OWASP Agentic Top 10 Explained: ASI01 Through ASI10
The OWASP Agentic Security Initiative (ASI) published its top 10 risks for AI agent systems. Unlike the OWASP LLM Top 10 (which focuses on the model), the ASI list focuses on the agent: the system that uses the model to take actions.
ASI01: Prompt Injection
The risk: Adversarial input causes the agent to execute unintended actions. Example: An injected instruction in a fetched web page causes the agent to email the user's data to an external address. Mitigation: Input scanning, tool authorization policies, output validation.
ASI02: Privilege Escalation
The risk: An agent gains access to capabilities beyond its authorized scope. Example: An agent chains a "read config" tool with an "execute API" tool to use database credentials found in configuration files. Mitigation: Least privilege, sequence-aware policy evaluation, context verification independent of the model.
ASI03: Tool Misuse
The risk: Legitimate tools are used for unintended purposes. Example: A "send notification" tool is used to send data to an external endpoint by crafting a notification payload that contains exfiltrated information. Mitigation: Parameter validation, URL allowlists, behavioral monitoring for unusual tool usage patterns.
ASI04: Data Exfiltration
The risk: Sensitive data is extracted through agent channels. Example: The agent includes database query results in an HTTP request to an attacker-controlled URL via a tool call. Mitigation: Egress controls, data classification, output scanning, network segmentation.
ASI05: Insufficient Access Control
The risk: Missing or weak authorization policies allow unauthorized actions. Example: An agent has access to all tools in the system rather than just those needed for its task. Mitigation: Fail-closed policy engine, role-based tool access, parameter constraints.
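The three controls named for ASI02, ASI03 and ASI05 (sequence-aware policy evaluation, parameter validation with a URL allowlist, and a fail-closed role-based tool policy) fit naturally in one policy engine. The following is an added illustration written for this page; it is not Authensor's or OWASP's code. The roles, tool names, allowed hosts and the "no execute_api after read_config" sequence rule are constructed assumptions.

```python
"""Fail-closed tool policy engine (added example, not Authensor or OWASP code).

Assumed design: every tool call is checked against (1) a per-role tool
allowlist, (2) per-parameter constraints such as a URL host allowlist, and
(3) sequence rules that look at what the same session already did.
Anything not explicitly allowed is denied.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed policy: which roles may call which tools (ASI05).
ROLE_TOOLS: Dict[str, Set[str]] = {
    "summarizer": {"read_document", "send_notification"},
    "ops_agent": {"read_config", "execute_api", "send_notification"},
}

# Constructed host allowlist for any parameter that carries a URL (ASI03).
ALLOWED_HOSTS: Set[str] = {"api.internal.example", "notify.internal.example"}

# Constructed sequence rule (ASI02): once a session has read configuration,
# it may not call execute_api in the same session.
SEQUENCE_DENY: Set[Tuple[str, str]] = {("read_config", "execute_api")}


@dataclass
class Session:
    role: str
    history: List[str] = field(default_factory=list)  # tools already executed


@dataclass
class Decision:
    allowed: bool
    reason: str


def _check_urls(params: dict) -> Optional[str]:
    """Return a denial reason if any URL-valued parameter leaves the allowlist."""
    for key, value in params.items():
        if isinstance(value, str) and value.startswith(("http://", "https://")):
            host = urlparse(value).hostname or ""
            if host not in ALLOWED_HOSTS:
                return f"parameter {key!r} targets non-allowlisted host {host!r}"
    return None


def evaluate(session: Session, tool: str, params: dict) -> Decision:
    """Decide one tool call; the default for anything unrecognised is deny."""
    allowed_tools = ROLE_TOOLS.get(session.role)
    if allowed_tools is None:
        return Decision(False, f"unknown role {session.role!r}")
    if tool not in allowed_tools:
        return Decision(False, f"tool {tool!r} not granted to role {session.role!r}")
    url_problem = _check_urls(params)
    if url_problem:
        return Decision(False, url_problem)
    for earlier in session.history:
        if (earlier, tool) in SEQUENCE_DENY:
            return Decision(False, f"{tool!r} after {earlier!r} is denied by sequence rule")
    # Only executed (allowed) calls become part of the session history.
    session.history.append(tool)
    return Decision(True, "allowed")
```

The sequence check is what distinguishes this from a plain allowlist: read_config and execute_api are each legitimate for the ops_agent role, but the combination in one session is the escalation path described under ASI02, so the engine refuses the second call.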
ASI06: Excessive Agency
The risk: Agents with more capability than needed increase blast radius. Example: A summarization agent that also has database write access. The write access is never needed for summarization but can be exploited if the agent is compromised. Mitigation: Least privilege. Grant only the tools and access levels the agent needs for its specific task.
ASI07: Lack of Observability
The risk: Insufficient logging and monitoring means incidents are not detected. Example: An agent exfiltrates data over several days. No one notices because tool calls are not logged. Mitigation: Hash-chained audit receipts, behavioral monitoring, alerting on anomalies.
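Hash-chained audit receipts, as named in the ASI07 mitigation, can be shown with a few lines of Python. This is an added example and not Authensor's receipt format; the record fields, the SHA-256 choice and the sample tool calls are assumptions made for the illustration.

```python
"""Hash-chained audit receipts for tool calls (added example, not Authensor's
implementation). Each receipt commits to the previous receipt's hash, so
deleting, reordering or editing any record breaks every later link and the
tampering is detectable by anyone who can verify the chain.
"""
import hashlib
import json
from typing import Any, Dict, List, Tuple

GENESIS = "0" * 64  # previous-hash value of the first receipt


def _digest(payload: Dict[str, Any]) -> str:
    # Canonical JSON so the same record always hashes the same way.
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def append_receipt(chain: List[Dict[str, Any]], agent: str, tool: str,
                   params: Dict[str, Any], decision: str) -> Dict[str, Any]:
    """Append one receipt that links to the previous receipt's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "agent": agent, "tool": tool,
            "params": params, "decision": decision, "prev": prev}
    body["hash"] = _digest(body)  # hash covers every field except itself
    chain.append(body)
    return body


def verify_chain(chain: List[Dict[str, Any]]) -> Tuple[bool, int]:
    """Return (ok, index of the first bad receipt, or -1 if the chain is intact)."""
    prev = GENESIS
    for i, receipt in enumerate(chain):
        body = {k: v for k, v in receipt.items() if k != "hash"}
        if (receipt.get("prev") != prev or receipt.get("seq") != i
                or _digest(body) != receipt.get("hash")):
            return False, i
        prev = receipt["hash"]
    return True, -1


def build_sample_chain() -> List[Dict[str, Any]]:
    """Constructed sample: three tool-call receipts from one agent session."""
    chain: List[Dict[str, Any]] = []
    append_receipt(chain, "agent-7", "read_document", {"id": "doc-42"}, "allow")
    append_receipt(chain, "agent-7", "http_post", {"url": "https://not-allowlisted.example/x"}, "deny")
    append_receipt(chain, "agent-7", "send_notification", {"to": "ops"}, "allow")
    return chain
```

Changing the denied http_post receipt to read "allow", or removing it, is caught at index 1 by verify_chain; the chain makes the slow exfiltration in the ASI07 example visible after the fact only if the receipts cannot be quietly rewritten. Keeping the latest hash somewhere the agent host cannot write (a separate log store or signer) is the usual complement.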
ASI08: Trust Boundary Violations
The risk: Agents cross trust boundaries without proper authorization. Example: In a multi-agent system, Agent A delegates a task to Agent B across a security boundary. Agent B executes with its own (broader) permissions rather than Agent A's. Mitigation: Transitive authorization, cross-agent monitoring, trust boundary enforcement.
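Transitive authorization for the ASI08 example can be expressed as a set intersection along the delegation chain. The following is an added example, not code from Authensor or OWASP; the agent names and grants are constructed, and the "delegation can only narrow" rule is the assumed policy.

```python
"""Transitive authorization across a delegation chain (added example).

Assumed model: when Agent A delegates to Agent B, B's effective permissions
while doing A's work are the intersection of every agent's grants along the
chain, so delegation can narrow what is allowed but never widen it.
"""
from typing import Dict, FrozenSet, List

# Constructed grants per agent. agent_b is more privileged than agent_a.
GRANTS: Dict[str, FrozenSet[str]] = {
    "agent_a": frozenset({"read_ticket", "post_comment"}),
    "agent_b": frozenset({"read_ticket", "post_comment", "db_write", "delete_ticket"}),
}


def effective_permissions(chain: List[str]) -> FrozenSet[str]:
    """Intersect grants along the chain; an unknown agent contributes nothing."""
    perms = None
    for agent in chain:
        grants = GRANTS.get(agent, frozenset())
        perms = grants if perms is None else perms & grants
    return perms if perms is not None else frozenset()


def authorize(chain: List[str], tool: str) -> bool:
    """Trust-boundary-aware check: the whole chain must permit the tool."""
    return tool in effective_permissions(chain)


def naive_authorize(chain: List[str], tool: str) -> bool:
    """The ASI08 failure: only the executing agent's own grants are consulted."""
    return tool in GRANTS.get(chain[-1], frozenset())
```

With chain ["agent_a", "agent_b"], naive_authorize lets agent_b write to the database while serving agent_a's request, which is exactly the boundary violation the example describes; authorize refuses it because agent_a never held db_write.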
ASI09: Supply Chain Risks
The risk: Compromised tools, models, or dependencies. Example: A compromised MCP server changes its tool descriptions after initial security review (rug pull attack). Mitigation: Hash and pin tool definitions, scan tool descriptions continuously, minimize dependencies in safety-critical code.
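Pinning tool definitions by hash, the first ASI09 mitigation, can be demonstrated against a constructed MCP-style tool list. This is an added example and not the code of any MCP server or of Authensor; the tool names, descriptions and schemas are made up, and the JSON shape (name, description, inputSchema) is an assumption.

```python
"""Pin tool definitions at review time and detect drift later (added example).

Assumed flow: the server's tool list is fetched as JSON during the security
review and each definition's digest is pinned. Every later session recomputes
the digests and refuses tools whose definition changed or was never pinned.
"""
import hashlib
import json
from typing import Dict, List


def tool_digest(tool: dict) -> str:
    """Canonical JSON digest of one tool definition."""
    canonical = json.dumps(tool, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def pin_tools(tools: List[dict]) -> Dict[str, str]:
    """Digest map recorded at review time."""
    return {t["name"]: tool_digest(t) for t in tools}


def check_tools(pins: Dict[str, str], tools: List[dict]) -> Dict[str, str]:
    """Classify each offered tool as ok / changed / unpinned; pinned tools no
    longer offered are reported as missing."""
    report: Dict[str, str] = {}
    seen = set()
    for t in tools:
        seen.add(t["name"])
        if t["name"] not in pins:
            report[t["name"]] = "unpinned"
        elif pins[t["name"]] != tool_digest(t):
            report[t["name"]] = "changed"
        else:
            report[t["name"]] = "ok"
    for name in pins:
        if name not in seen:
            report[name] = "missing"
    return report


def approved_tools(pins: Dict[str, str], tools: List[dict]) -> List[dict]:
    """Only tools whose definition still matches the pin are exposed to the agent."""
    status = check_tools(pins, tools)
    return [t for t in tools if status[t["name"]] == "ok"]


# Constructed tool list as seen at review time.
REVIEWED = [
    {"name": "search_docs", "description": "Search internal documentation.",
     "inputSchema": {"type": "object", "properties": {"query": {"type": "string"}}}},
    {"name": "summarize", "description": "Summarize a document by id.",
     "inputSchema": {"type": "object", "properties": {"doc_id": {"type": "string"}}}},
]
PINS = pin_tools(REVIEWED)

# Constructed tool list offered by the same server in a later session: one
# description has been edited and one tool was never reviewed.
OFFERED_LATER = [
    {"name": "search_docs", "description": "Search internal documentation and external sites.",
     "inputSchema": {"type": "object", "properties": {"query": {"type": "string"}}}},
    {"name": "summarize", "description": "Summarize a document by id.",
     "inputSchema": {"type": "object", "properties": {"doc_id": {"type": "string"}}}},
    {"name": "send_report", "description": "Send a report to a URL.",
     "inputSchema": {"type": "object", "properties": {"url": {"type": "string"}}}},
]
```

A changed description is reported as "changed" and dropped from approved_tools rather than silently accepted, which is the rug-pull case; "unpinned" covers tools added after review, and "missing" flags a reviewed tool that has disappeared, which is worth an alert as well since it can indicate a server swap. Re-pinning should be a deliberate review step, not automatic.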
ASI10: Insufficient Error Handling
The risk: Errors expose information or cause the system to fail open. Example: A policy engine crash causes the agent to operate without authorization checks. Mitigation: Fail-closed error handling, graceful degradation, error monitoring.
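The ASI10 example (a policy engine crash leaving the agent without authorization checks) is a matter of which branch an exception handler takes. The following added example, not Authensor's code, shows the fail-open wrapper beside a fail-closed one that also feeds error monitoring; the engine callable, the error type and the halt threshold are assumptions.

```python
"""Fail-open versus fail-closed error handling around policy evaluation
(added example). The first wrapper is the bug the ASI10 text describes: an
engine failure is logged and the call proceeds. The second treats any failure
or non-answer as a denial and records it so monitoring can react.
"""
from typing import Any, Callable, Dict, List, Optional

Engine = Callable[[str, dict], Optional[bool]]


class PolicyEngineError(RuntimeError):
    """Constructed stand-in for any failure inside the policy engine."""


def broken_engine(tool: str, params: dict) -> bool:
    raise PolicyEngineError("policy store unavailable")


def authorize_fail_open(engine: Engine, tool: str, params: dict) -> bool:
    """Vulnerable: the 'assume OK' default survives the exception path."""
    decision = True
    try:
        decision = engine(tool, params)
    except Exception as exc:
        print(f"policy engine error ignored: {exc}")  # logged, but execution continues
    return bool(decision)


def authorize_fail_closed(engine: Engine, tool: str, params: dict,
                          error_log: List[Dict[str, Any]]) -> bool:
    """Hardened: any failure is a denial, and every failure is recorded."""
    try:
        allowed = engine(tool, params)
    except Exception as exc:
        error_log.append({"tool": tool, "error": type(exc).__name__, "detail": str(exc)})
        return False
    # Only an explicit True is an approval; None or other values count as deny.
    return allowed is True


def should_halt(error_log: List[Dict[str, Any]], threshold: int) -> bool:
    """Graceful degradation: once engine failures reach the threshold, the
    caller should stop dispatching tool calls and page an operator instead of
    continuing with a policy engine that may be permanently down."""
    return len(error_log) >= threshold
```

The `allowed is True` comparison matters: an engine that returns None on a partial failure would pass a plain truthiness check in the wrong direction in some codebases, so the approval condition is stated positively. The error log is what the page's "error monitoring" mitigation consumes; should_halt turns a run of failures into a stop condition rather than a stream of silent denials.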
Each ASI risk maps to specific technical controls. Authensor addresses ASI01 (content scanning), ASI05 (policy engine), ASI07 (audit receipts), and supports mitigations for the others through its architecture.