In December 2025, the OWASP GenAI Security Project released its landmark Top 10 for Agentic Applications 2026, developed through collaboration with more than 100 industry experts. This is the first widely-adopted, peer-reviewed framework specifically addressing the risks of autonomous AI systems, and it deserves careful attention from any organisation deploying agents in production.

The ten risks identified are:

ASI01 — Agent Goal Hijack is, in the words of the framework, “the new SQL Injection for the autonomous world.” Attackers manipulate agent goals, plans, or decision paths through direct or indirect instruction injection, causing agents to pursue unintended or malicious objectives. When an agent processes a poisoned email, PDF, meeting invite, or web page, its entire downstream behaviour may be redirected without any visible sign of compromise.

ASI02 — Tool Misuse and Exploitation covers scenarios where agents, through prompt manipulation or unsafe delegation, misuse legitimate tools — triggering recursive API calls, escalating financial transactions, or exfiltrating data using tools that nominally have permission to do so.

ASI03 — Agent Identity and Privilege Abuse addresses the exploitation of inherited credentials, cached tokens, and agent-to-agent trust boundaries. Agents commonly inherit credentials from the users who deploy them, and those credentials may grant far broader access than any individual task requires.

ASI04 — Agentic Supply Chain Compromise covers malicious or compromised models, plugins, MCP (Model Context Protocol) servers, or prompt templates that introduce hidden instructions and backdoors into agent workflows at runtime.

ASI05 — Unexpected Code Execution describes scenarios where agent-generated or externally influenced code is executed in unintended ways, leading to sandbox escapes, privilege escalation, or remote compromise.

ASI06 — Memory and Context Poisoning is particularly insidious: persistent memory stores, vector databases, and RAG (Retrieval Augmented Generation) repositories are infected with malicious or misleading data that biases future agent reasoning, sometimes long after the initial attack has been forgotten.

ASI07 — Insecure Inter-Agent Communication covers the spoofing, replay, and man-in-the-middle attacks enabled when communications between agents lack strong authentication, encryption, or schema validation.

ASI08 — Cascading Agent Failures describes how a single poisoned memory entry or compromised workflow can fan out across an entire multi-agent system, turning a localised issue into an enterprise-wide incident.

ASI09 — Human-Agent Trust Exploitation reflects a deeply human problem: users over-trust agent recommendations, creating an attack surface where subtly manipulated outputs drive real-world decisions — purchasing, legal, medical, or otherwise.

ASI10 — Rogue Agents addresses agents that drift from their intended purpose without external manipulation: self-repeating actions, persisting across sessions, silently approving unsafe operations, pursuing hidden or emergent goals.