What the OWASP Top 10 for Agentic Applications Covers

The OWASP GenAI Security Project published its Top 10 for Agentic Applications as a globally peer-reviewed framework specifically addressing autonomous AI systems. These are agents that plan, act, and make decisions across multi-step workflows, rather than single-turn language model interactions. This scope distinguishes the agentic framework from the earlier OWASP Top 10 for LLM Applications, which focuses on risks like prompt injection and output handling at the model layer. The agentic framework instead addresses what happens once a model's output becomes an action: a tool call, a workflow decision, an interaction with another agent, or a persistent change to memory or state.

The framework's risk categories include the following:

  • Agent goal hijacking, where an agent's objective is redirected away from its intended purpose
  • Tool misuse, where an agent invokes a legitimate tool in a way that exceeds its intended function
  • Identity and privilege abuse, where an agent operates with access broader than its current task requires
  • Agentic supply chain risk, covering the plugins, tools, and third-party components an agent depends on
  • Memory and context poisoning, where persistent agent memory is corrupted to influence future behavior
  • Cascading failures across multi-agent systems, where one agent's erroneous behavior propagates to others
  • Rogue agent behavior, where an agent acts outside its intended operational boundaries

Each category is paired with practical guidance intended for builders, defenders, and organizational decision-makers rather than purely academic researchers.

For governance and compliance teams, the value of this framework is that it gives agentic AI risk a common vocabulary that can be referenced in internal policy, vendor questionnaires, and audit documentation. A companion crosswalk maps each OWASP agentic risk category to the NIST AI Risk Management Framework's four core functions -- Govern, Map, Measure, and Manage -- which allows organizations that have already built governance programs around NIST AI RMF to extend that structure to agentic-specific risks rather than building a parallel framework from scratch.

Key Distinction

The OWASP Top 10 for Agentic Applications addresses risk at the action layer -- what an agent does -- rather than only at the model layer. This distinction matters for compliance teams whose existing controls were designed around model inputs and outputs, not autonomous multi-step execution.

Representative Risk Categories at a Glance

The table below summarizes three foundational risk categories from the framework to illustrate the type of concerns it addresses and how they translate to governance language.

Risk Category What It Describes Governance Relevance
Agent goal hijacking An agent's objective is manipulated away from its intended task, often through crafted inputs in the environment or context. Requires monitoring of in-flight agent objectives and detection of deviations from authorized task scope.
Tool misuse An agent invokes a legitimate tool with parameters or in a context that was not intended by the tool's designers or the organization's policy. Requires per-invocation policy evaluation, not just access control at the tool registration level.
Identity and privilege abuse An agent operates with access entitlements that are broader than what the current task requires, creating excess exposure. Requires runtime authorization aligned to current task context, rather than a static role assigned at deployment.
Agentic supply chain risk Third-party tools, plugins, or MCP servers introduce risk into an agent's operational environment through their own vulnerabilities or behavior. Requires a maintained inventory of agent dependencies and a recurring review process comparable to third-party software risk management.
Memory and context poisoning Content written into an agent's persistent memory is manipulated so that it influences the agent's future decisions in ways not intended or authorized. Requires provenance tracking and validation on memory writes, so manipulated inputs cannot silently become part of the agent's decision basis.
Cascading failures A single agent's compromised or erroneous behavior automatically propagates authority or data to other agents in a multi-agent workflow. Requires bounded blast-radius controls that limit lateral propagation between agents.

From Risk Taxonomy to Enforceable Controls

A risk taxonomy on its own does not satisfy an audit or reduce operational exposure. Each category must be translated into controls that can be implemented, monitored, and evidenced. The mapping between the OWASP agentic risk categories and their corresponding operational controls follows a consistent pattern:

Identity and privilege abuse

The corresponding control is runtime authorization: verifying, at the moment an agent attempts an action, that its current permissions match what its current task actually requires. This is different from relying on a static role assigned at deployment, which remains fixed regardless of what an agent is doing at any given moment.

Tool misuse

The corresponding control is per-call policy enforcement that evaluates not just whether an agent is allowed to use a tool in general, but whether this specific invocation -- with these specific parameters, in this task context -- is consistent with approved use. Access control at the tool registration level alone is insufficient.

Memory and context poisoning

The corresponding control is validation and provenance tracking on what gets written into an agent's persistent memory. Without this, manipulated inputs can silently become part of the agent's future decision-making in ways that are difficult to detect after the fact.

Agentic supply chain risk

The corresponding control is an inventory and review process for every tool, plugin, and MCP server an agent can reach. This should be treated with the same rigor as third-party software dependencies, including periodic reassessment rather than one-time review at onboarding.

Cascading failures in multi-agent systems

The corresponding control is bounded blast radius -- ensuring that one agent's compromised or erroneous behavior cannot automatically propagate authority or data to other agents in the same workflow. This may involve designing explicit handoff verification points between agents rather than implicit trust.

None of these controls are entirely novel. Most extend existing identity, access management, and monitoring disciplines into the agent execution layer. The gap in most organizations is not awareness that these controls are needed -- the OWASP framework makes that explicit -- but operationalizing them at the speed and scale that agentic workflows require. Manual review cannot keep pace with autonomous, multi-step execution, which means the enforcement mechanisms themselves must be automated and policy-driven.


Compliance Readiness Checklist

Organizations assessing their readiness against the OWASP Top 10 for Agentic Applications should be able to answer the following questions affirmatively. Gaps in any of these areas represent control deficiencies that may require remediation before an audit or regulatory review.

  • Is there a current inventory of every agent in production, its permitted tools, and its data access scope?
  • Are agent actions authorized per call, based on current task context, rather than a static role granted at deployment?
  • Is there provenance tracking on what content is written into persistent agent memory?
  • Are third-party tools, plugins, and MCP servers reviewed and reassessed on a recurring basis?
  • Can the organization produce an audit trail mapping specific agent actions to the policy that authorized them?
  • Is there a documented process for containing a single agent's failure before it propagates to other agents in a workflow?
  • Have the OWASP agentic risk categories been reviewed against the organization's existing AI governance policy to identify gaps?

Building a Governance Program Around the Framework

Translating the OWASP framework into a governance program requires treating the risk categories not as a one-time checklist but as an ongoing input into policy, control design, vendor assessment, and audit evidence. The practical steps involved include:

  1. Map risk categories to existing policy. Review current AI and information security policies to identify where agentic-specific risks are and are not addressed. Goal hijacking and cascading failures, for example, are unlikely to appear in policies written before agentic AI was in use.
  2. Assign control ownership. For each risk category, identify who in the organization is responsible for the corresponding control. In many organizations, this spans security engineering, platform teams, and the groups responsible for vendor management and third-party risk.
  3. Define evidence standards. Determine what evidence is required to demonstrate that each control is operating effectively. For runtime authorization controls, this typically means structured logs showing authorization decisions alongside agent actions. For supply chain controls, it means a maintained inventory with documented review dates.
  4. Build into audit cadence. Incorporate agentic risk controls into existing internal audit or risk review cycles rather than standing up a separate program. This reduces overhead and makes it easier to align reporting to existing governance structures.
  5. Plan for framework evolution. The OWASP framework will continue to develop as agentic AI matures. Building in a process to review and incorporate updates -- at least annually -- ensures the governance program remains aligned with current risk guidance.

Where This Fits Alongside Broader AI Governance Programs

Organizations that already maintain AI governance programs anchored in frameworks like the NIST AI RMF or ISO/IEC 42001 should treat the OWASP agentic framework as an extension rather than a competing structure. The distinction is one of scope: broader AI governance frameworks address model risk, data governance, and organizational accountability across the AI lifecycle, while the OWASP agentic framework addresses the specific, newer risk surface created when AI systems take autonomous action inside enterprise infrastructure.

The published NIST AI RMF crosswalk makes this integration concrete. By aligning each OWASP agentic risk category to the corresponding NIST AI RMF function -- Govern, Map, Measure, or Manage -- organizations can extend their existing NIST-aligned programs to cover agentic risks without rebuilding their governance architecture.

Enterprises that fold agentic risk into their existing governance cadence typically find it easier to secure executive sponsorship and audit sign-off, because the reporting structure and control ownership are already established. Treating agentic AI as a governed technology category -- rather than a novel system that requires its own parallel program -- tends to result in faster adoption of controls and more consistent enforcement over time.

Framework Relationship

The OWASP Top 10 for Agentic Applications addresses what happens at runtime. Broader frameworks like NIST AI RMF address lifecycle governance. Both are needed for a complete control environment. The published crosswalk between them provides a starting point for integrating the two without duplicating effort.