Compliance · May 21, 2026
OWASP Just Named the Controls. We Built Them.
In December 2025, the OWASP Gen AI Security Project published the Top 10 for Agentic Applications. It is the most consequential external validation of the agentic authorization category to date. Half the document is Permission Protocol's product, written in OWASP's vocabulary. We thought it was worth saying so out loud.
The framework
The OWASP Agentic Top 10 identifies ten security risks specific to autonomous AI agent systems. The codes run from ASI01 to ASI10 and cover goal hijack, tool misuse, identity abuse, supply chain compromise, code execution, memory poisoning, inter-agent communication, cascading failures, human-agent trust exploitation, and rogue agents. The project was led by John Sotiropoulos at Deep Cyber, Keren Katz at Tenable, and Ron F. Del Rosario at SAP, with an expert review board including NIST, Microsoft AI Red Team, the Alan Turing Institute, Exabeam, Oracle, and Zenity.
We mention the contributor list because it matters. This document is not a vendor pitch dressed up as a standard. It is a working consensus from security practitioners across the industry on what good looks like for agent governance.
What OWASP actually called for
Read past the headlines and look at the mitigations. The recurring vocabulary across the ten risks:
- Signed intent envelopes binding the agent's declared goal to the action it actually takes (ASI01).
- Action-level authentication and approval with pre-execution diff previews and immutable invocation logs (ASI02).
- Per-action authorization and human-in-the-loop for privilege escalation (ASI03).
- Human approval for elevated runs on any path touching production code execution (ASI05).
- Tamper-evident, time-stamped logs bound to cryptographic agent identities, with explicit non-repudiation (ASI08).
- Multi-step approval and immutable, tamper-proof logs of queries and actions (ASI09).
- Signed audit logs naming the human who authorized reintegration of a drifted agent (ASI10).
These are not aspirational. They are the listed mitigations on a public standards document. They describe Permission Protocol.
PP's honest coverage
We are not going to claim 10 of 10. Other vendors will. We claim direct coverage of the six risks where named-human signers and tamper-evident receipts are explicitly the listed control:
- ASI02 — Tool Misuse and Exploitation
- ASI03 — Identity and Privilege Abuse
- ASI05 — Unexpected Code Execution
- ASI08 — Cascading Failures
- ASI09 — Human-Agent Trust Exploitation
- ASI10 — Rogue Agents
Plus partial coverage on three more (ASI01, ASI04, ASI06) where we contribute a piece, and ASI07 which pairs with the identity and protocol layer. The full per-risk mapping is on the compliance page.
Where deterministic policy engines fit
Microsoft's Agent Governance Toolkit claims 10/10 coverage as a deterministic policy engine. That is fair on its own terms. AGT decides what an agent can do, in software, at sub-millisecond latency. It is excellent at routine allow/deny.
What AGT does not do — and OWASP's mitigations explicitly require — is name a human signer or produce a legally durable receipt. The Merkle-chained audit log is tamper-evident, but it does not answer the regulator's actual question: who specifically authorized this action?
The clean line:
Policy engines decide what an agent can do. Permission Protocol records who said it could.
Mature agentic stacks need both. The two compose. They cover different halves of the same OWASP framework. Read the full AGT vs Permission Protocol comparison for the technical breakdown.
Why the receipt is the artifact
The OWASP document is written for security teams and platform builders. The Chief Compliance Officer, the CFO, and the external auditor speak a different language. They do not read tamper-evident Merkle logs. They read receipts.
A Permission Protocol receipt names the human who signed (or the policy clause that auto-approved), the action taken, the resource affected, the policy applied, the evidence consulted, and the time to the millisecond. It is cryptographically signed, retained for years, and exportable to any audit pipeline.
When an examiner asks “show me who approved this agent's action”, the receipt is the answer. The OWASP framework is the structure. PP is what fills it.
What this means for buyers
If your team is shipping agents into production this year, the OWASP Agentic Top 10 is the checklist your security review board is about to ask for. The good news: the controls have been built. The work is integration, not invention. Single-tenant evaluations stand up in under a week.
We are also building toward broader contributor engagement with the OWASP Agentic Security Initiative. If you work on agent governance and want to compare notes on receipt format specifications, we want to hear from you.
Source: OWASP Gen AI Security Project, Agentic Security Initiative. OWASP Top 10 for Agentic Applications 2026. Published December 2025. genai.owasp.org/llm-top-10