We do not claim 10/10. We claim direct coverage of the six risks that explicitly require named-human signers and immutable receipts. The other four pair with policy and identity layers.
ASI01
Agent Goal Hijack
PartialAttackers manipulate agent objectives via prompt injection, deceptive tool outputs, or poisoned external data.
OWASP mitigation
Require confirmation via human approval, policy engine, or platform guardrails. Bind goals and constraints in a signed intent envelope.
Permission Protocol control
When a planned action falls outside the signed intent envelope, Permission Protocol routes to a named human signer. The signoff and underlying intent are bound together in the receipt.
ASI02
Tool Misuse & Exploitation
DirectAgents misuse legitimate tools due to prompt injection, unsafe delegation, or ambiguous instructions.
OWASP mitigation
Action-level authentication and approval. Human confirmation for destructive actions. Pre-execution dry-run and diff previews. Immutable logs of tool invocations.
Permission Protocol control
Every wrapped tool call is gated. Destructive operations escalate to a named signer with diff preview. The receipt records the tool, the parameters, the signer, and the policy applied. Immutable by design.
ASI03
Identity & Privilege Abuse
DirectExploitation of dynamic trust/delegation chains, role inheritance, or cached credentials to escalate access.
OWASP mitigation
Mandate per-action authorization. Apply human-in-the-loop for privilege escalation. OAuth tokens bound to signed intent (subject, audience, purpose, session). Re-authentication on context switch.
Permission Protocol control
Per-action authorization is the core Permission Protocol primitive. Privilege escalations always route to a human signer. Receipts include the signer identity, the authority chain, and the intent the action was bound to.
ASI04
Agentic Supply Chain Vulnerabilities
PartialCompromised models, tools, MCP/A2A interfaces, registries, plug-ins, or runtime-loaded components introduce malicious behavior.
OWASP mitigation
Signed and attested manifests, prompts, and tool definitions. Continuous validation at runtime.
Permission Protocol control
Receipts capture and link to the manifest hash and tool-definition version active at the moment of approval, providing provenance evidence at the action layer.
ASI05
Unexpected Code Execution (RCE)
DirectPrompt injection, unsafe eval, deserialization, or tool chaining results in arbitrary host or container code execution.
OWASP mitigation
Human approval required for elevated runs. Allowlists under version control.
Permission Protocol control
Elevated-permission code paths require a named human approval before execution. The receipt records the approver, the diff, and the policy that classified the action as elevated.
ASI06
Memory & Context Poisoning
PartialAdversaries corrupt stored or retrievable context to bias future reasoning across sessions.
OWASP mitigation
Human review for high-risk actions. Rollback and quarantine support.
Permission Protocol control
When an agent's memory or RAG context drives a high-risk action, Permission Protocol gates the action for human review. Rollback signals can be tied to the receipt that authorized the original action.
ASI07
Insecure Inter-Agent Communication
PairsWeak authentication or integrity in agent-to-agent messaging enables interception, spoofing, replay, or semantic manipulation.
OWASP mitigation
Signed agent cards, PKI-backed attestation, mTLS, continuous verification.
Permission Protocol control
This belongs to the identity and protocol layer (Microsoft AGT, SPIFFE/SVID, similar). Permission Protocol composes with those — a verified inter-agent message that triggers a consequential action still must clear PP before execution, and the receipt links to the verified identity of the originating agent.
ASI08
Cascading Failures
DirectA single fault (hallucination, poisoned input, corrupted tool) propagates across autonomous agents into system-wide harm.
OWASP mitigation
Output validation and human gates. Tamper-evident, time-stamped logs bound to cryptographic agent identities. Lineage metadata for forensic traceability and non-repudiation.
Permission Protocol control
Human gates on cross-agent consequential actions. Receipts are tamper-evident, time-stamped to the millisecond, and bound to both the signing human and the originating agent. Lineage across the receipt chain provides forensic reconstruction. Non-repudiation by design.
ASI09
Human-Agent Trust Exploitation
DirectAdversaries exploit user over-reliance, anthropomorphism, fake explainability, or authority bias to bypass oversight.
OWASP mitigation
Explicit confirmations and multi-step approval. Immutable, tamper-proof logs of queries and actions. Content provenance with digital signature validation.
Permission Protocol control
Multi-step approval workflows where consequential actions require explicit confirmation, with hard policy gates the agent cannot social-engineer past. Every approval is cryptographically signed and immutably recorded.
ASI10
Rogue Agents
DirectAgents deviate from intended scope, exhibiting goal drift, scheming, collusion, self-replication, or reward hacking.
OWASP mitigation
Signed audit logs. Identity attestation. Signed behavioral manifests. Fresh attestation and human approval before reintegration.
Permission Protocol control
Every receipt is a signed audit log. Behavioral manifests can be bound to PP policy, with re-approval required on attestation drift. A drifted agent cannot transact until a named human signs off — and the receipt records exactly that re-attestation event.