OWASP Agentic AI Top 10 · Offensive techniques · Defensive countermeasures
| # | Risk | Defense module |
|---|---|---|
| ASI01 | Goal Hijacking | 6.3 |
| ASI02 | Prompt Leakage | 9 |
| ASI03 | Excessive Agency | 2.4, 6.1 |
| ASI04 | Memory Poisoning | 4.3 |
| ASI05 | Tool/Skill Abuse | 2.4 |
| ASI06 | Cascading Hallucination | 9 |
| ASI07 | Insecure Output | 5.3 |
| ASI08 | Supply Chain (MCP) | 2.3 / C2 S12 |
| ASI09 | Resource Exhaustion | 5.4, 7.2 |
| ASI10 | Broken Access Control | 5.3, F06 |
This is why defense-in-depth matters — no single layer is sufficient. The 5-query finding means a determined attacker gets through one layer; they must be stopped by the SECOND or THIRD.
| Layer | Module | Defends |
|---|---|---|
| Untrusted-tagging | 2.4 | Indirect injection |
| Capability perms | 2.4 | Excessive agency, tool abuse |
| Memory gating | 4.3 | Memory poisoning |
| FS/network scoping | 5.3 | Insecure output, broken access |
| Risk-tiered approval | 6.1 | Goal hijacking, destructive |
| Instruction isolation | 11.3 | Direct injection, leakage |
| Verification | 9 | Cascading hallucination |
| Signed manifests | C2/S12 | Supply chain |
| Resource caps + breaker | 5.4/7.2 | Resource exhaustion |
Task: "summarize README"
│
read_file (README contains injection)
│
┌─── Defense: untrusted-tagging ON?
│
├─ YES → tag → model treats as DATA → safe
│
└─ NO → raw to model → model may COMPLY → compromised The fork IS the lesson: same input, two paths. Defense holds (green) vs bypassed (red).
Next: Module 12 — Capstone. Build a production harness from scratch.