The OWASP GenAI Security Project released the Top 10 for Agentic Applications in December 2025. The list is the new threat model for AI agents and Model Context Protocol (MCP) servers — the architecture pattern that has become dominant for AI tool use during 2025-2026.
The OWASP LLM Top 10 addresses risks in LLM applications. Agentic applications add three categories of risk that the LLM list covers incompletely: tool use (the agent can take actions in the world, not just produce text), multi-step reasoning (the agent makes decisions over many turns, where a single prompt-injection can compound), and inter-agent communication (agents talking to other agents through standardized protocols like MCP).
The agentic threat surface is also growing fast. Per Kiteworks’ 2026 research, 67% of organizations are now adopting some form of agentic AI. Anthropic’s Model Context Protocol has become the de facto interface for agents calling tools. Security teams need a threat model designed for this surface.
We summarize the OWASP Top 10 for Agentic Applications 2026 below in plain language. The official list, full risk descriptions, and the project’s reference architecture are at the OWASP source: genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/. Buyers should treat that page as canonical and use this guide as orientation.
Mitigations: Memory partitioning by trust level, periodic memory audits, cryptographic integrity for stored agent memory, anomaly detection on memory writes.
Mitigations: Least-privilege tool design, per-action authorization, scoped tokens, human-in-the-loop for high-impact actions, runtime guardrails (Lakera, Lasso) that inspect the tool-call sequence.
Mitigations: Approval gates for state-changing actions, recursion bounds and step budgets, runtime monitors that pause the agent on policy boundary crossings.
Agents act on behalf of users, but the authorization model often does not flow correctly through to downstream tools. The agent’s token is too broad, the user’s identity is dropped, the audit log loses the human → agent → tool chain.
Mitigations: On-behalf-of token flows, identity propagation through the tool chain, audit logging that records the human, the agent, the prompt, and the resulting actions; identity-aware proxies for tool calls.
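The following is an added example (not OWASP's or any vendor's code) of the controls listed for tool misuse and identity above: a small gateway that checks each tool call against a per-agent least-privilege scope, holds state-changing tools for human approval, forwards the human identity to the tool on-behalf-of, and writes one structured audit record per decision that keeps the human, agent, tool and trace id together. `ToolScope`, `ToolRequest` and `ToolGateway` are hypothetical names chosen for the illustration.

```python
"""Identity-propagating tool-call gateway (added example, not OWASP's or any vendor's
code). Every call carries the human principal, agent id and trace id and is checked
against a per-agent scope before it reaches the tool."""
import json
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

@dataclass
class ToolScope:
    """Least-privilege grant for one agent: tools it may call, and the subset that
    changes state and therefore needs a human approval first."""
    allowed: frozenset
    needs_approval: frozenset

@dataclass
class ToolRequest:
    human: str                 # the user the agent acts on behalf of
    agent: str
    tool: str
    args: dict
    trace_id: str = field(default_factory=lambda: uuid.uuid4().hex)
    approved_by: Optional[str] = None   # filled in by a human-in-the-loop step

class ToolGateway:
    def __init__(self, scopes: dict, tools: dict):
        self.scopes = scopes          # agent id -> ToolScope
        self.tools = tools            # tool name -> callable(human, **args)
        self.audit: list = []         # one structured record per decision

    def call(self, req: ToolRequest):
        scope = self.scopes.get(req.agent)
        if scope is None or req.tool not in scope.allowed:
            return self._record(req, "denied", "tool outside agent scope")
        if req.tool in scope.needs_approval and req.approved_by is None:
            return self._record(req, "pending_approval", "state-changing tool")
        # Forward the human identity (on-behalf-of) so the downstream system
        # applies the user's own permissions rather than the agent's broad ones.
        result = self.tools[req.tool](req.human, **req.args)
        return self._record(req, "allowed", result)

    def _record(self, req, decision, detail):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "trace_id": req.trace_id,
                 "human": req.human, "agent": req.agent, "tool": req.tool, "args": req.args,
                 "approved_by": req.approved_by, "decision": decision, "detail": str(detail)}
        self.audit.append(entry)
        print(json.dumps(entry))      # JSON line per decision, straight into a SIEM
        return decision, detail
```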
Agents talk to other agents. A compromised or malicious agent can manipulate another agent’s behavior through MCP traffic, shared memory, or coordination protocols.
Mitigations: Trust boundaries between agents, signing of inter-agent messages, MCP gateways (Harmonic) that inspect and control inter-agent traffic, segmentation by trust level.
MCP servers are software, often third-party, often pulled from package registries. Compromise of an MCP server is compromise of every agent that uses
Mitigations: Provenance verification for MCP servers, signed MCP packages, isolation of MCP servers per agent or per tenant, vendor risk assessment for MCP providers.
Agents observe — they read web pages, summarize documents, parse emails, query databases. Anything an agent observes can contain instructions intended to override its goals.
Mitigations: Defensive observation patterns (treat all observed content as untrusted input), classification of observed content for instruction-like payloads, runtime defenses, output sanitization before passing observations into the agent’s context.
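One way to implement the defensive observation pattern, as an added example that is not part of the original page or any vendor's product: every observed document is scored for instruction-like payloads with a small heuristic pattern set, stripped of control characters, capped in size, and rendered into the context window as a delimited block labelled with its provenance and trust level. The pattern list, the `quarantine()` and `render()` functions and the `<observation>` delimiter are assumptions made for the illustration; the score is a detection signal for alerting and review, not a guarantee.

```python
"""Observation quarantine (added example, not OWASP's or any vendor's code).
Every observed document passes through quarantine() before it reaches the agent's
context: it is scored for instruction-like payloads and rendered as labelled,
untrusted data rather than as a message from the operator."""
import re
from dataclasses import dataclass

# Heuristic patterns for text that addresses the agent instead of informing it.
INSTRUCTION_PATTERNS = [
    r"\bignore (all |any |the |your )?(previous|prior|above) (instructions|rules)\b",
    r"\b(you are now|act as|pretend to be) (a|an|the)\b",
    r"\b(system|developer) prompt\b",
    r"\b(do not|don't) (tell|inform|mention)\b",
    r"\b(send|forward|email|post) .{0,40}\b(password|token|secret|api key)\b",
    r"\bassistant:|\bsystem:|\[inst\]|<\|im_start\|>",
]
_COMPILED = [re.compile(p, re.IGNORECASE) for p in INSTRUCTION_PATTERNS]

@dataclass
class Observation:
    source: str       # provenance, e.g. "web:example.test" or "email:inbox"
    text: str
    flags: list       # patterns that matched; empty means nothing found
    trust: str        # always "untrusted": observations never become instructions

def score(text: str) -> list:
    """Return the patterns that matched. Use it to alert or to route the
    observation for review; a clean score is not proof of a clean document."""
    return [p.pattern for p in _COMPILED if p.search(text)]

def quarantine(source: str, raw: str, max_chars: int = 4000) -> Observation:
    # Drop control characters that can hide text or fake message boundaries,
    # and cap the size so a huge page cannot crowd out the real task context.
    cleaned = re.sub(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]", "", raw)[:max_chars]
    return Observation(source, cleaned, score(cleaned), "untrusted")

def render(obs: Observation) -> str:
    """Context-window form: a delimited data block carrying provenance and flag
    count, with any closing-delimiter look-alike in the body escaped."""
    body = obs.text.replace("</observation>", "&lt;/observation&gt;")
    return (f'<observation source="{obs.source}" trust="{obs.trust}" '
            f'flags="{len(obs.flags)}">\n{body}\n</observation>')
```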
Agents can spend money. Loops, expensive tool calls, runaway recursion produce real bills. Adversarial cost-amplification is the agentic version of denial-of-wallet.
Mitigations: Per-agent and per-task budgets, step budgets enforced by the runtime, alerting on cost anomalies, halt-on-budget-breach by default.
Agents pursue what is specified, not what is intended. Adversarial users craft goals that look reasonable but produce misaligned behavior; non-adversarial users specify goals incorrectly. Both produce damaging outcomes.
Mitigations: Specification review, intent classification at task assignment, monitoring for goal drift over multi-step tasks, post-hoc audit of agent decision chains.
Agents are harder to debug than chat applications. Multi-step reasoning produces decision trees that are not adequately captured by traditional application logs. Without observability, incident response on an agent is forensics in the dark.
Mitigations: Structured logging of every tool call, decision, and observation; replay capability for agent runs; trace IDs that follow a single task across multiple agents and tools; integration with traditional SIEMs.
Anthropic’s Model Context Protocol has become the dominant interface for agents to call tools. MCP servers expose tools — file access, web search, database queries, third-party APIs — to MCP-aware agents. The protocol is open, the ecosystem is growing, and the security implications track every entry on this list.
Tools that operate at the MCP layer — Harmonic Security’s MCP Gateway, Lakera’s AI Agent Security module — are the natural enforcement point for several Top 10 risks. Buyers building agentic AI in 2026 should evaluate at least one product with explicit MCP coverage.
Ask each AI security vendor which agentic Top 10 risks their product addresses. Many will claim coverage; few have a structured story for memory poisoning, multi-agent collusion, and MCP supply chain.
Use the Top 10 as a checklist when reviewing agentic application designs internally. The risks map well onto threat-modeling exercises.
Lakera's red-teaming module covers a substantial subset of the agentic Top 10; commission engagements that explicitly cover this list, not just the LLM Top 10.
There are three structural differences from non-agentic LLM applications.
Agents can take actions in the world: call APIs, write to databases, send emails, modify files. The blast radius of a successful prompt injection is bounded by what the agent's tools can do. Tool design is now a security control, not just a product feature.
Agents make decisions over many turns. A single adversarial input can compound across turns — an early prompt-injection that biases the agent's plan, an early tool call that produces output the agent then uses as context, an early observation that the agent treats as instruction. Multi-step reasoning multiplies the prompt-injection attack surface.
Agents talk to other agents, often through standardized protocols like Anthropic's Model Context Protocol (MCP). Trust assumptions between agents are easy to get wrong; a compromised or malicious agent can manipulate other agents through shared memory, MCP traffic, or coordination protocols.

These three properties together produce a threat model that the LLM Top 10 covers incompletely. The Agentic Top 10 fills the gap.
Give the agent the minimum capability required for the task. A read-only database role for a summarization agent. A scoped API token for an integration agent. Capability minimization is the most reliable agentic-security control.
Human-in-the-loop for actions that change state — sending email, writing to a database, modifying a configuration. The friction is the point.
Treat all observed content (web pages, documents, emails, customer messages) as untrusted input. Classify observations for instruction-like payloads before passing them into the agent's context.
Bound the number of steps the agent can take before requiring re-authorization. Bound recursion depth. Bound total cost.
Memory written by one user, one task, or one trust level should not flow into a different user, task, or trust level without explicit policy.
Trace IDs that follow a single task across multiple agents and tools. Structured logs of every observation, decision, and tool call. Replay capability for incident response.
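The budget, memory-partitioning and cost controls in the list above (and the cost-amplification and uncontrolled-autonomy mitigations earlier on the page), as an added example that is not part of the original page or any vendor's product: a task runs under a step budget, a dollar cost budget and a recursion bound, halts on the first breach so that a human must re-authorize, and its memory is keyed by (principal, task, trust level) so a read across partitions succeeds only when an explicit policy entry allows that flow. `Budget`, `PartitionedMemory` and `run_task` are hypothetical names chosen for the illustration.

```python
"""Bounded agent runtime with partitioned memory (added example, not OWASP's or any
vendor's code). A task has step, cost and recursion bounds; breaching any halts it by
default, and memory is keyed by (principal, task, trust) with explicit flow policy."""
from dataclasses import dataclass

class BudgetBreach(RuntimeError):
    """Raised to halt the agent; a human must re-authorize before it continues."""

@dataclass
class Budget:
    max_steps: int
    max_cost_usd: float
    max_depth: int
    steps: int = 0
    cost_usd: float = 0.0

    def charge(self, cost_usd: float, depth: int) -> None:
        self.steps += 1
        self.cost_usd += cost_usd
        if self.steps > self.max_steps:
            raise BudgetBreach(f"step budget {self.max_steps} exceeded")
        if self.cost_usd > self.max_cost_usd:
            raise BudgetBreach(f"cost budget ${self.max_cost_usd:.2f} exceeded")
        if depth > self.max_depth:
            raise BudgetBreach(f"recursion depth {self.max_depth} exceeded")

class PartitionedMemory:
    """Keys are (principal, task, trust). Reading from another partition works
    only when the (source, destination) pair is in the allowed-flow policy."""
    def __init__(self, allowed_flows=()):
        self._store = {}
        self._allowed = set(allowed_flows)

    def write(self, principal, task, trust, key, value):
        self._store.setdefault((principal, task, trust), {})[key] = value

    def read(self, principal, task, trust, key, source_partition=None):
        src = source_partition or (principal, task, trust)
        dst = (principal, task, trust)
        if src != dst and (src, dst) not in self._allowed:
            raise PermissionError(f"no policy allows memory flow {src} -> {dst}")
        return self._store.get(src, {}).get(key)

def run_task(budget: Budget, actions):
    """actions: iterable of (cost_usd, depth, fn); stops at the first breach."""
    results = []
    for cost, depth, fn in actions:
        budget.charge(cost, depth)        # halt-on-breach before the action runs
        results.append(fn())
    return results
```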
Model Context Protocol is the standard protocol for an AI agent to call tools. MCP servers expose tools — file access, web search, database queries, third-party APIs — to MCP-aware agents. The protocol is open, the ecosystem is growing, and the security implications track every entry on the agentic Top 10.
The natural enforcement point for MCP traffic is a gateway. Harmonic Security’s MCP Gateway is the most mature commercial implementation we have seen. The gateway pattern lets a security team inspect, log, and enforce policy on MCP traffic at a single chokepoint, rather than instrumenting every agent and every MCP server individually. Buyers building agentic AI in 2026 should evaluate at least one product with explicit MCP gateway coverage.