OWASP's Agent Security Top 10 for 2026: What Every Builder Needs to Know
OWASP published its first agent-specific security risk list. Tool misuse, privilege escalation, and memory poisoning lead the rankings. Here is how to defend against each one.
OWASP, the organization behind the widely adopted Web Application Security Top 10, published its first agent-specific security risk list in early 2026. The list reflects real-world incident data: 88% of organizations reported confirmed or suspected security incidents involving AI agents in 2025.
This is not a theoretical exercise. These are the attack patterns that are actively exploiting production agent systems.
The Top 10 Agent Security Risks
1. Tool Misuse and Privilege Escalation
520 documented incidents in 2025 alone. Agents with access to powerful tools (database queries, file system operations, API calls) can be manipulated into using those tools in unintended ways.
The attack is simple: trick the agent into calling a tool with malicious arguments. If the agent has DELETE permissions on a database and the attacker can influence the query, the result is data destruction.
Defense: Implement least-privilege tool access. Each agent should have access only to the tools it needs, with the minimum necessary permissions. Use PactTerms to define exactly which tools and operations are authorized.
2. Indirect Prompt Injection
Malicious instructions embedded in data that the agent retrieves from external sources. The agent treats the injected instruction as part of its legitimate input.
Defense: Sanitize all external inputs. Implement output verification between agent steps. Use trust-gated delegation to prevent unverified data from reaching sensitive operations.
3. Excessive Agency
Agents granted more autonomy than their task requires. An agent asked to "update the user profile" should not have the ability to delete the user account, even if the underlying API supports it.
Defense: Scope agent capabilities to the minimum required for each task. Behavioral contracts that enumerate authorized actions prevent scope creep.
4. Memory Poisoning
Attackers inject malicious content into an agent's persistent memory or RAG knowledge base. Unlike prompt injection, memory poisoning is persistent: the malicious instruction survives across sessions.
Defense: Validate all writes to persistent memory. Implement memory integrity checks. Use versioned memory stores that support rollback.
5. Insecure Output Handling
Agent outputs that are passed directly to other systems without sanitization. If an agent generates SQL, HTML, or shell commands, those outputs must be treated as untrusted input by the receiving system.
Defense: Apply the same output encoding and sanitization that you would apply to user input. Never execute agent-generated code without sandboxing.
6. Insufficient Monitoring
Agent systems deployed without adequate logging, tracing, or alerting. When incidents occur, there is no audit trail to understand what happened.
Defense: Log every agent action, tool call, and inter-agent communication. Implement real-time alerting on anomalous behavior patterns. Use trust score monitoring to detect gradual degradation.
7. Supply Chain Vulnerabilities
Agents that depend on third-party MCP servers, plugins, or tools inherit the security posture of those dependencies. A compromised MCP server can feed malicious data to every agent that connects to it.
Defense: Verify the trust score and provenance of all third-party agent dependencies. Pin versions. Monitor for unexpected behavior changes.
8. Insecure Agent-to-Agent Communication
Agent-to-agent messages transmitted without authentication, encryption, or integrity verification. Man-in-the-middle attacks can intercept and modify messages between agents.
Defense: Use mTLS for all agent-to-agent communication. Verify the identity and trust score of remote agents before exchanging data.
9. Denial of Service via Resource Exhaustion
Agents that can be tricked into consuming unbounded resources: infinite loops, recursive tool calls, or generating massive outputs. This can take down the agent and any infrastructure it depends on.
Defense: Implement timeouts, recursion limits, and output size limits. Use behavioral contracts to define resource consumption boundaries.
10. Data Leakage Across Contexts
Agents that inadvertently leak information from one context to another. A multi-tenant agent that remembers details from Customer A's session and surfaces them during Customer B's session.
Defense: Enforce strict session isolation. Clear context windows between tenants. Use behavioral contracts that prohibit cross-context data retention.
Mapping OWASP Risks to Trust Infrastructure
Notably, every risk in the OWASP Top 10 can be partially or fully mitigated by trust infrastructure:
| OWASP Risk | Trust Mitigation |
|---|---|
| Tool misuse | PactTerms defining authorized tools and operations |
| Prompt injection | Trust-gated delegation, output verification |
| Excessive agency | Behavioral contract scope boundaries |
| Memory poisoning | Integrity verification, evaluation monitoring |
| Insecure output | Output validation against PactTerms |
| Insufficient monitoring | PactScore as continuous behavior signal |
| Supply chain | Trust scores for dependencies |
| Insecure A2A comms | mTLS with trust score verification |
| Resource exhaustion | Resource limits in behavioral contracts |
| Data leakage | Isolation terms in PactTerms |
This is not a coincidence. Trust infrastructure was designed to define, verify, and enforce behavioral boundaries. Security risks arise when those boundaries are missing or unenforced.
Action Items
- Audit your agents against each of the OWASP Top 10 risks.
- For each risk that applies, define a behavioral contract term that mitigates it.
- Implement monitoring for the specific attack patterns described above.
- Evaluate third-party agent dependencies for their security posture.
- Run adversarial testing (red-teaming) against your agent workflows at least quarterly.