
OWASP Top 10 for Agentic Applications 2026

The first formal peer-reviewed taxonomy of security risks specific to autonomous AI agents, published by OWASP in December 2025. Covers ten risk categories (ASI01 to ASI10) including goal hijacking, tool misuse, identity abuse, supply chain compromise, and rogue agents.

Expanded Definition

The OWASP Top 10 for Agentic Applications 2026 is a risk taxonomy for autonomous AI systems that can plan, invoke tools, and act with delegated authority. It is specifically about operational failure modes in agentic workflows, not generic model safety.

In NHI security terms, the framework matters because an AI agent is an execution principal with access to identities, secrets, APIs, and data paths. That makes it closer to a privileged workload than a conversational interface. The taxonomy helps security teams distinguish prompt injection from downstream impact, and helps IAM teams see where OWASP NHI Top 10 controls overlap with agent governance.

Definitions vary across vendors on whether the term should cover only fully autonomous agents or also supervised copilots with tool access. No single standard governs this yet, so guidance should be applied by execution authority, not by marketing labels. The most common misapplication is treating an agent as a chat model, which occurs when teams ignore its ability to write, delete, approve, or exfiltrate data through connected systems.

Examples and Use Cases

Implementing agent security rigorously often introduces workflow friction, requiring organisations to weigh autonomy and speed against approval checkpoints, bounded permissions, and traceability.

  • An IT support agent can reset passwords, provision accounts, and open tickets. If it has broad permissions, a single poisoned instruction can become an enterprise identity event.
  • A software engineering agent using the Analysis of Claude Code Security lens may speed code generation, but it still needs tool scoping, repository segmentation, and commit review before merge.
  • A procurement agent that can query ERP data and send supplier messages should be constrained with NIST AI Risk Management Framework practices so its outputs do not become unauthorised commitments.
  • A finance assistant that reads invoices and initiates payments must use NIST AI Risk Management Framework controls plus human approval for material actions.
  • A support bot exposed to secrets or tokens can follow the same attack path seen in the AI LLM hijack breach research when credentials are reachable from the agent runtime.

These cases show why agent risk is operational, not theoretical: the relevant question is what the system can do once it has a valid identity and a tool chain.
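The bounded permissions, approval checkpoints and traceability that the cases above call for can be enforced in one place: a gateway that sits between the agent and its tools. The following is an added example, not code from the page or from OWASP; the agent names, tool names and policy values are constructed, and the approval lookup stands in for a real ticketing or approval queue.

```python
"""Added example, not code from the page or from OWASP: a minimal tool-invocation
gateway that gives an agent bounded permissions (an explicit tool allowlist per
agent), approval checkpoints for material actions, and an audit trail. Agent
names, tool names and the policy values are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Optional

# Constructed policy: every agent has an explicit tool allowlist, and tools that
# change state in connected systems are flagged as needing a human approval.
AGENT_POLICY = {
    "it-support-agent": {
        "allowed": {"open_ticket", "reset_password"},
        "needs_approval": {"reset_password"},
    },
    "procurement-agent": {
        "allowed": {"query_erp"},
        "needs_approval": set(),
    },
}


@dataclass
class AuditEvent:
    ts: str
    agent: str
    tool: str
    args: dict
    decision: str                      # "executed", "denied" or "pending_approval"
    approver: Optional[str] = None     # human who approved a material action


@dataclass
class ToolGateway:
    tools: dict                        # tool name -> callable
    policy: dict
    # Looks up a human approval for (agent, tool, args); returns approver id or None.
    approve: Callable[[str, str, dict], Optional[str]]
    audit: list = field(default_factory=list)

    def invoke(self, agent: str, tool: str, **args) -> tuple:
        """Run a tool on behalf of an agent, or refuse, and record the decision."""
        now = datetime.now(timezone.utc).isoformat()
        rules = self.policy.get(agent)
        # Deny anything outside the agent's allowlist, including unknown agents and
        # unknown tools, so a poisoned instruction cannot reach extra capabilities.
        if rules is None or tool not in rules["allowed"] or tool not in self.tools:
            self.audit.append(AuditEvent(now, agent, tool, args, "denied"))
            return "denied", f"{agent} is not permitted to call {tool}"
        approver = None
        if tool in rules["needs_approval"]:
            approver = self.approve(agent, tool, args)
            if approver is None:
                self.audit.append(AuditEvent(now, agent, tool, args, "pending_approval"))
                return "pending_approval", f"{tool} requires human approval"
        result = self.tools[tool](**args)
        self.audit.append(AuditEvent(now, agent, tool, args, "executed", approver))
        return "executed", result


# Constructed stand-ins for connected systems; real tools would call ticketing,
# directory and ERP APIs.
def open_ticket(summary: str) -> str:
    return f"ticket created: {summary}"


def reset_password(user: str) -> str:
    return f"password reset for {user}"


def query_erp(supplier: str) -> str:
    return f"3 open orders for {supplier}"


def build_gateway(approvals: dict) -> ToolGateway:
    """approvals maps (tool, user) -> approver id, standing in for an approval queue."""
    def approve(agent: str, tool: str, args: dict) -> Optional[str]:
        return approvals.get((tool, args.get("user")))

    return ToolGateway(
        tools={"open_ticket": open_ticket, "reset_password": reset_password,
               "query_erp": query_erp},
        policy=AGENT_POLICY,
        approve=approve,
    )


if __name__ == "__main__":
    gw = build_gateway({("reset_password", "alice"): "helpdesk-lead"})
    print(gw.invoke("it-support-agent", "open_ticket", summary="VPN down"))
    print(gw.invoke("it-support-agent", "reset_password", user="bob"))      # pending
    print(gw.invoke("it-support-agent", "reset_password", user="alice"))    # executed
    print(gw.invoke("procurement-agent", "reset_password", user="alice"))   # denied
    for e in gw.audit:
        print(e.decision, e.agent, e.tool, e.approver)
```

The design point is that the model never holds the permissions: the allowlist and the approval requirement live in the gateway, so a hijacked goal in the IT support agent can at most open a ticket or queue a password reset for a human to approve, and every attempt, denied or not, lands in the audit list with the approver recorded.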

Why It Matters in NHI Security

NHI teams should treat agentic risk as an identity and authorization problem because agents inherit trust from service accounts, API keys, and delegated privileges. SailPoint reports that 80% of organisations say their AI agents have already acted beyond intended scope, including unauthorised system access, sensitive data sharing, and credential exposure. That is a governance signal, not just a model quality issue.

For practitioners, the hard part is not only detecting bad outputs. It is controlling what the agent can reach, which secrets it can read, and when it can use them; standards guidance (see Ultimate Guide to NHIs: Standards) should require segregation, rotation, and just-in-time access. The term also aligns with OWASP Non-Human Identity Top 10 because agent compromise often becomes an NHI compromise first.

Organisations typically encounter the business impact only after an agent has already queried restricted data, triggered an external action, or leaked secrets into a downstream system, at which point addressing the taxonomy becomes operationally unavoidable.
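Segregation, rotation and just-in-time access can be combined in a single credential broker that the agent runtime must go through instead of holding long-lived keys. The following is an added example, not code from the page or from any NHI product; the agent names, targets and TTLs are constructed, and the manual clock exists only so that expiry can be exercised deterministically.

```python
"""Added example, not code from the page or from any NHI product: a just-in-time
credential broker for agent runtimes. Credentials are segregated per agent and
per target, minted fresh on every request (rotation by design), capped by a
policy TTL, and rejected once expired or when presented for a different agent
or target. Agent names, targets and TTLs are constructed for illustration."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed scope policy: agent -> {target: maximum TTL in seconds}.
SCOPE_POLICY = {
    "finance-assistant": {"invoices-db": 300, "payments-api": 60},
    "support-bot": {"ticketing-api": 300},
}


@dataclass(frozen=True)
class Credential:
    agent: str
    target: str
    token: str
    expires_at: float


class ManualClock:
    """Deterministic clock so expiry can be exercised without sleeping."""
    def __init__(self, start: float = 1000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


class CredentialBroker:
    def __init__(self, policy: Dict[str, Dict[str, int]],
                 clock: Callable[[], float] = time.time) -> None:
        self.policy = policy
        self.clock = clock
        self.issued: Dict[str, Credential] = {}    # token -> credential
        self.log: List[Tuple[str, str, str]] = []  # (agent, target, decision)

    def request(self, agent: str, target: str, ttl: int) -> Optional[Credential]:
        """Mint a short-lived credential if the agent is scoped to the target."""
        allowed = self.policy.get(agent, {})
        if target not in allowed:
            self.log.append((agent, target, "denied_scope"))
            return None
        ttl = min(ttl, allowed[target])            # the policy cap always wins
        token = secrets.token_urlsafe(32)          # new secret per issuance
        cred = Credential(agent, target, token, self.clock() + ttl)
        self.issued[token] = cred
        self.log.append((agent, target, "issued"))
        return cred

    def validate(self, token: str, agent: str, target: str) -> bool:
        """Accept a token only for the agent and target it was issued to, before expiry."""
        cred = self.issued.get(token)
        if cred is None:
            return False
        if self.clock() >= cred.expires_at:
            del self.issued[token]                 # purge on expiry
            self.log.append((cred.agent, cred.target, "expired"))
            return False
        return cred.agent == agent and cred.target == target

    def revoke_all(self, agent: str) -> int:
        """Emergency rotation: drop every live credential held by one agent."""
        doomed = [t for t, c in self.issued.items() if c.agent == agent]
        for t in doomed:
            del self.issued[t]
        return len(doomed)


if __name__ == "__main__":
    clock = ManualClock()
    broker = CredentialBroker(SCOPE_POLICY, clock)
    cred = broker.request("finance-assistant", "payments-api", ttl=3600)
    print(cred.expires_at - clock.now)                                       # capped to 60
    print(broker.validate(cred.token, "finance-assistant", "payments-api"))  # True
    print(broker.validate(cred.token, "support-bot", "payments-api"))        # False
    clock.now += 61
    print(broker.validate(cred.token, "finance-assistant", "payments-api"))  # False
```

Because the broker, not the agent, holds the only copy of each secret and every token is bound to one agent and one target for at most the policy TTL, a token that leaks out of the support bot's runtime cannot be replayed against the payments API, and a compromise is contained by revoking that agent's live credentials rather than rotating shared service-account keys.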

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
OWASP Agentic AI Top 10         | -                   | Defines the 2026 agentic app risk taxonomy covering autonomous tool-using systems.
OWASP Non-Human Identity Top 10 | NHI-02              | Covers secret handling and identity abuse patterns common in agent runtimes.
NIST AI RMF                     | -                   | Provides risk governance guidance for AI systems across the full lifecycle.

Apply AI risk assessments, monitoring, and accountability controls to every agent workflow.
