TL;DR: OWASP’s 2026 Top 10 for Agentic Applications maps the highest-impact failure modes in agentic systems, including goal hijacking, tool misuse, identity and privilege abuse, memory poisoning, and rogue behaviour across autonomous workflows, according to Lasso Security. Traditional AppSec, DLP, and cloud controls were not designed for agents that plan, act, and mutate state at runtime.
NHIMG editorial — based on content published by Lasso Security: OWASP Top 10 for Agentic Applications
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
Questions worth separating out
Q: What breaks when agentic AI inherits human or service credentials?
A: The core failure is that the agent can operate inside the principal’s trust domain with access that was never scoped for dynamic, runtime decision-making.
Q: Why do agentic systems complicate least privilege?
A: Least privilege assumes the needed access can be defined at provisioning time because the actor’s purpose is known in advance.
Q: How do security teams know if an AI agent is operating outside its intended scope?
A: Look for signals such as unexpected tool invocation, abnormal data access, repeated plan changes, or actions that are valid at the protocol level but inconsistent with the original task.
Practitioner guidance
- Inventory every agentic identity and its delegated access: map each AI agent to the human, service account, or workload identity that authorises it, then document every API, browser, file, and workflow permission it can reach.
- Re-scope agent credentials to the narrowest runtime task: issue short-lived, task-specific credentials for each agent workflow and remove broad reuse of the same token across tools.
- Treat memory and retrieval as governed inputs: classify agent memory stores, scratchpads, retrieval sources, and inter-agent messages as security-relevant data flows.
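As an added illustration of two points above, the out-of-scope signals listed in the Q&A (unexpected tool invocation, abnormal data access, repeated plan changes, a credential reused outside its task) and the short-lived, task-scoped credentials the guidance calls for, here is a small Python runtime gate. It is example code written for this editorial, not Lasso Security's or OWASP's, and the orchestrator step format (`task_id`, `tool`, `resource`, `plan_version`), the tool names and the resource paths are all assumptions; the sample steps are constructed.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class TaskCredential:
    """Short-lived credential bound to one task, one tool set and one data scope."""
    task_id: str
    allowed_tools: frozenset
    resource_prefixes: tuple
    expires_at: float
    token: str  # HMAC over the fields above, so the scope cannot be widened later


class ScopeGate:
    """Issues task-scoped credentials and checks every agent step against them.

    `check` returns a list of findings; an empty list means the step is in scope.
    """

    def __init__(self, signing_key: bytes, ttl_seconds: int = 300, max_plan_changes: int = 2):
        self._key = signing_key
        self._ttl = ttl_seconds
        self._max_plan_changes = max_plan_changes
        self._plan_seen = {}  # task_id -> (last plan_version seen, number of plan changes)

    def _mac(self, task_id, tools, prefixes, expires_at):
        msg = "|".join([task_id, ",".join(sorted(tools)), ",".join(prefixes), repr(expires_at)])
        return hmac.new(self._key, msg.encode(), hashlib.sha256).hexdigest()

    def issue(self, task_id, allowed_tools, resource_prefixes, now=None):
        """Mint a credential that expires after ttl_seconds and covers only this task's scope."""
        now = time.time() if now is None else now
        expires_at = now + self._ttl
        tools, prefixes = frozenset(allowed_tools), tuple(resource_prefixes)
        return TaskCredential(task_id, tools, prefixes, expires_at,
                              self._mac(task_id, tools, prefixes, expires_at))

    def check(self, cred, step, now=None):
        now = time.time() if now is None else now
        expected = self._mac(cred.task_id, cred.allowed_tools, cred.resource_prefixes, cred.expires_at)
        if not hmac.compare_digest(cred.token, expected):
            return ["tampered_credential"]  # scope fields no longer match what was issued
        findings = []
        if now > cred.expires_at:
            findings.append("expired_credential")
        if step["task_id"] != cred.task_id:
            findings.append("credential_reused_across_tasks")
        if step["tool"] not in cred.allowed_tools:
            findings.append(f"unexpected_tool:{step['tool']}")
        if not any(step["resource"].startswith(p) for p in cred.resource_prefixes):
            findings.append(f"abnormal_data_access:{step['resource']}")
        # Track how often the agent re-plans within one task; frequent re-planning is a
        # signal that the task is drifting from its original intent.
        last, changes = self._plan_seen.get(step["task_id"], (None, 0))
        if last is not None and step["plan_version"] != last:
            changes += 1
        self._plan_seen[step["task_id"]] = (step["plan_version"], changes)
        if changes > self._max_plan_changes:
            findings.append("repeated_plan_changes")
        return findings


# Constructed sample: a ticket-triage agent scoped to read/update tickets under "tickets/".
SAMPLE_STEPS = [
    {"task_id": "T-1", "tool": "read_ticket", "resource": "tickets/4711", "plan_version": 1},
    {"task_id": "T-1", "tool": "read_ticket", "resource": "tickets/4712", "plan_version": 1},
    {"task_id": "T-1", "tool": "send_email", "resource": "mail/outbox", "plan_version": 2},
    {"task_id": "T-1", "tool": "read_ticket", "resource": "hr/salaries.csv", "plan_version": 3},
    {"task_id": "T-1", "tool": "read_ticket", "resource": "tickets/4713", "plan_version": 4},
    {"task_id": "T-2", "tool": "read_ticket", "resource": "tickets/9000", "plan_version": 1},
]


def run_sample(now=1_700_000_000.0):
    """Run the constructed steps through the gate and return findings per step."""
    gate = ScopeGate(signing_key=b"constructed-demo-key", ttl_seconds=300, max_plan_changes=2)
    cred = gate.issue("T-1", {"read_ticket", "update_ticket"}, ("tickets/",), now=now)
    return [gate.check(cred, step, now=now) for step in SAMPLE_STEPS]


def run_widened_scope_sample(now=1_700_000_000.0):
    """Show that adding a tool to an issued credential is detected via the HMAC."""
    gate = ScopeGate(signing_key=b"constructed-demo-key", ttl_seconds=300)
    cred = gate.issue("T-1", {"read_ticket"}, ("tickets/",), now=now)
    widened = TaskCredential(cred.task_id, cred.allowed_tools | {"send_email"},
                             cred.resource_prefixes, cred.expires_at, cred.token)
    return gate.check(widened, SAMPLE_STEPS[2], now=now)


if __name__ == "__main__":
    for step, findings in zip(SAMPLE_STEPS, run_sample()):
        print(step["tool"], step["resource"], "->", findings or "ok")
    print("widened credential ->", run_widened_scope_sample())
```

The point of binding the tool set and resource scope into the token is that a credential issued for one task cannot quietly become a broader one: any attempt to widen it invalidates the MAC, and any use of it for a different `task_id` shows up as a finding rather than being silently accepted. In a real deployment the findings would feed the same alerting pipeline as other identity anomalies, and the gate would sit in the orchestrator in front of every tool call, not in the model prompt.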
What's in the full article
Lasso Security's full post covers the operational detail this post intentionally leaves for the source:
- The report's ASI01 to ASI10 taxonomy with concrete failure patterns for each agentic vulnerability.
- The runtime protection model for discovery, risk management, and enforcement across agent lifecycles.
- The relationship between agent guardrails, IAM permissions, and red and purple team testing.
- The specific examples of how tool misuse, memory poisoning, and rogue behaviour show up in production.
👉 Read Lasso Security's analysis of OWASP's Top 10 for Agentic Applications →
Agentic AI attack surface: are your controls keeping up?
Explore further
Agentic AI creates an identity problem before it creates an application problem. OWASP’s taxonomy matters because it shows that the dangerous part is not just model output, but runtime behaviour that can select tools, change plans, and act through inherited access. That makes agent governance an identity and privilege discipline, not a narrow AI safety topic. Practitioners should treat agentic systems as controlled identities with observable trust boundaries.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
- 52% of companies can track and audit the data their AI agents access, which means 48% still lack basic visibility into what those systems are touching.
A question worth separating out:
Q: What should organisations do when an agent starts mutating state or rewriting memory?
A: They should treat the agent as potentially compromised and isolate the memory, retrieval, and tool paths that can propagate the bad state. The key is to stop persistence from becoming replayable behaviour across later sessions or other agents that trust the same context.
👉 Read our full editorial: OWASP top 10 for agentic applications exposes new control gaps