OWASP Top 10 for Agentic AI Applications
Publisher: Open Worldwide Application Security Project
Version: 2025
Addresses security risks unique to autonomous AI agent systems. Covers excessive permissions, misaligned objectives, resource exhaustion, supply chain integrity, identity exploitation, unmonitored actions, cascading failures, compliance gaps, operational disruption, and misplaced trust.
| ID | Name | Description | Domains |
|---|---|---|---|
| ASI01 | Agent Goal Hijack | Attackers alter agent objectives through indirect prompt injection embedded in retrieved content, causing agents to p... |
secure
|
| ASI02 | Tool Misuse and Exploitation | Agents invoke tools with destructive or unintended parameters, chain tool calls in exploitable sequences, or are misl... |
build
secure
|
| ASI03 | Identity and Privilege Abuse | Agents inherit excessive credentials from their operators, cache authentication tokens in accessible memory, or escal... |
secure
|
| ASI04 | Agentic Supply Chain Vulnerabilities | Dynamic loading of tools, plugins, and MCP servers from untrusted or unverified sources introduces malicious code, da... |
govern
deploy
|
| ASI05 | Unexpected Code Execution | Agents generate and execute code — shell commands, Python scripts, SQL queries, or infrastructure-as-code — without a... |
build
secure
|
| ASI06 | Memory and Context Poisoning | Adversarial data persisted to RAG indexes, vector stores, agent memory, or conversation history corrupts future decis... |
secure
monitor
|
| ASI07 | Insecure Inter-Agent Communication | Multi-agent systems exchange messages, delegate tasks, and share context without authentication, encryption, or integ... |
secure
deploy
|
| ASI08 | Cascading Failures | Errors in multi-agent workflows propagate unchecked across dependent agents, amplifying a single point of failure int... |
deploy
monitor
|
| ASI09 | Human-Agent Trust Exploitation | Agents present harmful, incorrect, or manipulative recommendations with unwarranted authority, exploiting human tende... |
build
secure
|
| ASI10 | Rogue Agents | Compromised or malfunctioning agents persist beyond their authorized lifecycle, impersonate other agents, self-replic... |
secure
monitor
|