the sequel nobody wanted — turns out when you give AI agents tools and let them talk to each other, the threat model gets way worse.
A separate threat taxonomy published by the OWASP Foundation in December 2025 for autonomous and agentic AI systems, using ASI prefix codes (ASI01 through ASI10). Covers cascading hallucination and error propagation, uncontrolled tool and code execution, agent impersonation and identity spoofing, privilege escalation through multi-agent trust chains, memory poisoning, cross-agent escalation, and emergent multi-agent behaviour. Designed to complement the OWASP LLM Top 10, not replace it — the agentic threat model is additive to the LLM threat model.
Why It Matters
The LLM Top 10 assumed a relatively simple architecture: a user submits a prompt, a model generates a response. The Agentic Top 10 addresses what happens when that model gets a body — tools, memory, the ability to delegate tasks to other agents, and the autonomy to take actions without human approval at every step.
This is not an incremental increase in risk. It is a qualitative shift. When Agent A delegates a task to Agent B, and Agent B has database write access, the combined system has capabilities that neither agent was individually authorised to have. When Agent A’s hallucinated output becomes Agent B’s factual input, errors cascade through the system with no human checkpoint to stop them. When an attacker poisons one agent’s memory, that corruption propagates to every agent that trusts it.
The structural challenge is that organisations are deploying agentic systems using security models designed for stateless, single-model applications. They test for prompt injection (LLM01) but not for cascading permissions (ASI03). They implement output filters but not agent identity verification. The Agentic Top 10 names the gap between the security model organisations have and the security model agentic systems require.
The Stress Test
Your organisation deploys a multi-agent system for procurement: Agent A analyses purchase requests, Agent B checks budgets, Agent C issues purchase orders. A red team demonstrates that by manipulating Agent A’s input, they can cause Agent A to generate a request that looks legitimate to Agent B, which approves the budget, which triggers Agent C to issue a purchase order for equipment that was never requested by any human.
The individual agents each performed their function correctly. Agent A analysed the input. Agent B verified the budget. Agent C processed the approval. The failure is systemic: no agent questioned whether the chain of requests originated from a legitimate human decision. The trust architecture assumed that if the previous agent approved it, the request must be valid. That assumption is the vulnerability.
In the Wild
Multi-agent research systems demonstrated a pattern researchers call “hallucination laundering”: Agent A generates a plausible but fabricated claim. Agent B, tasked with verification, retrieves Agent A’s output as a source and cites it as evidence. Agent C synthesises both outputs and presents the fabrication as a verified fact with two independent sources. The hallucination did not just persist — it gained credibility through the multi-agent pipeline.
In a single-agent system, a hallucination is a bad answer. In a multi-agent system, it becomes a manufactured consensus.
Enterprise deployments of multi-agent systems revealed a recurring pattern: Agent A has read access to customer data. Agent B has write access to email systems. Agent A can delegate to Agent B. The combined system can therefore read customer data and email it externally — a capability that no human authorised and no individual agent possesses alone. Security teams that assessed each agent’s permissions independently missed the emergent capability created by their interaction.
Agent permissions are not additive. They are multiplicative. The combined system has capabilities that are the product of individual permissions, not the sum.
Agents with persistent memory — conversation history, learned preferences, cached knowledge — introduced a new attack surface. Researchers demonstrated that injecting malicious instructions into an agent’s memory during one session caused the agent to follow those instructions in subsequent sessions, even with different users. Unlike prompt injection (which is ephemeral), memory poisoning is persistent: the compromise survives across sessions, users, and contexts.
Stateless systems forget attacks between sessions. Stateful agents remember them. That is the difference between a vulnerability and a backdoor.
How to Govern It
Agentic security is not LLM security with more steps. It is a different threat model.
Within the AI Control Index, OWASP Agentic Top 10 governance maps to:
- Security (S2) — Agent identity verification, inter-agent authentication, tool access controls, and adversarial testing programmes that specifically target multi-agent attack surfaces. Default-deny permissions for all tool invocations.
- Applications & Agents (L4) — Orchestrator design patterns, blast radius containment, agent capability boundaries, delegation policies, and human-in-the-loop approval gates for high-impact actions. The orchestration layer is where most agentic risks are governed or not governed.
- Observability (S4) — Runtime monitoring of agent-to-agent communication, tool invocation patterns, memory state changes, and cascading error propagation. If you cannot trace a decision chain across agents, you cannot detect cross-agent compromise.
- AI Engineering (L5) — Secure agent development patterns, memory integrity verification, output validation between agents, and evaluation pipelines that test multi-agent scenarios — not just individual agent behaviour.
- GRC (S1) — Governance frameworks that account for emergent capabilities, documentation of agent interaction patterns, and evidence that multi-agent risk assessments have been conducted.
When It's Relevant
Any deployment where AI systems have agency — tool access, persistent memory, the ability to delegate or communicate with other agents. The Agentic Top 10 is critical when:
- Your AI agents can use tools that have real-world consequences (sending emails, executing transactions, modifying records)
- Multiple agents interact, delegate tasks, or share information in a pipeline or orchestration pattern
- Your agents maintain persistent state (memory, learned preferences, cached context) across sessions
- Your agents operate with autonomy levels that allow actions without per-action human approval
- You have assessed your system against the LLM Top 10 but have not yet assessed agentic-specific risks
Related Terms
References
- [1] OWASP Foundation (2025) OWASP Top 10 for Agentic Applications. Available at: owasp.org/www-project-top-10-for-large-language-model-applications.
- [2] OWASP Foundation (2025) OWASP Top 10 for Large Language Model Applications v2025.1. Available at: owasp.org/www-project-top-10-for-large-language-model-applications.
- [3] Wang, L., Ma, C., Feng, X., Zhang, Z., Yang, H., Zhang, J., Chen, Z., Tang, J., Chen, X., Lin, Y., Zhao, W.X., Wei, Z. and Wen, J. (2024) ‘A Survey on Large Language Model Based Autonomous Agents’, Frontiers of Computer Science, 18(6), 186345. doi: 10.1007/s11704-024-40231-1.
- [4] Xi, Z., Chen, W., Guo, X., He, W., Ding, Y., Hong, B., Zhang, M., Wang, J., Jin, S., Zhou, E. et al. (2023) ‘The Rise and Potential of Large Language Model Based Agents: A Survey’, arXiv preprint, arXiv:2309.07864.
- [5] Greshake, K., Abdelnabi, S., Mishra, S., Endres, C., Holz, T. and Fritz, M. (2023) ‘Not What You’ve Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection’, arXiv preprint, arXiv:2302.12173.
- [6] NIST (2024) Artificial Intelligence Risk Management Framework: Generative AI Profile (AI 600-1). National Institute of Standards and Technology, U.S. Department of Commerce.
- [7] European Parliament and Council (2024) Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI Act). Official Journal of the European Union.
AI Control Index v6.0 · Glossary · June 2026 · i-DEPOT 158508 (BOIP) · CC BY-NC-ND 4.0
By Jeroen Janssen, Apparens