Reverse crosswalk
OWASP Top 10 for Agentic Applications 2026
10 entries, 10 mapped to canonical risks. Each entry below is shown with the canonical risk it maps to, or the reason it sits outside the register.
| Framework entry | Description | Disposition | Register mapping | Confidence | Note |
|---|---|---|---|---|---|
| ASI01 Agent Goal Hijack | AI agents execute a series of tasks to achieve a goal. Because agents and the underlying model cannot reliably distinguish instructions from related content, attackers can hijack the agent's goal to pursue adversarial objectives. | Mapped | Agent goal hijack is the autonomous-agent hijacking risk (MR-071), achieved via prompt injection (MR-010); context poisoning (MR-071.2) is the finer sub-risk. | Clear | |
| ASI02 Tool Misuse and Exploitation | Agents can misuse legitimate tools due to prompt injection, misalignment or unsafe/ambiguous delegation, leading to data exfiltration, tool-output manipulation or workflow hijacking. | Mapped | Tool misuse and exploitation maps to abuse of agent tool invocation (MR-071.1) and insecure tool/integration (MR-020), with data exfiltration through tools (MR-071.6). | Clear | |
| ASI03 Identity and Privilege Abuse | Identity and privilege abuse exploits dynamic trust and delegation in agents to escalate access and bypass controls by manipulating delegation chains, role inheritance, control flows and agent context (including cached credentials). | Mapped | Identity and privilege abuse maps to agent credential theft (MR-071.5) and abuse of valid accounts against the AI system (MR-015.1), within the excessive-agency risk (MR-071). | Clear | |
| ASI04 Agentic Supply Chain Vulnerabilities | Agentic supply chain vulnerabilities arise when agents, tools and related artefacts are provided by third parties and may be malicious, compromised or tampered with in transit (models, weights, tools, plugins). | Mapped | Agentic supply chain maps to poisoned AI agent tools published (MR-018.6) and poisoning of AI agent tools (MR-071.13) under the AI supply-chain risk (MR-018). | Clear | |
| ASI05 Unexpected Code Execution (RCE) | Agentic systems often generate and execute code; attackers exploit code-generation features or embedded tool access to escalate into remote code execution (RCE), local misuse or exploitation of internal systems. | Mapped | Unexpected code execution via an agent maps to abuse of agent tool invocation (MR-071.1) and container or sandbox escape (MR-015.8); insecure code generation (MR-019) is related. | Clear | |
| ASI06 Memory and Context Poisoning | Agentic systems rely on stored and retrievable context (memory, conversation history, retrieved data); poisoning that context corrupts continuity and reasoning across tasks. | Mapped | Memory and context poisoning is the register's agent context poisoning (MR-071.2) and RAG poisoning (MR-010.6). | Clear | |
| ASI07 Insecure Inter-Agent Communication | Multi-agent systems depend on continuous communication between autonomous agents coordinating via APIs, message buses and shared memory, significantly expanding the attack surface and undermining perimeter-based security. | Mapped | Insecure inter-agent communication is the multi-agent interaction risk (MR-057); agent-to-agent abuse channels relate to command and control (MR-071.12). | Clear | |
| ASI08 Cascading Failures | Agentic cascading failures occur when a single fault (hallucination, malicious input, corrupted tool or poisoned memory) propagates across autonomous agents, compounding into system-wide harm and bypassing stepwise human checks. | Mapped | Cascading failures across autonomous agents map to the multi-agent interaction risk (MR-057), with correlated-failure overlap at MR-047. | Clear | OWASP ASI08 gives MR-057 a direct external anchor. |
| ASI09 Human-Agent Trust Exploitation | Agents can establish strong trust with users through fluency, emotional intelligence and perceived expertise (anthropomorphism); adversaries or misaligned designs exploit this trust to influence decisions or extract sensitive information. | Mapped | Human-agent trust exploitation maps to manipulation and dark patterns (MR-030), emotional dependence (MR-036) and overreliance (MR-034); deceptive content baiting agents is MR-071.9. | Clear | |
| ASI10 Rogue Agents | Rogue agents are malicious or compromised AI agents that deviate from their intended function or authorized scope, acting harmfully, deceptively or parasitically within multi-agent or human-agent ecosystems. | Mapped | Rogue agents map to adversary-deployed AI agent in the environment (MR-071.11) and agent abused for command and control (MR-071.12) under the excessive-agency risk (MR-071). | Clear | |
Descriptions are each source framework's own text, where it provides one; long entries are clipped here.