Top risks
This page summarizes OWASP ASI01–ASI10 and frames each risk as governance work: what to prevent, what to monitor, and what evidence to keep.
OWASP ASI01–ASI10 at a glance
| ID | Risk | What it usually looks like |
|---|---|---|
| ASI01 | Agent Goal Hijack | Inputs redirect planning into harmful multi-step actions |
| ASI02 | Tool Misuse and Exploitation | Unsafe tool calls cause exfiltration, destruction, or runaway cost |
| ASI03 | Identity and Privilege Abuse | Delegation chains / confused deputy lead to unauthorized actions |
| ASI04 | Agentic Supply Chain Vulnerabilities | Dynamic tools/agents/prompts/artifacts are tampered or poisoned |
| ASI05 | Unexpected Code Execution (RCE) | Untrusted output becomes executable behavior (shell/code/template) |
| ASI06 | Memory & Context Poisoning | Persistent context biases future actions or leaks across sessions |
| ASI07 | Insecure Inter-Agent Communication | Spoofing, replay, or MITM changes agent intent and decisions |
| ASI08 | Cascading Failures | Small faults fan out into system-wide harm or outages |
| ASI09 | Human-Agent Trust Exploitation | Persuasion/authority bias tricks users into approving harm |
| ASI10 | Rogue Agents | Malicious/compromised agents persist, collude, or self-propagate |
Source: OWASP Top 10 for Agentic Applications 2026.
How to use this taxonomy
Treat this list as:
- a consistent vocabulary for agentic risks and controls
- a basis for targeted testing and monitoring
- a way to make evidence auditable and reusable
Go deeper: Mitigations and testing.
ASI01: Agent Goal Hijack
What it is: attacker-controlled inputs (prompts, retrieved content, tool outputs, or messages) redirect an agent’s goals or plan, causing harmful multi-step actions.
Baseline controls:
- lock and version goal/prompt configuration; review changes like code/config
- validate intent for goal changes; require approvals for high-impact goal shifts
- log plan deltas and tool-call sequences; alert on unexpected goal changes
Tests and signals:
- goal-hijack and indirect injection regression suites (web/RAG/message channels)
- monitoring for anomalous plan changes and unusual tool sequences
Evidence to keep: threat model, prompt/goal governance history, test results, approval/audit records.
ASI02: Tool Misuse and Exploitation
What it is: an agent misapplies legitimate tools (or is induced to do so), leading to exfiltration, destructive operations, workflow hijacking, or denial-of-wallet.
Baseline controls:
- least-agency tool design (minimal tools, minimal scopes, deny by default)
- policy checks at the tool boundary (name + args + scope + rate + purpose)
- budgets/rate limits/timeouts + sandboxing for execution-capable tools
Tests and signals:
- tool boundary tests: permission, argument validation, and escalation paths
- anomaly detection for tool-call rate, spend spikes, and risky tool chaining
Evidence to keep: tool inventories, tool policies, sandbox design, monitoring dashboards, incident drills.
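The ASI02 baseline controls above describe a policy check at the tool boundary (name, arguments, scope, rate, spend) with deny by default. The following is an added, self-contained example of such a gate written for this page; it is not code from OWASP or from any agent framework. The tool names, scopes, validators, limits and costs in `TOOL_POLICY` are constructed for illustration.

```python
import time
from dataclasses import dataclass, field

# Constructed policy: tools not listed here are denied by default (least agency).
# Each entry declares the scopes a caller must hold, an argument validator,
# a per-minute call limit and a unit cost charged against the task budget.
def _validate_search(args):
    q = args.get("query")
    return isinstance(q, str) and 0 < len(q) <= 256

def _validate_write_file(args):
    path = args.get("path", "")
    # confine writes to the task workspace; reject traversal and absolute paths
    return path.startswith("workspace/") and ".." not in path and "\x00" not in path

TOOL_POLICY = {
    "search_docs": {"scopes": {"read"}, "validate": _validate_search, "rate_per_min": 30, "cost": 1},
    "write_file": {"scopes": {"write"}, "validate": _validate_write_file, "rate_per_min": 5, "cost": 5},
}

@dataclass
class Decision:
    allowed: bool
    reason: str

@dataclass
class ToolGate:
    """Policy check at the tool boundary: name, args, scope, rate and spend."""
    budget: int                                  # total cost units this task may spend
    scopes: set                                  # scopes granted to the calling task
    spent: int = 0
    calls: dict = field(default_factory=dict)    # tool -> timestamps of admitted calls
    log: list = field(default_factory=list)      # audit trail of every decision, allowed or not

    def check(self, tool, args, now=None):
        now = time.time() if now is None else now
        policy = TOOL_POLICY.get(tool)
        if policy is None:
            return self._decide(tool, args, False, "tool not allowlisted")
        if not policy["scopes"] <= self.scopes:
            return self._decide(tool, args, False, "missing scope")
        if not policy["validate"](args):
            return self._decide(tool, args, False, "argument validation failed")
        recent = [t for t in self.calls.get(tool, []) if now - t < 60]
        if len(recent) >= policy["rate_per_min"]:
            return self._decide(tool, args, False, "rate limit exceeded")
        if self.spent + policy["cost"] > self.budget:
            return self._decide(tool, args, False, "budget exhausted")
        # all checks passed: record the call and charge the budget
        self.calls[tool] = recent + [now]
        self.spent += policy["cost"]
        return self._decide(tool, args, True, "ok")

    def _decide(self, tool, args, allowed, reason):
        self.log.append((tool, dict(args), allowed, reason))
        return Decision(allowed, reason)

def demo():
    """Constructed task holding only the read scope; returns the gate's reason for each call."""
    gate = ToolGate(budget=12, scopes={"read"})
    return [
        gate.check("search_docs", {"query": "rotation policy"}, now=1000.0).reason,
        gate.check("write_file", {"path": "workspace/out.txt"}, now=1000.0).reason,   # no write scope
        gate.check("delete_repo", {"name": "prod"}, now=1000.0).reason,             # not allowlisted
        gate.check("search_docs", {"query": ""}, now=1000.0).reason,                 # bad args
    ]

if __name__ == "__main__":
    print(demo())
```

The gate charges the budget only for admitted calls and keeps a log entry for denials too, which is the raw material for the "anomaly detection for tool-call rate, spend spikes, and risky tool chaining" signal listed under tests.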
ASI03: Identity and Privilege Abuse
What it is: delegation chains, inherited credentials, and weak attribution create privilege escalation (including confused-deputy patterns).
Baseline controls:
- distinct governed agent identities (non-human identities) and explicit lifecycle controls
- task-scoped, short-lived credentials bound to user/session/purpose
- re-check authorization on each privileged step (not only at workflow start)
Tests and signals:
- delegation escalation tests (transitive privilege, cross-agent relay)
- monitoring for unusual scopes, delegation graphs, or repeated authorization failures
Evidence to keep: identity model, token/credential issuance design, authorization logs, access reviews.
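The ASI03 controls above call for task-scoped, short-lived credentials bound to user, session and purpose, with authorization re-checked on every privileged step. The following is an added example of that pattern written for this page, not code from OWASP or any identity product. The signing key, claim names, step catalogue and scope strings are constructed for illustration; a real issuer would hold the key in a KMS and typically use a standard token format.

```python
import hmac, hashlib, json, time, base64

# Constructed signing key; in practice this lives in the credential issuer's KMS.
ISSUER_KEY = b"example-issuer-key-do-not-use"

def _sign(payload_bytes):
    return hmac.new(ISSUER_KEY, payload_bytes, hashlib.sha256).hexdigest()

def mint_task_token(user, session, purpose, scopes, ttl_seconds=300, now=None):
    """Issue a short-lived credential bound to user, session and purpose."""
    now = time.time() if now is None else now
    claims = {"sub": user, "sid": session, "purpose": purpose,
              "scopes": sorted(scopes), "iat": now, "exp": now + ttl_seconds}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)

def verify_task_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body_b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64.encode())
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    claims = json.loads(body)
    if now >= claims["exp"]:
        return None
    return claims

# Constructed step catalogue: every privileged step names the scope and purpose it needs.
STEP_REQUIREMENTS = {
    "read_ticket":  {"scope": "tickets:read",  "purpose": "support_triage"},
    "refund_order": {"scope": "orders:refund", "purpose": "support_triage"},
    "export_users": {"scope": "users:export",  "purpose": "compliance_export"},
}

def authorize_step(token, step, session, now=None):
    """Re-check authorization on each privileged step, not only at workflow start."""
    claims = verify_task_token(token, now=now)
    if claims is None:
        return (False, "invalid or expired token")
    req = STEP_REQUIREMENTS.get(step)
    if req is None:
        return (False, "unknown step")
    if claims["sid"] != session:
        return (False, "token bound to another session")   # stops cross-session relay
    if claims["purpose"] != req["purpose"]:
        return (False, "purpose mismatch")                  # stops reuse for a different task
    if req["scope"] not in claims["scopes"]:
        return (False, "missing scope")
    return (True, "ok")
```

Because the token carries the session and purpose, a downstream agent that receives it cannot relay it into another session or another kind of task, which is the confused-deputy path the risk description names; the short TTL bounds how long a leaked token is usable.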
ASI04: Agentic Supply Chain Vulnerabilities
What it is: tools, prompts, agents, models, and registries can be compromised or tampered with at build time or at runtime, and agentic systems widen the exposure by composing these capabilities dynamically.
Baseline controls:
- allowlist/pin tools and agent artifacts (version + hash), prefer curated registries
- provenance and signing/attestation for critical artifacts; verify at runtime
- revocation/kill switch process for compromised tools/agents
Tests and signals:
- drift detection on tool/agent descriptors and prompt templates
- registry integrity checks and “known-good” verification tests
Evidence to keep: SBOM/AIBOM, registry policies, attestation records, revocation playbooks.
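The ASI04 controls above ask for allowlisting and pinning tool artifacts by version and hash, verifying at runtime, and detecting drift in tool descriptors. The following is an added example written for this page (not OWASP's or any registry's code) that pins descriptors by a canonical-JSON SHA-256 and refuses to load anything that no longer matches. The descriptors, endpoints and hostnames are constructed.

```python
import hashlib, json

def canonical_digest(descriptor):
    """SHA-256 over a canonical JSON encoding so key order cannot hide a change."""
    data = json.dumps(descriptor, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

# Constructed tool descriptors as a registry would serve them (name, version, endpoint, schema).
KNOWN_GOOD = {
    "search_docs": {"name": "search_docs", "version": "1.4.2",
                    "endpoint": "https://tools.example.internal/search",
                    "params": {"query": "string"}},
    "send_email": {"name": "send_email", "version": "2.0.0",
                   "endpoint": "https://tools.example.internal/mail",
                   "params": {"to": "string", "body": "string"}},
}

def build_pin_manifest(descriptors):
    """Pin each allowlisted tool by version and descriptor hash; ship this with the agent."""
    return {name: {"version": d["version"], "sha256": canonical_digest(d)}
            for name, d in descriptors.items()}

def verify_registry(manifest, served):
    """Compare what the registry serves now against the pins; return a finding per tool."""
    findings = {}
    for name, pin in manifest.items():
        d = served.get(name)
        if d is None:
            findings[name] = "missing from registry"
        elif d.get("version") != pin["version"]:
            findings[name] = "version drift"
        elif canonical_digest(d) != pin["sha256"]:
            findings[name] = "descriptor drift (same version, different content)"
        else:
            findings[name] = "ok"
    for name in served:
        if name not in manifest:
            findings[name] = "unpinned tool (deny)"
    return findings

def resolve_tool(manifest, served, name):
    """Runtime gate: only a tool whose served descriptor matches its pin may be loaded."""
    if verify_registry(manifest, served).get(name) != "ok":
        return None
    return served[name]

if __name__ == "__main__":
    manifest = build_pin_manifest(KNOWN_GOOD)
    print(json.dumps(manifest, indent=2))
    print(verify_registry(manifest, KNOWN_GOOD))
```

Running `verify_registry` on a schedule against the live registry gives the drift-detection signal listed under tests; a non-"ok" finding for a pinned tool is the trigger for the revocation/kill-switch process.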
ASI05: Unexpected Code Execution (RCE)
What it is: agentic systems turn untrusted content or agent-generated output into executable behavior (shell commands, scripts, deserialization, templates), leading to compromise or sandbox escape.
Baseline controls:
- separate generation from execution with validation gates; ban unsafe evaluators (`eval`)
- sandbox execution with strict filesystem and egress boundaries
- step-up approvals for privileged or destructive execution paths
Tests and signals:
- negative tests for unsafe code paths (file write → load → run, dependency install, template execution)
- runtime monitoring for suspicious execution, egress, and privilege changes
Evidence to keep: sandbox specs, execution allowlists, approval records, test results and remediation history.
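The first ASI05 control separates generation from execution behind a validation gate and bans unsafe evaluators. The following added example, written for this page rather than taken from OWASP or any framework, shows the pattern to avoid beside the hardened form: model output is parsed as data, checked against a per-action schema, and dispatched only to allowlisted handlers. The action names, handlers and schemas are constructed.

```python
import json

# --- Pattern to avoid (constructed illustration): model output is handed straight to eval ---
def run_model_output_unsafe(model_output):
    # Whatever the model emits, and whatever influenced the model, becomes code.
    return eval(model_output)

# --- Hardened pattern: parse as data, validate against a schema, dispatch to allowlisted handlers ---
def action_lookup(args):
    return {"result": "looked up " + args["key"]}

def action_add(args):
    return {"result": args["a"] + args["b"]}

ACTIONS = {
    "lookup": {"fn": action_lookup, "schema": {"key": str}},
    "add":    {"fn": action_add,    "schema": {"a": int, "b": int}},
}

class ExecutionRejected(Exception):
    pass

def validate_action(model_output):
    """Validation gate: output must be a JSON object naming an allowlisted action with typed args."""
    try:
        obj = json.loads(model_output)
    except (json.JSONDecodeError, TypeError):
        raise ExecutionRejected("output is not JSON")
    if not isinstance(obj, dict) or set(obj) != {"action", "args"}:
        raise ExecutionRejected("unexpected shape")
    spec = ACTIONS.get(obj["action"])
    if spec is None:
        raise ExecutionRejected("action not allowlisted: %r" % obj["action"])
    args = obj["args"]
    if not isinstance(args, dict) or set(args) != set(spec["schema"]):
        raise ExecutionRejected("argument set mismatch")
    for name, typ in spec["schema"].items():
        # bool is a subclass of int in Python; reject it explicitly for int fields
        if not isinstance(args[name], typ) or (typ is int and isinstance(args[name], bool)):
            raise ExecutionRejected("bad type for %s" % name)
    return obj["action"], args

def run_model_output_safe(model_output):
    """Generation and execution stay separate: nothing runs unless the gate admits it."""
    action, args = validate_action(model_output)
    return ACTIONS[action]["fn"](args)
```

The hardened path never interprets the model's text as code; the only things that execute are the handlers in `ACTIONS`, and only with arguments of the declared shape. The same gate is the natural place to attach the step-up approval required by the third control for destructive actions.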
ASI06: Memory & Context Poisoning
What it is: attackers corrupt stored or retrievable context (summaries, embeddings, memory) so that future reasoning and tool use become biased or unsafe, including influence that carries across sessions.
Baseline controls:
- validate and scan memory writes before commit; enforce provenance/attribution
- segment memory by user/tenant/task; minimize retention; support rollback/quarantine
- weight retrieval by trust/tenancy; block auto-promotion of generated content into trusted memory
Tests and signals:
- poisoning regression tests for RAG/memory update paths
- alerts on anomalous memory update patterns and cross-tenant retrieval attempts
Evidence to keep: memory schema, retention policy, provenance logs, rollback procedures, test outputs.
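The ASI06 controls above cover write-time validation with provenance, segmentation by tenant, trust-weighted retrieval, a ban on auto-promoting generated content, and rollback or quarantine. The following is an added example of a small memory store written for this page (not OWASP's or any vector-database vendor's code) that implements each of those. The trust weights, the write-time scanner's markers and the sample entries are constructed.

```python
import time
from dataclasses import dataclass

# Constructed trust tiers: generated content never outranks a human or operator source.
TRUST_WEIGHT = {"operator": 1.0, "user": 0.6, "generated": 0.2}

@dataclass
class MemoryEntry:
    tenant: str
    text: str
    source: str        # provenance tier: "operator", "user" or "generated"
    origin: str        # attribution: the session or document the entry came from
    created: float
    quarantined: bool = False

class SegmentedMemory:
    """Memory with write validation, provenance, tenant isolation, trust-weighted retrieval and rollback."""
    def __init__(self, scanner):
        self.scanner = scanner     # returns a reason string if a write looks poisoned, else None
        self.entries = []

    def write(self, tenant, text, source, origin, now=None):
        if source not in TRUST_WEIGHT:
            return (False, "unknown provenance")
        reason = self.scanner(text)
        if reason:
            return (False, "rejected: " + reason)
        self.entries.append(MemoryEntry(tenant, text, source, origin,
                                        time.time() if now is None else now))
        return (True, "stored")

    def retrieve(self, tenant, keyword, limit=3):
        """Only the caller's tenant is searched; hits rank by provenance trust, then recency."""
        hits = [e for e in self.entries
                if e.tenant == tenant and not e.quarantined and keyword.lower() in e.text.lower()]
        hits.sort(key=lambda e: (TRUST_WEIGHT[e.source], e.created), reverse=True)
        return [(e.text, e.source) for e in hits[:limit]]

    def promote(self, entry_index, approver):
        """Generated content reaches the trusted tier only through an explicit human approver."""
        e = self.entries[entry_index]
        if e.source == "generated" and not approver:
            return False
        e.source = "operator"
        return True

    def quarantine_origin(self, tenant, origin):
        """Rollback path: hide everything a suspicious session or document wrote, for this tenant only."""
        n = 0
        for e in self.entries:
            if e.tenant == tenant and e.origin == origin and not e.quarantined:
                e.quarantined = True
                n += 1
        return n

def simple_scanner(text):
    """Constructed write-time check: flag instruction-like text trying to become persistent policy."""
    lowered = text.lower()
    for marker in ("ignore previous", "always approve", "from now on"):
        if marker in lowered:
            return "instruction-like content (%r)" % marker
    if len(text) > 2000:
        return "oversized entry"
    return None
```

A production scanner would be richer than the three markers above, but the structure is the point: the write path, not the read path, is where provenance is fixed and where poisoned content is cheapest to stop, and the `origin` field is what makes a later quarantine precise.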
ASI07: Insecure Inter-Agent Communication
What it is: agent-to-agent exchanges lack authentication, integrity, confidentiality, or replay protection, allowing spoofing, manipulation, or protocol abuse.
Baseline controls:
- mutual authentication + end-to-end encryption for agent channels
- signed messages and anti-replay (nonces/timestamps/task windows)
- secured discovery/registries (attested agent cards, strict schema validation)
Tests and signals:
- MITM/spoof/replay tests for agent protocols and discovery paths
- monitoring for protocol downgrade attempts and invalid schemas
Evidence to keep: protocol specs, key management approach, message schema versions, audit trails.
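The ASI07 controls above require authenticated, signed messages with anti-replay protection (nonces, timestamps, task windows). The following added example, written for this page and not taken from OWASP or any agent protocol specification, shows a sender wrapping its intent and a receiver checking origin, integrity, freshness, addressing, task window and single use before the payload can influence a decision. The agent names, shared keys and skew limit are constructed; a deployment would use mTLS or KMS-held keys rather than inline secrets.

```python
import hmac, hashlib, json, time, os

# Constructed per-agent keys; a real deployment would use mTLS or KMS-backed keys.
AGENT_KEYS = {"planner": b"planner-key-example", "executor": b"executor-key-example"}
MAX_SKEW = 30  # seconds a message may be old (or early) before it is rejected

def _mac(key, body):
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_message(sender, recipient, task_id, payload, now=None):
    """Sender binds intent to identity, recipient, task window, timestamp and a fresh nonce, then signs."""
    now = time.time() if now is None else now
    msg = {"from": sender, "to": recipient, "task": task_id, "ts": now,
           "nonce": os.urandom(8).hex(), "payload": payload}
    body = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    return {"body": body.decode(), "mac": _mac(AGENT_KEYS[sender], body)}

class Receiver:
    """Verifies origin, integrity, freshness and single use before a message may change decisions."""
    def __init__(self, me, active_tasks):
        self.me = me
        self.active_tasks = set(active_tasks)   # task window: only messages for live tasks count
        self.seen_nonces = set()

    def accept(self, envelope, now=None):
        now = time.time() if now is None else now
        body = envelope["body"].encode()
        try:
            msg = json.loads(body)
            key = AGENT_KEYS[msg["from"]]
        except (ValueError, KeyError, TypeError):
            return (None, "malformed or unknown sender")
        if not hmac.compare_digest(envelope["mac"], _mac(key, body)):
            return (None, "bad signature")          # tampered content or a spoofed sender
        if msg["to"] != self.me:
            return (None, "not addressed to me")    # a message for another agent cannot be redirected
        if abs(now - msg["ts"]) > MAX_SKEW:
            return (None, "stale timestamp")
        if msg["task"] not in self.active_tasks:
            return (None, "outside task window")
        if msg["nonce"] in self.seen_nonces:
            return (None, "replay")
        self.seen_nonces.add(msg["nonce"])
        return (msg["payload"], "ok")
```

The order of checks matters: the signature is verified before any field is trusted, and the nonce is recorded only after every other check passes so that a rejected message cannot consume a nonce. The rejection reasons map directly onto the "MITM/spoof/replay" test cases and the protocol-abuse monitoring listed above.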
ASI08: Cascading Failures
What it is: an initial fault (hallucination, malicious input, corrupted tool, spoofed message) propagates across autonomous workflows, amplifying into system-wide harm or outages.
Baseline controls:
- isolation boundaries and trust zones between agents/tools; restrict privilege inheritance
- circuit breakers, quotas, and blast-radius limits between steps and agents
- checkpoints and approvals before high-impact fan-out actions
Tests and signals:
- fan-out and loop tests (queue storms, repeated intents, cascading tool chains)
- monitoring for unusual rates, cross-tenant spread, and repeated action patterns
Evidence to keep: architecture diagrams, blast-radius policies, incident runbooks, containment and recovery records.
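The ASI08 controls above call for circuit breakers, quotas and blast-radius limits between steps and agents, plus an approval checkpoint before high-impact fan-out. The following is an added example written for this page (not OWASP's code or any orchestration framework's) that combines a per-downstream circuit breaker with a hard fan-out cap and an approval threshold. The thresholds, cooldown and target names are constructed.

```python
class CircuitBreaker:
    """Stops calling a failing downstream after `threshold` consecutive failures; retries after `cooldown`."""
    def __init__(self, threshold=3, cooldown=60.0):
        self.threshold, self.cooldown = threshold, cooldown
        self.failures, self.opened_at = 0, None

    def allow(self, now):
        if self.opened_at is None:
            return True
        if now - self.opened_at >= self.cooldown:
            self.opened_at, self.failures = None, 0   # half-open: let one attempt through
            return True
        return False

    def record(self, ok, now):
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= self.threshold:
                self.opened_at = now

class FanOutController:
    """Blast-radius limits between steps: per-downstream breakers plus caps on fan-out per step."""
    def __init__(self, max_fanout, approval_required_above):
        self.max_fanout = max_fanout                         # hard cap, never exceeded
        self.approval_required_above = approval_required_above   # above this, a human checkpoint is required
        self.breakers = {}

    def dispatch(self, targets, call, now, approved=False):
        """Returns (target, outcome) per target. `call(target)` returns True on success, False on failure."""
        if len(targets) > self.max_fanout:
            return [(t, "blocked: fan-out cap") for t in targets]
        if len(targets) > self.approval_required_above and not approved:
            return [(t, "blocked: needs approval checkpoint") for t in targets]
        outcomes = []
        for t in targets:
            br = self.breakers.setdefault(t, CircuitBreaker())
            if not br.allow(now):
                outcomes.append((t, "skipped: circuit open"))   # a sick downstream is isolated, not retried
                continue
            ok = call(t)
            br.record(ok, now)
            outcomes.append((t, "ok" if ok else "failed"))
        return outcomes
```

The breaker keeps one failing agent or tool from being hammered by every upstream step that depends on it, while the fan-out thresholds keep a single misjudged plan from touching more targets than the policy allows without a human in the loop. Both produce the "unusual rates" and "repeated action patterns" signals listed under tests when their blocked and skipped outcomes are logged.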
ASI09: Human-Agent Trust Exploitation
What it is: adversaries leverage authority bias and persuasive explanations to trick users into approving harmful actions or disclosing sensitive data.
Baseline controls:
- explicit confirmations and “preview vs effect” separation for sensitive actions
- provenance-aware UX (source, timestamp, integrity) and plain-language risk summaries
- calibrate autonomy by risk; avoid persuasive language in high-risk flows
Tests and signals:
- simulated social engineering scenarios and approval-gate bypass attempts
- monitoring for plan divergence and unusual tool combinations
Evidence to keep: UX patterns for approvals, audit logs, training materials, incident reports and fixes.
ASI10: Rogue Agents
What it is: malicious or compromised agents deviate from intended scope (drift, collusion, self-replication), even after the initial intrusion.
Baseline controls:
- cryptographic agent identities, attestation, and signed audit logs for actions/messages
- rapid containment (kill switch, credential revocation, quarantine) and recovery workflows
- behavioral baselines/watchdogs and restricted propagation paths
Tests and signals:
- “rogue agent” drills: revoke, quarantine, and recover to a known-good state
- monitoring for replication, unusual delegation graphs, and anomalous tool usage
Evidence to keep: containment runbooks, revocation logs, forensic artifacts, reintegration criteria.