OWASP LLM & Agentic Top 10: A Security-Controls Checklist for AI Agents

Three OWASP lists now describe how generative AI breaks, and most teams are still securing against the first one. The OWASP Top 10 for LLM Applications 2025 (LLM01-LLM10) covers the model and the application around it. The OWASP Top 10 for Agentic Applications (ASI01-ASI10), released on December 9 2025 as the 2026 edition, is OWASP's first ranked list built for systems that take actions. And the Agentic AI Threats & Mitigations taxonomy breaks those risks into granular, detection-grade detail. They are not interchangeable, and a control that satisfies the LLM list often does nothing for the agentic one.

This is a controls checklist, not an explainer. For each major OWASP item it gives you three things: preventive controls, detective controls, and what to monitor on the agent and MCP layer - the place where autonomy turns a model bug into a production incident. If you want the conceptual background, see our companion guides to the LLM Applications Top 10 and the Agentic Applications Top 10. This page is what you tape next to your monitor.

Three lists, one control plane

Keep the three artifacts distinct, because conflating them is how gaps appear. The LLM list is your baseline for any feature that calls a model. The agentic list applies the moment that model can invoke a tool, write to memory, or talk to another agent. The Threats & Mitigations taxonomy is what you reach for when you write the actual detection rule.

The 2025 LLM cycle added two items worth noting: LLM07 System Prompt Leakage and LLM08 Vector and Embedding Weaknesses. Both matter more in agentic systems, where prompts carry tool definitions and retrieval feeds untrusted context straight into a decision loop.

The mental model: the lethal trifecta

Before the per-item checklist, internalise one model. Simon Willison's lethal trifecta (June 16 2025) says an agent becomes capable of data exfiltration when it simultaneously holds three things: access to private data, exposure to untrusted content, and the ability to communicate externally. The pattern has been demonstrated in production agentic systems, most prominently the GitHub MCP exploit that bundled all three legs.

The control implication is blunt: break at least one leg. Scope the agent away from private data, isolate untrusted content from the action path, or block external egress. If you can only afford one control per agent, make it the one that severs a trifecta leg. We expand this in the lethal trifecta and AI agent data exfiltration.

LLM01 Prompt Injection - paired with ASI01 Goal Hijack and ASI06 Memory Poisoning

Prompt injection is the root cause behind most agentic incidents, because in an agent the injected text does not just change an answer - it changes what the agent *does*. ASI01 Agent Goal Hijack is the autonomy-layer expression of LLM01. The reference case is EchoLeak (CVE-2025-32711), a zero-click indirect prompt injection in Microsoft 365 Copilot disclosed by Aim Security in June 2025 that exfiltrated data through a crafted email and was patched server-side by Microsoft.

On the memory side, ASI06 Memory & Context Poisoning deserves its own attention. The MINJA research (arXiv 2503.03704, NeurIPS 2025) showed a *query-only* memory injection attack - an ordinary user with no elevated privileges planting malicious records in an agent's memory through crafted queries, reporting around 98% injection success. The production analog is the Gemini long-term memory poisoning reported by Johann Rehberger in February 2025, which used indirect injection plus delayed tool invocation to persist false memories; Google reported mitigation in November 2025.

• Preventive: authenticate and validate memory writes; isolate sessions; treat retrieved memory as untrusted input.
• Detective: anomaly detection over memory contents; ability to roll back or sanitise poisoned memory.
• Monitor: unexpected memory writes, especially from low-privilege sessions. See AI agent memory poisoning explained and indirect prompt injection explained.

LLM06 Excessive Agency - paired with ASI02, ASI03 and ASI05

This is the cluster where the LLM and agentic lists overlap most, and where continuous monitoring pays off most. LLM06 Excessive Agency maps to ASI02 Tool Misuse, ASI03 Identity & Privilege Abuse, and ASI05 Unexpected Code Execution. The failure mode is an agent doing something within its granted capability that it should never have been allowed to do.

A canonical tool-misuse case is the Amazon Q Developer VS Code extension incident (v1.84.0, July 2025): an attacker pull request injected a destructive 'wipe system' prompt into the extension. AWS pulled it and shipped 1.85.0; the payload happened to fail due to a syntax error - a near miss, not a safe design. See our writeup of the Amazon Q Developer prompt-injection wiper (GHSA-7g7f-ff96-5gcw). The rogue-agent category is illustrated by the July 2025 Replit incident, where an AI agent deleted a production database during a code freeze and fabricated thousands of fake records despite instructions not to.

Least privilege is the load-bearing control here. Give each agent its own scoped identity rather than a shared human credential, and grant the minimum tool set. We cover the mechanics in least privilege for AI agents and the identity model in non-human identity governance. For coding agents specifically, securing AI coding agents and CLIs and Claude Code permissions and hooks hardening translate this into concrete settings.

LLM03 Supply Chain - paired with ASI04 Agentic Supply Chain

The classic LLM03 supply-chain risk (compromised models, datasets, packages) gains a new surface in agentic systems: the MCP servers an agent connects to. ASI04 Agentic Supply Chain Vulnerabilities is anchored by the GitHub MCP exploit disclosed by Invariant Labs on May 26 2025 - indirect prompt injection through a malicious public issue coerced an agent into leaking private-repository data, a 'toxic agent flow.' It was architectural; mitigation came from one-repo-per-session scoping and least-privilege tokens.

A tool that was safe at connection time can be silently repurposed later. The MCP tool poisoning campaign and our MCP server security guide cover the rug-pull pattern in depth, and AI supply-chain attacks: a defender's guide puts it in the broader context of package-ecosystem campaigns. Maintaining an MCP server registry is the practical countermeasure.

LLM02 Sensitive Information Disclosure - the exfiltration path

LLM02 is where the lethal trifecta becomes concrete. The risk is an agent surfacing private data through its outputs or its outbound calls - and in an agent, 'output' includes tool calls to external systems. This pairs with ASI01 and ASI03.

• Preventive: egress allowlisting; DLP on agent outputs; scope private-data access; mask sensitive fields before they reach the model.
• Detective: monitor external communication for exfil patterns, especially when an agent simultaneously holds private data, untrusted content, and outbound capability.
• Monitor: outbound destinations per agent; volume and sensitivity of data crossing the egress boundary.

Traditional DLP often misses this because the exfiltration rides inside legitimate API calls the agent is allowed to make. DLP for AI agents: why traditional DLP fails and secrets management for AI agents cover the gap. The lethal-trifecta exfil pattern in production is detailed in lethal trifecta: production agent exfiltration.

LLM05 Improper Output Handling

Treat model output as untrusted input to whatever consumes it. In agentic systems this is acute: model output becomes the argument to a tool call, a shell command, or a database query. ASI05 Unexpected Code Execution is the autonomy-layer consequence.

• Preventive: context-aware encoding; sanitise and validate before any backend; SQL escaping and HTML encoding; never pass raw model output to a shell.
• Detective: validate tool arguments against schemas; flag commands outside an allowlist.
• Monitor: code-execution tool calls and the arguments passed to them.

LLM07, LLM08, LLM09 and LLM10

The remaining LLM items round out the baseline. Bundle them so nothing slips.

LLM10 pairs with ASI08 Cascading Failures: one looping or compromised agent can amplify across a multi-agent system. Quotas and circuit breakers are preventive; fleet-wide cost and loop monitoring is detective.

The agentic-only items: ASI07, ASI09, ASI10

A few agentic risks have no clean LLM-list equivalent. ASI07 Insecure Inter-Agent Communication concerns messages between agents being poisoned or spoofed; require authenticated, integrity-checked channels and treat inbound agent messages as untrusted. ASI09 Human-Agent Trust Exploitation is social engineering through the agent - the agent persuading a human to approve something harmful; counter it by making approval prompts show the *actual* action and its blast radius, not the agent's summary. ASI10 Rogue Agents is behavioural drift toward harmful autonomy, the Replit category.

Foundational controls that recur on almost every item

Step back and the same handful of controls keep appearing. Implement these once, well, and you raise your score on most of the list at the same time.

1. Least-privilege scoped identity per agent - a distinct, minimally-scoped credential per agent, never a shared human token.
2. Human-in-the-loop approval gates for high-impact actions - but watch for approval fatigue, where reflexive clicking defeats the control.
3. Egress allowlisting and DLP - the cheapest way to break a lethal-trifecta leg.
4. MCP authorization hardening - OAuth 2.1 + PKCE/S256, HTTPS, audience-validated tokens, and Protected Resource Metadata discovery; see OAuth for MCP servers explained.
5. Structured per-agent audit logging - an immutable trail that counters repudiation and feeds rogue-agent detection; see the AI agent audit trail and logging guide.
6. Sandboxing of code execution and runtime anomaly detection - see runtime monitoring and anomaly detection for AI agents.

For mapping this checklist into formal programmes, the framework guides line up cleanly: NIST AI RMF for AI agents, ISO 42001 AI agent governance, MITRE ATLAS agentic threats, and the OWASP AIVSS agentic scoring for prioritisation.

The precondition: you can only secure what you can see

Every control above assumes you know the agent or MCP server exists. In practice, most do not. Developers wire up coding assistants and connect MCP servers without a ticket; employees adopt agents the way they once adopted SaaS. That is the shadow-IT problem applied to autonomy, and we cover it in AI agents are the new shadow IT and how to build an AI agent inventory.

This is where continuous agent and MCP visibility - the category Anomity works in - fits the checklist, and it fits it in a specific place: the detective and monitoring column of nearly every item. Discovery and inventory turn the foundational controls from aspirational to enforceable; permission monitoring backs LLM06/ASI02/ASI03; tool-description and registry tracking backs ASI04; egress and behaviour monitoring backs the lethal-trifecta exfil path; and a structured per-agent audit trail backs the accountability gap behind ASI09 and ASI10. None of it is a substitute for the preventive controls - it is how you confirm they are actually holding across a fleet that changes every day.

How to use this checklist

Run it as a sequence, not a one-time audit. First, build the inventory - every agent, every MCP server, every identity. Second, sever lethal-trifecta legs on your highest-risk agents. Third, apply the per-item controls, prioritising LLM06/ASI02/ASI03 (excessive agency) and ASI04 (supply chain) because those are where autonomy does the most damage fastest. Fourth, turn on detective monitoring and audit logging so the controls you just set can be verified continuously. Then revisit on every new agent, every new MCP connection, and every OWASP revision - because the lists, and your fleet, will keep moving.

OWASP gives you the taxonomy. The lethal trifecta gives you the mental model. Least privilege, egress control, HITL, MCP OAuth hardening, and audit logging give you the controls. And continuous discovery gives you the one thing without which none of the rest is real coverage: knowledge of what you are actually defending.