Synced 16 Jun 2026 15:24 UTC

What is the OWASP Agentic Top 10? (ASI01–ASI10)

A plain-English guide · updated June 2026

The OWASP Top 10 for Agentic Applications (ASI01–ASI10) is a community-built list of the ten most critical security risks specific to AI agents: systems that plan, call tools, hold memory and act autonomously. Released by the OWASP GenAI Security Project / Agentic Security Initiative on 9 December 2025, it complements the OWASP Top 10 for LLM Applications, which covers risks in the models and the applications that wrap them.

The ten risks

ASI01 Agent Goal Hijack

An attacker manipulates the agent's objectives, instructions or decision path, typically through prompt injection carried in content the agent reads (a web page, document or message) or through poisoned inputs, so that it pursues outcomes its operator never intended.

In the wild: EchoLeak (2025): a zero-click prompt injection delivered by email made Microsoft 365 Copilot leak confidential data outside its scope, with no user interaction. — Microsoft / Aim Security

ASI02 Tool Misuse & Exploitation

The agent drives connected tools in unsafe ways, or attackers exploit the tool interfaces themselves. Much of this abuse stays within the privileges the agent was legitimately granted, so permission checks alone do not catch it: the tool does exactly what it was built to do, for the wrong purpose.

In the wild: OpenAI Codex CLI (2025): a sandbox-config flaw let agent-generated code write outside the intended workspace. — NVD

ASI03 Identity & Privilege Abuse

Agents inherit or delegate credentials without proper scoping, so actions cannot be attributed to the human or agent that initiated them, and over-broad tokens give an attacker who hijacks one agent a path to privilege escalation.

In the wild: A2A "Agent-in-the-Middle" (2025): a rogue agent published a fake agent card falsely claiming high trust. — Trustwave

ASI04 Agentic Supply Chain Vulnerabilities

The agent pulls tools, MCP servers, agent cards, registries, models and prompts from a runtime ecosystem at execution time; any of those components can be malicious or compromised, and a dependency that was benign at review time can be swapped later.

In the wild: Claude "Skills" (2025): malicious plugins were re-uploaded to deploy MedusaLocker ransomware. — Cato CTRL

ASI05 Unexpected Code Execution (RCE)

The agent generates code or commands at runtime (including "vibe-coded" execution paths) that run with its privileges outside anything its controls anticipated, turning a language-model output into arbitrary execution.

In the wild: OpenAI Codex CLI (2025): model-generated code escaped the sandbox to run beyond its scope. — NVD
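The ASI02 and ASI05 entries above both come down to a tool call that stays inside the agent's nominal permissions but lands outside the boundary the operator meant. The example below is added here and is not code from OWASP, OpenAI or any product named on this page: it gates a hypothetical write_file tool, showing the string-prefix containment check that a workspace escape slips past beside a hardened check that resolves ".." and symlinks before comparing paths. The tool name, the call shape and the temporary-directory fixture are this example's own assumptions.

```python
"""Added example (not from OWASP, OpenAI or any vendor): a policy gate for a
hypothetical `write_file` tool. Shows the weak prefix check a sandbox escape
slips past beside a hardened containment check. Tool name, call shape and
fixture paths are assumptions made for this example."""
import os
import shutil
import tempfile
from typing import Any, Dict


def weak_in_workspace(workspace: str, requested: str) -> bool:
    """String-prefix containment: the flawed shape. '..' segments, a symlink
    inside the workspace and a sibling dir named '<workspace>-other' all pass."""
    return os.path.join(workspace, requested).startswith(workspace)


def hardened_in_workspace(workspace: str, requested: str) -> bool:
    """Resolve '..' and symlinks on both sides, then require the target to sit
    at or below the workspace root. commonpath() replaces the string prefix so
    that '/ws' does not match '/ws-other'."""
    root = os.path.realpath(workspace)
    target = os.path.realpath(os.path.join(root, requested))
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:  # no common path at all (different drives on Windows)
        return False


def gate_tool_call(workspace: str, call: Dict[str, Any]) -> Dict[str, Any]:
    """Run before any agent-issued tool call reaches the tool: allowlist the
    tool name, reject absolute paths outright, then apply hardened containment."""
    tool = call.get("tool")
    args = call.get("args") or {}
    if tool != "write_file":  # hypothetical allowlist with a single tool
        return {"allowed": False, "reason": f"tool {tool!r} not in allowlist"}
    path = str(args.get("path", ""))
    if not path or os.path.isabs(path):
        return {"allowed": False, "reason": "path must be relative and non-empty"}
    if not hardened_in_workspace(workspace, path):
        return {"allowed": False, "reason": f"{path!r} resolves outside the workspace"}
    return {"allowed": True, "reason": "inside workspace"}


def demo() -> Dict[str, Dict[str, bool]]:
    """Constructed fixture: a temporary workspace, a sibling directory named
    '<workspace>-other', and a symlink inside the workspace that points outside
    it. Returns, per requested path, the weak check, the hardened check and the
    gate decision."""
    ws = tempfile.mkdtemp(prefix="agent-ws-")
    sibling = ws + "-other"
    outside = tempfile.mkdtemp(prefix="outside-")
    os.mkdir(sibling)
    os.symlink(outside, os.path.join(ws, "escape"))
    requests = [
        "notes/todo.md",                                    # legitimate write
        "../../etc/crontab",                                # '..' traversal
        "../" + os.path.basename(sibling) + "/payload.sh",  # prefix trap
        "escape/secret.txt",                                # symlink out
    ]
    try:
        results: Dict[str, Dict[str, bool]] = {}
        for req in requests:
            call = {"tool": "write_file", "args": {"path": req, "content": ""}}
            results[req] = {
                "weak": weak_in_workspace(ws, req),
                "hardened": hardened_in_workspace(ws, req),
                "gate": gate_tool_call(ws, call)["allowed"],
            }
        return results
    finally:
        for d in (ws, sibling, outside):
            shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    for req, v in demo().items():
        print(f"{req:<48} weak={v['weak']!s:<5} hardened={v['hardened']!s:<5} gate={v['gate']}")
```

The gate runs on the tool-call boundary rather than inside the model prompt, which is the point: a hijacked agent still emits the same JSON call, and a check that resolves the real filesystem path is what keeps "within granted privileges" from meaning "anywhere the process can write".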

ASI06 Memory & Context Poisoning

Persistent corruption of an agent's memory, embeddings or shared context steers its future decisions.

In the wild: EchoLeak (2025): a crafted email poisoned Copilot's context to drive data exfiltration. — Microsoft / Aim Security

ASI07 Insecure Inter-Agent Communication

Weak agent-to-agent protocols, discovery and semantic validation let messages be spoofed, tampered or misrouted.

In the wild: A2A protocol spoofing (2025): a fake agent card let a rogue agent intercept inter-agent traffic. — Trustwave

ASI08 Cascading Failures

One fault or compromise propagates across agents and workflows, amplifying a small issue into a system-wide one.

In the wild: Copilot / Cursor (2025): AI-suggested backdoors and logic flaws propagated into production code. — Pillar Security

ASI09 Human-Agent Trust Exploitation

Attackers weaponise anthropomorphism and authority bias: because agent output reads as confident and human, people rubber-stamp approvals and skip the oversight step that was supposed to catch a harmful action.

In the wild: Copilot / Cursor (2025): developers trusted AI suggestions that injected backdoors and leaked API keys. — Pillar Security

ASI10 Rogue Agents

Compromised, misaligned or drifting agents keep operating in unintended ways — behavioural drift, collusion, self-replication.

In the wild: A2A "Agent-in-the-Middle" (2025): a rogue agent claimed high trust and exfiltrated sensitive data. — Trustwave

Agentic Top 10 vs the LLM Top 10

The LLM Top 10 covers risks in language models and the apps that wrap them — prompt injection, training-data poisoning, insecure output handling. The Agentic Top 10 focuses on what happens once those models get autonomy, tools, memory and the ability to coordinate: goal hijacking, tool misuse, privilege abuse, inter-agent attacks and rogue behaviour. They're complementary, not competing.

How to assess your agents against it

Use the list as a checklist of failure modes, then score the concrete vulnerabilities you find with AIVSS (OWASP's AI Vulnerability Scoring System) to prioritise. A fast first screen is the Lethal Trifecta, Simon Willison's term for an agent that holds private data, reads untrusted content and can reach the internet all at once; when all three are present, several of these risks become directly exploitable, and removing any one leg removes the simplest exfiltration path.
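The Trifecta screen is cheap to run mechanically, and doing so exposes a case the one-agent phrasing hides: an agent that holds only two legs itself can hold all three once it is allowed to delegate to another agent. The example below is added here and is not OWASP's tooling or IsItPatched's calculator: it runs the screen over a constructed multi-agent manifest, first on each agent's own tools and then after following delegation transitively. The capability tags, the tool-to-tag assignments, the agent graph and the mapping from a complete trifecta to the ASI entries to score first are this example's own assumptions; only the risk names come from the list above.

```python
"""Added example, not OWASP's tooling: a Lethal Trifecta screen over a
constructed multi-agent manifest. Capability tags, tool assignments, the agent
graph and the tag-to-ASI mapping are assumptions made for this example."""
from typing import Dict, List, Set

# The three legs of the trifecta, as capability tags.
PRIVATE, UNTRUSTED, EGRESS = "private_data", "untrusted_content", "external_egress"
TRIFECTA: Set[str] = {PRIVATE, UNTRUSTED, EGRESS}

# Constructed tool catalogue: which legs each tool supplies (assumed).
TOOL_CAPS: Dict[str, Set[str]] = {
    "read_inbox": {PRIVATE, UNTRUSTED},  # mailbox is private; inbound mail is attacker-writable
    "crm_lookup": {PRIVATE},
    "web_fetch":  {UNTRUSTED, EGRESS},   # fetched pages are untrusted; the URL itself carries data out
    "send_email": {EGRESS},
    "calculator": set(),
}

# Constructed deployment: each agent's own tools and which agents it may hand work to.
AGENTS: Dict[str, Dict[str, List[str]]] = {
    "triage":     {"tools": ["read_inbox", "calculator"], "delegates_to": ["researcher"]},
    "researcher": {"tools": ["web_fetch"],                "delegates_to": []},
    "sales":      {"tools": ["crm_lookup", "send_email"], "delegates_to": []},
}

# ASI entries this screen flags as directly exploitable once all three legs are
# present (assumed mapping, chosen for this example).
FLAGGED_RISKS = ["ASI01 Agent Goal Hijack", "ASI02 Tool Misuse & Exploitation",
                 "ASI06 Memory & Context Poisoning"]


def direct_caps(agent: str, agents=AGENTS, tools=TOOL_CAPS) -> Set[str]:
    """Legs an agent holds through its own tools only."""
    caps: Set[str] = set()
    for tool in agents[agent]["tools"]:
        caps |= tools.get(tool, set())
    return caps


def effective_caps(agent: str, agents=AGENTS, tools=TOOL_CAPS, _seen=None) -> Set[str]:
    """Legs an agent holds once delegation is followed transitively: if A can
    hand a task to B, an injected instruction that reaches A can reach B's tools
    too (the composition behind ASI03 and ASI08). _seen guards against cycles."""
    seen = _seen if _seen is not None else set()
    if agent in seen:
        return set()
    seen.add(agent)
    caps = direct_caps(agent, agents, tools)
    for peer in agents[agent]["delegates_to"]:
        caps |= effective_caps(peer, agents, tools, seen)
    return caps


def screen(agents=AGENTS, tools=TOOL_CAPS) -> Dict[str, Dict[str, object]]:
    """Per-agent verdict: trifecta on direct tools, trifecta after delegation,
    the legs still missing, and the risks to score first when it is complete."""
    report: Dict[str, Dict[str, object]] = {}
    for name in agents:
        direct = direct_caps(name, agents, tools)
        effective = effective_caps(name, agents, tools)
        report[name] = {
            "direct_trifecta": TRIFECTA <= direct,
            "effective_trifecta": TRIFECTA <= effective,
            "missing_legs": sorted(TRIFECTA - effective),
            "score_first": FLAGGED_RISKS if TRIFECTA <= effective else [],
        }
    return report


if __name__ == "__main__":
    for agent, verdict in screen().items():
        print(agent, verdict)
```

In the constructed manifest, "triage" passes a per-agent screen (it cannot reach the internet) yet fails the effective one, because anything injected through the inbox can be forwarded to "researcher", whose web_fetch tool supplies the missing egress leg. That is the case to look for when a single-agent review comes back clean.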

Assess your agents now →

Frequently asked questions

What is the OWASP Agentic Top 10?

The OWASP Top 10 for Agentic Applications (ASI01–ASI10) is a community-built list of the ten most critical security risks specific to AI agents: systems that can plan, call tools, hold memory and act autonomously. It was released by the OWASP GenAI Security Project / Agentic Security Initiative on 9 December 2025. It complements the OWASP Top 10 for LLM Applications, which covers risks in the models and the applications that wrap them.

What are the ten agentic risks?

ASI01 Agent Goal Hijack, ASI02 Tool Misuse & Exploitation, ASI03 Identity & Privilege Abuse, ASI04 Agentic Supply Chain Vulnerabilities, ASI05 Unexpected Code Execution (RCE), ASI06 Memory & Context Poisoning, ASI07 Insecure Inter-Agent Communication, ASI08 Cascading Failures, ASI09 Human-Agent Trust Exploitation, and ASI10 Rogue Agents.

How is it different from the OWASP Top 10 for LLMs?

The LLM Top 10 covers risks in language models and the applications that wrap them — prompt injection, training-data poisoning, insecure output handling and so on. The Agentic Top 10 focuses on what happens when those models are given autonomy, tools, memory and the ability to coordinate with other agents: goal hijacking, tool misuse, privilege abuse, inter-agent attacks and rogue behaviour. The two are complementary.

How do I assess my agents against it?

Use the OWASP Agentic Top 10 as a checklist of failure modes, then score the concrete vulnerabilities you find with AIVSS (OWASP's AI Vulnerability Scoring System) to prioritise. A fast first screen is the Lethal Trifecta: if an agent has private data, untrusted input and external egress at once, several of these risks become directly exploitable. IsItPatched provides a free AIVSS calculator and Trifecta screen.

When was the Agentic Top 10 released?

The OWASP Top 10 for Agentic Applications (2026 edition) was released on 9 December 2025 by the OWASP GenAI Security Project / Agentic Security Initiative.

IsItPatched is independent and not affiliated with OWASP. Real-world examples are publicly-disclosed incidents from the OWASP Agentic Security Initiative Exploits & Incidents Tracker. See our disclaimer.