OWASP Agentic AI Top 10
OWASP Agentic AI Top 10 — Classified and Mapped.
The OWASP Agentic AI Top 10, released December 2025 and NIST-endorsed, is the first authoritative taxonomy for AI agent security risks. VANGUARD is the first commercial intelligence platform built around it. Every finding is classified, stack-specific, and mapped to regulatory obligations across five jurisdictions.
Prompt Injection
What it covers
When external input manipulates an agent’s instructions — overriding intended behaviour, exfiltrating data, or triggering unauthorised actions.
Why it matters
Prompt injection is the most widespread attack vector against AI agents. A single injected instruction can override system prompts, exfiltrate sensitive data, or trigger actions the agent was never authorised to take. Every agent that processes external input is exposed.
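As a minimal illustration (not VANGUARD's detection method — real detectors typically use trained classifiers, and these patterns are illustrative assumptions), a pattern-based guard can flag instruction-like content arriving in external input before it ever reaches the model:

```python
import re

# Phrases that often signal instruction-override attempts in external
# content. Illustrative only -- not an exhaustive or production list.
INJECTION_PATTERNS = [
    r"ignore (all )?(previous|prior) instructions",
    r"you are now",
    r"system prompt",
    r"disregard .{0,40}(rules|guidelines)",
]

def flag_injection(external_text: str) -> bool:
    """Return True if external content looks like an injection attempt."""
    lowered = external_text.lower()
    return any(re.search(p, lowered) for p in INJECTION_PATTERNS)
```

Flagged content can then be quarantined or stripped rather than passed into the agent's context.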
Broken Access Control
What it covers
When an agent operates with permissions beyond its intended scope — accessing data, systems, or actions it was never authorised to reach.
Why it matters
Agents with overly broad permissions become lateral movement vectors. A compromised agent with excessive access can reach systems, data, and actions far beyond its intended scope — turning a single vulnerability into an enterprise-wide exposure.
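A least-privilege pattern that mitigates this is a per-agent tool allowlist enforced at the invocation boundary. The agent names and tool names below are hypothetical — a sketch of the idea, not any particular platform's API:

```python
# Hypothetical per-agent scopes: each agent may call only its listed tools.
AGENT_SCOPES = {
    "billing-agent": {"read_invoice", "create_invoice"},
    "support-agent": {"read_ticket", "reply_ticket"},
}

class ScopeError(PermissionError):
    """Raised when an agent requests a tool outside its declared scope."""

def invoke_tool(agent: str, tool: str, call):
    """Run a tool only if it falls inside the agent's declared scope."""
    allowed = AGENT_SCOPES.get(agent, set())
    if tool not in allowed:
        raise ScopeError(f"{agent} is not authorised for {tool}")
    return call()
```

Denying by default means a compromised agent cannot reach tools it was never granted, limiting lateral movement.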
Data Poisoning
What it covers
When training data, memory, or context is corrupted — producing agents that make confident decisions based on compromised information. Persistent across sessions.
Why it matters
Poisoned data corrupts every decision an agent makes. Because the agent has no mechanism to detect the corruption, it acts on compromised information with full confidence — persistently, across sessions, at scale.
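One mitigation for memory tampering is to sign entries when they are written and verify the signature on every read, so silent corruption becomes detectable. A minimal sketch, assuming the signing key is held outside the agent's own reach:

```python
import hashlib
import hmac

SECRET = b"memory-signing-key"  # assumption: stored outside the agent

def sign(entry: str) -> str:
    """Produce an integrity tag for a memory entry at write time."""
    return hmac.new(SECRET, entry.encode(), hashlib.sha256).hexdigest()

def verify(entry: str, tag: str) -> bool:
    """Check an entry's tag at read time; False means tampering."""
    return hmac.compare_digest(sign(entry), tag)
```

A tampered entry no longer matches its stored tag, so the agent can refuse to act on it instead of trusting it with full confidence.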
Inadequate Sandboxing
What it covers
When an agent’s execution environment lacks proper isolation — allowing it to affect systems, files, or networks outside its intended boundary.
Why it matters
Without proper isolation, an agent can escape its intended boundary and affect systems, files, or networks it should never touch. A sandbox failure turns a contained agent into an uncontained risk.
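One concrete boundary check is path confinement: resolving every file path an agent requests and rejecting anything that escapes its workspace root. A sketch (the workspace path is an assumption; requires Python 3.9+ for `is_relative_to`):

```python
from pathlib import Path

SANDBOX_ROOT = Path("/srv/agent-workspace")  # assumed sandbox boundary

def resolve_inside(root: Path, requested: str) -> Path:
    """Resolve a requested path, rejecting any escape (e.g. via ../)."""
    base = root.resolve()
    candidate = (base / requested).resolve()
    if not candidate.is_relative_to(base):
        raise PermissionError(f"path escapes sandbox: {requested}")
    return candidate
```

Resolving before checking is the important step — a naive string-prefix test misses `../` traversal.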
Insecure Output Handling
What it covers
When an agent’s outputs are trusted without validation — enabling downstream systems to execute malicious content, inject code, or propagate compromised data.
Why it matters
Downstream systems that trust agent output without validation become attack surfaces. Malicious content in agent responses can trigger code execution, injection attacks, or data propagation across your entire pipeline.
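The core mitigation is to treat agent output as untrusted data: escape it before rendering and parse-then-validate it before acting. A minimal sketch (the allowed action types are hypothetical):

```python
import html
import json

def render_safe(agent_output: str) -> str:
    """Escape agent output before embedding it in HTML, so any markup
    it contains is displayed as text rather than executed."""
    return html.escape(agent_output)

def parse_action(agent_output: str) -> dict:
    """Treat structured output as data: parse and validate, never eval."""
    action = json.loads(agent_output)
    if action.get("type") not in {"search", "summarise"}:
        raise ValueError("unexpected action type")
    return action
```

The same principle applies to SQL, shell commands, and any other downstream sink: validate against an expected shape, never execute raw output.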
Over-Reliance on AI
What it covers
When human oversight mechanisms are absent or insufficient — and an agent’s decisions go unchecked despite operating in high-consequence domains.
Why it matters
Agents operating without human oversight in high-consequence domains make irreversible decisions with no accountability gate. When the agent is wrong, nobody catches it until the damage is done.
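The standard control here is a human-in-the-loop gate: route consequential actions through an approval callback instead of executing them directly. A sketch with hypothetical action names:

```python
# Hypothetical set of actions that must never run unattended.
HIGH_CONSEQUENCE = {"wire_transfer", "delete_records"}

def execute(action: str, params: dict, approve) -> str:
    """Route high-consequence actions through a human approval callback."""
    if action in HIGH_CONSEQUENCE and not approve(action, params):
        return "blocked: awaiting human approval"
    return f"executed {action}"
```

In practice the `approve` callback would open a review ticket or pause the workflow rather than return synchronously.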
Model Denial of Service
What it covers
When an agent can be forced into resource exhaustion, infinite loops, or degraded performance — denying service to legitimate operations.
Why it matters
An attacker who can force your agent into resource exhaustion or infinite loops denies service to every legitimate operation that depends on it. Degraded performance in critical systems has cascading consequences.
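One common defence is a per-caller request budget that bounds how much work any single source can demand in a window. A minimal sliding-window sketch (limits are illustrative):

```python
import time

class RequestBudget:
    """Per-caller request budget bounding resource consumption."""

    def __init__(self, max_requests: int, window_s: float):
        self.max_requests = max_requests
        self.window_s = window_s
        self.calls: dict[str, list[float]] = {}

    def allow(self, caller: str) -> bool:
        """Admit a request only if the caller is under budget."""
        now = time.monotonic()
        recent = [t for t in self.calls.get(caller, []) if now - t < self.window_s]
        if len(recent) >= self.max_requests:
            self.calls[caller] = recent
            return False
        recent.append(now)
        self.calls[caller] = recent
        return True
```

Pair this with per-request timeouts and loop-iteration caps so a single runaway task cannot starve everything else.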
Supply Chain Vulnerabilities
What it covers
When plugins, community nodes, marketplace integrations, or third-party dependencies introduce compromised code into an agent’s execution path.
Why it matters
Your agent’s attack surface extends to every plugin, dependency, and integration it touches. A compromised community node or marketplace skill injects malicious code directly into your agent’s execution path.
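A basic supply-chain control is to pin each third-party component to a known hash and refuse to load anything that differs. A sketch — the lockfile format and plugin name are hypothetical:

```python
import hashlib

def verify_plugin(name: str, code: bytes, lock: dict) -> bool:
    """Refuse to load a plugin whose hash differs from the pinned value."""
    expected = lock.get(name)
    if expected is None:
        return False  # unpinned plugins are not trusted
    return hashlib.sha256(code).hexdigest() == expected

# Example: a lockfile entry pinning a (hypothetical) plugin's code.
code = b"print('export')"
lock = {"csv-export": hashlib.sha256(code).hexdigest()}
```

A tampered community node then fails verification at load time instead of executing inside the agent.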
Insecure Plugin Design
What it covers
When agent plugins accept untrusted input, operate with excessive permissions, or fail to validate interactions with external services.
Why it matters
Plugins that accept untrusted input or operate with excessive permissions become attack vectors. A single poorly designed plugin can compromise the entire agent’s security posture.
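The fix is to validate untrusted input at the plugin boundary before acting on it. A sketch of a hypothetical mail plugin that rejects malformed recipients and header injection:

```python
import re

def email_plugin(payload: dict) -> str:
    """Validate untrusted input at the plugin boundary before acting."""
    recipient = payload.get("to", "")
    subject = payload.get("subject", "")
    if not re.fullmatch(r"[\w.+-]+@[\w-]+\.[\w.]+", recipient):
        raise ValueError("invalid recipient")
    if len(subject) > 200 or "\n" in subject:
        raise ValueError("invalid subject")  # blocks header injection
    return f"queued mail to {recipient}"
```

The same boundary is also where excessive permissions should be cut: the plugin should hold only the credentials its one job requires.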
Excessive Agency
What it covers
When an agent has the ability to take consequential actions — financial transactions, data deletion, external communications — without adequate constraints or human approval gates.
Why it matters
Agents authorised to take consequential actions without constraints can execute financial transactions, delete data, or send external communications with no human approval gate. The blast radius of a single compromised decision is unlimited.
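A constraint policy bounds the blast radius by capping what any autonomous action may do, denying unknown actions by default. The policy entries below are hypothetical, a sketch of the pattern rather than a product feature:

```python
# Hypothetical constraint policy for consequential actions.
POLICY = {
    "transfer_funds": {"max_amount": 1000},
    "delete_records": {"max_rows": 0},  # never allowed autonomously
}

def check_action(action: str, **params) -> bool:
    """Allow an action only within its policy limits; deny by default."""
    limits = POLICY.get(action)
    if limits is None:
        return False  # unknown consequential actions are denied
    if "max_amount" in limits and params.get("amount", 0) > limits["max_amount"]:
        return False
    if "max_rows" in limits and params.get("rows", 0) > limits["max_rows"]:
        return False
    return True
```

Actions that fail the check escalate to a human instead of executing, so a compromised decision stays inside known limits.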
NIST-endorsed. OWASP-authoritative.
The OWASP Agentic AI Top 10 is the first authoritative taxonomy for AI agent security risks. VANGUARD classifies every finding against it — stack-specific, mapped to regulatory obligations, and continuously updated as the threat landscape evolves.
VANGUARD does not guess what could go wrong. It classifies what does go wrong — against the standard that matters.
Assess your stack against the standard.
See how your AI agent deployments map to the OWASP Agentic AI Top 10. Free assessment. No commitment.