TL;DR: OWASP’s 2026 Top 10 for Agentic Applications maps the highest-impact failure modes in agentic systems, including goal hijacking, tool misuse, identity and privilege abuse, memory poisoning, and rogue behaviour across autonomous workflows, according to Lasso Security. Traditional AppSec, DLP, and cloud controls were not designed for agents that plan, act, and mutate state at runtime.
NHIMG editorial — based on content published by Lasso Security: OWASP Top 10 for Agentic Applications
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
Questions worth separating out
Q: What breaks when agentic AI inherits human or service credentials?
A: The core failure is that the agent can operate inside the principal’s trust domain with access that was never scoped for dynamic, runtime decision-making.
Q: Why do agentic systems complicate least privilege?
A: Least privilege assumes the needed access can be defined at provisioning time because the actor's purpose is known in advance. An agent that plans at runtime has no fixed purpose to provision against, so a static grant is either broader than any single task needs or too narrow to complete the task.
Q: How do security teams know if an AI agent is operating outside its intended scope?
A: Look for signals such as unexpected tool invocation, abnormal data access, repeated plan changes, or actions that are valid at the protocol level but inconsistent with the original task.
Practitioner guidance
- Inventory every agentic identity and its delegated access: map each AI agent to the human, service account, or workload identity that authorises it, then document every API, browser, file, and workflow permission it can reach.
- Re-scope agent credentials to the narrowest runtime task: issue short-lived, task-specific credentials for each agent workflow and remove broad reuse of the same token across tools.
- Treat memory and retrieval as governed inputs: classify agent memory stores, scratchpads, retrieval sources, and inter-agent messages as security-relevant data flows.
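The out-of-scope signals listed in the answer above (unexpected tool invocation, abnormal data access, repeated plan changes, protocol-valid actions inconsistent with the task) and the task-scoped credential guidance can be combined into one runtime check. The following is an added example, not code from Lasso Security or OWASP; the TaskScope schema, event names and the sample trace are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TaskScope:
    """Narrowest runtime scope for one agent workflow (hypothetical schema)."""
    task_id: str
    allowed_tools: frozenset
    allowed_data_classes: frozenset
    max_replans: int

def evaluate_trace(scope, trace):
    """Return (step, signal, detail) for each event that falls outside scope.

    Every event is valid at the protocol level; the check is whether it is
    consistent with the task the agent's credential was issued for.
    """
    findings = []
    replans = 0
    for step, ev in enumerate(trace, 1):
        if ev["event"] == "tool_call" and ev["tool"] not in scope.allowed_tools:
            findings.append((step, "unexpected_tool_invocation", ev["tool"]))
        elif ev["event"] == "data_access" and ev["data_class"] not in scope.allowed_data_classes:
            findings.append((step, "abnormal_data_access", ev["data_class"]))
        elif ev["event"] == "replan":
            replans += 1
            if replans > scope.max_replans:
                findings.append((step, "repeated_plan_changes", f"replan #{replans}"))
        elif ev["event"] == "credential_use" and ev["task_id"] != scope.task_id:
            findings.append((step, "cross_task_credential_reuse", ev["task_id"]))
    return findings

# Constructed sample: a summarisation agent that is only meant to read one ticket.
SCOPE = TaskScope(
    task_id="summarise-ticket-4711",
    allowed_tools=frozenset({"ticket.read", "llm.summarise"}),
    allowed_data_classes=frozenset({"ticket", "public"}),
    max_replans=2,
)
TRACE = [
    {"event": "tool_call", "tool": "ticket.read"},
    {"event": "data_access", "data_class": "ticket"},
    {"event": "replan"},
    {"event": "tool_call", "tool": "email.send"},          # valid tool, wrong task
    {"event": "data_access", "data_class": "credentials"},
    {"event": "replan"},
    {"event": "replan"},                                   # third change of plan
    {"event": "credential_use", "task_id": "export-all-tickets"},
]

if __name__ == "__main__":
    for step, signal, detail in evaluate_trace(SCOPE, TRACE):
        print(f"step {step}: {signal} ({detail})")
```

Each finding carries the step index so it can be joined back to the agent's own plan log when triaging.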
What's in the full article
Lasso Security's full post covers the operational detail this post intentionally leaves for the source:
- The report's ASI01 to ASI10 taxonomy with concrete failure patterns for each agentic vulnerability.
- The runtime protection model for discovery, risk management, and enforcement across agent lifecycles.
- The relationship between agent guardrails, IAM permissions, and red and purple team testing.
- The specific examples of how tool misuse, memory poisoning, and rogue behaviour show up in production.
Read Lasso Security's analysis of OWASP's Top 10 for Agentic Applications.