TL;DR: OWASP’s 2026 Top 10 for Agentic Applications maps the highest-impact failure modes in agentic systems, including goal hijacking, tool misuse, identity and privilege abuse, memory poisoning, and rogue behaviour across autonomous workflows, according to Lasso Security. Traditional AppSec, DLP, and cloud controls were not designed for agents that plan, act, and mutate state at runtime.
At a glance
What this is: This is a breakdown of OWASP’s 2026 Top 10 for Agentic Applications, with the central finding that autonomous, tool-enabled AI creates failure modes traditional security controls do not cover well.
Why it matters: It matters because IAM, PAM, and governance teams now have to treat agent behaviour, delegated privilege, and runtime tool use as first-class identity problems across NHI, autonomous, and human workflows.
By the numbers:
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
👉 Read Lasso Security's analysis of OWASP's Top 10 for Agentic Applications
Context
Agentic AI changes the identity problem because the system is no longer just consuming instructions. It is selecting tools, chaining actions, and mutating state in ways that can outlive a single prompt or workflow step.
That shift breaks the assumptions behind conventional application security and IAM. A control set built for stable accounts, bounded workflows, and predictable approvals struggles when the actor can decide what to do next at runtime and then execute it through delegated credentials.
Key questions
Q: What breaks when agentic AI inherits human or service credentials?
A: The core failure is that the agent can operate inside the principal’s trust domain with access that was never scoped for dynamic, runtime decision-making. If those credentials reach multiple tools, the agent can misuse valid access paths without obvious perimeter alarms. The result is an identity problem, not just a model problem.
Q: Why do agentic systems complicate least privilege?
A: Least privilege assumes the needed access can be defined at provisioning time because the actor’s purpose is known in advance. Agentic systems challenge that assumption because tool choice, sequence, and timing emerge during execution. Security teams must therefore design for runtime behaviour, not only pre-approved entitlements.
Q: How do security teams know if an AI agent is operating outside its intended scope?
A: Look for signals such as unexpected tool invocation, abnormal data access, repeated plan changes, or actions that are valid at the protocol level but inconsistent with the original task. Governance is working when those behaviours are visible quickly enough to stop them before they spread across systems.
Q: What should organisations do when an agent starts mutating state or rewriting memory?
A: They should treat the agent as potentially compromised and isolate the memory, retrieval, and tool paths that can propagate the bad state. The key is to stop persistence from becoming replayable behaviour across later sessions or other agents that trust the same context.
Technical breakdown
Agent goal hijacking and planning-chain coercion
Agent goal hijacking occurs when an attacker changes what the agent is trying to achieve, not just what input it sees. In agentic systems, goals can be inferred from system prompts, intermediate tasks, memory, and planning context. Once the objective is altered, the agent may continue to behave consistently, but toward the wrong end state. That makes the attack difficult to spot with controls that only inspect the final action or the user prompt. The failure is structural because the trust boundary sits inside the reasoning loop, not around it.
Practical implication: constrain goal-setting inputs, separate task intent from execution context, and monitor for unexpected plan drift.
Identity and privilege abuse through delegated credentials
Agentic applications often inherit human or service credentials to reach APIs, file systems, browsers, and internal workflows. If those credentials grant broad access, the agent effectively operates inside the same trust domain as the principal that issued them. That creates a privilege problem, not merely a bot problem. A compromised agent can silently use valid access paths, which is why traditional perimeter alerts may miss abuse that looks legitimate at the protocol layer. In NHI terms, the issue is not whether the token is valid. It is whether the token is over-scoped for a runtime that can choose actions independently.
Practical implication: scope delegated credentials to single-purpose, short-lived access and audit every downstream tool permission.
Memory poisoning and rogue agent behaviour
Agent memory and retrieval layers create persistence. If attackers poison long-term memory, scratchpads, or retrieval sources, the agent can keep using corrupted context across future sessions. That is different from a one-off prompt injection because the bad state survives and can compound over time. Rogue behaviour often emerges when this persistence combines with weak monitoring, loose governance rules, or unvalidated inter-agent messages. The result is an AI system that appears to be functioning normally while repeatedly reproducing unsafe decisions and actions.
Practical implication: treat memory, retrieval, and agent-to-agent messages as governed inputs and continuously validate the state they feed into.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Agentic AI creates an identity problem before it creates an application problem. OWASP’s taxonomy matters because it shows that the dangerous part is not just model output, but runtime behaviour that can select tools, change plans, and act through inherited access. That makes agent governance an identity and privilege discipline, not a narrow AI safety topic. Practitioners should treat agentic systems as controlled identities with observable trust boundaries.
Identity and privilege abuse is the clearest example of why agentic control assumptions collapse. Least privilege was designed for access granted to a principal with a stable purpose at provisioning time. That assumption fails when the actor is autonomous because tool choice and execution timing emerge during the session, after the access decision has already been made. The implication is that traditional entitlement review no longer describes the real risk surface.
Memory poisoning is a persistence problem disguised as an AI quality issue. When an agent retains compromised context, the unsafe behaviour can reappear long after the original trigger is gone. That turns a single malicious interaction into a reusable governance defect, especially where agents share retrieval sources or participate in multi-agent workflows. Practitioners should see memory as part of the attack surface, not a convenience layer.
Rogue agents expose the gap between policy intent and runtime enforcement. OWASP’s framing shows that many enterprises can describe what agents should do, yet cannot reliably constrain what those agents actually do once conditions change. That matters for NHI governance because dynamic behaviour breaks static approvals, fixed scopes, and human review cadences. The field needs controls that evaluate behaviour in motion, not just before deployment.
Named concept: runtime trust drift. This is the widening gap between the access an agent is granted at setup and the actions it can take once it starts chaining tools, memory, and external services. It is not a single misconfiguration. It is the steady mismatch between static authorization and dynamic execution. Practitioners should read OWASP’s agentic model as proof that runtime trust drift is now a category-level governance issue.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
- 52% of companies can track and audit the data their AI agents access, which means 48% still lack basic visibility into what those systems are touching.
- If you are building response playbooks for agentic behaviour, review OWASP Agentic Applications Top 10 for the failure modes most likely to surface first.
What this signals
Runtime trust drift will become the practical test for whether agentic governance is real or decorative. If an organisation cannot see where an agent’s granted access diverges from its actual runtime behaviour, approval workflows will keep certifying the wrong thing. That makes visibility into delegated identity, memory, and tool use a core control objective, not an AI-specialist concern.
Enterprises that already understand service-account sprawl will recognise the pattern quickly, but agentic systems make the gap more volatile because behaviour changes session by session. The presence of AI does not remove identity discipline. It makes the discipline more urgent because the actor can change what it is trying to do while the access grant remains static.
For practitioners
- Inventory every agentic identity and its delegated access Map each AI agent to the human, service account, or workload identity that authorises it, then document every API, browser, file, and workflow permission it can reach. Separate discovery from approval so shadow AI and over-scoped agents are visible before they enter production.
- Re-scope agent credentials to the narrowest runtime task Issue short-lived, task-specific credentials for each agent workflow and remove broad reuse of the same token across tools. Where an agent can chain actions, assume the safest control is to reduce what the credential can do if the plan changes mid-session.
- Treat memory and retrieval as governed inputs Classify agent memory stores, scratchpads, retrieval sources, and inter-agent messages as security-relevant data flows. Validate provenance, monitor for poisoning, and separate durable memory from ephemeral task context so compromised state does not persist across sessions.
- Test for tool misuse and plan drift before release Red-team the agent against goal hijacking, malicious tool invocation, and unintended state mutation. Focus on how the agent behaves when instructions conflict, sources are poisoned, or a downstream tool returns unexpected results.
Key takeaways
- Agentic AI turns access management into a runtime governance problem because the system can change goals, tools, and actions after credentials are issued.
- The strongest evidence of risk is behavioural, not theoretical: most organisations already see agents acting beyond intended scope, touching systems and data they should not.
- Practitioners should shift from static approval thinking to continuous control of delegated identity, memory, and tool execution paths.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | ASI03 | Identity and privilege abuse is a core agentic failure mode in this article. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Agent credentials behave like NHI secrets and need rotation and scope control. |
| NIST AI RMF | Agent governance needs lifecycle accountability, monitoring, and risk treatment. |
Apply AI RMF governance and mapping functions to define ownership, monitoring, and escalation paths for agents.
Key terms
- Agentic Application: An agentic application is an AI system that can plan, select tools, and execute actions to complete tasks rather than only generating text. Its risk profile is governed by runtime behaviour, delegated access, and state changes, not by prompt quality alone.
- Runtime Trust Drift: Runtime trust drift is the gap between the access an agent is authorised to have and the actions it can actually take once it begins chaining tools and context. It matters because static approvals can look compliant while live behaviour expands beyond the original trust boundary.
- Memory Poisoning: Memory poisoning is the deliberate or accidental corruption of an agent’s persistent context, retrieval sources, or scratchpad so future behaviour is influenced by bad state. The issue persists across sessions, which makes it more dangerous than a one-time prompt injection.
- Tool Misuse: Tool misuse is the abuse of APIs, browsers, file systems, or other connected tools by an AI agent in ways that were not intended by the organisation. In agentic systems, tool permissions are as important as model safety because real-world damage happens through execution.
Deepen your knowledge
Agentic AI governance and delegated access control are covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for autonomous workflows and runtime privilege, it is worth exploring.
This post draws on content published by Lasso Security: OWASP Top 10 for Agentic Applications. Read the original.
Published by the NHIMG editorial team on 2026-03-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
