PERMISSION/PROTOCOL

OWASP Agentic Top 10 · December 2025

OWASP just named the controls. We built them.

The OWASP Top 10 for Agentic Applications (2026) defines the ten most critical risks for autonomous AI agents. Permission Protocol directly covers the six risks that require named-human signers and tamper-evident receipts: ASI02, ASI03, ASI05, ASI08, ASI09, ASI10. We partial-cover three more and pair cleanly with policy engines for the rest.

Direct coverage

6 / 10

The six risks where named-human signoff and tamper-evident receipts are the listed mitigation. These are Permission Protocol's core product surface.

Partial coverage

3 / 10

Three risks where Permission Protocol contributes a piece — signed intent envelopes, receipt provenance, or human-review hooks for high-risk derivatives of the underlying threat.

Pairs with

1 / 10

One risk that belongs to the identity and protocol layer. Permission Protocol composes with engines like Microsoft AGT — together you get full framework coverage.

The compliance argument

Policy engines decide what an agent can do. Permission Protocol records who said it could.

OWASP's Agentic Top 10 treats deterministic policy enforcement and named-human approval as distinct controls across multiple risks. Both are required. Neither is sufficient alone. The mitigations under ASI02, ASI03, ASI08, ASI09, and ASI10 explicitly call for “immutable logs,” “non-repudiation,” “multi-step human approval,” and “signed audit logs naming the approver.” That is Permission Protocol's product.

Risk-by-risk mapping

All ten OWASP Agentic risks, mapped honestly.

We do not claim 10/10. We claim direct coverage of the six risks that explicitly require named-human signers and immutable receipts. The other four pair with policy and identity layers.

ASI01

Agent Goal Hijack

Partial

Attackers manipulate agent objectives via prompt injection, deceptive tool outputs, or poisoned external data.

OWASP mitigation

Require confirmation via human approval, policy engine, or platform guardrails. Bind goals and constraints in a signed intent envelope.

Permission Protocol control

When a planned action falls outside the signed intent envelope, Permission Protocol routes to a named human signer. The signoff and underlying intent are bound together in the receipt.

ASI02

Tool Misuse & Exploitation

Direct

Agents misuse legitimate tools due to prompt injection, unsafe delegation, or ambiguous instructions.

OWASP mitigation

Action-level authentication and approval. Human confirmation for destructive actions. Pre-execution dry-run and diff previews. Immutable logs of tool invocations.

Permission Protocol control

Every wrapped tool call is gated. Destructive operations escalate to a named signer with diff preview. The receipt records the tool, the parameters, the signer, and the policy applied. Immutable by design.

ASI03

Identity & Privilege Abuse

Direct

Exploitation of dynamic trust/delegation chains, role inheritance, or cached credentials to escalate access.

OWASP mitigation

Mandate per-action authorization. Apply human-in-the-loop for privilege escalation. OAuth tokens bound to signed intent (subject, audience, purpose, session). Re-authentication on context switch.

Permission Protocol control

Per-action authorization is the core Permission Protocol primitive. Privilege escalations always route to a human signer. Receipts include the signer identity, the authority chain, and the intent the action was bound to.

ASI04

Agentic Supply Chain Vulnerabilities

Partial

Compromised models, tools, MCP/A2A interfaces, registries, plug-ins, or runtime-loaded components introduce malicious behavior.

OWASP mitigation

Signed and attested manifests, prompts, and tool definitions. Continuous validation at runtime.

Permission Protocol control

Receipts capture and link to the manifest hash and tool-definition version active at the moment of approval, providing provenance evidence at the action layer.

ASI05

Unexpected Code Execution (RCE)

Direct

Prompt injection, unsafe eval, deserialization, or tool chaining results in arbitrary host or container code execution.

OWASP mitigation

Human approval required for elevated runs. Allowlists under version control.

Permission Protocol control

Elevated-permission code paths require a named human approval before execution. The receipt records the approver, the diff, and the policy that classified the action as elevated.

ASI06

Memory & Context Poisoning

Partial

Adversaries corrupt stored or retrievable context to bias future reasoning across sessions.

OWASP mitigation

Human review for high-risk actions. Rollback and quarantine support.

Permission Protocol control

When an agent's memory or RAG context drives a high-risk action, Permission Protocol gates the action for human review. Rollback signals can be tied to the receipt that authorized the original action.

ASI07

Insecure Inter-Agent Communication

Pairs

Weak authentication or integrity in agent-to-agent messaging enables interception, spoofing, replay, or semantic manipulation.

OWASP mitigation

Signed agent cards, PKI-backed attestation, mTLS, continuous verification.

Permission Protocol control

This belongs to the identity and protocol layer (Microsoft AGT, SPIFFE/SVID, similar). Permission Protocol composes with those — a verified inter-agent message that triggers a consequential action still must clear PP before execution, and the receipt links to the verified identity of the originating agent.

ASI08

Cascading Failures

Direct

A single fault (hallucination, poisoned input, corrupted tool) propagates across autonomous agents into system-wide harm.

OWASP mitigation

Output validation and human gates. Tamper-evident, time-stamped logs bound to cryptographic agent identities. Lineage metadata for forensic traceability and non-repudiation.

Permission Protocol control

Human gates on cross-agent consequential actions. Receipts are tamper-evident, time-stamped to the millisecond, and bound to both the signing human and the originating agent. Lineage across the receipt chain provides forensic reconstruction. Non-repudiation by design.

ASI09

Human-Agent Trust Exploitation

Direct

Adversaries exploit user over-reliance, anthropomorphism, fake explainability, or authority bias to bypass oversight.

OWASP mitigation

Explicit confirmations and multi-step approval. Immutable, tamper-proof logs of queries and actions. Content provenance with digital signature validation.

Permission Protocol control

Multi-step approval workflows where consequential actions require explicit confirmation, with hard policy gates the agent cannot social-engineer past. Every approval is cryptographically signed and immutably recorded.

ASI10

Rogue Agents

Direct

Agents deviate from intended scope, exhibiting goal drift, scheming, collusion, self-replication, or reward hacking.

OWASP mitigation

Signed audit logs. Identity attestation. Signed behavioral manifests. Fresh attestation and human approval before reintegration.

Permission Protocol control

Every receipt is a signed audit log. Behavioral manifests can be bound to PP policy, with re-approval required on attestation drift. A drifted agent cannot transact until a named human signs off — and the receipt records exactly that re-attestation event.

Composition with Microsoft AGT

A mature agentic stack uses both.

Microsoft Agent Governance Toolkit claims 10/10 OWASP Agentic coverage as a deterministic policy engine. Permission Protocol claims direct coverage of the six risks that require a named human signer and a durable, legally defensible receipt. The two compose:

  • AGT handles routine agent actions in software at sub-millisecond latency. Allow or deny.
  • Permission Protocol handles consequential actions that require a named human signer and produces the receipt the regulator and auditor actually need.

Together: every agent action is governed, with routine decisions at machine speed and consequential decisions on a named human's record. Read more in our AGT vs Permission Protocol comparison.

For the auditor and the CCO

Same controls. Regulator-readable output.

The OWASP Agentic Top 10 is written for security teams and platform builders. The Chief Compliance Officer, the CFO, and the external auditor speak a different language. Permission Protocol's receipts translate OWASP-mapped controls into the artifact those audiences need:

  • A named human signed this action
  • This policy applied
  • This data informed the decision
  • This is when it happened, to the millisecond
  • This is the immutable record

Source

OWASP Gen AI Security Project, Agentic Security Initiative (ASI). OWASP Top 10 for Agentic Applications 2026. Published December 2025. Project leads: John Sotiropoulos (Deep Cyber), Keren Katz (Tenable), Ron F. Del Rosario (SAP). genai.owasp.org

Map this to your AI agent program.

We can walk through how Permission Protocol covers each OWASP Agentic risk in your specific agent stack. Most enterprise evaluations stand up a single-tenant sandbox in under a week.