Kaspersky — OWASP Agentic Top 10 (2026): practical risks + controls for AI agents

• Category: Security

  • New framing: OWASP published a Top 10 for Agentic Applications (2026) — a risk list aimed at systems that plan + act, not just chat.
  • Key shift: In agentic systems, the main failure mode isn’t “a bad answer” — it’s unsafe actions via tools (APIs, code execution, browsers, automation runners).
  • ASI01 (goal hijack): Indirect prompt injection becomes “agent goal hijack” when it bends the multi-step plan rather than a single response.
  • ASI02 (tool misuse): Even legitimate tools become dangerous if an agent can be nudged into harmful parameters, high-cost loops, or stealthy exfil flows.
  • ASI03 (identity/privilege abuse): Agents tend to reuse tokens, inherit creator permissions, or operate under shared identities — making “who approved this?” fuzzy.
  • ASI04 (agentic supply chain): Dynamic tool selection and package installs add new supply-chain angles (typosquatting / “slopsquatting”).
  • ASI05 (unexpected code exec / RCE): If an agent can run code, a prompt can become an execution pathway — and once a sandbox escape occurs, monitoring often loses visibility.
  • ASI06 (memory/context poisoning): Persistent agent memory and RAG stores can be poisoned to create long-lived behavioral backdoors, not just one-off misbehavior.
  • ASI08 (cascading failures): The “blast radius” grows when multiple agents hand off tasks quickly; one compromised step can propagate.

Why it matters

  • Agent security is operational security: You need controls at runtime (what the agent is doing now), not only at prompt time.
  • Classic principles still win: Least privilege, short-lived creds, approvals, and immutable logs matter more when the actor is fast and non-deterministic.
  • Defenders need new telemetry: “Tool invocation logs” and “plan/intent logs” become as important as web logs or endpoint logs.

What to do

  1. Inventory agent capabilities: List every tool/API the agent can touch and explicitly define what “safe” parameters look like.
  2. Enforce least privilege + least autonomy: Prefer read-only access; keep destructive actions behind explicit approvals.
  3. Use short-lived, scoped credentials: Treat long-lived API keys inside agents as an incident waiting to happen.
  4. Gate tool use: Add deterministic policy checks before executing tool calls (allowlists, cost limits, URL/network egress rules, private-IP blocking).
  5. Harden memory/RAG: Separate trusted vs untrusted sources, add attribution, and treat “saved memory” as a data store that needs security review and change control.
  6. Log for forensics: Capture prompts, tool calls, parameters, and outcomes to support post-incident reconstruction.
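The six steps above describe one pre-execution control path: a capability inventory, a tool allowlist, parameter validation, cost limits, egress rules with private-IP blocking, an approval hold for destructive actions, and an append-only audit trail. The following Python is an added example (not code from the Kaspersky article or from OWASP) showing how that gate can be implemented deterministically in front of an agent's tool dispatcher. The tool names, parameter sets, domains, budget and the sample calls in `demo()` are all constructed for illustration.

```python
"""Deterministic policy gate for agent tool calls (added example, constructed policy)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Any
from urllib.parse import urlparse

# Constructed inventory: only tools listed here may ever be invoked, and only
# with the parameters named here (step 1: define what "safe" looks like).
TOOL_POLICY: dict[str, dict[str, Any]] = {
    "http_get": {"params": {"url"}, "cost": 1, "destructive": False},
    "search_docs": {"params": {"query", "limit"}, "cost": 1, "destructive": False},
    "delete_record": {"params": {"record_id"}, "cost": 5, "destructive": True},
}
ALLOWED_EGRESS_DOMAINS = ("example.com", "api.example.com")  # constructed allowlist
MAX_COST_PER_RUN = 10  # constructed per-run budget to stop high-cost loops


@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_approval: bool = False


@dataclass
class RunState:
    """Per-run cost accounting plus an append-only audit trail (step 6)."""
    spent: int = 0
    audit: list[dict[str, Any]] = field(default_factory=list)


def url_is_safe_egress(url: str) -> tuple[bool, str]:
    """Allow only https to an allowlisted domain; reject raw IP literals and any
    private / loopback / link-local address (step 4: egress rules + private-IP block).
    Caveat: this checks the literal host only. A production gate should also
    resolve the name and re-check the resulting IP to defeat DNS rebinding."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
            return False, f"non-public address {host} blocked"
        return False, "raw IP literals not allowed; use an allowlisted domain"
    if not any(host == d or host.endswith("." + d) for d in ALLOWED_EGRESS_DOMAINS):
        return False, f"domain {host!r} not in egress allowlist"
    return True, "ok"


def _evaluate(name: str, params: dict[str, Any], state: RunState) -> Decision:
    policy = TOOL_POLICY.get(name)
    if policy is None:
        return Decision(False, f"tool {name!r} not on allowlist")
    unknown = set(params) - policy["params"]
    if unknown:
        return Decision(False, f"unexpected parameters {sorted(unknown)}")
    if state.spent + policy["cost"] > MAX_COST_PER_RUN:
        return Decision(False, "per-run cost budget exhausted")
    if "url" in params:
        ok, why = url_is_safe_egress(str(params["url"]))
        if not ok:
            return Decision(False, why)
    state.spent += policy["cost"]
    if policy["destructive"]:
        # Destructive actions are never auto-executed: the caller must route
        # this decision to a human approval step before the tool runs (step 2).
        return Decision(True, "destructive tool: hold for explicit approval", needs_approval=True)
    return Decision(True, "ok")


def evaluate_tool_call(name: str, params: dict[str, Any], state: RunState) -> Decision:
    """Run the deterministic checks *before* execution and record the outcome so a
    post-incident review can reconstruct what was requested, what ran, and why."""
    decision = _evaluate(name, params, state)
    state.audit.append({"tool": name, "params": params, "allowed": decision.allowed,
                        "needs_approval": decision.needs_approval, "reason": decision.reason})
    return decision


def demo() -> list[dict[str, Any]]:
    """Push constructed tool calls through the gate and return the audit trail."""
    state = RunState()
    calls = [
        ("http_get", {"url": "https://api.example.com/v1/items"}),          # allowed
        ("http_get", {"url": "https://169.254.169.254/latest/meta-data/"}),  # link-local blocked
        ("http_get", {"url": "https://10.0.0.5/admin"}),                     # private IP blocked
        ("shell_exec", {"cmd": "ls"}),                                       # not on allowlist
        ("search_docs", {"query": "refund policy", "limit": 5, "debug": True}),  # bad parameter
        ("delete_record", {"record_id": "rec_123"}),                         # held for approval
    ]
    for name, params in calls:
        evaluate_tool_call(name, params, state)
    for _ in range(5):  # a runaway loop: the fifth call exceeds the budget
        evaluate_tool_call("http_get", {"url": "https://example.com/page"}, state)
    return state.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The gate is intentionally free of any model call: every rule is a plain comparison, so a hijacked plan cannot argue its way past it, and the same checks can be replayed against the audit trail during an investigation. Wiring `evaluate_tool_call` in front of the real dispatcher, and routing `needs_approval` decisions to a human, is the integration point.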

Sources