In December 2025 OWASP published a Top 10 built specifically for autonomous AI agents, separate from the LLM list. Here is what each of the ten risks means in production, and how to defend against them without crippling the agent.
For three years the reference point for LLM security has been the OWASP Top 10 for Large Language Model Applications. It is a good list. It is also a list about a model answering a prompt. That is no longer the system most teams are shipping.
On 9 December 2025 the OWASP GenAI Security Project published a separate list, the Top 10 for Agentic Applications, with its own prefix, ASI01 through ASI10. The split is the important part. An agent plans, calls tools, holds memory, talks to other agents, and acts with minimal human review. Those capabilities are not edge cases bolted onto a chatbot. They are a different attack surface, and they needed their own taxonomy.
This is a working guide to all ten, what each one actually looks like in a deployed system, and where the defensible line sits.
Why a second list exists
The simplest way to think about it: the LLM Top 10 is about what a model says; the Agentic Top 10 is about what an agent does. If you are building a chatbot or a retrieval system with no tool use and no autonomy, the original LLM list still covers you and the agentic list adds little. The moment your system can take an action in the world, call an external tool, or coordinate with another agent, you need both. Most teams crossed that line in 2025 without re-evaluating their threat model.
The ten, in plain terms
| ID | Risk | What it looks like in production |
|---|---|---|
| ASI01 | Agent Goal Hijack | Injected instructions redirect the agent's objective mid-task, so it pursues the attacker's goal while looking like it is doing its job. |
| ASI02 | Tool Misuse & Exploitation | The agent is talked into calling a legitimate tool in an illegitimate way, or chaining tools to reach something it should not. |
| ASI03 | Identity & Privilege Abuse | The agent's credentials and permissions are broader than its task, and an attacker rides them. |
| ASI04 | Agentic Supply Chain | A poisoned tool, model, plugin, or registry entry enters the stack and is trusted by default. |
| ASI05 | Unexpected Code Execution (RCE) | The agent reaches a code-execution path, intended or not, and runs attacker-controlled logic. |
| ASI06 | Memory & Context Poisoning | Malicious content is written into the agent's memory and re-read later as trusted fact. |
| ASI07 | Insecure Inter-Agent Communication | Messages between agents are unauthenticated or unvalidated, so one compromised agent steers the rest. |
| ASI08 | Cascading Failures | A single bad decision or fault propagates across a chain of agents and systems. |
| ASI09 | Human-Agent Trust Exploitation | The agent is used to manipulate the human, or the human's misplaced trust is the exploit. |
| ASI10 | Rogue Agents | An unauthorized or hijacked agent, tool, or API operates inside the trust boundary. |
The three that will hurt you first
Goal hijack (ASI01) is prompt injection grown up. In a chatbot, a successful injection makes the model say something wrong. In an agent, it makes the system do something wrong, with the user's own permissions, across however many steps the task involves. The blast radius is the difference between an embarrassing transcript and an exfiltrated database. Defending it means treating every piece of content the agent ingests, including tool outputs and retrieved documents, as untrusted, and evaluating it before it can influence the agent's plan.
Tool misuse (ASI02) rarely needs an exploit. The tools work exactly as designed. The attack is in the composition: a file-read tool plus a network tool plus an injected instruction becomes a data-exfiltration pipeline, and each tool individually looks innocent. This is why per-tool allowlisting and policy enforcement on tool calls matters more than hardening any single tool.
Memory and context poisoning (ASI06) is the patient one. An attacker plants a false belief, a fake policy, a poisoned record, and the agent absorbs it into long-term memory. Days later it acts on that belief as though the agent itself had learned it. There is no live injection to catch in the moment, because the payload was written earlier and is now indistinguishable from the agent's own knowledge. We treat memory writes as a security boundary, not a convenience.
The structural ones
ASI03, ASI04, ASI07, ASI08 and ASI10 are less about a single clever prompt and more about how the system is wired. They reward boring discipline: scope every agent's identity to its task and nothing more; vet tools and models the way you vet third-party code; authenticate messages between agents; and put circuit breakers between steps so one failure does not become ten. ASI05, unexpected code execution, is the one where the agentic and model-file worlds meet, and it is exactly why scanning the artifacts an agent loads is part of agentic defense, not a separate concern.
Frequently asked questions
Does the Agentic Top 10 replace the LLM Top 10? No. They are complementary. If your system uses tools or autonomy, apply both. The LLM list covers the language layer; the agentic list covers the action layer.
Which risk is most common in real deployments? Goal hijack and tool misuse dominate, because they require no novel exploit, only untrusted content reaching an agent that can act. They are the agentic face of prompt injection.
Can native model safety cover these? Not on its own. The model's own guardrails are built for conversational misuse, not for an adversarial tool-and-memory pipeline. Coverage has to live around the model, at the input, retrieval, tool, and memory layers.
How Promptention maps to it
Our defense-in-depth architecture was built around exactly these failure modes: input control and indirect-injection scanning for goal hijack, tool-call policy enforcement for tool misuse, memory-integrity checks for context poisoning, and artifact scanning for the code-execution and supply-chain paths. Our red team exercises the same list against your specific deployment, because a framework tells you what to worry about and a red team tells you whether you actually handled it.
The agentic list is the clearest signal yet that AI security has moved from "what did the model say" to "what did the system do." The defense has to move with it.
Promptention Guard and Red Team Services map to the OWASP Top 10 for Agentic Applications and to MITRE ATLAS, with risk governance aligned to the NIST AI Risk Management Framework.
Further reading: OWASP GenAI Security Project, "Top 10 for Agentic Applications (2026)"; OWASP Top 10 for LLM Applications; MITRE ATLAS.
