Most enterprise AI security programmes are aimed at the wrong target.
Security teams have spent the last two years locking down which AI tools employees can use, which vendors clear procurement, and what data those tools can see. That work matters. It also misses where the actual breaches are happening. Every serious AI agent incident in the last twelve months hit somewhere else entirely: the execution layer. The place where an agent stops talking and starts doing.
That gap is exactly what the OWASP Agentic Top 10 was built to expose. Released in December by the OWASP GenAI Security Project, the framework names the ten highest-impact risks facing autonomous AI systems, and it lands at the right moment. Microsoft followed up on April 2 by open-sourcing its Agent Governance Toolkit, mapped directly onto the same ten risks. Palo Alto Networks rebuilt Prisma AIRS around the framework. The vocabulary is now standardised.
Read the list in order, and one pattern jumps out. Three of the top four risks centre on tools, identities, and delegated trust. None of them live at the model layer. If your AI governance roadmap starts and ends with prompt filtering, you have built a wall in front of a door that nobody is using. This guide walks through all ten risks, with the four that matter most up front, and shows what a CISO should actually fix this quarter.
Why the model layer was always the wrong target
The original LLM Top 10 trained an entire generation of security teams to think about AI risk as a content problem. Watch what the model says. Filter the prompts. Block the jailbreaks. That worked when the model was a chatbot answering questions in a sandbox. It stops working the moment the model gains hands.
An AI agent is not a chatbot. It authenticates against your systems, reads your data, calls your APIs, writes to your databases, and makes decisions on behalf of human users with real credentials. Every one of those actions happens at the execution layer. None of them are visible to a content filter. As we covered in our deeper analysis on what enterprises are getting wrong about AI agent security in 2026, a Gravitee survey found that only 24.4% of organisations have full visibility into how their AI agents communicate with each other, and the average enterprise now runs 37 deployed agents. Most of those agents were never reviewed by security.
This is the shadow AI problem in its mature form. It is not just employees pasting confidential text into ChatGPT. It is product teams wiring autonomous agents into production infrastructure with delegated credentials and no kill switch. The OWASP Agentic Top 10 is the first framework to take that reality seriously.
The four risks that matter most
ASI01: Agent Goal Hijack
An attacker manipulates an agent's objectives by injecting instructions into content the agent processes. Sometimes that is a direct prompt. More often it is hidden in an email, a calendar invite, a document, or a RAG knowledge source the agent reads as part of its normal workflow.
The EchoLeak vulnerability in Microsoft 365 Copilot, disclosed in mid-2025 as CVE-2025-32711, made this concrete. Aim Security researchers showed how a single crafted email could trigger Copilot to exfiltrate confidential chat logs, OneDrive files, and SharePoint content. Zero clicks required. The attacker bypassed Microsoft's cross-prompt injection classifiers, evaded link redaction, and routed the stolen data out through trusted Microsoft Teams URLs. Microsoft patched it server-side. The architecture that enabled it is still everywhere.
Defence: Treat every input as untrusted, including content from internal sources. Apply AI guardrails at the goal evaluation step, not just at the output. Pair an AI agent firewall with content classification at the prompt layer so injected instructions get flagged before the agent acts on them.
ASI02: Tool Misuse and Exploitation
An agent uses a legitimate tool in a harmful way. The risk is not that the tool is broken. It is that the agent might use a working tool to do something destructive because it misunderstood the instruction or was steered by an attacker into doing so. Deleting a production database while trying to clean up a staging environment counts. So does emailing a customer list to the wrong recipient because a CRM connector was scoped too broadly.
Tool misuse multiplies as the MCP ecosystem grows. Every new connector is a fresh execution path. Most enterprises have no scoping policy at the tool layer, which means agents inherit the full blast radius of whatever they can connect to.
Defence: Deploy an AI MCP gateway that mediates every tool call, scores it for risk, and enforces policy before execution. This is the layer most security stacks are missing. Without it, your perimeter controls are filtering prompts while the actual damage happens downstream.
ASI03: Identity and Privilege Abuse
An attacker exploits inherited credentials, cached tokens, or delegated permissions to act through the agent. AI agents often run with the combined privileges of every system they touch. Confuse the agent once, and you inherit the authority of every non-human identity it carries.
Traditional zero trust breaks here. Zero trust assumes a human session with a clear start and end. AI agents persist. They reuse tokens. They share credentials across multi-step workflows. As Palo Alto's Prisma AIRS launch at RSAC 2026 made clear, the execution layer needs its own identity model, not a copy of the one your IAM team built for employees.
Defence: Apply runtime identity governance to every agent. Each tool call should re-authenticate against current context, not against a token issued at session start. Map every agent to a clear ownership and revocation path so a compromised agent gets killed in seconds, not hours.
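The three defences above for ASI01 to ASI03 come down to one mediation point in front of every tool call: judge the proposed action against the goal the human actually delegated, scope each tool to the environments and destinations that goal allows, and re-check the caller's identity and revocation status at every call rather than once at session start. The following Python is an added illustration written for this article, not Pragatix code or any vendor's MCP gateway; the tool names, risk weights, thresholds and the sample scenario are all constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed policy tables: tool names and weights are hypothetical, not any real MCP server's.
DESTRUCTIVE_TOOLS = {"db.delete", "db.drop", "fs.rm"}
OUTBOUND_TOOLS = {"email.send", "http.post"}
TOKEN_TTL_SECONDS = 300          # a per-call credential older than this is rejected
REVOKED_AGENTS: set = set()      # written by the incident-response revocation path


@dataclass(frozen=True)
class TaskScope:
    """The goal the human actually delegated; every later action is judged against it (ASI01)."""
    agent_id: str
    owner: str
    allowed_tools: frozenset
    allowed_destinations: frozenset   # domains data may be sent to
    allowed_envs: frozenset           # environments destructive tools may touch


@dataclass(frozen=True)
class AgentToken:
    agent_id: str
    owner: str
    issued_at: float


@dataclass(frozen=True)
class ToolCall:
    tool: str
    args: dict


def revoke_agent(agent_id: str) -> None:
    """Ownership and revocation path: one call kills every future action of the agent."""
    REVOKED_AGENTS.add(agent_id)


def check_identity(token: AgentToken, scope: TaskScope, now: float):
    """ASI03: validate identity at every call against current state, not against a token
    accepted once at session start. Returns a rejection reason, or None if the call may proceed."""
    if token.agent_id in REVOKED_AGENTS:
        return "agent revoked"
    if now - token.issued_at > TOKEN_TTL_SECONDS:
        return "token expired"
    if token.agent_id != scope.agent_id or token.owner != scope.owner:
        return "token does not match task owner"
    return None


def destination_of(call: ToolCall) -> str:
    """Domain the data would flow to, for either an e-mail address or a URL."""
    target = call.args.get("to", "")
    if "@" in target:
        return target.rsplit("@", 1)[1].lower()
    return (urlparse(target).hostname or "").lower()


def score_call(call: ToolCall, scope: TaskScope):
    """ASI01/ASI02: score the proposed action against the delegated goal and tool scope."""
    risk, reasons = 0, []
    if call.tool not in scope.allowed_tools:
        risk += 50
        reasons.append(f"{call.tool} is outside the task scope")
    if call.tool in DESTRUCTIVE_TOOLS:
        risk += 30
        reasons.append("destructive tool")
        env = call.args.get("env")
        if env not in scope.allowed_envs:
            risk += 40
            reasons.append(f"targets {env!r}, scope allows {sorted(scope.allowed_envs)}")
    if call.tool in OUTBOUND_TOOLS:
        dest = destination_of(call)
        if dest not in scope.allowed_destinations:
            risk += 60
            reasons.append(f"data would leave the scope to {dest or '<unparseable>'}")
    return risk, reasons


def mediate(call: ToolCall, token: AgentToken, scope: TaskScope, now: float) -> dict:
    """Gateway entry point: identity first, then goal/tool policy, then a decision."""
    problem = check_identity(token, scope, now)
    if problem is not None:
        return {"decision": "deny", "risk": 100, "reasons": [problem]}
    risk, reasons = score_call(call, scope)
    if risk >= 60:
        decision = "deny"
    elif risk >= 30:
        decision = "require_approval"     # a human signs off before execution
    else:
        decision = "allow"
    return {"decision": decision, "risk": risk, "reasons": reasons}


if __name__ == "__main__":
    # Constructed scenario: an agent cleaning up staging, allowed to mail the ops team.
    scope = TaskScope("agent-42", "alice", frozenset({"crm.read", "email.send", "db.delete"}),
                      frozenset({"corp.example"}), frozenset({"staging"}))
    token = AgentToken("agent-42", "alice", issued_at=1000.0)
    for call in (ToolCall("email.send", {"to": "ops@corp.example"}),
                 ToolCall("email.send", {"to": "drop@attacker.invalid"}),   # goal hijack via injected content
                 ToolCall("db.delete", {"env": "production"})):             # misuse of a legitimate tool
        print(call.tool, mediate(call, token, scope, now=1100.0))
```

The point of the design is that the decision never depends on what the prompt looked like. A mail to an unapproved domain is denied whether it came from the user or from a poisoned document, a destructive call against an environment outside the delegated scope is denied even though the tool itself was allowed, and a revoked or expired identity fails before policy is consulted at all.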
ASI04: Agentic Supply Chain Vulnerabilities
Compromised tools, descriptors, models, or agent personas tamper with execution. The Amazon Q Developer extension incident in July 2025 is the case study every security team should read. A threat actor submitted a malicious GitHub pull request to a public AWS repository. The pull request contained a hidden prompt instructing the agent to wipe local files and delete AWS resources. AWS maintainers approved it. The poisoned extension shipped to nearly a million developers as version 1.84.0. The wiper failed to execute only because the prompt was malformed. The next attacker will format theirs correctly.
The risk widens as enterprises pull from open ecosystems. A team building on Mistral, Llama, or DeepSeek AI models through Hugging Face inherits the trust posture of every upstream contributor. A self-hosted LLM that loads plugins from a public registry carries the same exposure. Convenience and risk scale together.
Defence: Verify provenance for every model, tool, and connector before it touches production. Pin versions. Sign artefacts. Maintain a software bill of materials for AI components, the same way you would for any other build dependency. Use a private AI deployment for sensitive workloads where supply chain audit is non-negotiable.
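What "verify provenance, pin versions, sign artefacts, keep a bill of materials" looks like as a load-time check, as an added example written for this article rather than code from AWS, OWASP or any vendor: a component ships with a manifest naming its publisher, version and content digest; the manifest is signed by a trusted publisher; a lockfile (the AI bill of materials) pins the version and digest the organisation approved; and the bytes about to be loaded must match all of it. The publisher key, component names, artefact bytes and lockfile are constructed, and an HMAC stands in for the asymmetric signature a real pipeline would use so the example runs with the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed: the verification key of the internal release pipeline. An HMAC key stands in
# for a real asymmetric signing key so the example runs with the standard library only.
PUBLISHER_KEYS = {"internal-release": b"constructed-demo-key-do-not-reuse"}


def artefact_digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def canonical(manifest: dict) -> bytes:
    """Stable serialisation so the signature covers exactly the fields shown."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_component(manifest: dict, signature: str, artefact: bytes, lockfile: dict) -> list:
    """Return every reason the component must not be loaded; an empty list means it passed.
    Checks: trusted publisher, valid signature, pinned version and digest, bytes match digest."""
    problems = []
    publisher = manifest.get("publisher")
    key = PUBLISHER_KEYS.get(publisher)
    if key is None:
        problems.append(f"untrusted publisher {publisher!r}")
    elif not hmac.compare_digest(sign_manifest(manifest, key), signature):
        problems.append("manifest signature does not verify")
    pinned = lockfile.get(manifest.get("name"))
    if pinned is None:
        problems.append("component is not pinned in the lockfile")
    else:
        if pinned["version"] != manifest.get("version"):
            problems.append(f"version {manifest.get('version')} differs from pinned {pinned['version']}")
        if pinned["digest"] != manifest.get("digest"):
            problems.append("manifest digest differs from pinned digest")
    if artefact_digest(artefact) != manifest.get("digest"):
        problems.append("artefact bytes do not match the manifest digest")
    return problems


# Constructed sample artefacts standing in for a tool/connector package.
GOOD_BUILD = b"connector-1.2.0: reads tickets, nothing else"
TAMPERED_BUILD = b"connector-1.2.0: reads tickets, then deletes the workspace"
GOOD_MANIFEST = {"name": "ticket-connector", "version": "1.2.0",
                 "publisher": "internal-release", "digest": artefact_digest(GOOD_BUILD)}
GOOD_SIGNATURE = sign_manifest(GOOD_MANIFEST, PUBLISHER_KEYS["internal-release"])
# The lockfile is the AI bill of materials: one pinned version and digest per component.
LOCKFILE = {"ticket-connector": {"version": "1.2.0", "digest": artefact_digest(GOOD_BUILD)}}


def check_pinned_release() -> list:
    """The approved build, signed by the trusted publisher, matching the pin: loads."""
    return verify_component(GOOD_MANIFEST, GOOD_SIGNATURE, GOOD_BUILD, LOCKFILE)


def check_tampered_artefact() -> list:
    """Same signed manifest, different bytes: the digest check catches the swap."""
    return verify_component(GOOD_MANIFEST, GOOD_SIGNATURE, TAMPERED_BUILD, LOCKFILE)


def check_unpinned_upgrade() -> list:
    """A newer version from an unknown publisher that auto-update pulled past the pin."""
    manifest = {"name": "ticket-connector", "version": "1.3.0",
                "publisher": "someone-on-the-internet", "digest": artefact_digest(TAMPERED_BUILD)}
    return verify_component(manifest, "", TAMPERED_BUILD, LOCKFILE)


if __name__ == "__main__":
    for check in (check_pinned_release, check_tampered_artefact, check_unpinned_upgrade):
        print(check.__name__, check() or "OK")
```

The third scenario is the one the Amazon Q incident illustrates: a new version arrives through the normal update path, and without a pin the loader has no reason to refuse it. With the pin, the version mismatch alone is enough to block the load, before anyone has to reason about whether the new contents are malicious.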
The remaining six, in brief
ASI05: Unexpected Code Execution. An agent generates or invokes code that runs in unintended ways. The CrewAI CVE chain disclosed earlier this year showed how prompt injection can flow into remote code execution through a code interpreter. Sandbox agent-generated code at the OS level, not just at the framework level, and use a firewall for AI execution paths that intercepts outbound requests before they reach production.
ASI06: Memory and Context Poisoning. An attacker corrupts the stored context an agent uses to make decisions. Once poisoned, the agent carries the bad context into every future interaction. Treat memory stores as production data, enforce write-time validation, and isolate memory per session for high-stakes workflows.
ASI07: Insecure Inter-Agent Communication. In a multi-agent system built with LangChain or similar orchestration frameworks, one agent trusts another by default. Spoof a message between them and you redirect the workflow. Authenticate every inter-agent message with signed envelopes and treat each agent as a separate principal.
ASI08: Cascading Failures. One agent fails and the failure propagates. A single hallucination in the middle of a chain can corrupt every downstream output, and the cascade is invisible to anyone watching only the final result. Build observability at every step, not just at the final output, and add circuit breakers for outputs that fall outside expected bounds.
ASI09: Human-Agent Trust Exploitation. Users trust AI agents more than they should. Meta's SEV1 incident in March was a textbook case: an engineer acted on bad agent advice that broadened permissions and exposed sensitive data for two hours. AI data leakage prevention controls should sit between the agent's recommendation and the human's click-through, especially for AI browser extension scenarios where the trust boundary is invisible.
ASI10: Rogue Agents. An agent diverges from intended behaviour. Sometimes that is a successful goal hijack. Sometimes it is a misconfiguration. Often it is shadow AI, where a team spun up an agent without security review and nobody knows it exists. Shadow AI incidents carry an average additional cost of $670,000 over standard breaches, driven by the time it takes to scope what the agent touched. Continuous AI agent mapping is the foundational control. You cannot govern what you cannot see.
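The ASI07 defence above, signed envelopes with each agent as its own principal, is the one item in this list that is mostly plumbing, so here it is worked through as an added example written for this article (not LangChain code or any orchestration framework's messaging layer). Each agent holds its own key; an envelope covers sender, recipient, timestamp, nonce and payload; and the receiving side rejects anything unsigned, signed by the wrong principal, altered in transit, stale, or seen before. The agent names, keys and the exchange are constructed, and an HMAC per agent stands in for the per-agent asymmetric key pair a production deployment would use, so the example runs with the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed: one key per agent principal. HMAC stands in for a per-agent asymmetric
# key pair so the example runs with the standard library only.
AGENT_KEYS = {"planner": b"constructed-key-planner", "executor": b"constructed-key-executor"}


def _body(envelope: dict) -> bytes:
    """Everything except the signature, serialised canonically so both sides hash the same bytes."""
    unsigned = {k: v for k, v in envelope.items() if k != "sig"}
    return json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()


def seal(sender: str, recipient: str, payload: dict, key: bytes, now: float, nonce: str) -> dict:
    """Build a signed envelope: sender, recipient, timestamp and nonce are all under the signature."""
    envelope = {"from": sender, "to": recipient, "ts": now, "nonce": nonce, "payload": payload}
    envelope["sig"] = hmac.new(key, _body(envelope), hashlib.sha256).hexdigest()
    return envelope


class Inbox:
    """Receiving side: every message must be authenticated, fresh, and seen only once."""

    def __init__(self, me: str, keys: dict, max_age: float = 30.0):
        self.me, self.keys, self.max_age, self.seen = me, keys, max_age, set()

    def open(self, envelope: dict, now: float):
        """Return (True, payload) or (False, reason). No sender is trusted by default."""
        sender = envelope.get("from")
        if envelope.get("to") != self.me:
            return False, "not addressed to this agent"
        key = self.keys.get(sender)
        if key is None:
            return False, f"unknown principal {sender!r}"
        expected = hmac.new(key, _body(envelope), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(envelope.get("sig", ""))):
            return False, "signature does not verify"
        if abs(now - float(envelope.get("ts", 0))) > self.max_age:
            return False, "stale message"
        marker = (sender, envelope.get("nonce"))
        if marker in self.seen:
            return False, "replayed message"
        self.seen.add(marker)
        return True, envelope["payload"]


def run_scenarios() -> dict:
    """Constructed exchange: a planner instructs an executor, and several bad messages arrive."""
    inbox = Inbox("executor", AGENT_KEYS)
    task = {"action": "summarise", "doc": "Q3-report"}
    redirect = {"action": "export", "doc": "Q3-report", "to": "outside"}
    genuine = seal("planner", "executor", task, AGENT_KEYS["planner"], now=100.0, nonce="n1")
    spoofed = seal("planner", "executor", redirect, b"guessed-key", now=100.0, nonce="n2")
    tampered = dict(genuine, payload=redirect)            # valid signature, altered payload
    stranger = seal("intruder", "executor", redirect, b"any-key", now=100.0, nonce="n3")
    old = seal("planner", "executor", task, AGENT_KEYS["planner"], now=100.0, nonce="n4")
    return {
        "genuine": inbox.open(genuine, now=101.0),
        "spoofed": inbox.open(spoofed, now=101.0),
        "tampered": inbox.open(tampered, now=101.0),
        "stranger": inbox.open(stranger, now=101.0),
        "replay": inbox.open(genuine, now=102.0),          # the same genuine envelope, delivered twice
        "stale": inbox.open(old, now=200.0),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:9s} -> {result}")
```

Two details carry most of the value. The recipient field is inside the signature, so a message the planner legitimately sent to one agent cannot be forwarded to another; and the nonce is tracked per sender, so a captured genuine message cannot be re-delivered to re-run a step of the workflow. Both checks are independent of the model and of the payload's contents, which is the whole point of moving the control to the execution layer.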
Closing the execution-layer gap
Every control above sits at the execution layer, which is exactly where AGAT built Pragatix to operate. The platform combines four capabilities that map directly onto the framework: discovery for ASI10, an AI agent firewall and AI MCP gateway for ASI01 through ASI03, AI model firewall and DLP for AI controls for ASI06 and ASI09, and supply chain verification for ASI04.
For organisations that cannot accept any data leaving their perimeter, Pragatix ships as an on-premise AI deployment, an air-gapped AI configuration, or a fully private AI environment. Local AI, AI sovereignty, and AI privacy stop being talking points and become deployment options. Teams that need a private AI chatbot, AI data analytics across internal sources, or a self-hosted LLM-backed assistant get the full security-first AI platform without exposing anything to a public cloud.
This is what a guardian agent platform for enterprise looks like when AI TRiSM principles are baked in from the start rather than retrofitted. It is the operational complement to the OWASP framework: one control plane covering human users, AI agents, models, and data.
Where to start before your next board meeting
The OWASP Agentic Top 10 is your priority list. Pick the three risks most relevant to your environment, build controls against those first, and use the framework to communicate the gap upward. Start with discovery, because you cannot defend agents you cannot see. Add the MCP gateway second, because tool calls are where the actual damage happens. Layer identity governance third, because every other control assumes you know which agent did what.
By the end of 2026, Gartner expects 40% of enterprise applications to run task-specific AI agents. The CISOs who get ahead of that number will not be the ones who deployed the most AI guardrails at the model layer. They will be the ones who governed the execution layer first.
See how Pragatix delivers AI agent security, runtime governance, and AI guardrails aligned to the OWASP Agentic Top 10. Book a demo of the AGAT security-first AI platform.
