The OWASP Agentic Top 10, Part 2: Five More Risks the Execution Layer Exposes
The second half of the OWASP Agentic Top 10 covers risks that most AI security frameworks don't model at all: memory poisoning, cost exploitation, accountability gaps, and more. All of them require execution-layer visibility to address.
Part 1 of this series covered the first five risks in OWASP’s Top 10 for Agentic Applications 2026: Agent Goal Hijack, Rogue Agent Behavior, Tool Misuse, Insecure Runtime Supply Chain, and Privilege Misuse. Every one of them manifests at the execution layer, in the space between model output and real-world action.
The second half of the list continues that pattern. ASI06 through ASI10 address a different cluster of risks: what happens when agent memory gets corrupted, how errors compound across multi-agent systems, what it costs when an agent runs unconstrained, and what accountability looks like when an agent takes an action nobody can trace back to a decision. These are harder to categorize as simple security failures. They are structural properties of agentic systems that become security and compliance problems at scale.
ASI06: Memory and context manipulation
Agents maintain state. Some of that state is in-context, within a single session window. Some of it is external: written to a knowledge base, a vector store, a shared memory system that other agents or future sessions read from. ASI06 addresses what happens when that memory becomes a manipulation surface.
The attack pattern OWASP identifies is subtle. An adversary does not need to compromise the model or the network. They need to insert content into the external memory that the agent trusts and retrieves. A poisoned document in a knowledge base, a crafted entry in a shared vector store, a previous agent session’s output left in persistent memory with embedded instructions: each of these reaches the model as trusted context, not as untrusted user input.
OWASP’s guidance notes that memory poisoning is particularly difficult to detect because the content often looks legitimate. The malicious instruction is not a clearly-formed attack. It is a subtly modified fact, a rephrased summary, or an embedded directive inside content that would otherwise pass inspection. Catching it requires integrity checking at the memory layer, not at the model layer.
Traditional software doesn’t routinely read from shared knowledge bases and treat retrieved content as executable context. Agents do. That is what makes ASI06 a genuinely new category of risk, not a variation on SQL injection or XSS.
ASI07: Cascading hallucination
Hallucination in a single-model interaction is a known limitation. The model produces a plausible but incorrect output, and a human reading it can push back, verify, or discard it. In a multi-agent pipeline, that dynamic changes significantly.
OWASP’s ASI07 describes the failure mode where a hallucinated output from one agent becomes an input to another, and that second agent acts on it. The error is not corrected because there is no human checkpoint between the two agents. If the second agent’s output feeds a third, the original error compounds. By the time the output reaches a human reviewer or a downstream system, it may be deeply embedded in a chain of reasoning that appears internally consistent.
A 2025 study on multi-agent LLM pipelines found that error propagation in chained agents is non-linear: a single factual error injected at step one could produce significant behavioral deviations by step four, even when each individual agent was operating within normal parameters. No single agent was malfunctioning. The system was.
The execution-layer implication is that you cannot audit this kind of failure by evaluating any single agent in isolation. You need traces across the full pipeline, showing what each agent received, what it produced, and how that output influenced the next step. Without that trace, you can observe the final output but not reconstruct where it diverged.
ASI08: Uncontrolled resource consumption
Most security frameworks do not treat resource consumption as a security risk. OWASP’s inclusion of ASI08 reflects something specific to agentic systems: agents can self-direct the scope of their own execution in ways traditional software cannot.
When an agent is given a broadly scoped goal, it may interpret that goal as license to call tools many times, spin up subagents, query large datasets, or loop until a condition is met. In the absence of hard constraints on token consumption, API calls, wall-clock time, or financial spend, a single misconfigured agent task can generate costs that are real and immediate.
Recorded Future’s 2025 AI security analysis identified cost-based denial of service as an emerging attack vector specific to agentic systems: an attacker who can cause an agent to loop, spawn, or over-query can generate costs against the victim’s infrastructure without compromising any credential or data store. The attack surface is the agent’s goal-directed autonomy, not a conventional vulnerability class.
Beyond adversarial use, the operational risk is equally significant. An agent that runs away from its intended scope does so using real API quotas, real compute, and in many cases real dollars. Organizations that have not implemented per-session cost caps or tool call rate limits have no mechanism to observe this until after the bill arrives.
ASI09: Inadequate consent and transparency
OWASP defines ASI09 as the failure mode where agents take consequential actions without ensuring the relevant humans have given informed consent, understand what is happening, or have meaningful ability to intervene.
This is partly a UX and product design problem, but OWASP frames it as a security risk because the consequences are real. An agent that sends emails on a user’s behalf, modifies shared data, or initiates external transactions without explicit per-action authorization is creating obligations, commitments, and state changes in the real world. If something goes wrong, the question of whether the user actually authorized the action is not just an operational question. It is a legal and compliance question.
OWASP’s framework specifically calls out the gap between “the user authorized the agent to exist” and “the user authorized this specific action at this specific time.” In most current deployments, that gap is not closed. Agents operate under broad initial authorization with no mechanism for checking back when they encounter edge cases, sensitive data, or actions outside their routine scope.
The compliance implications are straightforward. A user who claims they did not authorize a transaction executed by an AI agent is raising a question that the organization must be able to answer with evidence. If the only evidence available is “the agent had permission to use this tool,” that is unlikely to satisfy a regulator or a court.
ASI10: Repudiation and non-attribution
The last risk in the OWASP list is also the one with the clearest long-term compliance exposure. ASI10 addresses what happens when an agent takes an action and there is no reliable record that can establish who authorized it, what the agent’s state was when it decided, or what the chain of reasoning was.
In traditional software systems, audit trails are a solved problem. Actions are logged with timestamps, user IDs, and system state. An agent operating across multiple tool calls, spawning subagents, and drawing on persistent memory is producing a much more complex provenance chain. Without deliberate instrumentation at the execution layer, that chain is not captured. The agent’s reasoning is ephemeral.
OWASP’s guidance frames this as a repudiation risk: if a malicious or erroneous action is taken by an agent, and the execution trace was not preserved, the organization cannot demonstrate that the action was not authorized, what state led to it, or whether the behavior was within bounds. You cannot dispute an action you cannot reconstruct.
Financial services, healthcare, and other regulated industries are already facing this as a practical question. If an AI agent takes an action that affects a customer account and the customer disputes it, what does the audit record look like? In most current deployments: incomplete, or nonexistent.
The full picture
Taken together, the OWASP Agentic Top 10 defines a security surface that looks fundamentally different from what most enterprise security stacks were designed to protect. The ten risks span injection through memory through attribution. They occur before and after model inference, in retrieval pipelines, tool call sequences, cross-agent handoffs, credential stores, and audit logs.
The one consistent requirement across all ten: visibility into what happens during execution, not just at the boundary of the model. That is what the OWASP framework is asking for, and it is what most organizations cannot currently provide.
AI security vendors offering model-level guardrails are addressing a real problem. But Part 1 and this article have shown that nine of the ten risks in OWASP’s framework require something those tools cannot offer: a record of what the agent actually did, what it touched, and what it was authorized to do in the first place.
If you’re mapping this framework to your own agent deployments, we’d like to help. Reach us at hello@omnodex.com.
Sources
- OWASP, “Top 10 for Agentic Applications 2026”, OWASP GenAI Security Project, 2026.
- Wu et al., “Error Propagation in Multi-Agent LLM Pipelines”, arXiv preprint, April 2025.
- Recorded Future, “AI Agent Attack Surface Analysis 2025”, 2025.
- OWASP, “LLM and Generative AI Security Center of Excellence Guide”, OWASP GenAI Security Project, 2025.