Compliance · June 15, 2026
OWASP Agentic Top 10: Practical Mitigations for Each Risk
The OWASP Agentic Top 10 (ASI01–ASI10, published December 2025) splits into two halves: deterministic-policy controls (allow/deny rules, identity, and sandboxing) and human-approval / named-signer controls for the consequential decisions. The practical mitigation for the consequential half is per-action human approval routed to a named signer, backed by tamper-evident receipts that record who approved what, when, and under which policy. Below is the mitigation for each of the ten risks.
Definition: what the OWASP Agentic Top 10 is
The OWASP Agentic Top 10 (formally the OWASP Top 10 for Agentic Applications, codes ASI01–ASI10) is a risk framework published in December 2025 by the OWASP Gen AI Security Project's Agentic Security Initiative. It catalogs the ten highest-priority security risks specific to autonomous AI agents and recommends mitigations for each. The recommended mitigations fall into two halves: deterministic policy enforcement (rules a machine evaluates) and human-approval / named-signer controls (decisions a person must own, with a durable record).
The two halves, and why they matter
Most of the OWASP mitigations name two distinct mechanisms side by side: a policy engine that decides allow/deny in software, and a human gate for the actions that are consequential, irreversible, or trust-sensitive. They are not interchangeable. A policy engine is the right place for high-volume, deterministic decisions at sub-millisecond latency. A named-signer approval is the right place for the action that, if wrong, ends up in an incident report or in front of a regulator, because only a named human decision, captured as a tamper-evident receipt, gives you non-repudiation. The mistake is treating the whole framework as one or the other.
Mitigations by coverage type: ASI01–ASI10
| Code | Risk | Primary practical mitigation | Coverage type |
|---|---|---|---|
| ASI01 | Agent Goal Hijack | Signed intent envelopes; confirm out-of-envelope actions | Partial |
| ASI02 | Tool Misuse & Exploitation | Per-action approval on destructive ops; signed receipts | Direct |
| ASI03 | Identity & Privilege Abuse | Per-action authorization; human gate on escalation | Direct |
| ASI04 | Agentic Supply Chain Vulnerabilities | Signed manifests; receipt links manifest/tool versions | Partial |
| ASI05 | Unexpected Code Execution (RCE) | Human approval on elevated runs; versioned allowlists | Direct |
| ASI06 | Memory & Context Poisoning | Human review on high-risk actions; rollback/quarantine | Partial |
| ASI07 | Insecure Inter-Agent Communication | Signed agent cards, mTLS/PKI; gate the resulting action | Paired |
| ASI08 | Cascading Failures | Human gates; tamper-evident, time-stamped receipts | Direct |
| ASI09 | Human-Agent Trust Exploitation | Multi-step explicit approval; immutable signed receipts | Direct |
| ASI10 | Rogue Agents | Signed audit logs; re-approval on attestation drift | Direct |
Coverage type here reflects how a human-approval / named-signer layer such as Permission Protocol maps to each risk: six direct, three partial, one paired. “Direct” means per-action approval and receipts are the primary mitigation; “partial” means human approval contributes one piece alongside a policy or provenance control; “paired” means the risk belongs to the identity / protocol layer and the approval gate composes with it. For the full risk-by-risk mapping, see the OWASP Agentic Top 10 mapping.
The six direct risks: per-action approval + receipts
For ASI02, ASI03, ASI05, ASI08, ASI09, and ASI10 the OWASP mitigations converge on the same pattern, action-level authentication and approval, explicit human confirmation for consequential actions, and immutable, time-stamped logs. The practical implementation is a single choke point that, on any consequential action, routes to a named human signer and emits a receipt:
- ASI02 Tool Misuse. Gate every wrapped tool call; escalate destructive operations to a named signer with a diff/dry-run preview. The receipt records the tool, parameters, signer, and policy applied.
- ASI03 Identity & Privilege Abuse. Make per-action authorization the default and route every privilege escalation to a human. The receipt records the signer identity and the intent the action was bound to.
- ASI05 Unexpected Code Execution. Require a named human approval before any elevated-permission code path runs; keep allowlists under version control. The receipt records the approver and the diff.
- ASI08 Cascading Failures. Put human gates on cross-agent consequential actions and bind tamper-evident, millisecond-stamped receipts to both the human and the originating agent, so lineage is reconstructable after an incident.
- ASI09 Human-Agent Trust Exploitation. Use multi-step explicit confirmation with hard policy gates the agent cannot social-engineer past; sign and immutably record every approval.
- ASI10 Rogue Agents. Treat every receipt as a signed audit log and require fresh human re-approval on attestation drift, a drifted agent cannot transact until a named human signs off, and the receipt records that re-attestation.
The partial and paired risks: compose with policy and identity engines
For ASI01, ASI04, ASI06 (partial) and ASI07 (paired), human approval is one part of the mitigation, not the whole of it:
- ASI01 Agent Goal Hijack. Bind goals and constraints in signed intent envelopes; when a planned action falls outside the envelope, route to a human and bind the signoff to the intent. The envelope itself is a policy-layer construct.
- ASI04 Supply Chain. The core mitigation is signed/attested manifests, prompts, and tool definitions validated at runtime; a receipt contributes provenance by capturing the manifest hash and tool-definition version active at approval time.
- ASI06 Memory & Context Poisoning. Detection and quarantine of poisoned memory is a data/policy concern; the human-approval layer adds a review gate when poisoned context drives a high-risk action, and ties rollback to the authorizing receipt.
- ASI07 Inter-Agent Communication. This belongs to the identity and protocol layer, signed agent cards, PKI attestation, mTLS. The approval gate pairs with it: a verified message that triggers a consequential action still clears the gate, and the receipt links to the originating agent's verified identity. See how the controls map to the named-signer layer.
Common mistakes
- Claiming 10/10 from one tool. The framework spans two different mechanisms. A single product that says it covers all ten is either overclaiming or quietly redefining what the controls require.
- Treating it as only a deterministic-policy problem. Allow/deny rules cannot produce a named human decision. Missing the named-signer half leaves the consequential, irreversible actions without an owner or a record.
- No audit artifact for the human-decision risks. A green checkbox or a dismissible review thread is not non-repudiable. The human-oversight mitigations require a durable, exportable receipt naming the signer, action, time, and policy.
Frequently asked questions
What is the OWASP Agentic Top 10?
It is the OWASP Top 10 for Agentic Applications (ASI01–ASI10), a risk framework published in December 2025 by the OWASP Gen AI Security Project's Agentic Security Initiative. It catalogs the ten highest-priority security risks for autonomous AI agents and recommends mitigations for each. Those mitigations fall into two halves: deterministic policy enforcement and human-approval / named-signer controls.
How do you mitigate the OWASP agentic risks that require human oversight?
For the consequential risks (ASI02, ASI03, ASI05, ASI08, ASI09, and ASI10) the practical mitigation is per-action human approval routed to a named signer, plus a tamper-evident receipt of who approved what, when, and under which policy. The approval must be fail-closed and the receipt must be exportable so it survives as audit evidence. A standard code review or green checkbox is not a durable, non-repudiable record.
Can one tool cover all 10 OWASP agentic risks?
No. The framework splits into two halves mitigated by different mechanisms: deterministic policy, identity, and sandboxing on one side; human-approval / named-signer receipts on the other. A policy engine handles high-volume allow/deny at sub-millisecond latency but cannot produce a named human decision; a human-approval layer produces the legally defensible receipt but is not the place for every micro-decision. They compose, be wary of any single tool claiming 10/10.
Source: OWASP Gen AI Security Project, Agentic Security Initiative. OWASP Top 10 for Agentic Applications. Published December 2025. genai.owasp.org/llm-top-10.
Last updated: June 15, 2026. Permission Protocol is the external authorization layer for AI agent actions, per-action human approval and tamper-evident receipts. For Permission Protocol's position on the framework, see OWASP Just Named the Controls. We Built Them.