DEV Community

AGAT Software

The OWASP Agentic AI Top 10: What Enterprise Security Teams Need to Know in 2026

Most enterprise security teams have read the OWASP LLM Top 10. Far fewer have read the Agentic AI Top 10 — released December 2025 — and the gap between the two is where the real risk lives right now.
This isn't a prompt injection update. It's a different threat model entirely.
What changed between LLM and Agentic AI risks
The LLM Top 10 assumes a human in the loop. A user sends a prompt, a model responds, a human evaluates the output. The attack surface is the prompt and the response.
Agentic AI systems don't work that way. An agent receives a goal, plans a sequence of actions, calls external tools, stores information in memory, spawns sub-agents, and executes — often without a human reviewing each step. The attack surface is every tool call, every memory read/write, every inter-agent handoff, and every external server connection.
Here's a quick comparison of what shifted:
| Risk | LLM Top 10 | Agentic Top 10 |
| --- | --- | --- |
| Primary vector | Prompt | Tool calls + memory |
| Scope | Single model response | Multi-step autonomous execution |
| Blast radius | One output | Cascading actions across systems |
| Human review | Assumed | Often absent |
| New attack class | Prompt injection | Agent hijacking, cascading failures, rogue agents |
The 3 Agentic risks most teams are underestimating

  1. Cascading agent failures
  In a connected agent system, one compromised or misconfigured agent can corrupt every downstream decision. A 2025 study found a single poisoned agent degraded 87% of downstream decisions within 4 hours across a connected system. There's no equivalent to this in traditional security models — it's closer to a supply chain attack than a perimeter breach.

  2. MCP server exploitation
  Model Context Protocol (MCP) is how AI agents call external tools. Anthropic open-sourced it in late 2024 and adoption has been fast. Security hasn't kept up. Trend Micro found 492 exposed MCP servers with zero authentication in early 2026. The first confirmed malicious MCP server — postmark-mcp — silently BCC'd every outgoing email to an attacker-controlled address for weeks before detection. No user interaction. No obvious indicator. OWASP published a dedicated MCP Security Guide in February 2026. Key attack classes to know:

Tool poisoning — malicious server executes unauthorized commands when an agent calls it
Rug pull attacks — server behaves correctly during testing, changes behavior in production
Cross-server escalation — agents with access to multiple MCP servers can be manipulated to chain calls across them
Prompt injection via tool output — server returns instructions disguised as data, agent executes them

  3. Privilege escalation through agent credentials
  Most teams provision AI agents using existing user credentials or broad service accounts. An agent operating under a user's credentials inherits that user's full permission scope — including permissions the user would never exercise manually, like bulk export or delete on production data. Unlike a human session, an agent can execute thousands of actions in minutes. The blast radius of a compromised or misconfigured agent is orders of magnitude larger than a compromised human account.

What happened at Microsoft Copilot: EchoLeak
EchoLeak (CVE-2025-32711, CVSS 9.3) is the clearest real-world example of the Agentic threat model in action. A single crafted email triggered Microsoft Copilot to exfiltrate data from OneDrive, SharePoint, and Teams. Zero user interaction required.
The attack worked because Copilot has tool-level access to the M365 tenant and processes email content as part of its context. One malicious input, full data boundary breach.
If your org is running Copilot without an AI firewall layer between the agent and your data, your data perimeter is not where you think it is.

What governance actually looks like at the agent layer
Native M365 controls — conditional access, DLP, sensitivity labels — are content controls. They don't give you visibility into agent behavior at the action level. You can know what data was accessed after the fact, but you can't govern what an agent is allowed to do in real time.
Effective AI agent governance requires three layers:

Usage Layer — governs every user-to-AI interaction. Catches shadow AI at the agent level, not just the chatbot level. Blocks sensitive data from leaving in prompts.
Agent Layer — controls every tool call an AI agent can make. Governs MCP server connections before they load. Enforces behavioral policy at the action boundary.
Model Layer — evaluates AI models before they operate in your environment. Controls who can use which model, under what conditions, for what purpose.

This is the architecture we've deployed at our org using Pragatix as the enforcement layer. The audit results after deployment — 5,015 shadow AI agent attempts discovered, 464 data leaks prevented — changed how our security team thinks about the AI risk surface entirely.
What to do this week

Read the OWASP Agentic AI Top 10 if you haven't. It's meaningfully different from the LLM Top 10.
Audit every AI agent in your environment. Map the credentials they're running under and the tools they can call.
Inventory your MCP server connections. If you don't know which MCP servers your agents can connect to, you have a blind spot.
Map your existing controls against the Agentic Top 10. DLP and conditional access cover maybe 3 of the 10 risks.
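
The Agent Layer described above (gating MCP server loads and every tool call at the action boundary) and the four MCP attack classes listed earlier, as an added Python example that is not code from this post or from Pragatix; the server names, agent name, manifests and instruction patterns are constructed placeholders:

```python
import hashlib, json, re
from collections import deque
from time import monotonic
def manifest_hash(manifest: dict) -> str:
    """Pin a server's advertised tool manifest (tool name -> description) so later drift is visible."""
    return hashlib.sha256(json.dumps(manifest, sort_keys=True).encode()).hexdigest()

# Constructed inventory (placeholder names): a pinned manifest hash per approved MCP server,
# and a per-agent tool scope that is deliberately narrower than the provisioning user's rights.
MAIL_MANIFEST = {"send_email": "Send an email to the addresses in the 'to' field"}
DOCS_MANIFEST = {"search_docs": "Full-text search over the document index"}
INVENTORY = {
    "mail-server": {"pinned": manifest_hash(MAIL_MANIFEST)},
    "docs-server": {"pinned": manifest_hash(DOCS_MANIFEST)},
}
AGENT_SCOPE = {"triage-bot": {"mail-server": {"send_email"}}}  # no docs-server, no bulk/delete tools
INSTRUCTION_PATTERNS = re.compile(r"ignore (all |any )?previous instructions|you must now|forward this", re.I)

class ToolCallGate:
    def __init__(self, inventory, scopes, max_calls_per_min=60):
        self.inventory, self.scopes, self.max_calls = inventory, scopes, max_calls_per_min
        self.history = {}  # agent -> deque of call timestamps (sliding one-minute window)

    def check_server_load(self, server, live_manifest):
        """Tool poisoning / rug pull: refuse a server whose live manifest differs from the approved one."""
        entry = self.inventory.get(server)
        if entry is None:
            return False, f"{server}: not in inventory"
        if manifest_hash(live_manifest) != entry["pinned"]:
            return False, f"{server}: manifest drifted since approval, re-review required"
        return True, "ok"

    def check_call(self, agent, server, tool, now=None):
        """Per-agent least privilege (which also blocks cross-server chaining) plus a rate cap."""
        if tool not in self.scopes.get(agent, {}).get(server, set()):
            return False, f"{agent}: not permitted to call {server}:{tool}"
        now = monotonic() if now is None else now
        q = self.history.setdefault(agent, deque())
        while q and now - q[0] >= 60:
            q.popleft()
        if len(q) >= self.max_calls:
            return False, f"{agent}: rate cap of {self.max_calls}/min exceeded"
        q.append(now)
        return True, "ok"

    @staticmethod
    def check_output(text):
        """Prompt injection via tool output: flag returned data that reads as instructions to the agent."""
        m = INSTRUCTION_PATTERNS.search(text)
        return (False, f"instruction-like text in tool output: {m.group(0)!r}") if m else (True, "ok")
```

The manifest pin is what turns a rug pull into a visible event: a server that passed review and later changes a tool description fails `check_server_load` before any tool is exposed to the agent.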

If you want to see how the three-layer defense model works in practice, AGAT Software has a full breakdown at agatsoftware.com/pragatix.
Questions welcome in the comments — particularly interested in how other security engineers are approaching MCP governance and whether existing CASB solutions are attempting to cover this yet.

Top comments (1)

AGAT Software

For anyone who wants to go deeper on the three-layer defense model mentioned here (Usage / Agent / Model), AGAT Software published a full breakdown of how Pragatix implements it in practice — including the shadow AI audit results and deployment options from SaaS to air-gapped: agatsoftware.com/pragatix
Happy to answer questions in the comments on any of the OWASP risks covered above, particularly around MCP governance — it's the area we're seeing the most blind spots in enterprise environments right now.