DEV Community

Cover image for The OWASP Agentic Top 10, explained for practitioners
Brenn Hill
Brenn Hill

Posted on

The OWASP Agentic Top 10, explained for practitioners

If you are shipping anything with autonomous agents — tool-calling LLMs, multi-agent workflows, agents that read memory and act on it — you have probably noticed that the usual web and API threat models do not quite fit. The risks shift when the thing making decisions is a model that can be steered by its own inputs.

In December 2025 the OWASP GenAI Security Project, through its Agentic Security Initiative, published the OWASP Top 10 for Agentic Applications (2026). It is the result of work by 100+ contributors across vendors, enterprises, researchers, and national cybersecurity agencies, and it has quickly become the field's reference threat list for agentic systems — the agentic counterpart to the long-standing OWASP Top 10 for web applications.

What it actually is

The Top 10 is a catalog of what can go wrong with agents. Each risk is coded ASI01 through ASI10, with a description, example attack paths, and pointers toward mitigations. It is not a compliance checklist and it is not a controls catalog. It is a shared vocabulary: when someone says "that's an ASI06 problem," everyone in the room knows you are talking about poisoned memory or context, not a leaked credential.

That shared vocabulary is the real value. Threat modeling for agents has been ad hoc and team-specific. The Top 10 gives you a stable list to model against.

The ten, in plain language

  1. ASI01 — Agent Goal Hijack. An attacker redirects what the agent is trying to do, usually by smuggling instructions into content the agent reads, so it pursues their objective instead of yours.
  2. ASI02 — Tool Misuse. The agent uses its legitimate, granted tools in harmful ways — calling the right API with the wrong intent, or chaining permitted actions into something damaging.
  3. ASI03 — Identity & Privilege Abuse. Weak handling of the agent's credentials and permissions lets it act with more authority than it should, or lets an attacker borrow that authority.
  4. ASI04 — Agentic Supply Chain Vulnerabilities. Compromise enters through the agent's dependencies: third-party tools, models, plugins, and registries it pulls in and trusts.
  5. ASI05 — Unexpected Code Execution. The agent generates and runs code that slips past traditional controls, executing things you never reviewed.
  6. ASI06 — Memory & Context Poisoning. Corrupted or attacker-planted data in the agent's memory or context quietly steers its future decisions.
  7. ASI07 — Insecure Inter-Agent Communication. When agents talk to each other, weak or unauthenticated channels let a message be forged, intercepted, or tampered with.
  8. ASI08 — Cascading Failures. A single fault, bad output, or compromised agent propagates through a workflow, with each agent amplifying the last.
  9. ASI09 — Human-Agent Trust Exploitation. The agent's human-like, authoritative manner is weaponized to make people approve, click, or disclose things they otherwise would not.
  10. ASI10 — Rogue Agents. Agents drift from intended behavior, collude, or self-replicate, operating outside the boundaries anyone set for them.

The practitioner takeaway

Treat the Top 10 as a threat checklist, not a controls list. The most useful thing you can do with it is sit down with your architecture and walk the ten, one at a time, asking "where does this show up in our system, and what happens if it does?"

Some will not apply — if you run a single agent with no inter-agent messaging, ASI07 is moot. Others will surface gaps you had not named: an agent with a shell tool is staring straight at ASI05; an agent that reads from a shared vector store is exposed to ASI06. The list is deliberately about what can go wrong, which is exactly what you want for the threat-modeling half of the work.

What it does not do — by design — is tell you which control to build. ASI06 names memory poisoning as a risk; it does not hand you the input validation, provenance tracking, and trust boundaries that contain it. That gap between "here is the risk" and "here is the fix" is where your engineering judgment lives, and it is the gap worth being deliberate about.


The OWASP Agentic Top 10 is one of the sources behind *BRACE*, an open, vendor-neutral framework for securing autonomous AI agents — BRACE maps each of these risks to the concrete controls that mitigate it. It's built by reading the incidents and the research and asking, each time: what concrete control would have prevented or contained this?

Top comments (0)