The Agentic AI Threat Landscape
OWASP, MITRE ATLAS, and CSA MAESTRO: Three Frameworks Mapping the New Attack Surface
Traditional LLM security was built for a request-response world. A user sends a prompt, the model generates text, and a human decides what to do with it. The threat model for that interaction is relatively contained: prompt injection, data leakage, hallucination. Serious problems, but bounded ones.
Agentic AI breaks that model. When an AI system can autonomously plan multi-step tasks, invoke external tools, persist information across sessions, and coordinate with other agents, the attack surface expands from a single input-output boundary to an entire operational architecture. The OWASP Agentic Security Initiative puts it directly: "agentic AI threats are either new or agentic variations of existing threats," with agent memory, tool integration, identity and authorization, and multi-agent coordination as the key new attack surfaces.
Consider the difference. A chatbot that hallucinates produces wrong text. An AI agent that hallucinates might invoke a tool based on fabricated data, write that fabrication to persistent memory, and then propagate it to other agents in the system. The OWASP ASI calls this "destructive reasoning" and flags it as a cascading failure mode unique to agentic architectures.
Three major security frameworks have converged on this problem in 2025: OWASP's Agentic Security Initiative, MITRE ATLAS, and the Cloud Security Alliance's MAESTRO framework. Each approaches the threat landscape from a different angle. Together, they provide the most complete map available of what can go wrong when AI systems gain autonomy. This article walks through all three, maps how they relate, and identifies the threats that matter most for organizations building or deploying agents today.
The OWASP Agentic Security Initiative released its Threats and Mitigations document (v1.0a) in February 2025, building on the OWASP Top 10 for LLM Applications 2025 (published November 2024). It identifies 15 agentic threat categories, organized into threats that are entirely new to agentic AI and those that represent agentic amplifications of existing LLM vulnerabilities.
The framework begins with a reference architecture that maps the components common to agentic systems: one or more LLM models for reasoning, services including built-in functions and external APIs invoked via function calling or tools interfaces, and supporting services such as external storage for long-term memory, vector databases, and RAG data sources. Each component introduces distinct threat surfaces.
The 15 OWASP Agentic Threat Categories
| T-Code | Threat Name | Type | Related LLM Top 10 | Severity |
|---|---|---|---|---|
| T1 | Memory Poisoning | New Agentic | LLM04 (Data Poisoning) | High |
| T2 | Tool Misuse | New Agentic | LLM08 (Excessive Agency) | High |
| T3 | Privilege Compromise | Amplification | LLM08 (Excessive Agency) | High |
| T4 | Resource Overload | Amplification | LLM10 (Unbounded Consumption) | Medium |
| T5 | Cascading Hallucination Attacks | New Agentic | LLM09 (Misinformation) | High |
| T6 | Intent Breaking & Goal Manipulation | New Agentic | LLM01 (Prompt Injection) | High |
| T7 | Misaligned & Deceptive Behaviors | New Agentic | LLM09 (Misinformation) | High |
| T8 | Repudiation & Untraceability | New Agentic | — | Medium |
| T9 | Identity Spoofing & Impersonation | Amplification | — | High |
| T10 | Overwhelming Human-in-the-Loop | New Agentic | — | Medium |
| T11 | Unexpected RCE and Code Attacks | Amplification | LLM05 (Improper Output Handling) | Critical |
| T12 | Agent Communication Poisoning | New Agentic | LLM04 (Data Poisoning) | High |
| T13 | Rogue Agents | New Agentic | LLM08 (Excessive Agency) | High |
| T14 | Human Attacks on Multi-Agent Systems | New Agentic | LLM08 (Excessive Agency) | High |
| T15 | Human Manipulation | New Agentic | LLM09 (Misinformation) | High |
Note: The New Agentic / Amplification categorization is an editorial analysis by Tech Jacks Solutions. OWASP's ASI document does not use this taxonomy.
The pattern is striking. Of the 15 threat categories, 11 are entirely new to agentic AI, with no direct equivalent in traditional LLM security. Only 4 are amplifications of existing LLM Top 10 entries. The multi-agent threats (T12, T13, T14) represent an entirely new class of risk that emerges only when agents communicate and coordinate with each other.
The OWASP ASI also defines 10 agentic patterns that shape how threats manifest: reflective agents, task-oriented agents, hierarchical agents, coordinating agents, distributed agent ecosystems, human-in-the-loop collaboration, self-learning and adaptive agents, RAG-based agents, planning agents, and context-aware agents. Each pattern carries a different attack surface profile. A sequential agent with a single LLM and limited API access faces a fundamentally different threat landscape than a collaborative agent swarm with cross-agent cross-session memory.
For deep analysis of the top-ranked threat, see Prompt Injection in Agentic Systems: Why It's the #1 Threat. For the tool-layer risks, see Tool Misuse, Excessive Agency, and the MCP Compositional Risk.
MITRE ATLAS (Adversarial Threat Landscape for Artificial Intelligence Systems) extends the well-known ATT&CK framework into the AI domain. Where OWASP catalogs vulnerabilities and the MAESTRO framework layers threats architecturally, ATLAS maps adversary tactics, techniques, and procedures (TTPs) specific to machine learning systems.
ATLAS does not yet have agentic-specific sub-techniques beyond prompt injection variants (T0051.000 for direct, T0051.001 for indirect). However, its existing techniques are referenced extensively across both the OWASP ASI and CSA MAESTRO data, providing the adversary behavior taxonomy that connects to the vulnerability catalogs.
ATLAS Techniques Referenced in Agentic Threat Models
| ATLAS ID | Technique Name | Agentic Context |
|---|---|---|
| AML.T0051 | LLM Prompt Injection | Direct (T0051.000) and indirect (T0051.001) injection; in agentic systems, indirect injection via tool outputs and inter-agent messages is the primary vector |
| AML.T0054 | LLM Jailbreak | Bypassing safety constraints in agentic contexts where the agent has tool access, turning a jailbreak into an operational exploit |
| AML.T0043 | Craft Adversarial Data | Referenced across nearly all agentic threats as the meta-technique; adversarial inputs that manipulate agent reasoning and tool selection |
| AML.T0018 | Infer Training Data / Data Poisoning | RAG poisoning, memory poisoning, embedding attacks against the agent's knowledge base |
| AML.T0020 | Poison Training Data | Fine-tuning attacks, sleeper agent implantation; Anthropic's sleeper agent research (arXiv:2401.05566) demonstrated persistence through safety training |
| AML.T0010 | ML Supply Chain Compromise | Framework dependencies (LangChain, AutoGen, CrewAI), MCP server plugins, model registry manipulation |
| AML.T0048 | AI Supply Chain Abuse | Tool misuse, improper output handling, remote code execution through agent tool invocations |
| AML.T0024 | Exfiltration via ML Model | Model theft through systematic querying, embedding inversion attacks against agent vector stores |
| AML.T0029 | Denial of ML Service | Resource overload, Denial of Wallet attacks against cloud-hosted agent deployments |
The value of ATLAS for agentic security is its adversary-centric perspective. While OWASP describes what can go wrong and MAESTRO describes where it can go wrong, ATLAS describes how adversaries actually attack. This makes it particularly useful for red teaming exercises and threat modeling sessions where the goal is to think like an attacker. The technique AML.T0043 (Craft Adversarial Data) appears as a reference across nearly every agentic threat category, underscoring that adversarial data manipulation is the foundational attack primitive against agent systems.
The Cloud Security Alliance's MAESTRO framework (Multi-Agent Environment Security Threat and Risk Operations) takes a fundamentally different approach from OWASP's vulnerability catalog. MAESTRO organizes threats into seven architectural layers, each representing a distinct stratum of the agentic AI stack. This layered model extends traditional threat modeling approaches like STRIDE with AI-specific concerns at every level.
The architectural approach makes MAESTRO particularly useful for enterprise security teams who need to assign threat ownership. Each layer maps to specific teams, tools, and controls. A foundation model threat (L1) is the responsibility of the ML engineering team. A deployment threat (L5) falls to platform engineering and DevSecOps, the same teams that evaluate the cloud agent platforms on which these agents run in production. A governance threat (L7) belongs to the compliance and legal functions.
The Seven MAESTRO Layers
The CSA also published its Agentic AI Red Teaming Guide (August 2025), which complements the MAESTRO framework with 12 practical vulnerability categories and actionable test procedures. The 12 red teaming categories are:
- Agent authorization and control hijacking
- Checker-out-of-the-loop validation
- Agent critical system interaction
- Goal and instruction manipulation
- Hallucination exploitation
- Impact chain and blast radius assessment
- Knowledge base poisoning
- Memory and context manipulation
- Orchestration and multi-agent exploitation
- Resource and service exhaustion
- Supply chain and dependency attacks
- Agent untraceability testing
Where MAESTRO tells you what to worry about, the Red Teaming Guide tells you how to test for it. Together, they provide a complete threat-to-test pipeline for enterprise security programs.
The three frameworks are not competitors. They are complementary lenses on the same problem. OWASP provides the vulnerability catalog with actionable mitigations. MITRE ATLAS provides the adversary behavior model with attack technique references. CSA MAESTRO provides the architectural threat map with layer-by-layer ownership assignments. Understanding how they connect is essential for building a comprehensive threat model.
The table below maps the OWASP ASI threat codes to their primary MAESTRO layer, showing how each OWASP vulnerability fits into the 7-layer architecture. CWE references provide the bridge to traditional software vulnerability databases.
OWASP T-Codes to MAESTRO Layers
| OWASP T-Code | Threat | MAESTRO Layer | Key CWE Refs |
|---|---|---|---|
| T1 | Memory Poisoning | L2 Data & Knowledge | CWE-74 |
| T2 | Tool Misuse | L4 Tool & API Integration | CWE-250, CWE-441 |
| T3 | Privilege Compromise | L4/L5 Tool & Deployment | CWE-269 |
| T4 | Resource Overload | L5 Deployment & Infrastructure | CWE-400, CWE-770 |
| T5 | Cascading Hallucinations | L1/L3 Foundation & Architecture | — |
| T6 | Intent Breaking | L1/L3 Foundation & Architecture | CWE-77, CWE-94 |
| T7 | Misaligned Behaviors | L1/L3 Foundation & Architecture | — |
| T8 | Repudiation | L6 Monitoring & Observability | CWE-778, CWE-223 |
| T9 | Identity Spoofing | L5 Deployment & Infrastructure | CWE-287, CWE-290 |
| T10 | Overwhelming HITL | L6 Monitoring & Observability | — |
| T11 | Unexpected RCE | L4 Tool & API Integration | CWE-94 |
| T12 | Communication Poisoning | L3 Agent Architecture | CWE-74 |
| T13 | Rogue Agents | L3 Agent Architecture | CWE-269 |
| T14 | Human Attacks on MAS | L3 Agent Architecture | CWE-250 |
| T15 | Human Manipulation | L7 Governance & Compliance | — |
The mapping reveals clear clustering. Agent Architecture (L3) absorbs the most OWASP threats, including all multi-agent categories. Tool & API Integration (L4) captures the operational risk surface. And Monitoring & Observability (L6) represents a category of threats that traditional LLM frameworks largely ignored: the difficulty of auditing, tracing, and attributing autonomous agent actions.
For organizations building governance programs around agents, this mapping provides the connective tissue between security findings and compliance requirements. A MAESTRO L7 gap maps directly to the regulatory obligations covered in the EU AI Act's requirements for high-risk AI systems (see also the EU AI Act Hub for comprehensive compliance guidance). Organizations applying the NIST AI Risk Management Framework will find that MAESTRO layers map cleanly to the MAP and MEASURE functions, while the AI Governance Hub provides broader context on operationalizing these frameworks at enterprise scale.
Across all three frameworks, the severity distribution of threats to agentic systems skews heavily toward high and critical. This is not an artifact of classification inflation. It reflects the reality that autonomous systems with tool access and persistent memory create fundamentally higher-stakes failure modes than passive text generation.
MAESTRO Severity Distribution (39 Threats)
The OWASP severity rankings converge on the same conclusion. Three threats earn the Critical designation: Prompt Injection (LLM01), Excessive Agency (LLM08), and Unexpected RCE (T11). Prompt injection is rated critical because in agentic systems, a successful injection does not just produce wrong text. It can hijack the agent's planning loop, causing it to execute unauthorized tool calls, exfiltrate data through legitimate channels, or propagate malicious instructions to downstream agents.
Excessive Agency (LLM08) is the defining agentic threat. The OWASP ASI describes it as the convergence of excessive functionality, excessive permissions, and excessive autonomy. When an agent has more tools than it needs, broader permissions than its task requires, and less human oversight than the risk warrants, every other threat becomes amplified.
Agent-Specific Attack Vectors
These threats are not theoretical. The OWASP and CSA source documents reference documented incidents and peer-reviewed research demonstrations that validate the threat categories.
Documented Incidents
Research Demonstrations
The pattern across these incidents is consistent: the autonomous, multi-step nature of agentic systems transforms what would be a contained vulnerability in a traditional LLM application into a cascading failure. The Slack AI exfiltration, for example, exploited the same indirect prompt injection mechanism that exists in any RAG system. But the agent's ability to take action on the injected instructions, retrieving private data and surfacing it through legitimate channels, is what turned a vulnerability into an incident.
Each framework provides defense guidance aligned with its perspective. The OWASP ASI offers structured mitigations for each T-code, the OWASP Securing Agentic Applications Guide provides lifecycle-based security guidance, and the CSA Red Teaming Guide prescribes test-driven validation across its vulnerability categories. Here is a summary of the cross-cutting defenses that appear across all three.
Memory and Data Integrity
For memory poisoning (T1) and data-layer threats (MAESTRO L2), the OWASP ASI prescribes memory content validation, session isolation, robust authentication for memory access, anomaly detection systems, and regular memory sanitization. AI-generated memory snapshots enable forensic analysis and rollback when contamination is detected.
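A minimal implementation of these memory controls, added here as an illustration rather than code from the OWASP or CSA documents: a session-isolated store whose reads and writes are authenticated with a per-session token, whose writes from untrusted sources (tool output, retrieval) are rejected when they look like instructions, and which keeps per-session snapshots so contaminated memory can be rolled back. The class names, the token scheme and the regex rules are constructed; the patterns stand in for whatever content validation a real deployment applies.

```python
import copy
import hmac
import re
from collections import namedtuple

# Constructed rules: content from untrusted sources (tool output, retrieved
# documents) may not carry instruction-like text into long-term memory (T1).
INSTRUCTION_PATTERNS = [
    re.compile(r"\bignore (all|any|previous|prior) instructions\b", re.I),
    re.compile(r"\bfrom now on\b", re.I),
]

# source is "user", "assistant", "tool:<name>" or "retrieval"
MemoryEntry = namedtuple("MemoryEntry", "content source")


class ValidatedMemory:
    """Session-isolated memory: authenticated access, write validation, snapshot/rollback."""

    def __init__(self, session_tokens: dict) -> None:
        self._tokens = session_tokens   # session_id -> access token (assumed issued by the orchestrator)
        self._store = {}                # session_id -> [MemoryEntry]
        self._snapshots = {}            # session_id -> stack of earlier copies
        self.rejected = []              # (session_id, reason, content) for anomaly review

    def _authorize(self, session_id: str, token: str) -> None:
        # Every read and write must present the token issued for that session.
        expected = self._tokens.get(session_id)
        if expected is None or not hmac.compare_digest(expected, token):
            raise PermissionError(f"access denied to session {session_id!r}")

    def validate(self, entry: MemoryEntry) -> "str | None":
        if entry.source.startswith(("tool:", "retrieval")):
            if any(p.search(entry.content) for p in INSTRUCTION_PATTERNS):
                return "instruction-like text from untrusted source"
        return None

    def write(self, session_id: str, token: str, entry: MemoryEntry) -> bool:
        self._authorize(session_id, token)
        reason = self.validate(entry)
        if reason:
            self.rejected.append((session_id, reason, entry.content))
            return False
        self._store.setdefault(session_id, []).append(entry)
        return True

    def read(self, session_id: str, token: str) -> list:
        self._authorize(session_id, token)
        return list(self._store.get(session_id, []))   # never another session's entries

    def snapshot(self, session_id: str, token: str) -> None:
        self._authorize(session_id, token)
        self._snapshots.setdefault(session_id, []).append(copy.deepcopy(self._store.get(session_id, [])))

    def rollback(self, session_id: str, token: str) -> bool:
        self._authorize(session_id, token)
        snaps = self._snapshots.get(session_id)
        if not snaps:
            return False
        self._store[session_id] = snaps.pop()
        return True
```

Rejected writes are kept in `rejected` so the anomaly-detection side can review what tried to enter memory, and a snapshot taken before each untrusted ingestion step gives rollback a known-good state to return to.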
Tool Access and Privilege Controls
For tool misuse (T2) and privilege compromise (T3), defenses center on strict tool access verification, tool usage pattern monitoring, agent instruction validation with clear operational boundaries, and execution logs tracking all tool calls for anomaly detection. The CSA Red Teaming Guide adds just-in-time permissions, task-specific access, automatic revocation post-task, and network allow-lists. These controls are explored in detail in Tool Misuse, Excessive Agency, and the MCP Compositional Risk.
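The tool-layer controls above, as an added Python illustration (not code from the OWASP or CSA guides): a gatekeeper that issues just-in-time, time-bounded, task-scoped grants, revokes them when the task ends, enforces a network allow-list on an `http_get` tool, logs every attempted call, and derives a simple anomaly signal from that log. The tool names, the tool registry, the allow-list and the grant TTL are assumptions; the injectable clock exists so the expiry path can be tested.

```python
import time
from urllib.parse import urlparse


class TaskGrant:
    """Just-in-time permission: exactly the tools a task needs, for a bounded time."""

    def __init__(self, tools, ttl_s: float, now):
        self.tools = frozenset(tools)
        self.expires_at = now() + ttl_s
        self.active = True
        self._now = now

    def allows(self, tool: str) -> bool:
        return self.active and tool in self.tools and self._now() < self.expires_at


class ToolGatekeeper:
    """Mediates every tool call: grant check, per-tool argument policy, execution log."""

    def __init__(self, tools: dict, allowed_hosts, now=time.time):
        self._tools = tools                      # tool name -> callable (assumed registry)
        self.allowed_hosts = frozenset(allowed_hosts)
        self._now = now                          # injectable clock for testing
        self._grants = {}                        # task_id -> TaskGrant
        self.log = []                            # one record per attempted call

    def grant(self, task_id: str, tools, ttl_s: float = 300) -> None:
        self._grants[task_id] = TaskGrant(tools, ttl_s, self._now)

    def revoke(self, task_id: str) -> None:   # automatic revocation post-task
        grant = self._grants.pop(task_id, None)
        if grant is not None:
            grant.active = False

    def _policy_violation(self, tool: str, args: dict) -> "str | None":
        # Network allow-list: the assumed http_get tool may only reach approved hosts.
        if tool == "http_get":
            host = urlparse(args.get("url", "")).hostname or ""
            if host not in self.allowed_hosts:
                return f"host {host!r} not on allow-list"
        return None

    def invoke(self, task_id: str, agent_id: str, tool: str, args: dict):
        grant = self._grants.get(task_id)
        if grant is None or not grant.allows(tool):
            reason = "no active grant for tool"
        else:
            reason = self._policy_violation(tool, args)
        self.log.append({"ts": self._now(), "task": task_id, "agent": agent_id,
                         "tool": tool, "args": args, "denied": reason})
        if reason:
            raise PermissionError(f"{tool}: {reason}")
        return self._tools[tool](**args)

    def suspicious_tasks(self, max_denials: int = 3) -> set:
        # Usage-pattern monitoring over the log: a task that keeps hitting the gate
        # is a candidate for review (tool misuse, intent breaking).
        denials = {}
        for rec in self.log:
            if rec["denied"]:
                denials[rec["task"]] = denials.get(rec["task"], 0) + 1
        return {task for task, n in denials.items() if n >= max_denials}
```

Denied calls are logged alongside allowed ones, so the same record serves both the audit trail (T8) and the anomaly check; a real deployment would ship `log` to its SIEM rather than keep it in memory.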
Architecture-Specific Hardening
The OWASP Securing Agentic Applications Guide (July 2025) maps different attack surface profiles to architecture patterns. A sequential agent with a single LLM, simple workflow, and limited API access has a different threat profile than a hierarchical agent with an orchestrator and specialized sub-agents, or a collaborative agent swarm with peer agents and cross-agent cross-session memory. Each architecture requires different controls. The guide provides component-level attack surface analysis mapped to the T-codes:
- LLMs (KC1): Cascading hallucinations, intent breaking, misaligned behaviors, human manipulation
- Orchestration (KC2): Intent breaking, repudiation, identity spoofing, overwhelming HITL, communication poisoning, rogue agents, human attacks on MAS
- Reasoning/Planning (KC3): Cascading hallucinations, intent breaking, misaligned behaviors, repudiation, human manipulation
- Memory (KC4): Memory poisoning, privilege compromise, cascading hallucinations, intent breaking, repudiation, communication poisoning
- Tool Integration (KC5): Tool misuse, privilege compromise, intent breaking, misaligned behaviors, repudiation, unexpected RCE
- Operational Environment (KC6): Tool misuse, privilege compromise, resource overload, overwhelming HITL, unexpected RCE, communication poisoning, rogue agents, human manipulation
Runtime Hardening
The Securing Agentic Applications Guide also provides runtime-specific guidance: harden the VM base level, contain the agentic runtime through sandboxing, secure agent memory, tools, and context, implement observability and forensics, and apply cloud-specific hardening. For organizations deploying agents to production, these runtime controls represent the operational security baseline.
Defense strategy details for specific threat categories are covered in the companion Secure pillar articles: Prompt Injection in Agentic Systems covers the highest-priority injection defenses, and Tool Misuse and Excessive Agency covers tool-layer controls and the emerging MCP compositional risk pattern.
- Agentic AI creates fundamentally new threats. Of the 15 OWASP ASI categories, 11 are entirely new to agentic systems, with no direct equivalent in traditional LLM security.
- Three frameworks, three perspectives. OWASP provides the vulnerability catalog and mitigations. MITRE ATLAS provides the adversary behavior model. CSA MAESTRO provides the architectural threat map with layer-by-layer ownership.
- MAESTRO identifies 39 threats across 7 architectural layers. Of these, 10 are rated critical and 19 are rated high. The severity distribution reflects the operational stakes of autonomous systems with tool access.
- Prompt injection and excessive agency are the top-ranked threats. Both are rated critical by OWASP, and they interact: an agent with excessive permissions is exponentially more dangerous when compromised by injection.
- Multi-agent coordination is a new attack surface category. Communication poisoning, rogue agents, and human attacks on multi-agent systems have no precedent in single-model LLM security.
- Defenses must be architecture-specific. A sequential agent, a hierarchical agent, and a collaborative swarm each require different control sets mapped to their distinct attack surface profiles.
- [1] OWASP Agentic AI Threats and Mitigations v1.0a, OWASP Agentic Security Initiative, February 2025. 48 pages. T-codes T1-T15, reference architecture, mitigations.
- [2] OWASP Top 10 for LLM Applications v2025, OWASP, November 2024. LLM01-LLM10 with agent-specific context.
- [3] OWASP Securing Agentic Applications Guide v1.0, OWASP, July 2025. 81 pages. KC1-KC6 taxonomy, architecture patterns, runtime hardening.
- [4] CSA MAESTRO: Multi-Agent Environment Security Threat and Risk Operations Framework, Cloud Security Alliance, 2025. 7-layer threat taxonomy, 39 threats.
- [5] CSA Agentic AI Red Teaming Guide, Cloud Security Alliance, August 2025. 12 vulnerability categories with actionable test procedures.
- [6] MITRE ATLAS: Adversarial Threat Landscape for Artificial Intelligence Systems, MITRE Corporation. Techniques AML.T0010, T0018, T0020, T0024, T0029, T0043, T0048, T0051, T0054.