The OWASP Agentic Security Initiative (ASI) Top 10

When the OWASP Top 10 for LLM Applications landed in 2023, it gave the security community its first shared language for large language model risks. Prompt injection, insecure output handling, training data poisoning — these categories mapped cleanly to a world where an LLM received a single prompt and returned a single response. But that world is disappearing. AI agents operate in persistent loops. They remember previous conversations, invoke external tools, chain multi-step reasoning across minutes or hours, and take real-world actions with real-world consequences.

The OWASP Agentic Security Initiative (ASI) recognized that the original LLM taxonomy was insufficient for this new paradigm. An agent is not a chatbot with extra features — it is a fundamentally different computational model. Where a chatbot processes input and produces output, an agent perceives its environment, forms plans, executes tool calls, updates its memory, and iterates. Each of those capabilities introduces attack surface that the LLM Top 10 was never designed to address.

The Paradigm Shift

Consider prompt injection. In a chatbot, prompt injection tricks the model into producing unintended output — embarrassing, potentially harmful, but ultimately bounded by the stateless nature of the interaction. In an agent, the same attack vector becomes intent breaking and goal manipulation (ASI T6). The injected instruction does not merely alter one response. It corrupts the agent's planning across multiple reasoning steps, potentially redirecting the agent's entire mission from legitimate research to data exfiltration — and the agent will use its tools to execute that corrupted plan.

This is the core insight that drove the creation of the ASI Top 10: agentic autonomy amplifies every vulnerability. Memory persistence means data poisoning attacks carry across sessions. Tool access means manipulated outputs translate to real-world actions. Multi-agent coordination means a single compromised agent can cascade failures through an entire fleet. The ASI taxonomy addresses these amplified risks with ten categories specifically calibrated for autonomous AI systems.

Why a Separate Taxonomy Was Needed

The LLM Top 10 remains valuable for securing the language model layer itself. But agents stack additional capabilities on top of the model — reasoning loops, persistent memory, tool orchestration, multi-agent delegation, and autonomous decision-making. Each capability creates threat vectors that require dedicated analysis. The ASI Top 10 does not replace the LLM Top 10; it extends it into the agentic dimension. Throughout this guide, we map each ASI threat back to its LLM Top 10 ancestor to show how the risk evolves when autonomy enters the equation.

The ASI Top 10 organizes agentic threats into ten categories spanning the full attack surface of autonomous AI systems. Each threat is rated by severity — Critical, High, or Medium — based on potential impact, exploitability, and the scope of downstream consequences. Four threats are rated Critical because they can directly lead to data exfiltration, unauthorized real-world actions, or complete agent compromise.

The interactive explorer below presents all ten threats. Click any card to expand its full details, review attack scenarios in terminal-style breakdowns, and check off mitigations you have already implemented in your environment. Your coverage score updates in real time as you mark mitigations complete.

The ten ASI threats are not isolated risks. They form an interconnected attack graph where one compromised vector amplifies others. Memory poisoning (T1) can feed cascading hallucinations (T5), which can mask misaligned behaviors (T7), which become invisible without adequate traceability (T8). Effective defense requires addressing the full taxonomy as a system, not patching individual threats in isolation.

Understanding why the ASI Top 10 exists requires grasping how fundamentally the attack surface expands when an LLM evolves into an agent. A traditional LLM interaction is stateless and bounded: one prompt goes in, one response comes out, and the model retains nothing between calls. An agentic system, by contrast, operates as a persistent computational loop with memory, tool access, multi-step planning, and the ability to coordinate with other agents.

Each of these capabilities introduces distinct attack surface. The agentic loop — perception, reasoning, memory, action — creates four separate stages where adversarial input can enter, propagate, and compound. The comparison below illustrates this expansion.

How Each Capability Adds Attack Surface

Persistent memory creates the attack surface for T1 (Memory Poisoning) and T5 (Cascading Hallucinations). When an agent remembers prior interactions, poisoned data persists and compounds across sessions rather than evaporating after a single response.

Tool access enables T2 (Tool Misuse) and T3 (Privilege Compromise). An LLM that can only generate text is limited in the damage it can cause. An agent that can execute API calls, modify databases, or send emails translates manipulated reasoning into real-world harm.

Multi-step planning amplifies T6 (Intent Breaking). In a stateless LLM, a prompt injection affects one turn. In an agent with planning capabilities, a single injected instruction can corrupt an entire reasoning chain spanning dozens of steps and tool calls.

Multi-agent coordination creates the attack surface for T5 (Cascading Hallucinations) and T9 (Identity Spoofing). When agents delegate tasks to other agents, errors propagate across the system. Without strong agent-to-agent authentication, a malicious agent can impersonate a trusted coordinator.

Autonomous execution intensifies T4 (Resource Overload) and T10 (Overwhelming HITL). Agents that operate without continuous human oversight can enter infinite loops, exhaust budgets, or generate so many approval requests that human reviewers lose the ability to exercise meaningful oversight.

Defending against the ASI Top 10 requires a layered strategy that maps controls to specific threat categories. The five defense layers below organize mitigations into a coherent architecture, with each layer addressing a cluster of related threats. This structure aligns with the NIST AI Risk Management Framework functions of Map, Measure, Manage, and Govern — ensuring that your defense posture integrates with broader enterprise AI governance.

From Taxonomy to Implementation

The ASI Top 10 is a threat identification framework, not an implementation guide. Translating these ten categories into production controls requires combining ASI threat awareness with the specific mitigations from the CSA MAESTRO taxonomy (which provides 39 granular controls across seven operational layers) and the compliance mapping from the Agent Governance Stack (which bridges NIST AI RMF, ISO 42001, and EU AI Act requirements).

The practical path forward is to use the ASI Top 10 as your threat enumeration layer, CSA MAESTRO as your control implementation layer, and the NIST-ISO-EU governance stack as your compliance and accountability layer. Together, these three frameworks provide end-to-end coverage from threat identification through control deployment to regulatory reporting. For organizations deploying agents in regulated industries, the Behavioral Bill of Materials (BBOM) documents exactly which ASI threats apply to each agent and which controls are in place — creating the audit trail that regulators and enterprise risk committees require.