Singapore MGF for Agentic AI vs OWASP Top 10 for Agentic Applications

Both of these address agentic AI, but they are not the same kind of thing — and treating them as competitors misreads both. The Singapore IMDA Model AI Governance Framework for Agentic AI is a governance framework: four dimensions of best practice that span the agent lifecycle, from assessing risk upfront to enabling responsible end-users. The OWASP Top 10 for Agentic Applications is a security-risk taxonomy: a ranked list of the ten most significant security risks specific to agentic applications.

One tells you how to govern agentic AI. The other tells you which threats to defend against. They are most useful together — OWASP as the security-risk vocabulary, the MGF as the governance layer that puts ownership, oversight, and evidence around those risks. This page sets them side by side and maps each OWASP risk to the MGF dimension that governs it.

Quick decision

  • Standing up agentic-AI governance from scratch → start with the MGF for Agentic AI. Its four dimensions give you the operating model — responsibility allocation, oversight design, technical controls, and end-user duties — into which a threat taxonomy plugs.
  • Scoping red-teaming, runtime monitoring, or a security review of an agent → start with the OWASP Top 10 for Agentic Applications. The ten ASI categories are the concrete threat checklist behind the MGF's technical-controls dimension.
  • Running a real agentic programme → use both. The MGF assigns the owner, the oversight model, and the evidence trail; OWASP names the threats those controls have to withstand.
  • Subject to a binding regime (for example the EU AI Act) → treat both as practice and evidence sources, not as the legal obligation. Compliance is determined by the regulation.

TL;DR

  • The MGF for Agentic AI is a governance framework — IMDA voluntary best-practice guidance, four dimensions, organisation- and application-level, lifecycle-spanning.
  • The OWASP Top 10 for Agentic Applications is a security-risk taxonomy — an OWASP Foundation community standard, ten ASI risk categories, threat-focused.
  • They are complementary, not competing: OWASP is the what to defend against; the MGF is the how to govern it. Most ASI risks are mitigated by the MGF's "bound by design" (Dimension 1) and "technical controls" (Dimension 3) work, with identity, supply-chain, human-trust, and multi-agent risks also drawing on Dimensions 2 and 4.
  • In Modulos both coexist: the MGF as the MFF-17 / OFF-17 templates, the OWASP taxonomy as named requirements with linked evidence; a single piece of evidence can support both.

Primary source

IMDA Model AI Governance Framework for Agentic AI, v1.5 (published 20 May 2026; updated 5 June 2026) · OWASP Top 10 for Agentic Applications (2026). Both are voluntary; neither creates legal obligations of its own.

At a glance

| Dimension | MGF for Agentic AI | OWASP Top 10 for Agentic Applications |
| --- | --- | --- |
| Type | Governance framework | Security-risk taxonomy |
| Publisher | IMDA (Infocomm Media Development Authority), Singapore | OWASP Foundation |
| Version | v1.5 (May 2026) | 2026 edition |
| What it is | Four dimensions of best practice across the agent lifecycle | Ten ranked security-risk categories (ASI01–ASI10) for agentic apps |
| Primary question | How do we govern agentic AI responsibly? | What are the top security threats to an agentic application? |
| Status | Voluntary best-practice guidance | Voluntary community security standard |
| Scope | Organisation and per-application, all actors in the value chain | The agentic application's security attack surface |
| Best for | The operating model — ownership, oversight, controls, end-user duties | Threat modelling, red-team scoping, runtime monitoring |

How the two relate

The cleanest way to see the relationship is to picture the OWASP taxonomy inside the MGF's third dimension. The MGF's four dimensions are an operating model:

  1. Assess and bound the risks upfront — decide whether an agent is suitable, then bound its authority by design.
  2. Make humans meaningfully accountable — allocate responsibility across the value chain and design real human oversight.
  3. Implement technical controls and processes — build, test, deploy, and monitor the agent safely.
  4. Enable end-user responsibility — disclose the agent's behaviour and equip the people who use it.

The OWASP Top 10 for Agentic Applications is the threat catalogue that Dimension 3 has to defend against, and that Dimension 1 has to bound in advance. Where OWASP says "here is a risk," the MGF says "here is who owns it, how it is overseen, and what evidence proves it is managed." Run on their own, each leaves a gap the other fills: OWASP without the MGF has no owner or oversight model; the MGF without OWASP leaves the technical-controls dimension without a concrete threat list.

Crosswalk: OWASP agentic risks to MGF dimensions

Each OWASP agentic risk is governed by one or more MGF dimensions. The mapping below is a starting point, not an exhaustive control matrix; the MGF dimension pages carry the detailed practices and the Modulos requirement and control codes.

| OWASP risk | What it is | MGF dimension(s) that govern it |
| --- | --- | --- |
| ASI01 Agent Goal Hijack | Adversary redirects the agent's plan or objective | Dimension 1 (bound by design: caps on autonomous loops, plan-validation checkpoints, approval gates on irreversible actions) + Dimension 3 (planning-layer controls) |
| ASI02 Tool Misuse | Agent invokes tools outside their authorised use | Dimension 1 (least-privilege, deny-by-default tool access) + Dimension 3 (tool-layer controls and the tool-invocation policy gate) |
| ASI03 Identity & Privilege Abuse | Agent identity or permissions are reused or escalated | Dimension 1 (agent identity and authorisation; the central agent catalogue) + Dimension 2 (separation-of-duties allocation) |
| ASI04 Agentic Supply Chain Vulnerabilities | Third-party tools, frameworks, or agent components carry exposure | Dimension 2 (assess third-party agent components; value-chain responsibility) |
| ASI05 Unexpected Code Execution | Agent or sandbox boundary fails and arbitrary code runs | Dimension 1 (bound the action-space) + Dimension 3 (isolation, blast-radius limits, technical controls) |
| ASI06 Memory & Context Poisoning | Persistent memory or context is shaped to mislead later steps | Dimension 3 (controls on the memory component — provenance, tenancy separation, forgetting windows) |
| ASI07 Insecure Inter-Agent Communication | Messages between agents are spoofed, replayed, or unauthenticated | Dimension 3 (protocol-layer controls) + the MGF's multi-agent governance |
| ASI08 Cascading Failures | A fault in one agent fans out across the system | Dimension 3 (multi-agent testing, blast-radius caps, continuous monitoring) + multi-agent governance |
| ASI09 Human-Agent Trust Exploitation | Humans over-trust agent outputs into harmful actions | Dimension 2 (meaningful oversight, automation-bias mitigation) + Dimension 4 (disclosure of the agent's range of actions and limits) |
| ASI10 Rogue Agents | An agent operates outside policy by failure, drift, or compromise | Dimension 1 (emergency revocation) + Dimension 2 (oversight) + Dimension 3 (per-agent telemetry, anomaly detection, continuous monitoring) |

Two patterns stand out. First, bounding by design (Dimension 1) and technical controls (Dimension 3) carry most of the agentic security load — they govern eight of the ten risks between them. Second, the multi-agent risks (ASI07, ASI08) and the human-facing risks (ASI09) are exactly where the MGF reaches beyond a pure security taxonomy into multi-agent governance, oversight design, and end-user disclosure.

When to use which

  • Use the OWASP Top 10 for Agentic Applications when the question is security. It is the right vocabulary for threat modelling, for scoping a red-team engagement, and for naming what runtime monitoring should detect.
  • Use the MGF for Agentic AI when the question is governance. It is the right structure for deciding whether an agent should exist at all, for allocating accountability, for designing human oversight, and for setting end-user expectations.
  • Use both for a production agentic programme. Let OWASP scope the security tests inside the MGF's technical-controls dimension, and let the MGF carry the ownership, oversight, and evidence around the whole lifecycle.

What this looks like in Modulos

Modulos lets the two coexist on the same projects rather than forcing a choice:

  • The MGF for Agentic AI is modelled as two framework templates — MFF-17 (application) and OFF-17 (organisation) — carrying the governance: agent suitability and risk classification, bounding authority, oversight design, technical controls, testing, multi-agent governance, disclosure, and the organisation-level responsibility allocation and central agent catalogue. See Operationalizing the MGF in Modulos.
  • The OWASP Top 10 for Agentic Applications lands as named requirements with linked evidence and supporting evaluations — the security-test vocabulary that the MGF's technical-controls dimension exercises. See OWASP Top 10 for Agentic Applications in Modulos.
  • Evidence recorded once supports both. An agent's tool inventory, its identity and delegation model, or a red-team result can be linked to an OWASP ASI requirement and to the MFF-17 requirement that governs the same surface — single-source evidence, multi-framework links.

This is the same pattern Modulos uses across overlapping frameworks: the security taxonomy supplies the threat vocabulary, the governance framework supplies the operating model, and one evidence base serves both.

Source attribution

This comparison draws on the IMDA Model AI Governance Framework for Agentic AI, v1.5 (published 20 May 2026; updated 5 June 2026), published by the Infocomm Media Development Authority of Singapore, and the OWASP Top 10 for Agentic Applications (2026), published by the OWASP Foundation. The ASI category names and descriptions are summarised from the OWASP Top 10 for Agentic Applications guide; the four dimensions are summarised from the MGF for Agentic AI guide.

Disclaimer

This page is for general informational purposes and does not constitute legal advice. Both the MGF for Agentic AI and the OWASP Top 10 for Agentic Applications are voluntary; neither creates legal obligations of its own. Where a binding regime applies, compliance is determined by that regime and these frameworks serve as practice and evidence sources. For binding interpretation in your jurisdiction, consult the authoritative source documents and qualified counsel.