OWASP agentic top 10 puts identity at the center of AI risk

At a glance

What this is: OWASP’s agentic applications framework defines ten priority risks and places identity, tools, and delegated trust at the center of AI agent security.

Why it matters: IAM teams need this because AI agents are becoming non-human access subjects that can inherit, combine, and misuse privileges across cloud and SaaS systems.

👉 Read Astrix Security's analysis of the OWASP Agentic Applications Top 10

Context

OWASP’s agentic applications framework matters because AI agent identity risk is no longer theoretical. As agents interact with corporate systems, SaaS tools, and cloud services, the control assumptions behind traditional automation start to break, especially where credentials, delegated sessions, and tool access are bundled together.

For IAM and NHI programmes, the problem is not just more automation. It is a new identity shape that can accumulate privileges, invoke tools dynamically, and move across trust boundaries faster than legacy governance cycles were designed to observe.

Key questions

Q: How should security teams govern AI agents that use multiple tools and credentials?

A: Govern AI agents as non-human identities with explicit scope, ownership, and revocation paths. Each credential, delegated session, and tool permission should be tracked separately, because the risk comes from how those authorities combine at runtime. The control goal is to prevent one agent from becoming a hidden concentration point for access across systems.

Q: Why do AI agents complicate traditional least-privilege models?

A: AI agents complicate least privilege because the actor’s intent and execution path are not fully known at provisioning time. A role that looks narrow on paper can expand into broader runtime behaviour through tool chaining, cached credentials, or delegated access. That makes static entitlement design insufficient on its own.

Q: What do security teams get wrong about agentic supply chain risk?

A: They often focus on code provenance and miss the live trust relationship behind the tool or endpoint. In agentic systems, the dangerous moment is when the agent connects to an external service and implicitly accepts its identity, schema, and outputs as trustworthy enough to act on.

Q: What frameworks should organisations use to assess agentic AI risk?

A: Use OWASP Agentic AI Top 10 for threat modelling, OWASP NHI guidance for credential and privilege governance, and Zero Trust principles for continuous verification of tools and identities. Together, they help teams evaluate agent behaviour, access boundaries, and trust at runtime instead of only at onboarding.

Technical breakdown

Agent goal hijack and tool misuse

Agentic applications fail differently from scripted automation because the action path is not fixed in advance. A goal-hijacked agent can be steered by malicious instructions, poisoned tool output, or deceptive external content into using legitimate tools for the wrong outcome. Tool misuse is especially dangerous because the agent may still be operating within its granted authority, which makes the abuse look like normal execution from the platform’s perspective. The control problem is not only whether the tool is allowed, but whether the agent can be induced to use it unsafely.

Practical implication: map every high-risk tool to explicit action boundaries and review where agent decisions can be influenced by external content.

Identity and privilege abuse in agentic systems

Agent identity is broader than a persona. In practice it includes API keys, OAuth tokens, delegated sessions, and any service credentials that let the agent act. That makes the agent an aggregation point for non-human identities, where multiple permissions can converge into one runtime executor. Once those credentials are inherited or cached, compromise of the agent can translate into lateral access across systems that were never intended to share trust. This is why identity abuse is central to the OWASP model and not a side issue.

Practical implication: inventory every credential type an agent can hold and treat each as an independently governed identity object.

MCP and agentic supply chain trust

Model Context Protocol and similar integration layers reduce friction, but they also widen the trust boundary around tools, servers, and external agents. A dynamic tool definition or third-party agent can alter how the system behaves before the security team has a clear view of the provider’s identity or integrity. In agentic environments, supply chain risk is not limited to code packages. It also includes the trustworthiness of the endpoint, the tool schema, and the identity behind the service the agent is about to call.

Practical implication: verify the identity and trust model of every external tool or MCP endpoint before allowing agent access to sensitive data.

Threat narrative

Attacker objective: The attacker’s objective is to turn the agent’s delegated authority into broad enterprise access and unsafe execution across connected tools and data sources.

1. Entry occurs when an attacker manipulates the agent through prompt injection, deceptive tool output, or a compromised external integration that the agent trusts. Credential access follows because the agent already holds delegated sessions, keys, or service credentials that can be reused at runtime. Escalation happens when the agent uses legitimate tools in an unsafe sequence, spreading access across connected systems or multi-agent workflows. Impact is compounded when the abused privileges expose sensitive data, trigger unsafe actions, or create cascading failures across enterprise systems.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Identity is now the control plane for agentic security. OWASP’s framework confirms that the highest-value risks are not abstract AI concerns but identity failures expressed through tools, permissions, and delegated trust. When an agent can combine credentials and act across systems, the governance question shifts from model safety to access authority. Practitioner conclusion: treat agent identity as an enforceable security boundary, not a software label.

Delegated privilege is the new blast-radius problem for AI agents. ASI03 matters because it exposes how inherited and cached credentials collapse multiple access relationships into a single execution point. That is not just overprovisioning. It is a structural concentration of authority that makes compromise harder to contain once the agent is active. Practitioner conclusion: re-evaluate where a single agent now stands in for several non-human identities.

Agentic supply chain risk broadens the trust perimeter beyond code. The framework’s emphasis on tool and integration trust shows that identity verification must extend to dynamic tools, MCP endpoints, and external agent providers. This is where classic software supply chain controls stop short, because the relevant asset is not only the artifact but the live identity behind the service. Practitioner conclusion: validate trust at the moment of connection, not just at build time.

Human approval is no longer a sufficient backstop when agents can act at runtime. The framework’s risk model shows that unsafe delegation can happen even when the initial setup looked reasonable. That means review processes built around static approvals will miss the real failure point, which is runtime combination of authority, data, and action. Practitioner conclusion: redesign governance for the decision moment, not just the provisioning moment.

Ephemeral credential trust debt: the more identities, tokens, and delegated sessions an agent can inherit, the more unresolved trust accumulates in one runtime actor. The important point is not merely that access exists, but that access is being fused dynamically across systems that were governed separately. Practitioner conclusion: collapse of trust boundaries should be measured as a governance debt, not a one-off configuration issue.

From our research:

• 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
• 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, sharing sensitive data, and revealing access credentials.
• That governance gap is why the OWASP Agentic AI Top 10 and the Ultimate Guide to NHIs should be read together.

What this signals

With 48% of companies blind to the data their AI agents access, the programme-level problem is not just control design. It is that governance teams cannot certify what they cannot observe, which makes agent entitlement reviews and breach investigations incomplete from the start.

Identity blast radius: once an agent accumulates credentials, delegated sessions, and external tool access, the containment problem changes. Practitioners should expect agent governance to converge with NHI lifecycle management, especially where access review, offboarding, and privilege reduction were originally designed for slower-moving identities.

The next step for teams is to connect AI agent risk assessments to the same identity governance discipline they already apply to service accounts and privileged access. Zero Trust verification, bounded delegation, and ownership clarity will matter more as agent deployments scale.

For practitioners

• Inventory every agent-held credential Map API keys, OAuth tokens, delegated sessions, service accounts, and tool credentials to each agent and sub-agent. Separate ownership, expiry, and revocation paths so no runtime actor becomes an opaque bundle of inherited authority.
• Constrain tool use by action boundary Define which tools an agent may invoke, what data each tool may touch, and which tool sequences are never permitted. Focus on the misuse path, not just on authentication at the integration layer.
• Verify external tool identity before connection Require identity and integrity checks for MCP endpoints, dynamic tool definitions, and third-party agent services before access is granted. Trust should be established at connection time, not assumed from deployment metadata.
• Review agent privilege concentration Identify where one agent now carries the authority of multiple non-human identities. Reduce duplicated permissions, remove inherited access that is not essential, and document which business process owns each delegated trust relationship.

Key takeaways

• The OWASP agentic framework makes identity, not model novelty, the decisive control plane for AI agent security.
• Real-world agent risk already shows up as tool misuse, delegated privilege abuse, and supply chain trust failures, not just theoretical prompt attacks.
• Practitioners should govern every agent-held credential, external tool, and delegated trust path as a distinct security object.

Key terms

• Agent Identity: The collection of attributes, credentials, and permissions that allow an AI agent to act in an enterprise environment. In practice, this includes keys, tokens, delegated sessions, and tool access, which must be governed as security-relevant identity objects rather than as simple application metadata.
• Delegated Privilege: Access that an agent receives from another identity or trust relationship and can use at runtime. For AI agents, delegated privilege becomes risky when multiple authorities are concentrated into one executor, because compromise or manipulation can turn inherited access into broad enterprise reach.
• Tool Misuse: A failure mode where an agent uses a legitimate tool in an unsafe or unintended way. The tool itself may be valid, but the context, sequencing, or data exposure makes the action harmful, which means governance must cover both tool approval and runtime behavior.
• Agentic Supply Chain: The trust chain connecting an agent to its external tools, endpoints, models, and other agents. It matters because each connection can alter behavior, data exposure, and access decisions, so security teams must verify the live provider identity as well as the integration artifact.

What's in the full article

Astrix Security's full blog covers the operational detail this post intentionally leaves for the source:

• The complete ASI01 to ASI10 risk breakdown with practical examples of where each failure mode appears in agentic environments.
• Identity-centric incident patterns involving tool misuse, delegated access, and agent-to-agent trust abuse.
• The article’s view of how MCP changes the trust boundary between agents, tools, and connected data sources.
• Astrix Security’s own explanation of how identity visibility is used to detect misuse across agent ecosystems.

👉 The full Astrix Security post covers the ASI01 to ASI10 breakdown and identity-first risk discussion.

Deepen your knowledge

AI agent identity risk and delegated privilege abuse are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building governance for agents that inherit access across tools and systems, it is worth exploring.