Skip to content
InvariantRisk
Agent reliability May 19, 2026

OWASP’s first Agentic Top 10 names the failure modes of production agents — and over-permissioned tool access leads the list.

OWASP’s Top 10 for Agentic Applications 2026, built with 100+ experts, is the first peer-reviewed risk taxonomy for autonomous agents. Goal hijack, excessive agency, and malicious MCP tools in the supply chain top the practical risks.

In December 2025, OWASP published its first Top 10 for Agentic Applications, developed with more than 100 contributors. Unlike the LLM Top 10, which targets model-level issues, this list addresses systems that plan, use tools, hold memory, and coordinate — the agents many teams are now putting into production.

The categories that bite mid-market operators first are not exotic. ASI01 Agent Goal Hijack covers objectives being silently redirected by injected content (the EchoLeak pattern). Excessive agency — agents granted more tool access than the task requires — is repeatedly the shortest path to real damage. ASI04 Agentic Supply Chain covers malicious tools and MCP servers: a documented campaign found hundreds of publicly listed agent “skills” carrying information-stealing malware. ASI08 Cascading Failures covers one compromised agent propagating across a connected fleet.

The useful framing

You do not need to implement all ten controls. You need to know which of the ten your deployment is actually exposed to — which depends on what your agents can touch, what they ingest, and how many of them talk to each other.