OWASP Top 10 for Agentic AI: The Governance Gap
Your AI Agents Have an Attack Surface. Here's How to Govern It

AI agents are the hottest thing in enterprise tech right now. Every major vendor is shipping agentic capabilities. Every consulting deck features autonomous systems that book meetings, write code, manage workflows, and make decisions. The pitch is compelling: delegate complex tasks to AI, scale operations without scaling headcount, move faster than competitors stuck doing things manually.
But how exactly are organisations securing these systems? What happens when an agent gets compromised?
In December 2025, OWASP published the Top 10 for Agentic Applications, the first security framework dedicated specifically to autonomous AI systems. It turns out that agents introduce an attack surface that traditional security frameworks don't adequately address. The risks aren't theoretical. They're already showing up in production.
The distinction that changes everything
A chatbot answers questions. An agent executes tasks. That distinction matters enormously for security.
When you give an AI system the ability to call APIs, access databases, send emails, and execute code, you've created something with real operational authority. A compromised chatbot might hallucinate incorrect answers. A compromised agent can exfiltrate data, manipulate records, or sabotage infrastructure, and it can do all of this at machine speed with legitimate credentials.
The OWASP framework identifies ten risk categories. Three of them keep us up at night.
Agent Goal Hijack (ASI01). Unlike traditional software where attackers need to modify code, agents can be redirected through natural language. If your agent processes external content like emails, documents, web pages, or calendar invites, that content can contain hidden instructions that reprogram the agent's objectives entirely. A customer service agent with email access becomes a phishing engine. A code assistant with repository access becomes a supply chain weapon.
This isn't speculative. In July 2025, attackers compromised Amazon Q's VS Code extension and injected destructive prompt instructions. Nearly a million developers had the extension installed. The injected code instructed the agent to "clean a system to near-factory state" and delete file-system and cloud resources. Combined with flags that disabled confirmation prompts, the agent would have executed these commands silently. The attack surface wasn't the code. It was the text the agent read.
Identity and Privilege Abuse (ASI03). Agents inherit permissions. When you deploy an agent with access to production databases, customer records, or financial systems, that agent's credentials become a target. If an attacker can confuse the agent through goal hijacking or prompt injection, they inherit every privilege that agent possesses.
The compounding effect is what makes this dangerous. ASI01 is frequently the pathway to ASI03: redirect the agent's goals, then leverage its legitimate credentials to cause damage. Traditional identity management wasn't designed for principals that can be socially engineered through natural language.
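One way to break the ASI01 to ASI03 chain described above is a deny-by-default policy gate between the agent and its tools. The following is an added example, not code from OWASP or the Modulos platform; the tool names, the provenance labels and the `evaluate`/`demo` functions are hypothetical, and the calls in `demo` are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Tools whose effects cannot be undone; constructed list for this example.
DESTRUCTIVE = {"delete_files", "delete_cloud_resources", "send_email"}


@dataclass
class ToolCall:
    name: str
    args: dict
    provenance: str                   # "operator", "user" or "external_content"
    skip_confirmation: bool = False   # flag the model can set; must be ignored


@dataclass
class TaskScope:
    allowed_tools: set[str]                                  # least privilege for this task
    human_confirmed: set[str] = field(default_factory=set)   # set out of band, never by the model


def evaluate(call: ToolCall, scope: TaskScope) -> tuple[bool, str]:
    """Deny-by-default policy gate in front of the agent's tool dispatcher."""
    # ASI03: the task scope, not the agent's standing credentials, bounds what may run.
    if call.name not in scope.allowed_tools:
        return False, f"{call.name} is outside the task scope"
    if call.name in DESTRUCTIVE:
        # ASI01: text the agent read from email, documents, web pages or a
        # repository is data, never authority, so it cannot trigger destruction.
        if call.provenance == "external_content":
            return False, "destructive call originated from external content"
        # Confirmation is an operator-side fact. call.skip_confirmation is
        # model-controlled and deliberately ignored: honouring such a flag is
        # what would have let the Amazon Q payload run silently.
        if call.name not in scope.human_confirmed:
            return False, "destructive call lacks human confirmation"
    return True, "ok"


def demo() -> list[tuple[str, bool, str]]:
    """Constructed calls: a hijacked instruction tries to wipe the host."""
    scope = TaskScope(allowed_tools={"read_repo", "delete_files"})
    calls = [
        ToolCall("read_repo", {"path": "."}, "external_content"),
        ToolCall("delete_files", {"path": "/"}, "external_content", skip_confirmation=True),
        ToolCall("delete_files", {"path": "/tmp/build"}, "user", skip_confirmation=True),
    ]
    return [(c.name, *evaluate(c, scope)) for c in calls]
```

The gate logs the reason for every denial, which is the evidence trail an auditor later asks for.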
Memory and Context Poisoning (ASI06). Agents remember. They maintain context across sessions, consult RAG indexes, and accumulate knowledge over time. If attackers can taint these memory stores, the corruption persists long after the initial interaction. Future planning and tool use are then biased or actively malicious without any visible sign of compromise.
In the Gemini memory attack, researchers demonstrated how persistent instructions could be embedded in an agent's context that would influence all subsequent interactions, even across sessions. The agent looked normal. It behaved normally most of the time. But it had been quietly reprogrammed weeks earlier.
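A mitigation for the persistence problem above is to record provenance on every memory write and refuse to persist anything that arrived through a tool result or a retrieved document. The following is an added example, not code from OWASP, Google or the Modulos platform; the channel names, the `AgentMemory` class and the instruction-detection pattern are hypothetical, and the sample entries are constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Only these channels may write long-lived memory; tool output and retrieved
# documents are treated as ephemeral data for the current turn only.
PERSISTABLE_SOURCES = {"operator", "user_turn"}

# Constructed heuristic: phrasing that addresses the agent as an instruction.
# Matches are quarantined for human review, not silently dropped.
INSTRUCTION_LIKE = re.compile(
    r"\b(ignore (all )?(previous|prior) instructions|from now on|you must|"
    r"system prompt)\b",
    re.IGNORECASE,
)


@dataclass
class MemoryEntry:
    text: str
    source: str
    quarantined: bool = False


@dataclass
class AgentMemory:
    entries: list[MemoryEntry] = field(default_factory=list)
    rejected: list[tuple[str, str]] = field(default_factory=list)

    def remember(self, text: str, source: str) -> bool:
        """Persist text if its channel is trusted; return True only if it
        will be visible to future sessions without review."""
        if source not in PERSISTABLE_SOURCES:
            self.rejected.append((text, f"source {source} may not persist"))
            return False
        entry = MemoryEntry(text, source, quarantined=bool(INSTRUCTION_LIKE.search(text)))
        self.entries.append(entry)
        return not entry.quarantined

    def recall(self) -> list[str]:
        """Quarantined entries stay stored for audit but never reach the prompt."""
        return [e.text for e in self.entries if not e.quarantined]
```

The `rejected` list is worth shipping to the same monitoring pipeline as tool-call denials: a burst of instruction-like text arriving via retrieved documents is an early sign that someone is trying to seed the memory store.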
Where governance is trailing
Here's what I find most striking about the current moment: organisations are deploying agents into production without governance infrastructure that matches the risk profile.
The flashy agentic demos get all the attention, but the bread-and-butter work of securing these systems is where the real risk accumulates. The same enterprise that would never ship a customer-facing application without security review is deploying autonomous agents that can execute code, access sensitive data, and make decisions. No formal risk assessment. No mapped controls. No documented mitigations. No monitoring for anomalous behaviour.
Part of the problem is that security and compliance teams don't have a shared language for agentic risks. OWASP's Top 10 provides that language. But a risk taxonomy is only useful if it is operationalised: mapped to controls, linked to evidence, and integrated into the governance workflows that enterprises already use.
At Modulos, we've done exactly that. The OWASP Top 10 for Agentic Applications is now available as a framework in our platform, joining our existing support for OWASP's LLM Top 10. Each risk category maps to specific controls. Each control links to testable requirements. Evidence collection and continuous monitoring are built into the governance graph. For organisations already governing AI systems under the EU AI Act or ISO 42001, shared controls mean you're not duplicating work across frameworks.
Looking forward
Will enterprises take agentic security seriously before the first major incident dominates headlines? I don't know. The organisations building governance infrastructure now will have a significant advantage when the audit requests start arriving. The ones waiting for something to go wrong will be scrambling to reconstruct evidence after the fact.
The agents are already in production. The question is whether the governance will catch up before the next vulnerability does.