By NHI Mgmt Group Editorial Team
Published 2025-12-10
Domain: Agentic AI & NHIs
Source: Zenity

TL;DR: OWASP’s Top 10 for Agentic Applications defines 10 operational risk categories for autonomous and semi-autonomous AI systems that plan, call tools, use memory, and take actions inside enterprise workflows, according to Zenity. The framework matters because existing model-centric controls do not address the identity, delegation, and execution risks that emerge once AI can act.


At a glance

What this is: OWASP’s Top 10 for Agentic Applications is a new security framework for the operational risks created by AI systems that can plan, invoke tools, and take actions.

Why it matters: It matters because IAM, PAM, and NHI programmes now have to govern not just what AI generates, but what it is permitted to do inside enterprise systems.



Context

Agentic AI changes the security problem because the system is no longer limited to producing text or predictions. Once an AI system can choose tools, reuse credentials, and act inside business workflows, the governance model shifts from output control to action control. That is the primary reason this topic belongs inside identity security, not only AI security.

The article argues that model-centric controls such as prompt filtering and retrieval hardening do not cover the operational layer where risk actually materialises. For identity teams, the issue is whether access, delegation, and audit controls are designed for actors that can execute in real time, not just respond to requests. That is the programme gap OWASP is trying to name.


Key questions

Q: How should security teams govern AI agents that can invoke tools and take actions?

A: Treat AI agents as privileged identities with bounded authority, explicit tool permissions, and continuous monitoring of runtime behaviour. Governance should cover identity assignment, delegation, memory, and audit logging, not just model prompts or content filters. If the agent can act in production, the control model must verify action intent before execution and preserve evidence after it.

Q: Why do AI agents create more risk than traditional automation?

A: Traditional automation follows predefined rules, while agents can choose actions, combine tools, and change course during execution. That makes their privilege use harder to predict and their failure modes harder to contain. Risk increases when the same identity can decide, access, and act without a separate approval boundary.

Q: What breaks when AI agent permissions are too broad?

A: Broad permissions let an attacker or malicious prompt redirect an agent into systems and workflows that were never part of the original task. The result is lateral movement, data exposure, and delegated misuse that looks legitimate in logs unless the organisation tracks intent, tool sequence, and scope. Least privilege must be enforced at the level of agent behaviour, not only account creation.

Q: Who is accountable when an AI agent causes harmful actions?

A: Accountability should remain with the organisation that assigned the agent’s access and allowed it to operate. Security, application, and governance teams share responsibility for permissions, monitoring, and approval boundaries, while risk and compliance teams need evidence that the agent’s actions were visible and reviewable. If nobody owns the delegation chain, nobody owns the blast radius.


Technical breakdown

Agent goal hijack and prompt injection

Agent goal hijack occurs when malicious input changes what the agent is trying to achieve, not just what it says. Because agents combine instructions, context, memory, and tool access, attackers can redirect plans or alter task intent without obvious failure signals. This is different from ordinary prompt tampering because the attack targets decision-making, not output text. In practice, the control problem is runtime intent integrity: the system must distinguish authorised goals from manipulated ones while the session is still active.

Practical implication: teams need controls that inspect intent drift before an agent commits to tool use or downstream actions.

Identity and privilege abuse in agent workflows

Agentic systems often inherit tokens, cached identities, or broad service permissions, which makes them behave like privileged non-human identities. That matters because an attacker does not need to break authentication if the agent already has legitimate access and can be induced to act outside its intended scope. The risk extends to delegation chains, where a higher-privilege agent can be tricked into using its authority on behalf of an untrusted request. Identity and privilege abuse therefore sits at the centre of agent governance, not at the edge.

Practical implication: reduce inherited privilege and separate agent identities from human or system accounts wherever possible.

Memory poisoning, inter-agent communication, and cascading failure

Agent memory and multi-agent communication create persistence and propagation paths that traditional application controls do not model well. If memory is poisoned, the bad state can survive beyond one interaction and keep influencing later decisions. If agents exchange messages without strong authentication and semantic validation, a compromised or spoofed agent can push bad instructions across the chain. Once agents also delegate work to other agents, a small compromise can cascade into larger operational failure before human review occurs.

Practical implication: secure memory writes, validate inter-agent messages, and monitor delegated actions as first-class control points.



NHI Mgmt Group analysis

Agentic AI security is now a distinct governance category, not an extension of model security. The article is right to separate agentic risk from prompt-only and model-only controls because the operational unit of risk is the actor that can decide, access, and act. That distinction matters for IAM, PAM, and NHI teams because the control surface is behavioural and permissioned, not merely conversational. The practitioner conclusion is that AI security programmes need an identity model for agents, not just content filters.

Identity and privilege abuse is the core failure mode for agentic systems. Agents often operate with inherited credentials, cached access, and delegated authority, which turns them into privileged non-human identities by default. Once that happens, least privilege becomes a governance problem at runtime, not a static provisioning problem. The practitioner conclusion is that agent identities must be governed as lifecycle-managed identities with explicit boundaries and auditability.

Runtime intent integrity is the named concept this framework makes unavoidable. Traditional controls assume the actor’s goal is stable enough to authorise and review, but agent goal hijack shows that the goal itself can be manipulated after execution begins. That assumption breaks when the actor can re-plan, call tools, and change course mid-session. The practitioner conclusion is that governance must account for mutable intent, not only mutable access.

Multi-agent delegation creates a new blast radius problem for identity teams. When agents communicate with each other, one compromised instruction or poisoned memory item can propagate across multiple systems before a human sees it. That makes delegated agent behaviour a governance chain, not a set of isolated app events. The practitioner conclusion is that identity oversight must follow the chain of action, not stop at the first authenticated request.

OWASP has given the market a common vocabulary that security teams can now operationalise. The value of the Top 10 is not the label alone, but the way it turns scattered concerns into categories that can be mapped to policy, monitoring, and control ownership. For practitioners, that creates a more defensible way to prioritise agent risk across IAM, NHI, and AI governance programmes. The practitioner conclusion is to use the taxonomy to align ownership before deployment scales further.

From our research:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • For a deeper control perspective, see OWASP NHI Top 10 for the risk categories practitioners are now mapping into governance.

What this signals

Runtime intent integrity is the programme issue teams need to watch first, because agent goal hijack changes the control question from "what did the model say" to "what did the actor decide to do next". In the SailPoint survey, 80% of organisations said their AI agents had already acted beyond intended scope, which means the gap is already operational, not theoretical. Teams should align monitoring, approval, and evidence capture to agent behaviour rather than output review.

Identity teams should expect agent governance to converge with PAM and NHI lifecycle practices. The same access logic that limits standing privilege for service accounts now has to account for tool-using agents that can inherit tokens, delegate work, and act across SaaS, cloud, and endpoint environments. Organisations that cannot trace agent actions end to end will struggle to prove compliance or contain incidents.

The practical next step is to treat agent rollout as an identity architecture programme, not a feature deployment. That means assigning ownership for agent identities, validating inter-agent communication, and separating human approvals from machine execution paths. The organisations that do this early will have a clearer route into Analysis of Claude Code Security and other agent security patterns as the market matures.


For practitioners

  • Create an identity model for agents and delegated tools. Assign each agent a distinct identity, map its inherited permissions, and document which tools, data sets, and approval paths it can reach. Treat delegation as a governed access path, not an implementation detail.
  • Reduce inherited privilege before agents reach production. Strip broad service permissions, separate human and agent credentials, and prohibit shared tokens where the agent can act independently. Review any permission that would let an agent reach systems unrelated to its task.
  • Instrument runtime controls for goal drift and unsafe tool use. Monitor intent changes, tool sequences, memory writes, and cross-agent messages in real time. Block or quarantine actions when an agent starts combining permissions in ways that were not approved at design time.
  • Build audit trails that follow the full delegation chain. Capture who initiated the request, which agent decided, which tool executed, and which downstream agent received the instruction. Preserve those records so investigations can reconstruct behaviour across the chain.
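The four practitioner points above (distinct agent identity, reduced privilege, runtime checks for goal drift and unsafe tool use, and an audit trail that follows the delegation chain) as one added example, written for this summary and not taken from the Zenity article or from OWASP: a tool-call guard that sits in front of every tool invocation. The agent names, policy values, and the session goal-hash comparison used as a simple stand-in for runtime intent integrity are constructed assumptions.

```python
import hashlib
import time
from dataclasses import dataclass

# Constructed policy: each agent is a distinct identity with an explicit tool
# allowlist, a data scope, and a cap on how many upstream agents may delegate to it.
AGENT_POLICY = {
    "agent:ticket-triage": {"tools": {"read_ticket", "post_comment"},
                            "scopes": {"tickets"}, "max_chain_len": 1},
    "agent:payroll-export": {"tools": {"export_payroll"},
                             "scopes": {"hr"}, "max_chain_len": 0},
}

@dataclass
class ToolCall:
    session_id: str
    initiator: str            # human or system that started the request
    agent_id: str             # agent that decided to act
    delegation_chain: list    # upstream agents that handed the instruction on
    tool: str
    scope: str
    goal: str                 # goal the agent claims to be pursuing right now

AUTHORIZED_GOALS: dict = {}   # session_id -> hash of the goal approved at session start
AUDIT_LOG: list = []          # one record per decision, allowed or denied

def register_session(session_id, goal):
    """Bind the authorised goal to the session before any tool use is allowed."""
    AUTHORIZED_GOALS[session_id] = hashlib.sha256(goal.encode()).hexdigest()

def authorize_tool_call(call):
    """Return (allowed, reason) and append an audit record covering the full chain."""
    policy = AGENT_POLICY.get(call.agent_id)
    goal_hash = hashlib.sha256(call.goal.encode()).hexdigest()
    if policy is None:
        reason = "unknown agent identity"
    elif call.tool not in policy["tools"]:
        reason = "tool not permitted for this agent"
    elif call.scope not in policy["scopes"]:
        reason = "scope outside the agent's task"
    elif len(call.delegation_chain) > policy["max_chain_len"]:
        reason = "delegation chain longer than allowed"
    elif AUTHORIZED_GOALS.get(call.session_id) != goal_hash:
        reason = "intent drift: goal no longer matches the authorised goal"
    else:
        reason = "ok"
    allowed = reason == "ok"
    AUDIT_LOG.append({"ts": time.time(), "session": call.session_id,
                      "initiator": call.initiator, "agent": call.agent_id,
                      "chain": list(call.delegation_chain), "tool": call.tool,
                      "scope": call.scope, "allowed": allowed, "reason": reason})
    return allowed, reason
```

Denied calls are logged as well as allowed ones, so an investigation can see the attempted tool, the agent that chose it, and every agent in the chain that passed the instruction along.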

Key takeaways

  • Agentic AI introduces a governance problem that sits squarely inside identity security because the actor can decide, access, and act.
  • The article’s framework matters because existing model-centric controls do not stop privilege abuse, memory poisoning, or delegated misuse at runtime.
  • Practitioners should govern agents as privileged identities with explicit boundaries, real-time oversight, and audit trails that follow the full delegation chain.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 |  | Directly addresses agent goal hijack, tool misuse, and rogue agent behaviour.
NIST AI RMF |  | Covers governance and risk management for AI systems that make decisions.
OWASP Non-Human Identity Top 10 | NHI-03 | Agents often inherit privileged credentials and need lifecycle governance.

Treat agent credentials as lifecycle-managed NHI assets and reduce standing privilege wherever possible.


Key terms

  • Agentic AI: AI systems that can plan, choose tools, and take actions rather than only generate text or predictions. In identity terms, they become actors with delegated access, which means governance must cover permissions, intent, and auditability across the full action chain.
  • Agent goal hijack: A failure mode where an attacker changes what an AI agent is trying to do, often through prompt injection or corrupted context. The risk is not only bad output but bad action, because the agent may execute a different plan while still appearing to operate normally.
  • Delegation chain: The path of authority from the original requester through intermediate systems, tokens, agents, or sub-agents to the final action. For autonomous and semi-autonomous systems, the delegation chain determines accountability, evidence quality, and how far a compromised instruction can travel.
  • Runtime intent integrity: The ability to confirm that an agent’s current goal still matches its authorised purpose while it is executing. This matters because an agent can re-plan, combine tools, or shift scope during the session, so governance must verify intent before action, not only before deployment.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.

This post draws on content published by Zenity: The OWASP Top 10 for Agentic Applications, a milestone for AI security.
