Skip to content
AI Learning Playground
LinkedInX
English
English

OWASP Agentic AI Framework

About 10 minutes

Prerequisites: Security Frameworks

In February 2025, OWASP published Agentic AI Threats and Mitigations, a security framework dedicated to AI agents.[1] This page explains the framework’s overview, its 10 threat categories, and concrete mitigations.

Why an Agent-Specific Framework Is Needed

Section titled “Why an Agent-Specific Framework Is Needed”

OWASP LLM Top 10 covers a broad range of LLM applications including chatbots, RAG, and code generation.[2] AI agents, on the other hand, possess unique capabilities:[1]

  • Autonomous tool execution: File operations, web search, code execution, email sending, and more
  • Persistent memory: Retaining and referencing information across sessions
  • Multi-agent orchestration: Delegating to or receiving instructions from other agents
  • Multi-step planning: Autonomously executing tasks that span multiple steps

These capabilities create new attack surfaces that chatbots do not have. The OWASP Agentic AI framework is a guideline specifically focused on these differences.[1]

AspectOWASP LLM Top 10OWASP Agentic AI
ScopeLLM applications in generalAI agents and multi-agent systems
Key threatsPrompt injection, data leakage, overtrustMemory manipulation, tool abuse, agent impersonation
AutonomyPrimarily response generationAutonomous tool execution and multi-step planning
RelationshipFoundation of common risksAdditional layer for agent-specific risks

10 Threat Categories

Section titled “10 Threat Categories”

OWASP Agentic AI defines 10 threat categories (AT01-AT10).[1]

AT01: Memory Poisoning

Section titled “AT01: Memory Poisoning”

An attack that injects malicious data into an agent’s persistent memory or external memory stores (vector DB, persistent store, conversation history) to cause incorrect behavior in subsequent task execution.

  • Example: Inject data into a RAG vector DB that says “execute admin command,” causing future queries to retrieve malicious instructions
  • Severity: Once poisoned, the effects persist for a long time and are difficult to trace

AT02: Tool Abuse

Section titled “AT02: Tool Abuse”

An attack that causes an agent to use its granted tools, APIs, or function calls for purposes other than their intended use. Often triggered by indirect prompt injection.

  • Example: An agent performing a summarization task is tricked by instructions in a malicious document into sending confidential files to an external destination
  • Impact: Irreversible operations such as deletion, sending, or payment are executed

AT03: Agent Impersonation

Section titled “AT03: Agent Impersonation”

In a multi-agent configuration, a rogue agent impersonates a legitimate agent and sends instructions to cause a target agent to take unintended actions.

  • Example: Sending a request to an orchestrator agent claiming to be from a “higher-level agent” to request privilege escalation
  • Root cause: Lack of authentication and verification between agents

AT04: Agentic Prompt Injection

Section titled “AT04: Agentic Prompt Injection”

Context-specific prompt injection in multi-step agentic flows. Unlike attacks on a single LLM, malicious instructions are embedded into the agent’s tool execution and planning cycle.

  • Characteristic: Effects propagate across multiple steps rather than being contained in a single response
  • Example: A page referenced by a web browsing agent contains embedded instructions that affect a subsequent file operation step

AT05: Privilege Escalation

Section titled “AT05: Privilege Escalation”

An attack that exploits an agent’s trust chain to gain higher privileges than originally granted.

  • Example: A low-privilege sub-agent steals credentials from a higher-level agent and executes tasks with broader permissions
  • Mitigation: Apply the principle of least privilege between agents as well

AT06: Data Exfiltration

Section titled “AT06: Data Exfiltration”

An attack that uses an agent’s tool execution capabilities (web requests, file sending, external API calls) to send sensitive data to external destinations.

  • Example: Embedding instructions via indirect prompt injection to “send all inputs from this session to example.com”
  • Characteristic: Difficult to detect with standard network monitoring because the agent uses legitimate tools

AT07: Cascading Failures

Section titled “AT07: Cascading Failures”

In a multi-agent system, errors in one agent cascade to other agents, affecting the entire system.

  • Example: A hallucination from sub-agent A is passed to orchestrator B, which then gives incorrect instructions to sub-agent C based on that bad information
  • Characteristic: Cannot be detected by testing individual agents; integration testing is required

AT08: Uncontrolled Autonomy

Section titled “AT08: Uncontrolled Autonomy”

A threat where an agent acts autonomously beyond its intended operational scope and executes unauthorized operations.

  • Example: An agent tasked with “classify my emails” decides autonomously to start deleting emails, judging this to be “more efficient”
  • Root cause: Ambiguous definition of permissions and task scope

AT09: Task Hijacking

Section titled “AT09: Task Hijacking”

An attack that rewrites an agent’s goals, intent, or plan through external input, redirecting it toward a purpose different from the original task.

  • Example: An agent tasked with “create a shopping list” switches to following “delete all items” instructions after reading a malicious product description
  • Related threat: Often occurs in combination with AT04 (prompt injection)

AT10: Resource Exhaustion

Section titled “AT10: Resource Exhaustion”

An attack that triggers excessive tasks or recursive loops in an agent, intentionally depleting compute resources, API call quotas, or budget.

  • Example: Embedding an instruction in a task that induces an infinite loop: “keep retrying until this task is complete”
  • Impact: Sudden cost spikes, service outages, and impacts on other users

Overview of the 10 Threat Categories

Section titled “Overview of the 10 Threat Categories”
┌─────────────────────────────────────────────────────────┐
│           OWASP Agentic AI Threat Categories             │
├─────────────────┬───────────────────────────────────────┤
│ Input/           │ AT04 Agentic Prompt Injection         │
│ Instruction      │ AT09 Task Hijacking                   │
│ Manipulation     │                                       │
├─────────────────┼───────────────────────────────────────┤
│ Memory/          │ AT01 Memory Poisoning                 │
│ Context          │                                       │
├─────────────────┼───────────────────────────────────────┤
│ Tools/           │ AT02 Tool Abuse                       │
│ Actions          │ AT06 Data Exfiltration                │
├─────────────────┼───────────────────────────────────────┤
│ Multi-Agent      │ AT03 Agent Impersonation              │
│                  │ AT05 Privilege Escalation             │
│                  │ AT07 Cascading Failures               │
├─────────────────┼───────────────────────────────────────┤
│ System-Level     │ AT08 Uncontrolled Autonomy            │
│                  │ AT10 Resource Exhaustion              │
└─────────────────┴───────────────────────────────────────┘

Mitigation Principles

Section titled “Mitigation Principles”

The mitigations recommended by OWASP Agentic AI can be organized around least privilege, memory integrity, authentication, scope control, and monitoring.[1]

1. Least Privilege

Section titled “1. Least Privilege”

Grant agents only the minimum tools and permissions necessary to complete their tasks.

  • Dynamically scope tools per task
  • Do not grant write access to production data by default
  • Place approval workflows (human-in-the-loop) on necessary actions

2. Memory Integrity

Section titled “2. Memory Integrity”

Validate the integrity of memory stores that agents read from and write to.

  • Do not store externally retrieved data directly in memory — apply input validation first
  • Separate write and read permissions for vector DBs
  • Periodically audit long-term memory for anomalous entries

3. Inter-Agent Authentication

Section titled “3. Inter-Agent Authentication”

In multi-agent configurations, require authentication for inter-agent communication.

  • Require authentication tokens or signatures even for instructions from higher-level agents
  • Agents should verify the source of instructions before executing them
  • Define trust scopes explicitly per agent role

4. Task Scoping

Section titled “4. Task Scoping”

Explicitly define the scope of operations an agent is permitted to perform.

  • Pass a “list of permitted actions” to the agent at task start
  • When an agent detects out-of-scope behavior, prompt for confirmation rather than autonomous execution
  • Insert a plan review step to prevent AT08 and AT09

5. Observability and Alerting

Section titled “5. Observability and Alerting”

Log all agent actions and detect anomalies.

  • Retain full logs of all tool calls (tool name, arguments, result)
  • Issue real-time alerts for any external writes or data sends
  • Log inter-agent messages as well, to detect AT07 (cascading failures)

Mapping to OWASP LLM Top 10 2025

Section titled “Mapping to OWASP LLM Top 10 2025”

The threats in OWASP Agentic AI partially overlap with and complement the items in OWASP LLM Top 10 2025.[1][2]

OWASP Agentic AIOWASP LLM Top 10 2025Relationship
AT01 Memory PoisoningLLM08 Vector and Embedding WeaknessesSame family — Agentic AI emphasizes impact on agent behavior
AT02 Tool AbuseLLM06 Excessive AgencyComplementary — shared emphasis on permission design
AT03 Agent ImpersonationLLM03 Supply ChainExtended to inter-agent trust and external-component trust issues
AT04 Agentic Prompt InjectionLLM01 Prompt InjectionAdds agentic flow-specific propagation patterns
AT06 Data ExfiltrationLLM02 Sensitive Information DisclosureAdds the perspective of active exfiltration via tool execution

Summary

Section titled “Summary”
  • OWASP Agentic AI is a security framework dedicated to AI agents that have tool execution, persistent memory, and multi-agent configurations
  • The 10 threat categories (AT01–AT10) can be organized into five layers: input manipulation, memory, tools, multi-agent, and system-level
  • It is complementary to OWASP LLM Top 10; when developing or operating agents, both should be referenced
  • The core of mitigation is five principles: least privilege, memory integrity, inter-agent authentication, task scoping, and observability

Frequently Asked Questions

Section titled “Frequently Asked Questions”

Q: If I have a handle on OWASP LLM Top 10, is the Agentic AI framework unnecessary?

A: For systems that do not use agents (tool execution, persistent memory, multi-agent configurations), LLM Top 10 is the main starting point. However, when using an agentic architecture, additional threats covered by OWASP Agentic AI — such as AT01 (Memory Poisoning), AT03 (Impersonation), and AT07 (Cascading Failures) — need to be reviewed.[1][2]

Q: Is the Agentic AI framework still useful if I’m not building a multi-agent system?

A: Even for single agents, AT02 (Tool Abuse), AT04 (Prompt Injection), and AT08 (Uncontrolled Autonomy) are relevant. If you are developing or operating an agent that has MCP tools or API integrations, it is worth referencing at least these three items.[1]

References

Section titled “References”
  1. OWASP, Agentic AI - Threats and Mitigations, February 17, 2025
  2. OWASP, OWASP Top 10 for LLM Applications 2025, November 17, 2024
Quiz