{"id":6279,"date":"2025-12-19T07:00:00","date_gmt":"2025-12-19T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6279"},"modified":"2025-12-19T07:00:00","modified_gmt":"2025-12-19T07:00:00","slug":"managing-agentic-ai-risk-lessons-from-the-owasp-top-10","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6279","title":{"rendered":"Managing agentic AI risk: Lessons from the OWASP Top 10"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>LLM-powered chatbots have risks that we see playing out in the headlines on a nearly daily basis. But chatbots are limited to answering questions. AI agents, however, access data and tools and carry out tasks, making them infinitely more capable \u2013 and more dangerous to enterprises.<\/p>\n<p>The <a href=\"https:\/\/genai.owasp.org\/resource\/owasp-top-10-for-agentic-applications-for-2026\/\">OWASP Top 10 for Agentic Applications<\/a> can help CISOs explain what the issues are to their business counterparts. It can also help CISOs to directly improve agentic AI security, because it comes with <a href=\"https:\/\/genai.owasp.org\/resource\/agentic-ai-threats-and-mitigations\/\">threats taxonomy<\/a>, mitigation strategies and playbooks, and example threat models.<\/p>\n<p>It\u2019s all part of <a href=\"https:\/\/genai.owasp.org\/initiatives\/agentic-security-initiative\/\">OWASP\u2019s<\/a> Agentic Security Initiative. Scott Clinton, OWASP GenAI security project board co-chair and co-founder, says he was surprised by how many agentic solutions were already deployed in organizations that the OWASP team uncovered while they were researching the list. And how many of those solutions were deployed without the knowledge of IT and security teams.<\/p>\n<p>This level of risk is unprecedented, he says. 
That includes a lot of theoretical, \u201cacademic\u201d risks.<\/p>\n<p>\u201cHowever, we focused on those that were data-driven,\u201d he says. \u201cWhere we would provide practical guidance based on real-world conditions today.\u201d<\/p>\n<h2 class=\"wp-block-heading\">The challenge of educating stakeholders<\/h2>\n<p>\u201cIf you\u2019re a CSO, chances are you are having quite a time educating your stakeholders about the risks that are being introduced by the use cases that are probably being pushed on you,\u201d says Kayla Underkoffler, director of AI security and policy advocacy at Zenity, an AI security company, and one of the core contributors to the OWASP list.<\/p>\n<p>The CISO might not be able to say no, she adds \u2013 but might also be a little hesitant to say that the company can go all in and adopt the technology without thinking of the consequences.<\/p>\n<p>The list was deliberately designed to be consumable, she says. \u201cIt will help with threat modeling, help with telling the story, help explain what controls need to be in place to reduce the risk and why.\u201d<\/p>\n<p>A security leader can get an agentic AI use case from the business and align the top risks to fit that use case. The list also provides a common language around agentic AI and its risks, Underkoffler says.<\/p>\n<h2 class=\"wp-block-heading\">Actionable guidance<\/h2>\n<p>Agentic AI is the main topic of conversation in discussions among his peers, says Keith Hillis, VP of security engineering at Akamai Technologies.<\/p>\n<p>\u201cMost organizations are confronted with the challenge of balancing the promising power of AI while also ensuring the organization is not incurring increased security risk,\u201d he says. So, the biggest value he finds in the new Agentic AI OWASP top 10 is that it\u2019s immediately useful. 
\u201cIt\u2019s directly actionable as a control baseline in both security architecture and governance, risk, and compliance contexts,\u201d he says.<\/p>\n<p>One aspect of the list that he found particularly insightful was the evolution of \u201cleast privilege\u201d to \u201cleast agency.\u201d<\/p>\n<p>He recommends that CISOs use the list to assess their programs, identify gaps, and map out a plan of action for improvement. \u201cMost likely already have active programs in place,\u201d he says. But it\u2019s also likely they will need to evolve to accommodate the specific risks of agentic AI.<\/p>\n<h2 class=\"wp-block-heading\">Missing pieces<\/h2>\n<p>The only thing that\u2019s lacking in this first release of the list is that some of the mitigation sections aren\u2019t detailed enough, says Zenity\u2019s Underkoffler.<\/p>\n<p>But there are plans to address that. \u201cWe have some efforts to really dive into the mitigations for security teams, to help implement these controls,\u201d she says. \u201cNot just descriptions of what you should do but real code examples of how you can implement them.\u201d<\/p>\n<p>For example, she says, one of the suggested mitigations is to \u201capply the principle of least privilege\u201d. \u201cWhich is completely accurate,\u201d she says. \u201cEveryone should apply the principle of least privilege. But what does that mean for agents?\u201d<\/p>\n<p>Rick Holland, data and AI security officer at Cyera, a data security vendor, says he\u2019d like the list to explain the likelihood of each type of attack. \u201cNot all threat actors are created equal,\u201d he says.<\/p>\n<p>For organizations targeted by nation-state actors, for example, the attackers might use more sophisticated attack vectors, like memory and context poisoning or <a href=\"https:\/\/www.csoonline.com\/article\/4015077\/ai-supply-chain-threats-are-looming-as-security-practices-lag.html\">agentic supply chain vulnerabilities<\/a>. 
Rank-and-file cybercriminals might go after more low-hanging fruit, Holland says, using techniques like agent goal hijack or tool misuse.<\/p>\n<p>Jose Lazu, associate director of product management at CMD+CTRL, a security training company, says that there are some second-tier risks that could have been included, such as model and tuning supply-chain integrity, long-horizon data poisoning, multi-agent coordination exploits, and cost-based resource exhaustion.<\/p>\n<p>\u201cThese areas are evolving quickly, so CSOs need to keep them on their radar,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">OWASP Top 10 for Agentic AI<\/h2>\n<p>Below we list the OWASP Top 10 for Agentic Applications 2026, a framework that identifies the most critical security risks facing autonomous and agentic AI systems.<\/p>\n<h3 class=\"wp-block-heading\">1 \u2013 Agent Goal Hijack<\/h3>\n<p>Attackers use prompt injection, poisoned data, and other tactics to manipulate the AI agent\u2019s goals, so that the agent carries out unwanted actions. For example, a malicious prompt can manipulate a financial agent into sending money to an attacker.<\/p>\n<h3 class=\"wp-block-heading\">2 \u2013 Tool Misuse and Exploitation<\/h3>\n<p>Agents misuse legitimate, authorized tools for data exfiltration, destructive actions, and other unwanted behaviors. In fact, we\u2019ve already seen examples of <a href=\"https:\/\/www.cio.com\/article\/4081125\/whos-the-real-boss-of-your-ai.html\">AI agents deleting databases<\/a> and wiping hard drives.<\/p>\n<h3 class=\"wp-block-heading\">3 \u2013 Identity and Privilege Abuse<\/h3>\n<p>Flaws in agent identity, delegation, or privilege inheritance allow attackers to escalate access, exploit confused deputy scenarios, or execute unauthorized actions across systems. 
For example, an attacker can use a low-privilege AI agent to relay instructions to a high-privilege agent in order to do things they\u2019re not supposed to be able to do.<\/p>\n<h3 class=\"wp-block-heading\">4 \u2013 Agentic Supply Chain Vulnerabilities<\/h3>\n<p>Compromised or malicious third-party agents, tools, models, interfaces, or registries introduce hidden instructions or unsafe behavior into agentic ecosystems. For example, an attacker can embed hidden instructions into a tool\u2019s metadata.<\/p>\n<h3 class=\"wp-block-heading\">5 \u2013 Unexpected Code Execution<\/h3>\n<p>Agent-generated or agent-invoked code executes in unintended or adversarial ways, leading to host, container, or environment compromise. AI agents can generate code on the fly, bypassing normal software controls, and attackers can leverage this. For example, a coding agent writing a security patch might include a hidden back door due to poisoned training data or adversarial prompts.<\/p>\n<h3 class=\"wp-block-heading\">6 \u2013 Memory and Context Poisoning<\/h3>\n<p>Attackers corrupt persistent agent memory, RAG stores, embeddings, or shared context to affect an agent\u2019s future actions. For example, an attacker keeps mentioning a fake price for a product, which gets stored into an agent\u2019s memory, and the agent might later treat the price as valid and approve bookings at that price.<\/p>\n<p>Contaminated context and shared memory can spread between agents, compounding corruption.<\/p>\n<h3 class=\"wp-block-heading\">7 \u2013 Insecure Inter-Agent Communication<\/h3>\n<p>Weak authentication, integrity, or semantic validation in agent-to-agent messaging enables spoofing, tampering, replay, or manipulation. 
For example, an attacker can register a fake agent in a discovery service, and intercept privileged coordination traffic.<\/p>\n<h3 class=\"wp-block-heading\">8 \u2013 Cascading Failures<\/h3>\n<p>A single fault, such as hallucination, poisoned memory, or compromised tool, propagates across autonomous agents. For example, a regional outage in a hyperscaler can break multiple AI services, leading to a cascade of agent failures across many organizations.<\/p>\n<h3 class=\"wp-block-heading\">9 \u2013 Human-Agent Trust Exploitation<\/h3>\n<p>Agents exploit human trust, authority bias, or automation bias to influence decisions or extract sensitive information. For example, a compromised IT support agent can request credentials from an employee and send them to the attacker.<\/p>\n<h3 class=\"wp-block-heading\">10 \u2013 Rogue Agents<\/h3>\n<p>Agents can act harmfully and deceptively in such a way that individual actions may appear legitimate. This could be due to prompt injection, or due to conflicting objectives or reward hacking. For example, an agent whose job is to reduce cloud costs might figure out that deleting files is the most efficient way to do that.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>LLM-powered chatbots have risks that we see playing out in the headlines on a nearly daily basis. But chatbots are limited to answering questions. AI agents, however, access data and tools and carry out tasks, making them infinitely more capable \u2013 and more dangerous to enterprises. 
The OWASP Top 10 for Agentic Applications can help [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6280,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6279","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6279"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6279"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6279\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6280"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6279"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6279"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6279"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}