TL;DR: The OWASP Top 10 for Agentic Applications reframes agentic AI security as a progressive breach model in which prompt injection, memory poisoning, tool misuse, and identity abuse can compound into system-wide failure once models are allowed to act, according to Lakera. The security shift is from filtering outputs to containing amplification and blast radius.
At a glance
What this is: Lakera’s analysis of the OWASP Top 10 for Agentic Applications as a progressive breach model, showing how manipulation becomes more dangerous once AI systems can act, remember, and coordinate.
Why it matters: IAM, PAM, and NHI teams must think beyond access to the consequences of delegated action, especially when autonomous or agentic systems inherit real credentials and operational authority.
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.
👉 Read Lakera’s analysis of the OWASP Top 10 for agentic applications
Context
Agentic AI security is different from traditional LLM security because the system is no longer only producing text. Once a model can use tools, retain memory, and operate under credentials, a prompt-level manipulation can become an action-level breach.
Lakera’s framing is useful because it treats the OWASP Top 10 for Agentic Applications as a progression, not a checklist. For identity teams, that means the problem is not just access to the model, but what a compromised objective can do with delegated privilege across NHI, autonomous, and human-controlled workflows.
Key questions
Q: How should security teams govern AI agents that can call tools and use credentials?
A: Security teams should govern AI agents as delegated actors, not just chat interfaces. That means separating planning from execution, restricting which tools can be reached, logging every state-changing action, and requiring human approval for high-risk operations. The key test is whether a compromised objective could still trigger meaningful business impact under valid credentials.
Q: Why do AI agents create a different risk model from traditional LLM applications?
A: AI agents create a different risk model because they can turn manipulated context into action. A prompt injection in a plain LLM may produce a bad answer, but in an agent it can drive tool calls, workflow changes, or data movement. The risk is amplification through delegated authority, not just content generation.
Q: What breaks when agents can retain memory and reuse retrieved context?
A: What breaks is the assumption that the attack ends when the session ends. Persistent memory and retrieval can preserve poisoned instructions, biased priorities, or false facts across later runs. That turns a one-time manipulation into a durable governance problem because the same corrupted context can shape future decisions.
Q: How do organisations contain cascading failures in agentic systems?
A: Organisations contain cascading failures by treating agent interactions as a trust boundary. Shared memory, internal messages, and dynamic tool discovery should be verified, scoped, and isolated so one compromised agent cannot influence many others. The goal is to limit propagation before a bad decision becomes a system-wide failure.
Technical breakdown
Prompt injection becomes goal hijack in agentic systems
In a traditional LLM, prompt injection mainly changes the response. In an agentic system, the same manipulation can redirect planning, task selection, and tool use. That is why OWASP separates agentic risk from classic LLM risk: the attack surface now includes memory, retrieval, tool calls, and downstream action. A malicious document, message, or tool output can become instruction-like material once the agent blends context and intent. If the agent keeps state, the manipulated objective can persist across sessions and influence later decisions. The result is not just unsafe text but unsafe behaviour that looks internally consistent.
Practical implication: inspect every input path that can influence an agent’s planning context, not just its chat prompt.
Tool misuse and identity abuse turn model influence into real operations
Agentic systems are dangerous when they can move from deciding to doing. Once an agent has delegated credentials, a poisoned objective can trigger API calls, workflow execution, code runs, or infrastructure changes under valid access. OWASP treats this as tool misuse and identity and privilege abuse because the problem is not authentication failure, but authority misuse through normal integrations. The system may remain technically authenticated while the business action is wrong. This is especially important for agents that inherit rights from users, service accounts, or other agents, because delegated access amplifies any compromised intent.
Practical implication: separate delegated authority from decision-making wherever an agent can reach production systems.
Cross-agent propagation creates a containment problem
Agentic ecosystems rarely involve one isolated model. They rely on planners, executors, reviewers, memory stores, and shared tools that exchange structured messages. That creates an internal propagation channel. If one agent is influenced, other agents may trust its outputs, route work through it, or reuse its memory as if it were reliable. OWASP’s inter-agent communication and cascading failure categories capture this shift. The breach is no longer a single compromised node. It becomes a coordination problem where the system can amplify one corrupted decision into many, without any explicit lateral exploitation in the conventional sense.
Practical implication: design trust boundaries between agents as if every internal message could be attacker-shaped.
Threat narrative
Attacker objective: The attacker aims to turn a manipulated instruction into repeated, credential-backed operations that spread across the agentic environment and widen the blast radius.
- Entry occurs when an attacker manipulates an agent’s context through prompt injection, poisoned retrieval content, or malicious tool output.
- Escalation follows when that altered intent is translated into legitimate action through tools, delegated credentials, or workflow execution.
- Impact appears when the compromised agent propagates the bad objective or corrupted state across other agents and shared systems, creating cascading failure.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Autonomy changes the breach model, not just the attack surface. Traditional LLM security assumes the main failure is unsafe output. That assumption fails when the system can plan, call tools, and act under real credentials. The implication is that identity governance has to be judged by how much delegated power a compromised objective can convert into action, not by prompt filtering alone.
Compromised intent becomes privilege amplification in agentic environments. The agentic Top 10 shows that tool misuse, identity abuse, and memory poisoning are not separate hygiene issues but a single escalation path. A manipulated objective can survive long enough to become execution, which makes blast radius the decisive control variable. Practitioners need to treat agent privilege as operational authority, not just another account type.
Identity governance was designed for constrained execution, in which the actor does not select or combine tools dynamically mid-session. That assumption fails when the actor is autonomous because tool choice, sequencing, and timing emerge at runtime without human approval. The implication is that existing access review and provisioning models cannot describe the full risk of an actor that can change its own path to action after access has been granted.
Agentic governance must move from entitlement thinking to containment thinking. The article’s core contribution is not a list of ten categories but a progression from compromise to propagation and then loss of containment. That aligns with OWASP-NHI, ZT-NIST-207, and NIST-AIRMF because the control question becomes where to stop amplification, not whether the model was allowed to call a tool once.
Cross-domain identity teams need a shared language for autonomous misuse. Human IAM, NHI controls, and emerging agent governance all fail in different ways if they are managed as isolated programmes. The practitioner conclusion is to align policy, telemetry, and response around the behaviour of delegated actors, including AI agents that inherit credentials and create downstream trust chains.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- 52% of companies can track and audit the data their AI agents access, which means 48% cannot fully support compliance or breach investigation, according to the same SailPoint research.
- For a broader control lens, OWASP NHI Top 10 helps teams map agentic risk to containment, privilege, and propagation controls.
What this signals
Progressive breach model: agentic governance now needs to assume that a small context manipulation can evolve into an operational incident if the actor can call tools under valid credentials. That shifts programme design from input validation toward containment, telemetry, and blast-radius reduction.
The immediate planning challenge is visibility across the full delegation chain, especially where agents inherit access from users, service accounts, or other agents. If teams cannot tell which context shaped a decision, they cannot reliably explain or contain the resulting action.
With only 44% of organisations having policies for AI agents in place according to SailPoint’s research, the gap is no longer theoretical. Identity programmes should prioritise agent policy, message trust, and action logging before deployment scales further.
For practitioners
- Map agent-to-tool trust boundaries: Inventory every tool, workflow, and data source an agent can reach, then classify which of those paths can change business state without human review.
- Separate intent from execution rights: Give agents the minimum operational permissions needed for a task and keep high-risk actions behind a distinct approval or orchestration layer.
- Instrument memory and retrieval inputs: Log which documents, messages, and retrieved items can influence planning so you can trace when a poisoned context entry becomes actionable.
- Design for propagation containment: Treat inter-agent messages, shared memory, and dynamic tool discovery as untrusted until verified, and isolate failures so one agent cannot cascade into many.
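As an added example (not Lakera’s or OWASP’s code, and not from the original post), the following Python sketches an execution gate that applies the controls from the Key questions answer and the list above: a per-agent tool allowlist, a human-approval hold for high-risk actions, HMAC verification of inter-agent messages before they can drive a tool, and an audit record of the retrieval and message provenance behind each request. The policy table, the link secret, the agent and tool names, and the scenario are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed policy: tools each agent may reach, and whether a tool reads or changes state.
TOOL_POLICY = {
    "planner": {"search_docs": "read"},
    "executor": {"search_docs": "read", "run_workflow": "write", "rotate_key": "high_risk"},
}
LINK_SECRET = b"constructed-demo-secret"  # hypothetical per-link key for inter-agent messages
AUDIT_LOG = []  # every gated decision, with the context entries that shaped it


def sign_message(sender, body):
    """Sending agent: sign an inter-agent instruction so the receiver can check its origin."""
    canon = json.dumps({"sender": sender, "body": body}, sort_keys=True).encode()
    return {"sender": sender, "body": body, "mac": hmac.new(LINK_SECRET, canon, hashlib.sha256).hexdigest()}

def verify_message(msg):
    """Receiving agent: the message stays untrusted until its MAC verifies."""
    canon = json.dumps({"sender": msg["sender"], "body": msg["body"]}, sort_keys=True).encode()
    expected = hmac.new(LINK_SECRET, canon, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("mac", ""))

def gate_tool_call(agent, msg, approved=False):
    """Gate between intent and tool: verify the instruction, check the agent's allowlist,
    hold high-risk actions for human approval, and log provenance whatever the outcome."""
    body = msg["body"]
    tool = body["tool"]
    tier = TOOL_POLICY.get(agent, {}).get(tool)
    if not verify_message(msg):
        decision = "deny:unverified_message"
    elif tier is None:
        decision = "deny:tool_not_allowed"
    elif tier == "high_risk" and not approved:
        decision = "deny:approval_required"
    else:
        decision = "allow"
    AUDIT_LOG.append({"agent": agent, "from": msg["sender"], "tool": tool, "args": body.get("args"),
                      "provenance": body.get("provenance", []), "decision": decision})
    return decision


if __name__ == "__main__":
    # Constructed scenario: a planner influenced by a retrieved document asks the executor to act.
    req = sign_message("planner", {"tool": "rotate_key", "args": {"id": "svc-42"},
                                   "provenance": ["doc:vendor-faq-17", "msg:planner#3"]})
    print(gate_tool_call("executor", req))                 # deny:approval_required
    print(gate_tool_call("executor", req, approved=True))  # allow
    tampered = dict(req, body=dict(req["body"], tool="run_workflow"))
    print(gate_tool_call("executor", tampered))            # deny:unverified_message
```

The audit entries keep the provenance list alongside the decision, so a later investigation can tell which document or inter-agent message shaped a request that was denied or allowed.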
Key takeaways
- Agentic AI security is a progression problem, not a single-control problem, because intent can be manipulated and then converted into action.
- Once an agent has memory, tools, and delegated credentials, a small injection can scale into privilege abuse, propagation, and containment failure.
- Teams need to govern agent behaviour as delegated identity behaviour, with tighter boundaries around tools, trust, and state-changing actions.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | The article maps prompt injection, tool misuse, and cascading failure patterns. |
| NIST AI RMF | | Autonomous decision-making and governance are central to the article's risk model. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | The article focuses on controlling delegated access and limiting blast radius. |
Apply least-privilege access and continuous verification to every agent-to-tool trust boundary.
Key terms
- Agentic Application: An agentic application is software that can decide, sequence, and carry out actions using tools or services rather than only producing text. In identity terms, it behaves like a delegated actor with operational authority, which means its access, memory, and execution paths must be governed as a security boundary.
- Goal Hijack: Goal hijack is the redirection of an agent’s objective so that it pursues attacker-shaped intent while still appearing to operate normally. The danger is not just a bad answer. It is a legitimate workflow executed against the wrong target, often through valid credentials and approved integrations.
- Memory Poisoning: Memory poisoning is the corruption of persistent context, retrieval data, or stored summaries so future decisions are influenced by attacker-controlled content. For agents, this matters because the compromised input can survive beyond a single session and shape later planning, tool use, and escalation paths.
- Cross-Agent Propagation: Cross-agent propagation is the spread of compromised context, instructions, or decisions from one agent to others through trusted internal exchanges. It turns a single manipulated actor into a coordination risk, because downstream systems may treat the original output as valid input without sufficient verification.
What's in the full article
Lakera’s full article covers the technical detail this post intentionally leaves for the source:
- The article breaks down the OWASP Agentic Top 10 category by category, including the differences between prompt injection, goal hijack, memory poisoning, tool misuse, and cascading failures.
- It expands on concrete agentic attack paths such as poisoned documents, malicious tool outputs, and inter-agent propagation patterns that this post only frames at a high level.
- It includes the vendor’s own examples and internal research references on how agentic threats manifest in real environments.
- It shows how Lakera maps the progression from compromise to loss of containment across the agent lifecycle.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-04-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org