OWASP top 10 risks for AI agents: What every organization should know

AI is entering a new phase. For years, most AI tools behaved like assistants. You asked a question, they generated an answer. But the next generation of systems is different. AI agents don’t just respond - they plan, decide, and act.
Now, agents can retrieve data, send emails, update records, trigger workflows, and coordinate tasks across multiple systems. In many cases, they operate with minimal supervision, handling tasks that previously required human intervention. That power makes them incredibly useful. But it also introduces a new category of risk.
The OWASP framework for AI agent security
As AI agents become more autonomous, security researchers and developers are working to identify the new risks these systems introduce. One of the most widely recognized organizations doing this work is OWASP (Open Worldwide Application Security Project) - a global nonprofit community that publishes widely adopted security frameworks for modern software systems.
OWASP is best known for the OWASP Top 10, a list of the most critical security risks for web applications. Over time, these frameworks have helped organizations understand and prioritize emerging threats across technologies.
Recognizing that AI agents introduce entirely new attack surfaces, the OWASP community recently introduced the ASI Top 10 (Agentic System Issues). This framework identifies the most common ways AI agents can be manipulated, compromised, or pushed to act outside their intended goals. While the framework highlights the risks, organizations building agentic systems must also focus on practical safeguards and architectural guardrails to ensure these systems operate safely in real-world environments.
Here’s a plain-language look at what those risks mean in practice.
ASI01 – goal hijacking
AI agents rely on instructions to determine what actions to take. Attackers can hide malicious instructions inside emails, documents, or webpages that the agent processes. These instructions may cause the agent to ignore its original objective and follow the attacker’s directions instead.
For example, a document might contain hidden prompts instructing the agent to extract and send confidential information externally.
What practitioners can do:
Treat all external inputs as untrusted and enforce strict separation between system instructions and user-provided content.
ASI02 – tool misuse
AI agents often interact with enterprise tools such as email systems, APIs, databases, or payment platforms. If manipulated, the agent may misuse these tools to perform harmful actions like sending sensitive data, deleting records, or triggering unauthorized workflows.
The danger is not the tools themselves, but the agent being tricked into using them incorrectly.
What practitioners can do:
Apply the least-privilege principle to tool access and require approvals for high-risk actions like financial transactions or data sharing.
ASI03 – identity abuse
Agents often operate with specific permissions or identities within enterprise systems. If attackers escalate those privileges or impersonate the agent, they may gain access to sensitive resources.
This can turn the AI agent into an unintended entry point into enterprise infrastructure.
What practitioners can do:
Implement strong authentication, identity verification, and privilege scoping for all agent actions.
ASI04 – supply chain attacks
AI agents frequently depend on external services such as APIs, plugins, and third-party tools. If one of these components is compromised, attackers may manipulate the information the agent receives or influence its behavior indirectly.
For example, a malicious plugin might feed inaccurate data into the agent’s decision-making process.
What practitioners can do:
Validate external integrations carefully and monitor third-party dependencies for unusual behavior.
ASI05 – malicious code execution
Some agents generate or execute code as part of their workflows. While this capability can automate complex tasks, it also introduces the risk of executing unsafe or malicious scripts.
If not properly controlled, generated code may alter files, access restricted systems, or introduce vulnerabilities.
What practitioners can do:
Execute generated code in sandboxed environments and enforce strict validation before execution.
ASI06 – memory poisoning
Many agents maintain memory to improve performance over time. However, persistent memory can be manipulated if attackers feed misleading or malicious information into the system.
Over time, this poisoned memory may influence the agent’s future decisions and outputs.
What practitioners can do:
Limit persistent memory for sensitive tasks and periodically audit or reset stored context.
ASI07 – insecure communication
Agents increasingly collaborate with other agents and services. If communication channels are not properly secured, messages could be intercepted, altered, or spoofed.
This could allow attackers to manipulate entire chains of automated decisions.
What practitioners can do:
Secure inter-agent communication using authentication, encryption, and message validation protocols.
ASI08 – cascading failures
AI agents are often integrated into automated workflows. If an agent makes an incorrect decision, that error may trigger additional automated actions across systems.
In highly automated environments, small errors can quickly escalate into widespread operational issues.
What practitioners can do:
Introduce checkpoints or human approvals in critical workflows to prevent automated error propagation.
ASI09 – trust exploitation
People tend to trust AI-generated recommendations, especially when they appear confident or authoritative. Attackers can exploit this trust by manipulating the inputs the AI receives, influencing the outputs it generates.
This may lead users to approve harmful actions or make poor decisions.
What practitioners can do:
Design systems that encourage verification of AI outputs and flag sensitive recommendations for review.
ASI10 – rogue agents
Agents may drift away from their intended purpose due to faulty prompts, corrupted inputs, or weak guardrails. Over time, this can cause them to behave unpredictably or pursue unintended objectives.
Without proper monitoring, these deviations may go unnoticed.
What practitioners can do:
Implement strong guardrails, continuous monitoring, and audit logs to ensure agents remain aligned with intended goals.
The key principle: Least agency
One of the most important ideas emerging from the OWASP framework is “least agency.”
Just as cybersecurity follows the principle of least privilege, AI agents should only have the minimum autonomy and system access required to perform their tasks.
That means:
- limiting tool permissions
- validating actions before execution
- isolating agent environments
- maintaining detailed logs and monitoring
Security controls must evolve alongside AI capabilities. As agents gain more autonomy, organizations need stronger guardrails to ensure those systems remain aligned with their intended purpose.
What this means for teams building AI agents
The OWASP ASI Top 10 highlights an important reality: agent security isn’t just about protecting models, it’s about governing how AI interacts with the real world.
In practice, building secure AI agents requires a combination of architectural and operational safeguards, including:
- Input validation layers to filter malicious prompts and external content
- Least-agency design, limiting how much autonomy agents actually have
- Secure tool access controls for APIs, databases, and enterprise systems
- Human-in-the-loop approvals for sensitive decisions
- Continuous observability, including logs of agent reasoning, actions, and tool usage
Organizations deploying agentic AI must think about these guardrails from day one - because once agents are connected to operational systems, their decisions can have real-world consequences.
Conclusion: Building safer agentic systems
AI agents will soon power everything from customer support to financial operations and enterprise automation.
Their potential is enormous, but so is their impact if something goes wrong.
Turning secure agent design into practice
As enterprises move toward agent-driven automation, security must be embedded directly into how these systems are designed and deployed.
At Firstsource, our AI-led offerings and platforms proactively address these OWASP Top 10 risks through built-in safeguards like automated threat detection, privilege scoping, secure inter-agent protocols, and continuous monitoring, ensuring enterprise-grade protection while enabling safe agentic automation for our clients.
These platforms incorporate safeguards such as:
- controlled tool permissions to prevent unintended actions
- secure agent communication protocols
- privilege scoping and policy enforcement layers
- continuous monitoring and observability of agent activity
These guardrails help ensure that AI agents can operate autonomously while remaining aligned with enterprise governance and security requirements.
As organizations increasingly rely on AI agents to drive workflows and decision-making, combining industry frameworks like OWASP with practical implementation guardrails will be key to scaling agentic systems safely.


