February 13, 2026

Agentic AI governance: OWASP Top 10 risks and what your team needs now

Your AI Agents Have an Attack Surface. Here's How to Govern It


Agentic AI security is the practice of governing autonomous AI agents that plan, decide, and execute multi-step tasks using tools, memory, and credentials. The top risks, per the OWASP Top 10 for Agentic Applications (December 2025), are goal hijacking, privilege abuse, and memory poisoning. Standard application security and LLM controls do not cover them.

AI agents are the hottest thing in enterprise tech right now. Every major vendor is shipping agentic capabilities. Every consulting deck features autonomous systems that book meetings, write code, manage workflows, and make decisions. The pitch is compelling: delegate complex tasks to AI, scale operations without scaling headcount, move faster than competitors stuck doing things manually.

The question almost no one is answering: how exactly are organisations securing these systems, and what happens when an agent gets compromised?

In December 2025, OWASP published the Top 10 for Agentic Applications, the first security framework dedicated specifically to autonomous AI systems. Agents introduce an attack surface that traditional security frameworks do not adequately address. The risks are not theoretical. They are already showing up in production.

What is agentic AI?

Agentic AI is the class of AI systems that can plan, decide, and execute multi-step tasks with some autonomy, using tools, accessing data, and calling APIs to achieve goals. The difference between an agent and a chatbot is operational authority. A chatbot answers your question. An agent goes and does the thing.

Three properties distinguish an agent from the LLM-powered applications that preceded it:

  • Autonomy. Agents decide what to do next without a human in the loop for every step.
  • Tool use. Agents call APIs, execute code, query databases, send emails, and interact with other systems. They act in the world.
  • Persistence. Agents maintain memory and context across sessions. They accumulate state.

Enterprises are adopting agentic AI because it scales. A single agent can run customer support tickets, reconcile invoices, triage alerts, or generate code at machine speed across a queue that previously required a team. The commercial case is obvious. The governance case is where most organisations are behind.

Why agentic AI security is different from LLM security

A chatbot answers questions. An agent executes tasks. That distinction changes the entire threat model.

When you give an AI system the ability to call APIs, access databases, send emails, and execute code, you have created something with real operational authority. A compromised chatbot might hallucinate incorrect answers. A compromised agent can exfiltrate data, manipulate records, or sabotage infrastructure, and it can do all of this at machine speed with legitimate credentials.

OWASP's LLM Top 10 covered prompt injection and data leakage at the model boundary. The Agentic Top 10 covers what happens when that model is wired into your production systems with tools and memory. You need both frameworks. One does not replace the other.

The OWASP Top 10 for Agentic Applications: three risks that matter most

The OWASP framework identifies ten risk categories. Three of them dominate the incident data so far.

Figure: governance challenges for agentic AI, mapped to the OWASP Top 10 for Agentic Applications

Agent goal hijack (ASI01)

Unlike traditional software where attackers need to modify code, agents can be redirected through natural language. If your agent processes external content like emails, documents, web pages, or calendar invites, that content can contain hidden instructions that reprogram the agent's objectives entirely. A customer service agent with email access becomes a phishing engine. A code assistant with repository access becomes a supply chain weapon.

This is not speculative. In July 2025, attackers compromised Amazon Q's VS Code extension and injected destructive prompt instructions. Nearly a million developers had the extension installed. The injected code instructed the agent to "clean a system to near-factory state" and delete file-system and cloud resources. Combined with flags that disabled confirmation prompts, the agent would have executed these commands silently. The attack surface was not the code. It was the text the agent read.

Identity and privilege abuse (ASI03)

Agents inherit permissions. When you deploy an agent with access to production databases, customer records, or financial systems, that agent's credentials become a target. If an attacker can confuse the agent through goal hijacking or prompt injection, they inherit every privilege that agent possesses.

The compounding effect is what makes this dangerous. ASI01 is frequently the pathway to ASI03: redirect the agent's goals, then leverage its legitimate credentials to cause damage. Traditional identity management was not designed for principals that can be socially engineered through natural language.

Memory and context poisoning (ASI06)

Agents remember. They maintain context across sessions, consult RAG indexes, and accumulate knowledge over time. If attackers can taint these memory stores, the corruption persists long after the initial interaction. Subsequent planning and tool use are then skewed toward the attacker's goals, or actively malicious, with no visible sign of compromise.

In the Gemini memory attack, researchers demonstrated how persistent instructions could be embedded in an agent's context that would influence all subsequent interactions, even across sessions. The agent looked normal. It behaved normally most of the time. But it had been quietly reprogrammed weeks earlier.
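One defensive pattern for the memory-poisoning risk described above, added here as an example that is not code from the article or from Modulos: a per-tenant, per-user memory store that records the provenance of every entry, refuses to persist externally sourced content (email, web, documents, tool output) as an instruction, and HMAC-signs each entry so that silent tampering is detected when memory is read back. The key, source labels and tenant names are constructed.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment would load this from a secrets manager.
MEMORY_KEY = b"constructed-demo-key-do-not-use"

TRUSTED_SOURCES = {"user", "operator"}                      # may author durable instructions
UNTRUSTED_SOURCES = {"email", "web", "document", "tool_output"}  # stored as data only


class MemoryPoisoningError(Exception):
    pass


def _sign(entry: dict) -> str:
    # Canonical JSON so the same entry always produces the same MAC.
    payload = json.dumps(entry, sort_keys=True).encode()
    return hmac.new(MEMORY_KEY, payload, hashlib.sha256).hexdigest()


class AgentMemory:
    def __init__(self):
        self._store = {}  # (tenant, user) -> list of (entry, mac)

    def write(self, tenant, user, source, kind, text):
        if source not in TRUSTED_SOURCES | UNTRUSTED_SOURCES:
            raise ValueError(f"unknown source {source!r}")
        # Content that arrived from outside is something the agent may quote,
        # never an instruction it must follow in later sessions.
        if kind == "instruction" and source not in TRUSTED_SOURCES:
            raise MemoryPoisoningError(f"{source} content cannot author instructions")
        entry = {"tenant": tenant, "user": user, "source": source,
                 "kind": kind, "text": text, "ts": time.time()}
        self._store.setdefault((tenant, user), []).append((entry, _sign(entry)))
        return entry

    def read(self, tenant, user):
        # Each read re-verifies the MAC and the scope, so an entry edited in
        # place or moved between tenants is rejected instead of replayed.
        out = []
        for entry, mac in self._store.get((tenant, user), []):
            if not hmac.compare_digest(mac, _sign(entry)):
                raise MemoryPoisoningError("memory entry failed integrity check")
            if entry["tenant"] != tenant or entry["user"] != user:
                raise MemoryPoisoningError("memory entry outside caller's scope")
            out.append(entry)
        return out
```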

Why agentic AI governance is trailing deployment

Organisations are deploying agents into production without governance infrastructure that matches the risk profile.

The flashy agentic demos get all the attention, but the bread-and-butter work of securing these systems is where the real risk accumulates. The same enterprise that would never ship a customer-facing application without a security review is deploying autonomous agents that can execute code, access sensitive data, and make decisions. No formal risk assessment. No mapped controls. No documented mitigations. No monitoring for anomalous behaviour.

Part of the problem is that security and compliance teams do not have a shared language for agentic risks. OWASP's Top 10 provides that language. But a risk taxonomy is only useful if it is operationalised: mapped to controls, linked to evidence, and integrated into the governance workflows that enterprises already use.

How agentic AI security maps to ISO 42001 and the EU AI Act

Agentic systems do not escape existing AI governance obligations. They concentrate them.

Under the EU AI Act, an agent deployed in a high-risk use case (credit scoring, hiring, critical infrastructure, law enforcement) inherits the full Article 9 through 17 stack: risk management, data governance, logging, human oversight, accuracy, robustness, cybersecurity. Tool use and memory are in scope. The Act does not carve out agents as a special category. Whatever the agent can do, you are accountable for.

Under ISO/IEC 42001, agentic systems fall inside the AI management system and must be assessed through the same impact assessment, control-selection, and monitoring loop as any other AI system. Agent-specific controls (tool permissioning, memory integrity, human oversight on destructive actions) map cleanly onto Annex A controls around AI system operation, data management, and information for interested parties.

The practical consequence: if you already have an ISO 42001 programme or an EU AI Act high-risk pipeline, you extend it. You do not start over.

Operationalising OWASP for agentic AI

At Modulos, we operationalised exactly this. The OWASP Top 10 for Agentic Applications is now available as a framework in our platform, joining our existing support for OWASP's LLM Top 10. Each risk category maps to specific controls. Each control links to testable requirements. Evidence collection and continuous monitoring are built into the governance graph. For organisations already governing AI systems under the EU AI Act or ISO 42001, shared controls mean you are not duplicating work across frameworks.

Modulos helped Xayn become the first German company to achieve ISO/IEC 42001 certification, completing the process in four weeks through SGS. The platform is purpose-built to map frameworks like OWASP onto the same governance graph as ISO 42001, the EU AI Act, and the NIST AI RMF, so shared controls produce shared evidence. We are a member of the US AI Safety Institute Consortium at the Center for AI Standards and Innovation (CAISI, formerly NIST AISI) and contributed to the drafting of the EU AI Act code of practice for general-purpose AI.

Frequently asked questions

What is agentic AI security?

Agentic AI security is the discipline of protecting autonomous AI agents, and the systems they act on, from misuse, compromise, and cascading failure. It extends traditional application security and LLM security to cover tool use, persistent memory, inherited credentials, and multi-step autonomous decision-making.

How is agentic AI security different from LLM security?

LLM security focuses on the model boundary: prompt injection, jailbreaks, data leakage, harmful output. Agentic AI security covers what happens after the model decides to act: tool invocation, API calls, code execution, memory writes, and credential use across sessions. An agent with a perfectly secure LLM can still be catastrophically compromised through goal hijacking or memory poisoning.

What are the top risks in the OWASP Top 10 for Agentic Applications?

OWASP identifies ten categories. The three that dominate real-world incidents are agent goal hijack (ASI01), identity and privilege abuse (ASI03), and memory and context poisoning (ASI06). The Amazon Q VS Code extension compromise and the Gemini memory attack are public examples of the first and third.

How do you secure agentic AI?

Treat the agent as a privileged actor, not a feature. Minimise tool permissions, sandbox destructive actions behind human approval, validate all external content that enters the agent's context, monitor tool-call patterns for anomalies, isolate memory stores per user and per tenant, and log every tool invocation with the prompt that produced it. Map each mitigation to a named OWASP risk and to your ISO 42001 or EU AI Act controls.
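The mitigations listed above as a runnable policy gate, added here as an example and not code from the article or from Modulos: a per-role tool allowlist (least privilege), a human-approval requirement for irreversible tools, a per-window call-rate check that flags a hijacked agent looping on a tool, and an audit record that ties every call to a hash of the prompt that produced it. The role name, tool names and thresholds are constructed.

```python
import hashlib
import time

# Constructed least-privilege policy for one agent role.
POLICY = {
    "support-agent": {
        "allowed_tools": {"read_ticket", "reply_ticket", "issue_refund"},
        "needs_approval": {"issue_refund"},   # irreversible: human in the loop
        "max_calls_per_window": 20,           # anomaly threshold per role
    },
}
WINDOW_SECONDS = 60
NO_ACCESS = {"allowed_tools": set(), "needs_approval": set(), "max_calls_per_window": 0}


class ToolCallDenied(Exception):
    pass


def gate_tool_call(role, tool, args, prompt, log, approved_by=None, now=None):
    """Enforce allowlist, approval and rate checks for one tool call, and append
    an audit record to `log`. Returns "allow" or "pending"; raises on deny."""
    now = time.time() if now is None else now
    policy = POLICY.get(role, NO_ACCESS)   # unknown role gets no tools at all
    # Log a hash, not the prompt itself: the audit trail stays traceable
    # without becoming a second copy of customer data.
    prompt_sha256 = hashlib.sha256(prompt.encode()).hexdigest()
    recent = [r for r in log if r["role"] == role and now - r["ts"] < WINDOW_SECONDS]

    if tool not in policy["allowed_tools"]:
        decision, reason = "deny", "tool not in role allowlist"
    elif len(recent) >= policy["max_calls_per_window"]:
        decision, reason = "deny", "tool-call rate anomaly"   # possible hijack loop
    elif tool in policy["needs_approval"] and not approved_by:
        decision, reason = "pending", "human approval required"
    else:
        decision, reason = "allow", ""

    log.append({"ts": now, "role": role, "tool": tool, "args": args,
                "prompt_sha256": prompt_sha256, "decision": decision,
                "reason": reason, "approved_by": approved_by})
    if decision == "deny":
        raise ToolCallDenied(reason)
    return decision
```

A "pending" result is the cue for the orchestrator to pause the agent and route the call to a human; the same function is called again with `approved_by` set once that approval exists.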

Is agentic AI covered by the EU AI Act?

Yes. The EU AI Act regulates AI systems by use case and risk, not by architecture. An agent deployed in a high-risk use case inherits the full high-risk obligation stack under Articles 9 to 17. Tool use and memory are in scope. General-purpose agentic systems may additionally trigger GPAI obligations under Chapter V.

Does ISO 42001 cover agentic AI?

Yes. ISO/IEC 42001 is architecture-agnostic. Any AI system operated by the organisation falls inside the AI management system and must be risk-assessed, controlled, and monitored. Agent-specific controls extend the existing Annex A mappings; they do not create a parallel programme.

What is agent goal hijacking?

Agent goal hijacking is an attack in which adversarial content in the agent's input (an email, a web page, a document, a calendar invite) contains instructions that redirect the agent's objective. The agent then uses its legitimate credentials to act on the attacker's behalf. It is the agentic equivalent of social engineering, except the target is a system that executes commands.

Looking forward

Will enterprises take agentic AI security seriously before the first major incident dominates headlines? I do not know. The organisations building governance infrastructure now will have a significant advantage when the audit requests start arriving. The ones waiting for something to go wrong will be scrambling to reconstruct evidence after the fact.

The agents are already in production. The question is whether the governance will catch up before the next vulnerability does.

For the broader framing, see our guide to AI governance or learn more about the Modulos AI governance platform.
