OWASP Top 10 for agentic applications 2026 and NHI risk

At a glance

What this is: This is a summary of OWASP’s 2026 agentic application risk categories, with a central finding that autonomous AI agents create identity, privilege, and tool-use risks that traditional app security models do not fully cover.

Why it matters: It matters because IAM, NHI, and security teams need to govern agents as privileged actors with scoped access, not as passive software features.

By the numbers:

• Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
• When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes , and as quickly as 9 minutes in some cases.

👉 Read Teleport's summary of the OWASP Top 10 for Agentic Applications 2026

Context

Agentic AI changes the governance problem because the system does not just generate text. It can call tools, move data, and act with permissions that were originally designed for humans or tightly bounded services. That makes agentic AI a Non-Human Identity issue as much as an application security issue, because access scope, credential handling, and auditability become the first control plane.

OWASP’s 2026 agentic application categories reflect a broad shift in the market: security teams are now dealing with autonomous actors that can inherit identity, chain tools, and amplify mistakes across environments. For IAM and NHI practitioners, the issue is not whether agents are useful. It is whether existing identity models can contain their blast radius once those agents start making and executing decisions in production.

Key questions

Q: How should security teams govern AI agents that can call tools and take actions?

A: Treat agents as non-human identities with bounded privileges, explicit ownership, and revocation paths. Give each agent only the tools and data it needs for the current task, require re-approval for elevated actions, and log every sensitive step. Governance fails when agents inherit broad human-style access without the same accountability controls.

Q: When does just-in-time access reduce risk for agentic AI?

A: JIT access reduces risk when the task is short, the scope is narrow, and the credential expires before the agent can reuse it elsewhere. It becomes weaker when context, delegation chains, or cached sessions outlive the credential. The control works best when paired with session isolation and rapid revocation.

Q: What is the difference between workload identity and agent identity?

A: Workload identity identifies a service or runtime so it can authenticate to systems. Agent identity must also cover intent, delegation, and the authority to make decisions across tools. For autonomous systems, identity management has to include behavioral scope, not just authentication, because execution can extend beyond a single API call.

Q: Why do autonomous agents create more blast-radius risk than ordinary applications?

A: Autonomous agents can chain tool calls, reuse context, and act across multiple systems without waiting for a human at each step. That speeds up failure propagation and makes a small mistake harder to contain. The practical response is to cap permissions, isolate sessions, and add circuit breakers before deployment.

Technical breakdown

Agentic AI risk categories and identity boundaries

OWASP’s agentic application model groups the major failure modes around what an agent can decide, what it can reach, and how that authority can be abused. The important technical point is that agents often blend reasoning and execution in one loop, so a prompt, retrieved document, or tool response can alter both intent and action. That is why categories like goal hijack, tool misuse, and identity abuse are not separate edge cases. They are different expressions of the same architectural problem: unbounded trust in software that behaves like a user. Practical implication: define every agent identity, tool scope, and approval boundary explicitly.

Practical implication: Treat each agent as a bounded principal with narrowly scoped permissions, not as an extension of a human workflow.

Identity & privilege abuse in autonomous workflows

Identity abuse in agentic systems usually starts when credentials, delegation, or cached context carry more authority than the task requires. Once an agent can inherit a broad identity, every downstream tool call becomes part of the attack surface. Short-lived credentials help, but only if they are paired with session isolation, re-authorization for escalation, and reliable revocation of stale entitlements. This is where NHI governance becomes central: agent identity, role design, and lifecycle controls must be managed with the same discipline used for high-risk service accounts, but with tighter task scoping and faster expiry. Practical implication: prevent transitive privilege from becoming the default operating model.

Practical implication: Use per-agent identities, enforce re-approval for elevated actions, and remove persistent entitlements wherever possible.

Memory poisoning, tool chains, and cascading failure

Agentic systems fail differently from conventional apps because errors can persist in memory, spread through inter-agent messaging, and compound across delegated tool chains. A poisoned context store or a spoofed agent message can influence multiple future decisions, while a single unsafe tool invocation can cascade into data movement, deletion, or policy bypass. In practice, this means architecture matters as much as policy. Segmented memory, signed messages, mTLS, sandboxed execution, and blast-radius caps are not optional extras. They are the controls that stop one compromised action from turning into a system-wide event. Practical implication: isolate planning, memory, and execution so one failure cannot rewrite the next step.

Practical implication: Separate memory from execution, authenticate agent-to-agent communication, and add containment controls before rollout.

Threat narrative

Attacker objective: The objective is to turn a trusted agent into a high-privilege execution path that can be used for data theft, unauthorized actions, or operational disruption.

1. Entry occurs when attackers manipulate agent inputs, tool descriptors, or cached context so the agent’s reasoning path is changed before execution.
2. Escalation follows when the agent reuses delegated credentials, transitive trust, or overbroad tool permissions to perform actions beyond the original task scope.
3. Impact is reached when the agent deletes data, leaks sensitive information, or triggers broader operational failure through chained autonomous actions.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• IOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials endangering user privacy.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Agentic AI turns identity into the primary security boundary. Once software can plan, call tools, and act on its own, the old separation between application logic and access control breaks down. The decisive control is no longer just input validation. It is whether the agent has the minimum identity, tool scope, and approval path required for the task. Practitioners should treat agent governance as identity governance with execution consequences.

Ephemeral credential trust debt is now a real category of risk. Short-lived access reduces exposure, but it does not eliminate the assumptions embedded in delegation chains, cached context, and inherited authority. The problem is that an agent can act correctly with the wrong level of trust. That means teams need to measure not just credential lifetime, but how many downstream systems inherit that lifetime. Practitioners should assume every extra hop increases trust debt.

OWASP has effectively validated the NHI lens for agent security. The 2026 agentic application categories map cleanly to problems IAM teams already understand: overprivilege, stale credentials, weak provenance, and unbounded delegation. The difference is that agents compress those risks into faster execution loops. That accelerates the need for policy enforcement, telemetry, and revocation designed for non-human actors. Practitioners should align agent governance with NHI controls instead of inventing a separate model.

Blast-radius control is becoming the deciding metric for agent safety. If an agent can chain tasks across systems, then the question is not whether a failure will happen but how far it will travel. That shifts attention toward session isolation, kill switches, per-task authorization, and tamper-evident logs. The field should expect more emphasis on containment than on perfect prediction. Practitioners should optimise for rapid interruption, not just detection.

Agentic supply chain risk is already an identity problem. When models, plugins, descriptors, or MCP servers can be loaded dynamically, the trust decision is no longer about code alone. It is about whether a runtime component can assume authority inside production workflows. That makes signing, attestation, inventory, and source pinning central to NHI governance. Practitioners should review every runtime trust relationship as an access relationship.

From our research:

• The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
• Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
• For a deeper control model, see Ultimate Guide to NHIs for lifecycle governance patterns that apply directly to agent identities.

What this signals

Agentic identity governance will become a baseline requirement, not a specialist add-on. As more environments adopt autonomous tools, teams will need to move from static service-account thinking to task-scoped access models with faster revocation and clearer ownership. The gap is structural, and identity programmes that cannot model execution authority will struggle to keep pace with agent deployments.

With 43% of security professionals already concerned about AI systems learning and reproducing sensitive information patterns from codebases, per The State of Secrets in AppSec, the risk picture extends beyond secrets leakage into how agents ingest and reuse context. Programmes should expect pressure to classify agent memory, retrieved context, and tool outputs as governed data paths.

OWASP’s agentic guidance and the OWASP Non-Human Identity Top 10 both point to the same operational conclusion. Organisations should converge on one control plane for human and machine access, then layer agent-specific approvals, telemetry, and containment. That alignment will matter more than any single point product because the failure mode is coordinated privilege, not isolated authentication.

For practitioners

• Define a unique identity for every agent Assign short-lived credentials, task boundaries, and explicit owners so each agent can be traced and revoked independently.
• Separate planning from execution Put approval gates, policy checks, and sandbox controls between the agent’s reasoning loop and any destructive or privileged action.
• Inventory every runtime dependency Track plugins, MCP servers, descriptors, and external tools as part of your NHI inventory so hidden trust paths do not accumulate.
• Reduce transitive privilege Block cached credentials, re-authorize privilege escalation, and remove any inherited access that is not required for the specific task.
• Add containment and rollback controls Use kill switches, tamper-evident logs, and session isolation so a compromised agent can be stopped without affecting the rest of the environment.

Key takeaways

• Agentic AI creates an access problem as much as an application problem, because agents can act with real permissions across live systems.
• The most dangerous failures involve identity abuse, tool chaining, and trust inherited through context or delegation rather than a single broken control.
• Security teams should respond with task-scoped identities, tighter approval gates, and blast-radius containment designed for non-human actors.

Key terms

• Agent Identity: An agent identity is the authenticated principal assigned to an autonomous software entity so it can access tools, data, and systems. In practice, it must include scope, expiry, ownership, and revocation, because the agent can make decisions and take actions rather than simply call an endpoint.
• Tool Misuse: Tool misuse is the unsafe use of a legitimate capability by an AI agent, such as calling the right API with the wrong parameters or chaining tools into an unintended outcome. The underlying issue is not access alone, but whether execution boundaries are narrow enough to prevent harmful combinations of actions.
• Blast Radius: Blast radius is the amount of damage a compromised identity, bad decision, or poisoned context can spread before it is contained. For agentic systems, it is shaped by privilege scope, session persistence, tool reach, and how quickly policy enforcement can interrupt execution.

What's in the full article

Teleport's full article covers the operational detail this post intentionally leaves for the source:

• Category-by-category mitigation guidance for all ten OWASP agentic risks, including specific controls for each failure mode.
• Telemetry and guardrail examples that show how Teleport maps identity, approvals, and session recording to agentic workflows.
• Implementation framing for ephemeral credentials, scoped access, and human-in-the-loop controls across infrastructure and AI agents.
• Practical examples for using identity-based access controls when agents interact with APIs, shells, and cloud services.

👉 Teleport's full article covers the ten risk categories and the mitigation steps for each one.

Deepen your knowledge

Agent identity governance, least privilege, and lifecycle controls are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for autonomous agents and service identities at the same time, it is worth exploring.