AI Security & Governance · May 14, 2026 · 6 min read

OWASP's New Top 10: Why AI Agent Security Can't Wait

OWASP's first security framework for autonomous AI agents maps ten real-world attack categories. Here's what it means for any business deploying AI automation.

By SpringVanta

If you're handing real work to AI agents (answering leads, processing intake forms, managing customer workflows), the security conversation just changed. In December 2025, OWASP released the Top 10 for Agentic Applications, the first security framework built specifically for autonomous AI systems. It wasn't a theoretical exercise. Over 100 security researchers, NIST, the European Commission, and the Alan Turing Institute contributed. The framework catalogs ten categories of attack that are already happening in production environments, not in labs. For businesses building or buying AI-powered intake, voice agents, or lead qualification tools, this framework isn't optional reading. It's the map of where your vulnerabilities live.

The Ten Risks That Matter

The OWASP Agentic Top 10 maps threats unique to systems that can plan, decide, and act without constant human supervision:

ID    | Risk                              | What Happens
ASI01 | Agent Goal Hijack                 | An attacker manipulates the agent's objectives through injected instructions hidden in web pages, documents, or emails
ASI02 | Tool Misuse & Exploitation        | The agent is tricked into using its legitimate tools for harmful purposes: deleting data, sending funds, modifying infrastructure
ASI03 | Identity & Privilege Abuse        | Credentials and trust relationships are exploited to escalate access
ASI04 | Supply Chain Vulnerabilities      | Compromised MCP servers, plugins, or external agent tools deliver malicious payloads at runtime
ASI05 | Unexpected Code Execution         | Agents generate or run malicious code because every input they process is a potential attack vector
ASI06 | Memory & Context Poisoning        | An attacker corrupts an agent's long-term memory, influencing every future interaction
ASI07 | Insecure Inter-Agent Communication | Weak authentication between agents in multi-agent systems allows lateral attack movement
ASI08 | Cascading Failures                | A single fault in one agent propagates across connected agent systems
ASI09 | Human-Agent Trust Exploitation    | Users over-rely on agent recommendations, accepting malicious outputs without verification
ASI10 | Rogue Agents                      | Agents deviate from intended behavior due to misalignment, drift, or manipulation

These aren't just language model vulnerabilities. They emerge specifically when AI systems gain autonomy: the ability to act across multiple steps and systems without human oversight at every turn.

Figure: OWASP Top 10 Agentic AI risk categories and enterprise action items

Real Attacks, Not Theory

The framework is grounded in incidents that already occurred:

Amazon Q supply chain compromise (July 2025). A malicious pull request slipped into Amazon Q's codebase and injected instructions to delete cloud resources: terminate EC2 instances, empty S3 buckets, remove IAM users. The extension ran with --trust-all-tools --no-interactive flags, meaning no confirmation prompts. Over a million developers had it installed. Amazon said it wasn't functional during the five days it was live. The industry got lucky.

Claude Desktop RCE vulnerabilities (November 2025). Three remote code execution flaws were found in Anthropic's own official Chrome, iMessage, and Apple Notes extensions for Claude Desktop. All three had unsanitized command injection in AppleScript execution. A user asking "Where can I play paddle in Brooklyn?" could trigger arbitrary code execution if Claude fetched an attacker-controlled web page in its search results. CVSS 8.9 severity.

Malicious MCP server in the wild (September 2025). A package on npm impersonated Postmark's email service. It functioned as a legitimate email MCP server, but every message sent through it was silently BCC'd to an attacker. Any AI agent using it for email operations was unknowingly exfiltrating every message.

Slopsquatting via AI hallucinations. The PhantomRaven investigation uncovered 126 malicious npm packages that exploited a pattern where LLMs hallucinate plausible package names. Developers ask for recommendations, trust the AI's suggestion, install the package, and get malware. Attackers registered the hallucinated names.

Why This Matters for Business Automation

If your organization uses AI agents for intake forms, lead qualification, customer support, document processing, or voice agents, you're already exposed to these categories. The threat isn't theoretical; it's operational. A Cleanlab survey of 1,837 engineering leaders found that only 95 had AI agents in production. Among those, the picture is sobering:

  • 70% of regulated enterprises rebuild their AI agent stack every three months or faster. The infrastructure is unstable by design.
  • Fewer than 1 in 3 teams are satisfied with their observability and guardrail solutions. Reliability is the weakest layer.
  • Only 5% of engineering leaders cite accurate tool calling as a top challenge, a sign that most production systems are still at surface-level maturity.
  • 63% of enterprises plan to improve observability and evaluation in the next year, making it the top investment priority.
  • 42% of regulated enterprises plan to add oversight features like approvals and review controls. The gap between AI agent adoption and security maturity is where breaches happen.

What to Actually Do

The OWASP framework includes detailed mitigations for each category. But for teams deploying AI intake, voice agents, or workflow automation today, here's the operational checklist:

  1. Inventory everything your agents touch. Know every MCP server, plugin, API, and tool your agents connect to. You can't protect what you can't see.
  2. Enforce least privilege. No agent should have broad credentials. If your voice agent processes intake forms, it doesn't need database admin access. Scope permissions to the minimum required for each task.
  3. Monitor behavior, not just code. Static analysis catches known patterns. Runtime monitoring catches what your agents actually do, including actions triggered by injected instructions. Build logging that tracks every tool call, every data access, every output.
  4. Build human-in-the-loop governance. For high-stakes actions (sending emails, modifying records, processing payments), require human confirmation. 42% of regulated enterprises are already adding approval workflows. Follow their lead.
  5. Maintain a kill switch. When something is compromised, you need to shut it down immediately. Every agent deployment should have a rapid disable mechanism.
  6. Treat all external data as untrusted. Any content your agent retrieves (web pages, documents, API responses) may contain injection payloads. Design your system to assume hostile input.
  7. Test continuously, not once. Build adversarial test cases. Run red team exercises against your agents. Prompt injection attacks evolve fast; your defenses need to evolve faster.
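Items 2 through 5 of the checklist can be enforced at a single choke point in front of the agent's tool calls. The gate below is an added example written for this article, not code from OWASP or from any product the article names; the agent names, tool names and the approver callback are constructed stand-ins for a real deployment's allow-lists and approval workflow.

```python
# Added example: a tool-call gate enforcing least privilege, audit logging,
# human approval for high-stakes tools, and a kill switch for each agent.
from dataclasses import dataclass, field
from typing import Callable

# Hypothetical per-agent allow-lists (checklist item 2): the intake agent can
# work with forms and leads but has no path to admin tools. Names are constructed.
AGENT_TOOL_ALLOWLIST = {
    "intake-agent": {"read_form", "create_lead", "send_email"},
    "voice-agent": {"read_form", "lookup_calendar"},
}
# High-stakes tools (checklist item 4) always go through a human approver.
APPROVAL_REQUIRED = {"send_email", "modify_record", "process_payment"}

@dataclass
class ToolGate:
    approver: Callable[[str, str, dict], bool]         # human-in-the-loop callback
    disabled_agents: set = field(default_factory=set)  # kill-switch state
    audit_log: list = field(default_factory=list)      # one entry per call

    def kill(self, agent: str) -> None:
        """Rapid disable (checklist item 5): every later call is refused."""
        self.disabled_agents.add(agent)

    def call(self, agent: str, tool: str, args: dict, tools: dict) -> dict:
        """Route one tool call through policy; the decision is always logged
        (checklist item 3), whether or not the tool ends up running."""
        if agent in self.disabled_agents:
            decision = "blocked:killed"
        elif tool not in AGENT_TOOL_ALLOWLIST.get(agent, set()):
            decision = "blocked:not_allowlisted"
        elif tool in APPROVAL_REQUIRED and not self.approver(agent, tool, args):
            decision = "blocked:approval_denied"
        else:
            decision = "allowed"
        self.audit_log.append({"agent": agent, "tool": tool,
                               "args": args, "decision": decision})
        if decision != "allowed":
            return {"ok": False, "reason": decision}
        return {"ok": True, "result": tools[tool](**args)}

if __name__ == "__main__":
    # Demo approver: stands in for a human reviewer who only signs off on mail
    # to the company's own domain (constructed value for this example).
    gate = ToolGate(approver=lambda a, t, args: args.get("to", "").endswith("@example.com"))
    tools = {"read_form": lambda form_id: {"id": form_id},
             "send_email": lambda to, body: "sent"}
    print(gate.call("intake-agent", "send_email", {"to": "x@other.net", "body": "hi"}, tools))
    print(gate.audit_log)
```

In a real deployment the approver would block on a ticket or chat approval rather than a domain check, and the audit log would ship to your SIEM so blocked calls become detections rather than silent refusals.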

Regulation Is Catching Up

NIST updated its AI Risk Management Framework (AI RMF 2.0) in early 2026 with specific guidance on prompt injection as part of security and resilience requirements. The EU AI Act reaches full enforcement on August 2, 2026. ISO 42001 provides an auditable AI Management System standard. These frameworks are converging on the same message: if you deploy AI agents, you are accountable for their behavior. Governance isn't a nice-to-have. It's a compliance requirement with real legal teeth. OWASP's contribution is the most operationally useful of the bunch because it was built by practitioners tracking real incidents. When the original OWASP Top 10 launched for web security in 2003, it reshaped how organizations approached web application security for two decades. This framework has the same potential for agentic AI.

The Bottom Line

AI agents are high-value targets with broad access, implicit trust, and limited oversight. Attackers have recognized this faster than most security teams. The incidents of 2025 (supply chain compromises, RCE in widely-used tools, silent data exfiltration through malicious plugins) are the opening moves. If your business runs AI-powered intake, voice agents, lead qualification, or workflow automation, security governance is not a future concern. It's a present requirement. Start with the inventory, enforce least privilege, and build the monitoring before your agents encounter something you didn't plan for.

Sources:

  • OWASP Top 10 for Agentic Applications 2026 (genai.owasp.org)
  • OWASP GenAI Security Project announcement, December 10, 2025 (PR Newswire)
  • Real-world attacks behind the OWASP Agentic Top 10 (BleepingComputer)
  • Engineering Leaders Survey: AI Agents in Production 2025 (Cleanlab)
  • NIST AI Risk Management Framework 2.0, updated 2026 (nist.gov)