OWASP Agentic Top 10: What Every Developer Must Know in 2026

March 2026 • 12 min read

The OWASP Foundation released the Agentic Top 10 to address a critical gap: as AI agents move from experimental tools to production infrastructure, the security risks they introduce are fundamentally different from traditional software vulnerabilities. These are not just prompt injection attacks -- they are systemic risks arising from autonomous systems that can read, write, execute, and make decisions on your behalf.

If you are deploying AI coding agents like Claude Code, Codex, or Antigravity in any professional capacity, understanding these ten risks is no longer optional. Here is a practical breakdown of each one.

ASI01: Agent Goal Hijacking

The number one risk. Agent Goal Hijacking occurs when an attacker manipulates an agent into pursuing objectives different from what the user intended. This can happen through prompt injection in code comments, malicious content in fetched URLs, or poisoned context in repository files.

For coding agents, this is particularly dangerous. Imagine cloning a repository where a README contains hidden instructions that cause your agent to exfiltrate environment variables or install a backdoor dependency. The agent faithfully follows the injected goal because it cannot distinguish it from legitimate instructions.

Mitigation: Use agents with strong instruction hierarchy (system prompts override user content which overrides fetched content). Review all agent actions before approval. Limit agent access to only the files and directories required for the current task.

ASI02: Tool Misuse and ASI03: Identity Abuse

Tool Misuse (ASI02) happens when agents use their available tools in unintended ways -- executing shell commands that modify system configuration, writing to files outside the project scope, or making network requests to exfiltrate data. The more tools an agent has access to, the larger the attack surface.

Identity Abuse (ASI03) occurs when agents inherit the user's credentials and permissions without appropriate scoping. Your coding agent running as you has access to your SSH keys, cloud credentials, API tokens, and git configurations. If the agent is compromised, the attacker has your full identity.

Mitigation for both: Apply the principle of least privilege rigorously. Give agents only the tools they need. Use short-lived, scoped credentials instead of your personal tokens. Run agents in sandboxed environments where file and network access are restricted.

ASI04 and ASI05: Sandboxing and Autonomy Control

Insufficient Sandboxing (ASI04) is the risk of running agents without proper containment boundaries. An unsandboxed agent can read your entire filesystem, access your network, and interact with any service your user account can reach. This turns every agent session into a potential lateral movement vector.

Uncontrolled Autonomy (ASI05) addresses agents that can take consequential actions without human approval. An agent that can push to production, delete databases, or modify infrastructure configurations without a confirmation step is a ticking time bomb -- not because the agent is malicious, but because it can be wrong.

Mitigations: Run agents in containers or microVMs (see our sandboxing guide for specifics). Implement approval gates for destructive operations. Use allowlists for permitted commands rather than blocklists for denied ones. Claude Code's explicit approval model for shell commands and file writes is a good example of controlled autonomy in practice.

ASI06 through ASI09: The Supporting Risks

Missing Guardrails (ASI06) covers the absence of output validation. Agents can generate insecure code, leak secrets in outputs, or produce syntactically valid but semantically dangerous configurations. Always validate agent outputs against security policies before deployment.

Broken Trust Boundaries (ASI07) occurs in multi-agent systems where agents communicate with each other. If Agent A trusts Agent B's output without verification, a compromise of Agent B cascades to Agent A. Every inter-agent communication channel needs the same scrutiny as a network API boundary.

Insufficient Logging (ASI08) makes it impossible to investigate incidents after the fact. Every agent action -- file reads, writes, command executions, API calls -- should be logged with timestamps and full context. Without audit trails, you cannot determine what an agent did or why.

Agent Denial of Service (ASI09) covers resource exhaustion attacks where an agent is tricked into infinite loops, excessive API calls, or memory-consuming operations. Rate limiting and resource quotas are essential safeguards.

ASI10: Rogue Agents

The most dramatic risk, though currently the least likely. Rogue Agents refers to scenarios where an agent operates outside its intended parameters -- not through external attack, but through emergent behavior, misconfiguration, or compromised model weights. While current AI coding agents are not truly autonomous in a way that makes this an immediate threat, the trend toward greater agent autonomy makes this risk increasingly relevant.

Mitigation: Implement kill switches. Set hard time limits on agent sessions. Monitor for anomalous behavior patterns (sudden spike in file writes, unexpected network connections, access to unusual directories). Use agents from reputable providers who conduct regular red-teaming and safety evaluations.

The Principle of Least Agency

Across all ten risks, one principle applies universally: least agency. Give agents the minimum permissions, tools, and autonomy required for the task at hand. This is the agentic equivalent of the principle of least privilege, extended to cover not just access rights but also decision-making authority.

In practice, this means:

• Scope agent file access to the current project directory only
• Use read-only mode when the agent only needs to analyze code
• Require explicit approval for shell commands, especially those involving network access or system modification
• Rotate credentials between agent sessions
• Review and limit the MCP tools and servers your agent can access

The OWASP Agentic Top 10 is not a reason to avoid AI coding agents -- it is a framework for using them responsibly. The teams that take these risks seriously today will be the ones that can safely scale their agentic workflows tomorrow.