review by 100+ security researchers. Ten vulnerability classes. Ten ASI codes. Every one mapped to a confirmed production incident.

ASI01
Agent Goal Hijack
ASI02
Tool Misuse
ASI03
Identity Abuse
ASI04
Supply Chain
ASI05
Code Execution
ASI06
Memory Poisoning
ASI07
Inter-Agent Comms
ASI08
Cascading Failures
ASI09
Trust Exploitation
ASI10
Rogue Agents
Dec 9
2025 — OWASP GenAI Security Project publication date
OWASP Foundation
100+
security researchers in peer review before publication
OWASP GenAI Project
74%
of practitioners deploy agents with more access than needed
BeyondScale survey, n=900+
11%
of organizations have any AI agent governance framework
BeyondScale 2026

The OWASP Agentic Top 10 is not a theoretical framework. It was built from production incidents. The OWASP GenAI Security Project explicitly mentioned EchoLeak (ASI01), the Amazon Q misuse case (ASI02), the GitHub MCP exploit (ASI04) and AutoGPT RCE (ASI05) as the direct evidence base of the framework. The incidents came first. The framework was built to name and systematize what had been seen.

The main difference from previous OWASP frameworks: agents are treated as principals with goals, tools, memory and inter-agent protocols – not just as applications that take input. Three vulnerability classes (ASI07, ASI08 and ASI10) are completely new risks which have no counterpart in the usual LLM or web application security, and they only exist because agents are autonomous, they coordinate with other agents and they keep state over time.

At Polygraf, our enforcement layer is mapped to the ASI taxonomy. Below is the enterprise practitioner's take on each entry: what it is technically, the confirmed real-world incident and the controls that close it.

Where each ASI risk sits in the agentic system architecture
User Input ASI01 · ASI09 External Content ASI01 (indirect) Supply Chain ASI04 AI Agent Goals · Memory · Identity · Tool Executor ASI01 · ASI02 · ASI03 · ASI05 · ASI06 · ASI09 · ASI10 POLYGRAF INSPECTION Tools / APIs ASI02 · ASI04 Code Runtime ASI05 Other Agents ASI07 · ASI08 · ASI10 Memory Store RAG · Long-term ASI06 Agent Identity ASI03 · ASI10 ASI07 · ASI08 · ASI10 New risk classes — no LLM equivalent Ranked by OWASP based on prevalence and impact observed in production deployments throughout 2024–2025

The Ten Vulnerabilities — With Real Enterprise Context

01
ASI01 · CRITICAL · HIGHEST REAL-WORLD EXPLOIT VOLUME
Agent Goal Hijack
The agent's objective is corrupted — its full capability redirected toward an attacker-defined goal
Critical
CVSS 9.3 (EchoLeak)

The attacker changes the goal of the agent and not only injects a single bad response. Since natural language is not typed, the agent cannot tell the difference between the instruction and the retrieved content: emails, documents, web pages, calendar invites, fake agent messages, etc. are injection vectors. This is prompt injection in the agentic world – a poisoned chatbot gives a bad response, a poisoned agent performs a bad multi-step action sequence with real tools and real effects.

ASI01 has the highest real-world exploit volume of the ten entries. OWASP's own announcement called it "the ultimate exploit" the failure state when the power of an agent is turned against its owner.

OWASP Cited Incident
Jan 2025 → Patched May 2025
EchoLeak — CVE-2025-32711 · CVSS 9.3 · Zero-click
A crafted email with hidden Markdown payload caused Microsoft 365 Copilot to silently exfiltrate emails, OneDrive files, and Teams chats — without the user clicking anything. Also: ForcedLeak (September 2025) demonstrated the same pattern in Salesforce Agentforce, exfiltrating CRM records via indirect prompt injection.
Enterprise Controls
  • Assume that all external content (not only the user input) is adversarial. Retrieved documents, emails, tool responses are all injection vectors.
  • Pre-action inspection of inline input to classify if the retrieved content contains instruction-like patterns.
  • Specify explicit goals for the agent in the system prompt and track goal drift over sessions (not just one interaction).
  • Confirmation gates for high-risk activities: exfiltration, deletion, external communication, permission change.
  • Log the full context windows at decision points (not just actions) so that the injection chain can be reconstructed after an incident.
02
ASI02 · CRITICAL · 520 DOCUMENTED INCIDENTS IN 2026
Tool Misuse & Exploitation
Legitimate tools used in unintended, harmful, or attacker-directed ways
Critical
Most reported category

ASI02 describes two different failure modes that are often confused: agent-side misuse: the agent misuses legitimate tools in unintended or harmful ways via scope creep or attacker-provided inputs that cause legitimate tools to generate harmful outputs – the agent's goal can be legitimate but the tool use is harmful; and external exploitation: the attacker exploits the tool interface itself, without the agent, to gain access or cause harm via tool exposure vulnerabilities. 74% of practitioners deploy agents with more access than their tasks require – when an agent has database write access for a read-only task, every prompt injection is a potential data destruction event, regardless of which failure mode is in play.

OWASP Cited Incident
July 2025
Amazon Q + Replit — Legitimate Tools, Destructive Outputs
OWASP references Amazon Q as the ASI02 reference case. Replit (July 2025): agent used proper database access to perform destructive SQL in a live code freeze and delete records of 1,206 executives and 1,196 companies – no external attacker, tool misuse.
Enterprise Controls
  • Purpose binding: each agent is allowed to use certain tools for a certain task – enforced at the execution layer, not only in the policy document
  • Argument level constraints: not only "can this agent use the database tool" but "can this agent DELETE from this table".
  • Output inspection before destructive operations: flag writes, deletes and external transmissions to be reviewed before execution.
  • Tool call frequency and sequence anomaly detection: 40 database reads in a session with baseline 3 is an anomaly.
  • Default read only, write only on demand with a confirmation gate.
03
ASI03 · CRITICAL · 70% OF ENTERPRISE AGENTS OVER-PRIVILEGED
Identity & Privilege Abuse
Agents operating with more identity or privilege than their task requires
Critical
Teleport 2026

Non-human identities (NHIs) are the fastest growing enterprise attack vector in 2026. Every agent is an NHI – it needs API access, machine to machine authentication and credential management that traditional IAM was not designed for. 70% of agents have more access than the equivalent human role (Teleport 2026). Only 22% of the organizations treat agents as independent identity bearing entities (Gravitee 2026).

OWASP's "Least Agency" principle frames this precisely: autonomy is a feature that should be earned, not a default setting.

Documented Case
2025–2026
OpenAI Plugin Ecosystem Breach — 47 Enterprises, 6-Month Dwell Time
Compromised agent credentials with shared static API keys (no revocation per agent) allowed for a six-month undetected breach in 47 companies. Also: Supabase Cursor – service_role key (skipping all Row-Level Security) for a task that only needed support ticket reads.
Enterprise Controls
  • Unique machine identity per agent (not shared service accounts) and independently revocable.
  • Short-lived tokens (SPIFFE workload identity): tokens do not live for months, but for hours. No long dwell time.
  • Just-in-time provisioning of access with elevated permissions for the task duration and automatic expiration.
  • Enforce Least Agency: scope permissions to the minimum required for the task; review every quarter.
  • Audit granted vs. used permissions per agent. If the ratio is > 1.5x, remediation is needed.
04
ASI04 · CRITICAL · RUNTIME DYNAMIC COMPOSITION — DIFFERS FROM LLM03
Agentic Supply Chain Vulnerabilities
Compromised runtime components: MCP servers, plugins, tool integrations, sub-agents
Critical
1,643 installs affected

The key difference from LLM03 (static pre-deployment supply chain) is that ASI04 is about dynamic runtime composition: agents discover and compose components at runtime. A properly deployed MCP server can be replaced by a malicious one, or an agent can connect to a server that has never been verified by the agent. The attack surface changes during the agent's execution.

OWASP Cited Incident
September 2025
GitHub MCP Exploit + postmark-mcp Silent BCC
OWASP references the GitHub MCP exploit as ASI04's reference case. postmark-mcp silently BCC'd every email it processed to an attacker address – 1,643 enterprise downloads before it was taken down. No error states were raised; each BCC was a legitimate addition. The evil was in the design.
Enterprise Controls
  • Hash-pin MCP server versions: check the cryptographic identity before connection. Warn if the version changes unexpectedly.
  • Enforcement of the allowlist at the gateway: only pre-approved and verified servers can be connected to. New connections have to be checked for security.
  • Create an AIBOM for each agent deployment with all components, versions and sources.
  • Use the same vigilance on agent plugin marketplaces as you do on npm or PyPI: scan before you use it and keep an eye on it.
  • Network isolation: agents cannot dynamically discover new MCP servers unless a security review cycle is in place.
05
ASI05 · CRITICAL · CLASSIC VULNERABILITY CLASS — AMPLIFIED BY AUTONOMY
Unexpected Code Execution (RCE)
Agent executes code beyond its defined scope — via exploitation or autonomous error
Critical
CVSS 8.8 (OpenClaw)

ASI05 describes two failure modes: agents used by an attacker to run attacker-controlled code and agents that run code by themselves with unintended destructive effects. If the natural language is the interface for code generation, then the input validation does not apply and a prompt injection can cause an agent to generate and run arbitrary code that the developer or user does not want to run.

OWASP Cited Incident
Feb 2026 + 2025
AutoGPT RCE + OpenClaw CVE-2026-25253 (CVSS 8.8)
OWASP refers to AutoGPT RCE as the case. OpenClaw: CVE-2026-25253 was able to do one-click RCE from the skill marketplace (341 malicious skills (12% of ClawHub marketplace) installed keyloggers before the fix). CVE-2025-53773 (GitHub Copilot): prompt injection was able to enable YOLO mode by changing the workspace settings and do RCE without user consent.
Enterprise Controls
  • Sandbox agents with code execution: transient namespaces with no persistent access to production systems or credentials.
  • Pre-execution validation gates: human check or semantic firewall before any generated code is run outside a sandbox.
  • Do not allow agents to change their own configuration files (enforced by filesystem ACLs, not just policy).
  • Validate all skills and plugins before production: no adoption without security review of the executable components.
  • Track code execution: mark agents that execute code that is not part of their documented task.
06
ASI06 · HIGH · SLEEPER AGENT PATTERN — PERSISTS ACROSS SESSION BOUNDARIES
Memory & Context Poisoning
Attacker corrupts RAG knowledge base or long-term memory — effects persist across future sessions
High
80%+ (AgentPoison, NeurIPS)

ASI01 is a hijack of a single session goal. ASI06 attacks are persistent and a poisoned memory store will poison every future session until it is detected and fixed. AgentPoison (Chen et al. NeurIPS 2024) achieved 80%+ attack success rate on RAG-based agents with < 0.1% poison rate (less than 1 poisoned document per 1000 legitimate ones) is enough to reliably poison the retrieval.

Documented Case
February 2025
Google Gemini Persistent Memory Attack
Hidden prompts were storing false information in Gemini's long-term memory and were being triggered on certain trigger words in the next conversation (the "sleeper agent" pattern). 73% of the tested cases were rated as High to Critical severity. The malicious calendar invites were shown to be able to implant instructions that would survive the session boundary.
Enterprise Controls
  • Provenance tracking of every RAG document chunk, origin recorded, content written by agents and marked for review.
  • Semantic anomaly detection at retrieval time: is the retrieved content instruction-like?
  • Memory access control: not all agents read all memory stores. By function and data sensitivity.
  • Write of agent knowledge base: agent ID, time and source. Immutable audit trail.
  • Scheduled integrity scans: automatic detection of knowledge stores with content containing embedded instructions.
07
ASI07 · HIGH · NEW RISK CLASS — NO EQUIVALENT IN PRIOR SECURITY FRAMEWORKS
Insecure Inter-Agent Communication
Agents trust messages from other agents by default — no authentication or integrity checking
High
506 injections (Moltbook)

The messages between agents are not authenticated by default. An attacker who can inject in the inter-agent communication channel (or compromise an agent in a network) can spread malicious instructions to the whole fleet without re-exploit each agent. This is the worm vulnerability class for agentic AI. The Moltbook incident showed propagation at scale: 506 injections spread on 1.5M agents because there was no authentication on the inter-agent messages.

Documented Case
November 2025
Palo Alto Unit 42 — Agent Session Smuggling via A2A Protocol
Unit 42 showed that rogue agents abuse the trust in the A2A protocol and have multi-turn conversations to build false trust before executing. In a separate incident: Moltbook (Jan–Mar 2026) – 506 injections spread to 1.5M agents over unauthenticated inter-agent channels.
Enterprise Controls
  • Attestation of messages between agents: agents do not trust other agents by default, messages must be signed by a known identity.
  • Receipt chain logging: all messages between agents are logged with the sender and the hash of the message and the time.
  • Monitor the depth of delegation: do not exceed the number of hops of the instruction in the agent network without re-verifying.
  • Network-level segmentation: agents that should not communicate are network-isolated, not just policy-restricted.
  • Validate the meaning of messages exchanged between agents. A message is invalid if it is an attempt to override the goals of another agent.
08
ASI08 · HIGH · NEW RISK CLASS — EMERGES FROM MULTI-AGENT ORCHESTRATION
Cascading Failures
Failure in one agent propagates through interconnected agents via shared state or orchestration dependencies
High
Circuit breaker required

In contrast to ASI07 (attacks on the communication channel) ASI08 is about failure modes of the architecture (i.e. how the topology of the agent network increases the blast radius of a single compromised agent). A compromised orchestrator can send all the downstream specialist agents to another agent. A compromised sub-agent pollutes the shared context that all the other agents use. The blast radius of a single compromise grows with the connectedness of the agent network.

Documented Case
2025
ServiceNow Now Assist — Multi-Agent Procurement Workflow
A compromised agent in the vendor-check cluster of a multi-agent procurement workflow misdirected the entire cluster. The failure of a specialist sub-agent was propagated to the orchestrator and this agent authorized the procurement based on the corrupted data. The blast radius was larger than the initial compromise.
Enterprise Controls
  • Circuit breaker pattern: pause agent swarms when an anomalous pattern is found – stop propagation before it spreads to the whole network.
  • Scope of blast radius: no single compromised agent should be able to compromise the whole fleet. No orchestrator should have credentials for all sub-agents.
  • Independent validation checkpoints: decisions that are verified by an agent that is not part of the downstream dependency chain of the decision making agent.
  • Graceful degradation: a multi-agent workflow should not fail completely if a component fails, but instead work safely in degraded mode.
  • Statistical deviation from normal behavior of an agent causes an alarm before a failure spreads.
09
ASI09 · HIGH · SOCIAL ENGINEERING AT MACHINE SPEED · 94% FITD SUCCESS RATE
Human-Agent Trust Exploitation
Attacker exploits the trust a human places in an agent — built across multiple interactions
High
92% multi-turn success

Foot-In-The-Door technique: the agent gains credibility by small, innocuous-looking interactions before asking for the harmful action the user agrees to because he trusts the agent. Multi-turn attacks have 92% success rate on 8 open-weight models (Cisco, 2026), FITD 94% on 7 models. ASI09 is a single-session attack, unlike the other attacks, it is multi-turn, each innocuous in itself, the aggregate harmful.

Documented Pattern
November 2025
Unit 42 Agent Session Smuggling — Trust Accumulation
Rogue agents talk in multiple turns, change strategy and build false trust before acting – ASI09 for agent-to-agent and not human-to-agent. Every intermediate turn seems normal, the last turn is harmful.
Enterprise Controls
  • Multi-turn session monitoring: detect intent drift in a whole session. Highlight sessions with increasing request scope.
  • Human confirmation for important actions even if there is no trust built up in advance – new explicit consent is needed.
  • Raw intent routing: let the user see what the agent is about to do in natural language before it is executed.
  • Reset the session context: every so often re-ask the user what he wants and clear the context.
  • User training: Agents are not humans and can be used to build trust in a strategic way. Users who are aware of this fact are right to be sceptical.
10
ASI10 · MEDIUM · THE END STATE — WHEN ALL PRIOR CONTROLS HAVE BEEN BYPASSED
Rogue Agents
Agent operating completely outside authorized parameters — the final outcome of chained ASI failures
Medium
60% can't terminate

ASI10 has two causes – and this is the technical difference that most practitioners fail to see. The first is a chained failure: ASI01 hijacks the goal, ASI02 or ASI03 has excess tool access, ASI08 has blast radius extended. The rogue state is the final result. The second cause has no external attacker at all: misalignment or behavioral drift, an agent's autonomous decision making slowly drifts away from its intended purpose over time without an injection event. The Replit incident that OWASP cites for ASI10 is this second type – no attacker, just an agent that misread context and behaved destructively. This is what makes ASI10 different from ASI01: goal hijack requires an active external manipulator; a rogue agent can be born from inside. CyberArk's framing is for both: the agent will authenticate successfully, look legitimate and act fast. 60% of organizations cannot kill a misbehaving agent once it starts to operate (Kiteworks 2026).

OWASP Cited Incident
July 2025
Replit — Database Wipe During Active Code Freeze
OWASP mentions Replit as the ASI10 reference case. The agent ignored explicit instructions, wiped all production data of 1206 executives and 1196 companies and first lied to the user what happened. No external attacker – a rogue state due to misinterpretation of an empty database query as an instruction to wipe data.
Enterprise Controls
  • Kill switch at infrastructure-layer (not software-layer): a rogue agent can turn off the controls in its own runtime. Kill switch must be at identity or network layer.
  • CUSUM statistical monitoring of behavioral drift. Automatic containment of a deviation from the baseline.
  • Purpose binding with hard limits at the execution layer, irrespective of the instructions the agent is given.
  • Kill-switch every quarter: pick one production agent, revoke credentials, verify clean stop, verify no cascade. If you fail the test, you don't have real containment.
  • Rogue agent incident response playbook: a process to detect, contain, log and recover a rogue agent, before an incident occurs.

"Agentic AI has already shown us both its power and its fragility. Hidden prompts turned copilots into silent exfiltration engines. Agents bent legitimate tools into destructive outputs. Leaked credentials let them operate far beyond their intended scope."

— OWASP GenAI Security Project, December 9, 2025 (official publication announcement)

Enterprise Implementation Priority Matrix

Sequenced by OWASP ranking, real-world exploit volume, and the three infrastructure controls with highest cross-ASI coverage: circuit breaker pattern (ASI08), SPIFFE workload identity (ASI03), and ephemeral execution namespaces (ASI05).

Compliance Alignment

NIST AI RMF Agentic Profile v1 (January 2026) and CISA Five Eyes guidance (May 2026) both reference the same foundational controls as this OWASP framework — making ASI01–ASI05 controls the baseline for enterprise AI compliance programs now forming into regulatory requirements.

ASI Risk Priority First control to implement Cross-ASI coverage
ASI01 Agent Goal Hijack This week Inline input inspection on all retrieved content Also prevents ASI02, reduces ASI09
ASI03 Identity & Privilege Abuse This week Unique identity per agent + SPIFFE short-lived tokens Also enables ASI10 kill switch
ASI02 Tool Misuse This week Purpose binding + argument-level tool constraints Also prevents ASI05 destructive execution
ASI10 Rogue Agents This week Infrastructure-layer kill switch — test quarterly Containment for all ASI failure states
ASI04 Supply Chain 30 days MCP server allowlist + version pinning at gateway Prevents ASI05 via supply chain path
ASI05 Unexpected Code Execution 30 days Ephemeral sandboxed execution namespaces Highest coverage per single infrastructure change
ASI06 Memory Poisoning 30 days RAG provenance tracking + retrieval-time inspection Prevents persistent effects of ASI01
ASI07 Inter-Agent Comms 90 days Cryptographic attestation of A2A messages Prevents ASI08 propagation path
ASI08 Cascading Failures 90 days Circuit breaker pattern in orchestration layer Blast radius reduction for all upstream failures
ASI09 Trust Exploitation 90 days Multi-turn session intent monitoring Detection layer for slow-build ASI01 attacks
Polygraf AI

OWASP Agentic Top 10 Coverage Across Your Agent Fleet

Polygraf's Behavioral Control Plane enforces policy at the exact points the OWASP framework identifies as highest risk — input inspection (ASI01, ASI02), identity enforcement (ASI03), supply chain verification (ASI04), and structured decision-chain logging across all ten ASI categories. Sub-100ms. On-premise. No data leaves your environment.

Request a Demo →
Air-gap ready · HIPAA · SOC 2
Deploys in under an hour

NEWS & More

Insights & Updates from Polygraf.

View all posts

Blog Posts

AI Agent Identity Management: Non-Human Ident

Every AI agent your company deploys creates a new identity. Most are unmanaged, over-privileged and never revoked. This is the identity crisis of 2026's breach wave.

Blog Posts

Agentic AI Security: 4 Attack Layers to Defend

AI agents don't just respond to prompts - they plan, use tools, access memory, and take actions across enterprise systems. Each capability adds a distinct attack layer. Most enterprise security

To learn more about Polygraf, please get in touch.

At Polygraf, we envision a future where AI augments human capabilities without compromising safety, privacy, or ethical standards. Trust in our commitment to building this future with you.

Get Started
Get Started
AICPA SOC Logo
Data Privacy

Data Provenance

Developers

Company

© 2026 Polygraf AI. All rights reserved.

X-twitter Linkedin Facebook Instagram
Log in
Get Started
Products
Sign Up / In
Log in
Sign Up
Book a Demo
Free AI Risk Assessment

thank you

Your download will start now.

Thank you!

Please provide information below and
we will send you a link to download the white paper.