DARR
Reverse crosswalk

OWASP Top 10 for Agentic Applications 2026

10 entries, 10 mapped to canonical risks. Each entry below is shown with the canonical risk it maps to, or the reason it sits outside the register.

Columns for each entry: framework entry, description, disposition, register mapping, confidence, note.

ASI01 Agent Goal Hijack
Description: AI agents execute a series of tasks to achieve a goal. Because agents and the underlying model cannot reliably distinguish instructions from related content, attackers can hijack the agent's goal to pursue adversarial objectives.
Disposition: Mapped
Register mapping: MR-071, MR-010, MR-071.2
Confidence: Clear
Note: Agent goal hijack is the autonomous-agent hijacking risk (MR-071), achieved via prompt injection (MR-010); context poisoning (MR-071.2) is the finer sub-risk.

ASI02 Tool Misuse and Exploitation
Description: Agents can misuse legitimate tools due to prompt injection, misalignment or unsafe/ambiguous delegation, leading to data exfiltration, tool-output manipulation or workflow hijacking.
Disposition: Mapped
Register mapping: MR-071.1, MR-020, MR-071.6
Confidence: Clear
Note: Tool misuse and exploitation maps to abuse of agent tool invocation (MR-071.1) and insecure tool/integration (MR-020), with data exfiltration through tools (MR-071.6).

ASI03 Identity and Privilege Abuse
Description: Identity and privilege abuse exploits dynamic trust and delegation in agents to escalate access and bypass controls by manipulating delegation chains, role inheritance, control flows and agent context (including cached credentials).
Disposition: Mapped
Register mapping: MR-071.5, MR-015.1, MR-071
Confidence: Clear
Note: Identity and privilege abuse maps to agent credential theft (MR-071.5) and abuse of valid accounts against the AI system (MR-015.1), within the excessive-agency risk (MR-071).

ASI04 Agentic Supply Chain Vulnerabilities
Description: Agentic supply chain vulnerabilities arise when agents, tools and related artefacts are provided by third parties and may be malicious, compromised or tampered with in transit (models, weights, tools, plugins).
Disposition: Mapped
Register mapping: MR-018.6, MR-071.13, MR-018
Confidence: Clear
Note: Agentic supply chain maps to poisoned AI agent tools published (MR-018.6) and poisoning of AI agent tools (MR-071.13) under the AI supply-chain risk (MR-018).

ASI05 Unexpected Code Execution (RCE)
Description: Agentic systems often generate and execute code; attackers exploit code-generation features or embedded tool access to escalate into remote code execution (RCE), local misuse or exploitation of internal systems.
Disposition: Mapped
Register mapping: MR-071.1, MR-015.8, MR-019 (related)
Confidence: Clear
Note: Unexpected code execution via an agent maps to abuse of agent tool invocation (MR-071.1) and container or sandbox escape (MR-015.8); insecure code generation (MR-019) is related.

ASI06 Memory and Context Poisoning
Description: Agentic systems rely on stored and retrievable context (memory, conversation history, retrieved data); poisoning that context corrupts continuity and reasoning across tasks.
Disposition: Mapped
Register mapping: MR-071.2, MR-010.6
Confidence: Clear
Note: Memory and context poisoning is the register's agent context poisoning (MR-071.2) and RAG poisoning (MR-010.6).

ASI07 Insecure Inter-Agent Communication
Description: Multi-agent systems depend on continuous communication between autonomous agents coordinating via APIs, message buses and shared memory, significantly expanding the attack surface and undermining perimeter-based security.
Disposition: Mapped
Register mapping: MR-057, MR-071.12
Confidence: Clear
Note: Insecure inter-agent communication is the multi-agent interaction risk (MR-057); agent-to-agent abuse channels relate to command and control (MR-071.12).

ASI08 Cascading Failures
Description: Agentic cascading failures occur when a single fault (hallucination, malicious input, corrupted tool or poisoned memory) propagates across autonomous agents, compounding into system-wide harm and bypassing stepwise human checks.
Disposition: Mapped
Register mapping: MR-057, MR-047
Confidence: Clear
Note: Cascading failures across autonomous agents map to the multi-agent interaction risk (MR-057), with correlated-failure overlap at MR-047. OWASP ASI08 gives MR-057 a direct external anchor.

ASI09 Human-Agent Trust Exploitation
Description: Agents can establish strong trust with users through fluency, emotional intelligence and perceived expertise (anthropomorphism); adversaries or misaligned designs exploit this trust to influence decisions or extract sensitive information.
Disposition: Mapped
Register mapping: MR-030, MR-036, MR-034, MR-071.9
Confidence: Clear
Note: Human-agent trust exploitation maps to manipulation and dark patterns (MR-030), emotional dependence (MR-036) and overreliance (MR-034); deceptive content baiting agents is MR-071.9.

ASI10 Rogue Agents
Description: Rogue agents are malicious or compromised AI agents that deviate from their intended function or authorized scope, acting harmfully, deceptively or parasitically within multi-agent or human-agent ecosystems.
Disposition: Mapped
Register mapping: MR-071.11, MR-071.12, MR-071
Confidence: Clear
Note: Rogue agents map to adversary-deployed AI agent in the environment (MR-071.11) and agent abused for command and control (MR-071.12) under the excessive-agency risk (MR-071).

Descriptions are each source framework's own text, where it provides one; long entries are clipped here.