OWASP Top 10 for Agentic Applications (2026)

The OWASP Top 10 for Agentic Applications is a practical security taxonomy for agentic AI applications: systems that plan, act, and use tools across multi-step workflows (including multi-agent orchestration).

Related framework

Most agentic systems are also LLM apps. For the LLM-focused taxonomy, see OWASP Top 10 for LLM Applications (2025).

Key facts

Type

Security risk taxonomy

Scope

Agentic AI applications

Focus

Autonomy, tool use, delegation

Version

2026 (ASI)

Best for

Security and engineering teams

Authoritative resources

• OWASP GenAI: Top 10 for Agentic Applications 2026 (resource page)
• OWASP GenAI: Agentic Security Guide
• Announcement: OWASP Top 10 for Agentic Applications

Why agentic security matters in governance

Agentic systems expand the attack surface because outputs can turn into actions:

• tool calls and side effects (data access, execution, external actions)
• delegation chains and inherited privileges
• memory that persists across sessions
• inter-agent messaging and discovery
• cascading failures with fast fan-out

Go deeper:

• Top risks
• Mitigations and testing

Agentic app attack surface (quick map)

Agentic app attack surface (where risks show up)

Inputs and goal settingprompts, retrieved content, tool outputs, messages

ASI01 Agent Goal Hijack

ASI09 Human-Agent Trust Exploitation

Planning and orchestrationmulti-step plans, task graphs, sub-agents

ASI08 Cascading Failures

ASI10 Rogue Agents

Tools and actionsfunction calling, plugins, automation, permissions

ASI02 Tool Misuse and Exploitation

ASI05 Unexpected Code Execution

Identity and delegationagent identities, scopes, delegation chains

ASI03 Identity and Privilege Abuse

ASI09 Human-Agent Trust Exploitation

Supply chain and registriestools, prompts, agent cards, MCP servers, artifacts

ASI04 Agentic Supply Chain Vulnerabilities

Memory and contextRAG, embeddings, long-term memory, summaries

ASI06 Memory & Context Poisoning

Inter-agent communicationcoordination protocols, discovery, messaging

ASI07 Insecure Inter-Agent Communication

How Modulos operationalizes OWASP work

In Modulos, OWASP becomes executable governance:

• represent OWASP categories as requirements and mapped controls
• link evidence (design docs, red-team results, incident records)
• run tests and store results as governance signals

Frameworks

EU AI ActRegulatory

ISO 42001Standard

Requirements

Art. 9.1Risk management

Art. 10.2Data governance

6.1.1Risk assessment

Controls

Risk assessment processReusable

Data validation checksReusable

Components

Risk identification

Impact analysis

Evidence

Risk registerDocument

Test resultsArtifact

Requirements preserve the source structure

Controls are reusable across frameworks

Evidence attaches to components (sub-claims)

Related platform areas:

• Testing
• Evidence
• Human in the loop

Getting started

Top risks

A practical overview of ASI01–ASI10

Mitigations and testing

Turn OWASP into controls, evidence, and tests in Modulos

Testing

Turn evaluations into governance signals

Disclaimer

This page is for general informational purposes and does not constitute legal advice or security advice.