OWASP Top 10 for Agentic Applications

Where the OWASP Top 10 for LLM Applications focuses on model-centric risks, the Agentic Top 10 addresses threats that emerge when models take actions through tools, memory, and other agents. Published in December 2025, it has become the default rubric for agentic AI threat modeling.

The standard organizes the agentic threat surface into ten categories, which fall into five groups:

  • Goal and intent manipulation: ASI01 Goal Hijack and ASI09 Human-Agent Trust Exploitation address what an agent or user is steered to do.
  • Tool and code abuse: ASI02 Tool Misuse and ASI05 Unexpected Code Execution cover unsafe tool invocation and runtime code paths.
  • Identity, memory, and context: ASI03 Identity and Privilege Abuse and ASI06 Memory and Context Poisoning cover credential and persistent-state attacks.
  • Supply chain and communication: ASI04 Agentic Supply Chain Vulnerabilities and ASI07 Insecure Inter-Agent Communication cover composition and message-layer risks.
  • Behavioral integrity at scale: ASI08 Cascading Failures and ASI10 Rogue Agents address how faults or drift become systemwide harm.

Each entry cross-maps to LLM01:2025 through LLM10:2025 and to the AIVSS core risk model. This gives security teams a shared vocabulary across model-centric and agent-centric risk, one that procurement, audit, and incident response programs are now adopting as the default agentic AI reference.

How PointGuard AI Helps

PointGuard AI's Agentic AI Security solution maps directly to the OWASP Top 10 for Agentic Applications, with the Agent Governance Mesh and MCP Security Gateway implementing runtime controls for each ASI category and producing audit-grade evidence aligned to the standard.

Learn More

OWASP Top 10 for Agentic Applications

OWASP GenAI Security Project

MITRE ATLAS
