PERMISSION/PROTOCOL

Compliance · June 15, 2026

OWASP Agentic Top 10: Practical Mitigations for Each Risk

The OWASP Agentic Top 10 (ASI01–ASI10, published December 2025) splits into two halves: deterministic-policy controls (allow/deny rules, identity, and sandboxing) and human-approval / named-signer controls for the consequential decisions. The practical mitigation for the consequential half is per-action human approval routed to a named signer, backed by tamper-evident receipts that record who approved what, when, and under which policy. Below is the mitigation for each of the ten risks.

Definition: what the OWASP Agentic Top 10 is

The OWASP Agentic Top 10 (formally the OWASP Top 10 for Agentic Applications, codes ASI01–ASI10) is a risk framework published in December 2025 by the OWASP Gen AI Security Project's Agentic Security Initiative. It catalogs the ten highest-priority security risks specific to autonomous AI agents and recommends mitigations for each. The recommended mitigations fall into two halves: deterministic policy enforcement (rules a machine evaluates) and human-approval / named-signer controls (decisions a person must own, with a durable record).

The two halves, and why they matter

Most of the OWASP mitigations name two distinct mechanisms side by side: a policy engine that decides allow/deny in software, and a human gate for the actions that are consequential, irreversible, or trust-sensitive. They are not interchangeable. A policy engine is the right place for high-volume, deterministic decisions at sub-millisecond latency. A named-signer approval is the right place for the action that, if wrong, ends up in an incident report or in front of a regulator, because only a named human decision, captured as a tamper-evident receipt, gives you non-repudiation. The mistake is treating the whole framework as one or the other.

Mitigations by coverage type: ASI01–ASI10

CodeRiskPrimary practical mitigationCoverage type
ASI01Agent Goal HijackSigned intent envelopes; confirm out-of-envelope actionsPartial
ASI02Tool Misuse & ExploitationPer-action approval on destructive ops; signed receiptsDirect
ASI03Identity & Privilege AbusePer-action authorization; human gate on escalationDirect
ASI04Agentic Supply Chain VulnerabilitiesSigned manifests; receipt links manifest/tool versionsPartial
ASI05Unexpected Code Execution (RCE)Human approval on elevated runs; versioned allowlistsDirect
ASI06Memory & Context PoisoningHuman review on high-risk actions; rollback/quarantinePartial
ASI07Insecure Inter-Agent CommunicationSigned agent cards, mTLS/PKI; gate the resulting actionPaired
ASI08Cascading FailuresHuman gates; tamper-evident, time-stamped receiptsDirect
ASI09Human-Agent Trust ExploitationMulti-step explicit approval; immutable signed receiptsDirect
ASI10Rogue AgentsSigned audit logs; re-approval on attestation driftDirect

Coverage type here reflects how a human-approval / named-signer layer such as Permission Protocol maps to each risk: six direct, three partial, one paired. “Direct” means per-action approval and receipts are the primary mitigation; “partial” means human approval contributes one piece alongside a policy or provenance control; “paired” means the risk belongs to the identity / protocol layer and the approval gate composes with it. For the full risk-by-risk mapping, see the OWASP Agentic Top 10 mapping.

The six direct risks: per-action approval + receipts

For ASI02, ASI03, ASI05, ASI08, ASI09, and ASI10 the OWASP mitigations converge on the same pattern, action-level authentication and approval, explicit human confirmation for consequential actions, and immutable, time-stamped logs. The practical implementation is a single choke point that, on any consequential action, routes to a named human signer and emits a receipt:

  • ASI02 Tool Misuse. Gate every wrapped tool call; escalate destructive operations to a named signer with a diff/dry-run preview. The receipt records the tool, parameters, signer, and policy applied.
  • ASI03 Identity & Privilege Abuse. Make per-action authorization the default and route every privilege escalation to a human. The receipt records the signer identity and the intent the action was bound to.
  • ASI05 Unexpected Code Execution. Require a named human approval before any elevated-permission code path runs; keep allowlists under version control. The receipt records the approver and the diff.
  • ASI08 Cascading Failures. Put human gates on cross-agent consequential actions and bind tamper-evident, millisecond-stamped receipts to both the human and the originating agent, so lineage is reconstructable after an incident.
  • ASI09 Human-Agent Trust Exploitation. Use multi-step explicit confirmation with hard policy gates the agent cannot social-engineer past; sign and immutably record every approval.
  • ASI10 Rogue Agents. Treat every receipt as a signed audit log and require fresh human re-approval on attestation drift, a drifted agent cannot transact until a named human signs off, and the receipt records that re-attestation.

The partial and paired risks: compose with policy and identity engines

For ASI01, ASI04, ASI06 (partial) and ASI07 (paired), human approval is one part of the mitigation, not the whole of it:

  • ASI01 Agent Goal Hijack. Bind goals and constraints in signed intent envelopes; when a planned action falls outside the envelope, route to a human and bind the signoff to the intent. The envelope itself is a policy-layer construct.
  • ASI04 Supply Chain. The core mitigation is signed/attested manifests, prompts, and tool definitions validated at runtime; a receipt contributes provenance by capturing the manifest hash and tool-definition version active at approval time.
  • ASI06 Memory & Context Poisoning. Detection and quarantine of poisoned memory is a data/policy concern; the human-approval layer adds a review gate when poisoned context drives a high-risk action, and ties rollback to the authorizing receipt.
  • ASI07 Inter-Agent Communication. This belongs to the identity and protocol layer, signed agent cards, PKI attestation, mTLS. The approval gate pairs with it: a verified message that triggers a consequential action still clears the gate, and the receipt links to the originating agent's verified identity. See how the controls map to the named-signer layer.

Common mistakes

  • Claiming 10/10 from one tool. The framework spans two different mechanisms. A single product that says it covers all ten is either overclaiming or quietly redefining what the controls require.
  • Treating it as only a deterministic-policy problem. Allow/deny rules cannot produce a named human decision. Missing the named-signer half leaves the consequential, irreversible actions without an owner or a record.
  • No audit artifact for the human-decision risks. A green checkbox or a dismissible review thread is not non-repudiable. The human-oversight mitigations require a durable, exportable receipt naming the signer, action, time, and policy.

Frequently asked questions

What is the OWASP Agentic Top 10?

It is the OWASP Top 10 for Agentic Applications (ASI01–ASI10), a risk framework published in December 2025 by the OWASP Gen AI Security Project's Agentic Security Initiative. It catalogs the ten highest-priority security risks for autonomous AI agents and recommends mitigations for each. Those mitigations fall into two halves: deterministic policy enforcement and human-approval / named-signer controls.

How do you mitigate the OWASP agentic risks that require human oversight?

For the consequential risks (ASI02, ASI03, ASI05, ASI08, ASI09, and ASI10) the practical mitigation is per-action human approval routed to a named signer, plus a tamper-evident receipt of who approved what, when, and under which policy. The approval must be fail-closed and the receipt must be exportable so it survives as audit evidence. A standard code review or green checkbox is not a durable, non-repudiable record.

Can one tool cover all 10 OWASP agentic risks?

No. The framework splits into two halves mitigated by different mechanisms: deterministic policy, identity, and sandboxing on one side; human-approval / named-signer receipts on the other. A policy engine handles high-volume allow/deny at sub-millisecond latency but cannot produce a named human decision; a human-approval layer produces the legally defensible receipt but is not the place for every micro-decision. They compose, be wary of any single tool claiming 10/10.


Source: OWASP Gen AI Security Project, Agentic Security Initiative. OWASP Top 10 for Agentic Applications. Published December 2025. genai.owasp.org/llm-top-10.

Last updated: June 15, 2026. Permission Protocol is the external authorization layer for AI agent actions, per-action human approval and tamper-evident receipts. For Permission Protocol's position on the framework, see OWASP Just Named the Controls. We Built Them.