OWASP published its first Top 10 for AI Agents. 88% of enterprises already had agent security incidents last year. Here's the breakdown.

OWASP released the Top 10 for Agentic Applications in December 2025 - the first formal risk taxonomy for autonomous AI agents. Not chatbots. Not copilots. Agents that plan, use tools, maintain memory, and act without waiting for permission. Some numbers for context: * 88% of enterprises reported AI agent security incidents in the last 12 months (Gravitee survey, 919 respondents) * Only 21% have runtime visibility into what their agents are doing * 82% of enterprises have unknown agents in their environments (Cloud Security Alliance, April 2026) * 5.5% of public MCP servers contain poisoned tool descriptions. 84.2% attack success rate with auto-approval enabled. Here's the list with the real attacks behind each one: **ASI01 - Agent Goal Hijack:** Prompt injection for agents. Researchers showed this against GitHub's MCP integration - a malicious GitHub issue redirected a coding agent to exfiltrate data from private repos. The agent looked like it was working normally the whole time. **ASI02 - Tool Misuse:** A financial services agent was tricked into running a regex that matched every customer record. 45,000 records exported through one syntactically valid tool call. The agent had permission to query records - just not all of them at once. **ASI03 - Identity and Privilege Abuse:** Agents inherit user permissions and cache credentials. Compromise one agent in a delegation chain and you get the combined permissions of every user in that chain. **ASI04 - Supply Chain Compromise:** OX Security found 7,000+ vulnerable MCP servers and packages totaling 150M+ downloads affected by architectural flaws in Anthropic's MCP SDKs across Python, TypeScript, Java, and Rust. **ASI05 - Unexpected Code Execution:** Check Point demonstrated RCE in Claude Code through poisoned `.claude` config files in repos. Open the repo, agent reads the config, executes the payload with full developer permissions. **ASI06 - Memory Poisoning:** Galileo AI found that one compromised agent poisoned 87% of downstream decision-making within 4 hours in multi-agent systems. Morris-II showed self-replicating adversarial prompts spreading through RAG systems. Demonstrated live against ChatGPT, Gemini, and Claude. **ASI07 - Insecure Inter-Agent Comms:** Multi-agent systems coordinate via message buses and shared memory. No authentication = agent-in-the-middle attacks in natural language. **ASI08 - Cascading Failures:** Natural language errors pass validation checks that would catch malformed data in typed systems. One bad input ripples through the entire agent chain faster than humans can intervene. **ASI09 - Human-Agent Trust Exploitation:** Compromised agent presents a clean summary - "approve this data export." Human clicks OK. Audit trail shows human approval. Real origin was a manipulated agent. **ASI10 - Rogue Agents:** The insider threat equivalent for AI. Individual actions look legitimate. Only detectable through behavioral monitoring over time. The pattern: these are not independent risks. They form a kill chain. Goal hijack leads to tool misuse. Supply chain compromise enables code execution and memory poisoning. Trust exploitation is how rogue agents avoid detection. Full OWASP document [here](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/)