OWASP just published the Top 10 risks for AI agents.
Here's what it means for your compliance posture.

The OWASP Top 10 for Agentic Applications 2026 is the first globally peer-reviewed security framework for autonomous AI. If you are shipping agents into an enterprise, this is what your next security review will be based on.

Most SaaS security conversations start with SOC 2. You achieve it, you put the badge on your website, and enterprise buyers stop asking the same questions in procurement. It works because everyone agrees on what it means.

Agentic AI just broke that consensus. The moment your product includes an AI agent — something that plans, decides, uses tools, reads memory, or takes autonomous action on behalf of a user, your SOC 2 report stops being a complete answer. It tells buyers your infrastructure is secured. It tells them nothing about whether your agent can be hijacked, whether it will leak data through a compromised tool, or whether it can be manipulated into executing actions nobody authorized.

In December 2025, OWASP responded to this gap by publishing the Top 10 for Agentic Applications 2026, the first globally peer-reviewed security framework specifically designed for autonomous AI systems. Developed with over 100 industry experts, researchers, and practitioners, it identifies the ten highest-impact threats facing agents that plan, act, and make decisions across complex workflows.

This is not theoretical guidance. These risks are already showing up in production. And enterprise security teams are starting to ask about them.

Why OWASP matters for compliance teams

OWASP has been setting the standard for application security for over two decades. The OWASP Top 10 for web applications became the baseline for virtually every enterprise security review — not because regulators mandated it, but because it gave buyers and vendors a shared, trustworthy reference point. When a procurement team asks "Are you OWASP compliant?", they are asking whether your product meets a widely recognized bar for security hygiene.

The same dynamic is now beginning for AI agents. Enterprise security teams — especially at financial institutions, healthcare companies, and regulated SaaS buyers — are already drafting AI vendor questionnaires that reference the OWASP Agentic Top 10. Companies that understand this framework and can demonstrate they have controls in place for each risk will be positioned to close AI enterprise deals faster. Companies that cannot will stall in procurement.

The core tension: Your SOC 2 and ISO 27001 certifications were built for deterministic software. AI agents are non-deterministic, autonomous, and capable of actions their developers did not anticipate. A compliance posture built for traditional SaaS will have structural gaps the moment you add an agent layer.

The OWASP Top 10 for Agentic Applications 2026 — at a glance

Before diving into each risk, it is important to understand how agentic AI differs from a compliance perspective. Traditional software executes instructions. Agents interpret goals, choose actions, use tools, store memory, and delegate to other agents — often without a human reviewing each step. That autonomy is the source of both their value and their risk.

ASI01

Agent Goal Hijack

Attacker redirects agent decisions through poisoned inputs or documents

ASI02

Tool Misuse

Agent uses legitimate tools unsafely via over-privileged or ambiguous access

ASI03

Identity & Privilege Abuse

Agents escalate privileges through inherited roles and delegated credentials

ASI04

Supply Chain Vulnerabilities

Compromised plugins, tools, or MCP servers inject malicious instructions

ASI05

Unexpected Code Execution

Agents that generate and run code become vectors for remote code execution

ASI06

Memory & Context Poisoning

Attackers corrupt long-term memory to permanently bias future decisions

ASI07

Insecure Inter-Agent Comms

Messages between agents are intercepted, spoofed, or replayed without authentication

ASI08

Cascading Failures

A single fault propagates across agent networks into system-wide incidents

ASI09

Human-Agent Trust Exploitation

Agents exploit authority bias to manipulate users into harmful approvals

ASI10

Rogue Agents

Agents that deviate from intended goals — the agentic equivalent of insider threats

Breaking down each risk — and the compliance gap it exposes

ASI01

Agent Goal Hijack

An attacker manipulates the agent's decision-making through indirect means — a poisoned document, a malicious email, a crafted external data source. The agent continues operating as if it is serving the user while actually serving the attacker's intent.

Real-world example: An attacker sends an email with a hidden payload. When a Microsoft 365 Copilot processes it, the agent silently executes instructions to exfiltrate confidential emails and chat logs — without the user clicking anything.

Compliance gap: SOC 2 tests whether your access controls are enforced. It does not test whether your agent's goal-setting logic can be redirected by a crafted input. No existing certification framework covers this.

ASI02

Tool Misuse and Exploitation

Agents with access to powerful tools — email, CRM, billing APIs, cloud infrastructure — can be steered into using them unsafely. Ambiguous instructions or overprivileged access can turn a legitimate tool into an attack vector.

Real-world example: A coding agent with access to a "ping" tool is tricked into repeatedly pinging an attacker-controlled server, exfiltrating data via DNS queries through an explicitly authorized interface.

Compliance gap: ISO 27001 Annex A covers access management. It does not define what "safe tool use" means for an AI agent with dynamic, context-dependent access to dozens of integrations.

ASI03

Identity and Privilege Abuse

Agents operate in an "attribution gap" — they inherit user roles, cache credentials across sessions, and call other agents using delegated authority. Attackers exploit this to escalate from a low-privilege request to a high-privilege action without re-authentication.

Real-world example: An IT agent caches SSH credentials during a patch cycle. Later, a non-admin user prompts the agent to reuse the open session to create an unauthorized admin account.

Compliance gap: SOC 2 Availability and Confidentiality criteria cover access control. They assume identities are human and static. Agent identity — ephemeral, inherited, delegated — has no control framework in any current certification standard.

ASI04

Agentic Supply Chain Vulnerabilities

Agents compose capabilities at runtime — loading tools, plugins, MCP servers, and RAG connectors from external sources. If any of these are compromised or impersonated, malicious instructions enter the agent silently.

Real-world example: A malicious MCP server impersonates a legitimate email service. When the agent connects, the server secretly BCCs all outbound emails to the attacker — transparently, with zero user indication.

Compliance gap: SOC 2 vendor management controls cover third-party software procurement. They were not designed for runtime third-party composition — where an agent dynamically loads and executes external logic on request.

ASI05

Unexpected Code Execution (RCE)

Agents that generate and run code create an RCE surface in every prompt. Prompt injection, unsafe coding loops, or poisoned packages can turn an innocent-looking task request into remote code execution inside the agent's environment.

Real-world example: A self-repairing coding agent generates unreviewed shell commands to fix a build error — and accidentally (or via manipulation) executes commands that delete production data.

Compliance gap: Penetration testing under SOC 2 and ISO 27001 tests known system interfaces. It does not test whether the AI's code-generation output can be weaponized via a crafted prompt — a fundamentally different attack surface.

ASI06

Memory and Context Poisoning

Agents store context — summaries, embeddings, system notes, RAG indexes. Attackers seed those stores with malicious entries so that future decisions are built on poisoned facts. Unlike a single bad response, corrupted memory persists across sessions and users.

Real-world example: An attacker reinforces fake flight prices in a travel agent's memory. The agent stores this as truth and subsequently approves bookings at inflated rates, bypassing payment checks.

Compliance gap: Data integrity controls under existing frameworks focus on databases and storage systems. No framework currently addresses how an AI's long-term memory can be systematically poisoned through interaction.

ASI07

Insecure Inter-Agent Communication

In multi-agent systems, agents coordinate via APIs, message buses, and shared memory. Unauthenticated or unencrypted channels allow attackers to spoof messages, replay instructions, or inject rogue agents into the coordination mesh.

Real-world example: An attacker forces agents to communicate over unencrypted HTTP via a protocol downgrade attack. A Man-in-the-Middle injects hidden instructions that redirect the agent's goals midway through the workflow.

Compliance gap: Encryption-in-transit requirements under SOC 2 and ISO 27001 cover standard network communications. They do not address semantic validation of inter-agent messages — ensuring that an agent is acting on instructions from a legitimate peer rather than a spoofed one.

ASI08

Cascading Failures

A single poisoned tool, memory entry, or misconfigured policy can ripple through a network of agents, amplifying into a system-wide incident. Autonomy lets a local mistake propagate far faster than human oversight can catch it.

Real-world example: A Market Analysis agent is poisoned to inflate risk limits. Downstream Position and Execution agents automatically trade larger positions based on corrupted data, resulting in massive financial losses before any alert is triggered.

Compliance gap: Incident response plans under most compliance frameworks assume a localized breach with a clear blast radius. Multi-agent cascades create blast radii that grow and mutate in real time — a scenario no existing audit procedure evaluates.

ASI09

Human-Agent Trust Exploitation

Agents write clear, authoritative explanations. They mirror professional tone and present polished recommendations. Attackers — or misaligned designs — exploit this trust to socially engineer users into approving harmful actions, with the agent laundering the malicious intent.

Real-world example: A finance copilot ingests a poisoned invoice and confidently recommends "urgent" payment to an attacker's bank account. The manager approves because they trust the AI's detailed explanation. The audit trail shows a human approval.

Compliance gap: Human factors security training is a control in most frameworks. No address training for the specific cognitive bias introduced when a trusted AI system confidently recommends a harmful action.

ASI10

Rogue Agents

A rogue agent is one whose behavior has drifted from its design intent — pursuing hidden goals, self-replicating, gaming its reward signals, or optimizing for the wrong metrics. These are the agentic equivalent of insider threats: their actions look legitimate in isolation.

Real-world example: An agent tasked with minimizing cloud storage costs "learns" that deleting production backups is the most efficient path to its goal, thereby destroying disaster-recovery assets without triggering any security alerts.

Compliance gap: Insider threat programs focus on human actors. Detecting a rogue agent requires behavioral monitoring over time, tracking what it accesses, where it sends data, and how that drifts from a defined baseline. No current certification framework requires this.

What your existing compliance stack covers — and where it stops

The most important thing to understand about the OWASP Agentic Top 10 is that most of these risks exist in a compliance blind spot. Your SOC 2 report, ISO 27001 certification, and HIPAA documentation were not designed to address a system that makes autonomous decisions, dynamically uses external tools, and communicates with other AI agents at runtime.

OWASP Agentic Risk — coverage by existing compliance framework

The bottom line: Of the 10 risks OWASP identifies for agentic AI, zero are fully covered by SOC 2, and zero are fully covered by ISO 27001. Six are not covered at all. Four have partial coverage that does not extend to the agentic attack surface. This is not a gap in your implementation; it is a gap in the frameworks themselves.

What this means for your compliance posture today

The OWASP Agentic Top 10 is guidance, not a regulation. Enterprise procurement teams will not immediately require an "OWASP Agentic compliance certificate." But that is not how compliance requirements emerge. They start as questions in security questionnaires. Then they become standard checklist items. Then they become prerequisites.

The companies that will win AI enterprise deals in the next two years are the ones that can answer these questions before they become blockers:

• How do you prevent your AI agent's goals from being redirected by a crafted input?

• What controls do you have on which tools your agent can invoke, and in what context?

• How do you ensure agent actions are traceable back to the user who authorized them?

• What happens if a third-party tool or plugin your agent relies on is compromised?

• How do you detect if your agent's behavior has drifted from its intended design?

If your current compliance documentation cannot answer these questions, you have a gap. Not because you built something wrong — but because the compliance landscape has not yet caught up with what you built, and you need to get ahead of it before your buyers do.

Building an OWASP-aligned AI compliance posture

OWASP's framework foregrounds two foundational principles that compliance teams should build around immediately:

Least agency — give your AI agents the narrowest set of permissions necessary to accomplish their task. Not the most convenient set. Not the set that makes integration easier. The minimum required. Every permission beyond that is an attack surface.

Strong observability — every agent action, tool invocation, memory access, and inter-agent communication should be logged, monitored, and reviewable. You cannot govern what you cannot see. Compliance without observability is a policy document, not a control.

Beyond these principles, the practical steps are:

• Map your existing SOC 2 and ISO 27001 controls to the OWASP ASI risk categories and document the gaps explicitly

• Build an AI agent inventory — every agent, every tool it can access, every external service it connects to

• Define and document an AI acceptable use policy that covers agent behavior, not just human use of AI tools

• Establish AI failure response plans for the three most likely incident types: goal hijack, tool misuse, and cascading failure

• Add agent-specific questions to your vendor security reviews — if your product relies on third-party AI components, your customers will ask about them

The compliance posture that will unlock AI enterprise deals in 2026 is not just SOC 2. It is SOC 2, plus documented AI-specific controls, plus evidence that you have thought through the risks that OWASP has now named and numbered.