OWASP (Open Worldwide Application Security Project) released in December 2025 the Top 10 for Agentic Applications 2026, a document identifying the 10 highest-impact threats to artificial intelligence systems that operate autonomously to plan, decide, and act across multiple stages and systems.
Agentic AI systems are rapidly advancing from pilot projects to production environments in the financial, healthcare, defense, critical infrastructure, and public sectors. They differ from narrower, task-specific automation in that they plan, decide, and act across multiple steps and systems, often on behalf of users and teams. The document identifies 10 main vulnerability categories: agent goal hijacking (ASI01), tool misuse and exploitation (ASI02), identity and privilege abuse (ASI03), agentic supply chain vulnerabilities (ASI04), unexpected code execution (ASI05), memory and context poisoning (ASI06), insecure inter-agent communication (ASI07), cascading failures (ASI08), human-agent trust exploitation (ASI09), and rogue agents (ASI10).
Agent goal hijacking represents the most critical vulnerability, allowing attackers to manipulate an agent's goals, task selection, or decision paths through indirect prompt injection, deceptive tool outputs, malicious artifacts, forged inter-agent messages, or poisoned external data. Unlike traditional prompt injection, which affects a single model response, this vulnerability captures the broader agentic impact, where manipulated inputs redirect goals, planning, and multi-step behavior. Tool misuse occurs when agents apply legitimate tools insecurely or in unintended ways because of prompt injection, misalignment, or insecure delegation, leading to data exfiltration, tool output manipulation, or workflow hijacking; the risk is amplified by agent memory, dynamic tool selection, and delegation.
The identity and privilege abuse vulnerability exploits dynamic trust and delegation in agents to escalate access and bypass controls by manipulating delegation chains, role inheritance, control flows, and agent context, including cached credentials or conversation history across interconnected systems. Supply chain vulnerabilities arise when agents, tools, and related artifacts provided by third parties are malicious, compromised, or tampered with in transit, including static and dynamic source components such as models and model weights, tools, plugins, datasets, other agents, agentic interfaces like MCP (Model Context Protocol) and A2A (Agent2Agent), agentic registries, and update channels. The document recommends various mitigation strategies, including treating all natural language inputs as untrusted, applying least privilege for agent tools, validating user and agent intent before executing critical actions, maintaining comprehensive logs and continuous monitoring of agent activity, isolating agent identities and contexts, and implementing execution sandboxes and output controls. The initiative was developed by the global OWASP community with dozens of security experts from industry, academia, and government who contributed threat research, red team findings, and field-tested mitigations, with support from organizations building agentic platforms, public institutions, and product vendors.
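As an added illustration of how several of the mitigations listed above fit together in an agent runtime (this is example code written for this summary, not code from OWASP or from the Top 10 document), the following policy gate sits between an agent's planner and its tool executor. It enforces a per-agent least-privilege tool allowlist, refuses to let a critical action be triggered by instructions that arrived through a tool result, fetched document or another agent (treating such natural-language content as untrusted data), requires explicit user confirmation before critical actions, and writes an audit record for every decision. The tool names, agent identifiers, origin labels and log format are hypothetical.

```python
# Added example (not OWASP's code): a policy gate an agent runtime consults
# before executing any tool call. Tool names, agent ids, origin labels and the
# audit-log format are hypothetical placeholders.
import json
import time
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    NEEDS_CONFIRMATION = "needs_confirmation"


# Provenance label attached to every instruction the agent is about to act on.
# Only instructions stated directly by the user may originate a critical action;
# text the agent read from a tool output, web page, file or another agent is
# data, never a command (assumption made for this example).
TRUSTED_ORIGINS = {"user"}

# Tools whose effects are irreversible or externally visible (hypothetical names).
CRITICAL_TOOLS = {"transfer_funds", "delete_records", "send_email"}


@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str
    allowed_tools: frozenset  # explicit allowlist: least privilege per agent


@dataclass
class ToolCall:
    tool: str
    args: dict
    origin: str  # "user", "tool_output", "agent_message", "external_data", ...


@dataclass
class PolicyGate:
    audit_log: list = field(default_factory=list)  # one JSON line per decision

    def evaluate(self, agent: AgentIdentity, call: ToolCall,
                 confirmed: bool = False) -> Decision:
        """Decide whether the runtime may execute `call` on behalf of `agent`."""
        if call.tool not in agent.allowed_tools:
            decision, reason = Decision.DENY, "tool not in agent allowlist"
        elif call.tool in CRITICAL_TOOLS and call.origin not in TRUSTED_ORIGINS:
            decision, reason = Decision.DENY, (
                f"critical tool requested from untrusted origin {call.origin!r}")
        elif call.tool in CRITICAL_TOOLS and not confirmed:
            decision, reason = Decision.NEEDS_CONFIRMATION, (
                "critical tool requires explicit user confirmation")
        else:
            decision, reason = Decision.ALLOW, "policy satisfied"
        self._record(agent, call, decision, reason)
        return decision

    def _record(self, agent, call, decision, reason):
        # Structured, append-only record so every agent action can be reviewed.
        self.audit_log.append(json.dumps({
            "ts": time.time(),
            "agent_id": agent.agent_id,
            "tool": call.tool,
            "origin": call.origin,
            "args": call.args,
            "decision": decision.value,
            "reason": reason,
        }, sort_keys=True))


def demo():
    """Constructed scenario: a support agent allowed only to search a knowledge
    base and send email. Returns the decisions and the audit log."""
    gate = PolicyGate()
    agent = AgentIdentity("support-bot", frozenset({"search_kb", "send_email"}))
    calls = [
        # benign lookup requested by the user
        (ToolCall("search_kb", {"q": "refund policy"}, "user"), False),
        # tool outside the agent's allowlist: denied regardless of origin
        (ToolCall("transfer_funds", {"amount": 500}, "user"), False),
        # critical action requested by the user but not yet confirmed
        (ToolCall("send_email", {"to": "customer@example.com"}, "user"), False),
        # same action after the user confirmed the intent
        (ToolCall("send_email", {"to": "customer@example.com"}, "user"), True),
        # instruction that appeared inside a fetched document: untrusted origin
        (ToolCall("send_email", {"to": "someone@example.net"}, "tool_output"), False),
    ]
    decisions = [gate.evaluate(agent, c, confirmed=ok).value for c, ok in calls]
    return decisions, gate.audit_log


if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)
    for line in log:
        print(line)
```

The gate is deliberately independent of the model: the decision depends only on the agent's identity, the tool requested, where the instruction came from, and whether the user confirmed it, so a manipulated planner cannot talk its way past it. In a real deployment the origin label would be assigned by the runtime when it injects tool results or inter-agent messages into the context, not by the model itself.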
This post was summarized from the original publication using AI, with human review.
With information from OWASP