OWASP Agentic Security Initiative · 10 / 10 categories covered

OWASP Agentic Top 10 — Coverage Map

The OWASP Top 10 for Agentic Applications (2026) ranks the ten most prevalent and impactful security risks for autonomous AI agents. This page maps every ASI category to the AiEGIS 15-layer runtime enforcement chain — primary layers plus defence-in-depth.

What it is

The benchmark for agentic security.

The OWASP Top 10 for Agentic Applications is the OWASP Agentic Security Initiative's prioritised list of the ten most prevalent and impactful security risks specific to autonomous AI agents. It was launched on 2025-12-09 and uses the ASI prefix (Agentic Security Issue), numbered ASI01 through ASI10, ordered by prevalence and impact across 2024–2025 deployments.

The list is distinct from the OWASP Top 10 for LLM Applications — it focuses on risks that surface specifically when an LLM is used as the planning core of an autonomous agent that takes actions in the world (tool calls, API requests, multi-agent communication, persistent memory).

The canonical resource page is at genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/; the parent initiative is at genai.owasp.org/initiatives/agentic-security-initiative/.

  • 10 / 10: ASI categories covered
  • 15: AiEGIS layers
  • 2+: Layers per ASI (primary + DiD)
  • 1825 d: Audit retention floor

The 15 layers

AiEGIS reference chain.

The AiEGIS 15-layer chain runs on every POST /api/protect call. Each layer returns a signed reason code with a layer name and decision_ms latency. The chain is:

L1 – L15
L1 Identity · L2 Instruction-Language · L3 Compliance / PII · L4 Scope · L5 Model-Gate · L6 Input-Sanitizer · L7 Memory · L8 Tool-Sandbox · L9 Meta · L10 Data-Protection · L11 Network · L12 Behavioral · L13 MCP-Registry · L14 Confidence · L15 Correlation

L5 Model-Gate is implicit across every ASI category — it is the model-side rail that L1–L4 + L6–L10 compose around — and is therefore not separately enumerated per category below.

Per-category mapping

ASI01 – ASI10, layer-by-layer.

ASI01

Agent Goal Hijack

Hidden prompts redirect the agent to unintended objectives (e.g. silent data exfiltration).
  • L6 Input-Sanitizer — strips or quarantines injected instructions in user input, tool output, and retrieved documents before they reach the model.
  • L2 Instruction-Language — detects imperative-mood drift between the agent's declared goal and the actual prompt stack reaching the model.
  • L4 Scope (DiD) — even if hijack succeeds at the model, every emitted action is checked against the principal's declared scope before egress.
  • L12 Behavioral (DiD) — flags goal-shape anomalies (e.g. a customer-support agent suddenly emitting wire_transfer tool calls).
ASI02

Tool Misuse

Agents weaponise legitimate tools to produce harmful outcomes beyond intended purpose.
  • L8 Tool-Sandbox — every tool invocation routes through a per-tool allowlist with argument-shape validation; out-of-policy calls return DENY at /api/protect before the tool runs.
  • L13 MCP-Registry — pins which MCP servers are reachable plus which tool IDs each one is authorised to expose; rogue tool registration is blocked at MCP discovery.
  • L4 Scope (DiD) — tool calls outside the agent's declared scope claim are rejected at L1-tied policy evaluation.
ASI03

Identity & Privilege Abuse

Exposed credentials let agents operate with unauthorised scope and permissions.
  • L1 Identity — every action must present a verifiable Ed25519 passport (sub + act.sub + scope) at /api/protect; missing or invalid passport returns immediate DENY.
  • L4 Scope — passport scope claim is the cap; any privilege-escalation attempt to a wider scope is rejected.
  • L9 Meta (DiD) — passport binding to machine + principal (act.sub per RFC 8693) prevents credential reuse across hosts.
ASI04

Agentic Supply Chain Vulnerabilities

Runtime components and dynamic ecosystems become susceptible to poisoning attacks (model weights, MCP servers, tool packages).
  • L13 MCP-Registry — MCP server identity + tool-list pinning; refuses unregistered servers and drift-detects tool-shape changes between registrations.
  • L10 Data-Protection — signed-pack-only policy load; the unsigned-pack path is gated behind a runtime warning sentinel reserved for local development.
  • L9 Meta (DiD) — runtime attestation of the harness binary itself (built-from-source hash check) detects component substitution.
ASI05

Unexpected Code Execution

Natural-language processing creates dangerous pathways for remote code execution.
  • L8 Tool-Sandbox — code-execution tools (shell, eval, exec) sit behind a per-call policy gate with argument-pattern matching; an injected argument of the form "; rm -rf /" is blocked at L8 before the subprocess runs.
  • L6 Input-Sanitizer — strips known shell-meta and AppleScript abort sequences (+, backticks, $(...)) from any field that flows toward a tool argument.
  • L11 Network (DiD) — egress-network policy denies outbound to non-allowlisted hosts even if the code does execute, containing blast radius.
ASI06

Memory & Context Poisoning

Malicious data modifications alter agent behaviour persistently after initial interactions.
  • L7 Memory — every write to long-term memory is policy-checked; PII and secret patterns are rejected at write, untrusted-source content is quarantined-tagged for downstream filtering.
  • L6 Input-Sanitizer — incoming retrieved documents (RAG context) pass the same sanitiser as direct user input; a poisoned document cannot inject instructions.
  • L14 Confidence (DiD) — confidence scoring on memory-derived claims; poisoned-memory-driven actions get a low-confidence flag that propagates into L12 and L15.
ASI07

Insecure Inter-Agent Communication

Spoofed messages between agents cause misdirection across distributed systems.
  • L1 Identity — agent-to-agent messages on Grid require signed passports both ways; X-AEGIS-Tag is verified at every hop, including peer-to-peer negotiation.
  • L11 Network — TLS plus mTLS at the network layer for inter-agent traffic; passport signature is verified inside that tunnel, defeating MITM-then-replay.
  • L15 Correlation (DiD) — message-chain hash linking (prev_hash + event_hash on the grid_ledger) makes mid-stream substitution detectable post-hoc.
ASI08

Cascading Failures

Incorrect signals propagate through automated pipelines with compounding negative effects.
  • L12 Behavioral — rate caps + anomaly thresholds break feedback loops before they cascade; e.g. the JSONLogic rate-cap pack rejects the N-th call within a window.
  • L14 Confidence — low-confidence outputs from an upstream agent flow into downstream policy as a confidence_low flag that can trigger HUMAN_REVIEW at L9 Meta.
  • L15 Correlation (DiD) — cross-agent action correlation surfaces the cascade pattern (e.g. "Agent A's denial → Agent B's retry → Agent C's escalation") for circuit-breaking.
ASI09

Human-Agent Trust Exploitation

Persuasive explanations manipulate human operators into approving harmful actions.
  • L9 Meta — HUMAN_REVIEW gates emit a structured decision card (sub, act.sub, scope, deciding_rule, layer) rather than free-form natural-language explanation, making social-engineering reframing visible.
  • L14 Confidence — confidence and provenance metadata are surfaced alongside the action, not hidden in the agent's narrative; the operator sees "this is L8-DENY at confidence 0.42" not the agent's prose.
  • L3 Compliance / PII (DiD) — Article 26 deployer-obligation surfacing forces explicit human acknowledgment of legal-significance decisions, defeating "small print" social pressure.
ASI10

Rogue Agents

Agents exhibit misalignment, concealment, and self-directed behaviour contrary to oversight.
  • L12 Behavioral — drift detection against the agent's declared behaviour baseline; any deviation beyond the configured envelope triggers DENY plus alert.
  • L15 Correlation — cross-action correlation surfaces concealment patterns (e.g. action-X-then-action-Y combos that individually pass but jointly indicate exfiltration).
  • L9 Meta (DiD) — every decision is appended to the append-only audit ledger (SQL BEFORE DELETE / BEFORE UPDATE triggers on both agent_logs and grid_ledger; grid_ledger is additionally hash-chained); a rogue agent's actions cannot be retroactively hidden. Verify live at /grid/ledger/retention.
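
The hash-chained, trigger-protected grid_ledger described under ASI07 and ASI10, as an added example that is not the AiEGIS harness's own code: a constructed in-memory sqlite3 ledger whose BEFORE DELETE / BEFORE UPDATE triggers reuse the trigger names that the /grid/ledger/retention response reports, plus a verifier that recomputes the prev_hash + event_hash links. The table schema, column names, SHA-256 as the hash and the all-zero genesis anchor are assumptions.

```python
import hashlib
import json
import sqlite3

# Constructed stand-in for the page's grid_ledger (schema assumed): rows link via
# prev_hash + event_hash, and SQL triggers refuse UPDATE/DELETE (append-only).
SCHEMA = """
CREATE TABLE grid_ledger (seq INTEGER PRIMARY KEY, event TEXT NOT NULL,
                          prev_hash TEXT NOT NULL, event_hash TEXT NOT NULL);
CREATE TRIGGER trg_grid_ledger_no_delete BEFORE DELETE ON grid_ledger
BEGIN SELECT RAISE(ABORT, 'grid_ledger is append-only'); END;
CREATE TRIGGER trg_grid_ledger_no_update BEFORE UPDATE ON grid_ledger
BEGIN SELECT RAISE(ABORT, 'grid_ledger is append-only'); END;
"""
GENESIS = "0" * 64  # assumed anchor for the first event's prev_hash

def event_hash(prev_hash: str, event_json: str) -> str:
    # Binds each event to its predecessor's hash (SHA-256 assumed).
    return hashlib.sha256((prev_hash + event_json).encode()).hexdigest()

def open_ledger() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def append(conn, event: dict) -> int:
    # Canonical JSON, chained to the latest stored event_hash; returns seq.
    event_json = json.dumps(event, sort_keys=True, separators=(",", ":"))
    row = conn.execute("SELECT event_hash FROM grid_ledger ORDER BY seq DESC LIMIT 1").fetchone()
    prev = row[0] if row else GENESIS
    cur = conn.execute("INSERT INTO grid_ledger(event, prev_hash, event_hash) VALUES (?, ?, ?)",
                       (event_json, prev, event_hash(prev, event_json)))
    conn.commit()
    return cur.lastrowid

def verify_chain(rows) -> list:
    # rows: (seq, event, prev_hash, event_hash) in seq order.
    # Walk the chain; report every seq whose link or hash fails recomputation.
    bad, prev = [], GENESIS
    for seq, event_json, prev_hash, stored in rows:
        if prev_hash != prev or stored != event_hash(prev, event_json):
            bad.append(seq)
        prev = stored
    return bad

def rewrite_rejected(conn, seq: int) -> bool:
    # The BEFORE UPDATE trigger aborts any in-place rewrite of a past decision.
    try:
        conn.execute("UPDATE grid_ledger SET event = '{}' WHERE seq = ?", (seq,))
        return False
    except sqlite3.IntegrityError:
        return True
```

A substituted event in a streamed copy of the ledger shows up as a seq whose recomputed hash disagrees with the stored one, while the triggers stop in-place rewrites before they ever reach the table.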
Coverage summary

Every category, named layers.

Every ASI category has at least one primary layer (the layer cited in a customer-facing compliance argument) and at least one defence-in-depth layer (a layer that catches the same risk if the primary control is bypassed).

ASI    Category                          Primary layers   Defence-in-depth
ASI01  Agent Goal Hijack                 L6, L2           L4, L12
ASI02  Tool Misuse                       L8, L13          L4
ASI03  Identity & Privilege Abuse        L1, L4           L9
ASI04  Agentic Supply Chain              L13, L10         L9
ASI05  Unexpected Code Execution         L8, L6           L11
ASI06  Memory & Context Poisoning        L7, L6           L14
ASI07  Insecure Inter-Agent Comms        L1, L11          L15
ASI08  Cascading Failures                L12, L14         L15
ASI09  Human-Agent Trust Exploitation    L9, L14          L3
ASI10  Rogue Agents                      L12, L15         L9

Verify the chain

Public endpoints, signed decisions.

The 15-layer chain isn't a slide. It runs on POST /api/protect for every agent action. Each layer returns a signed reason code with a layer name and a decision_ms latency. Decisions persist to an append-only ledger with a 5-year retention floor.

# Public endpoint — layer-attributed decisions:
curl -X POST https://aiegis.ie/api/protect \
  -H "X-AEGIS-Tag: $PASSPORT_JWT" \
  -H "Content-Type: application/json" \
  -d '{"action":"<your-agent-action>","target":"<resource>"}'

# Append-only ledger receipts — verify the 5-year retention floor:
curl https://aiegis.ie/grid/ledger/retention
# {"retention_floor_days":1825,"append_only_enforced":true,
#  "triggers_present":["trg_grid_ledger_no_delete","trg_grid_ledger_no_update"], …}

# Per-event Merkle proof for any event seq:
curl https://aiegis.ie/grid/ledger/verify/1

Frequently asked

OWASP Agentic, in plain English.

What is the OWASP Top 10 for Agentic Applications?

The OWASP Top 10 for Agentic Applications (2026) is the OWASP Agentic Security Initiative's prioritised list of the ten most prevalent and impactful security risks specific to autonomous AI agents. The taxonomy uses the ASI prefix (Agentic Security Issue), numbered ASI01 through ASI10, ordered by prevalence + impact across 2024 and 2025 deployments. It was launched on 2025-12-09.

How is it different from the OWASP Top 10 for LLM Applications?

The LLM Top 10 focuses on risks at the model boundary (prompt injection, training data poisoning, model denial-of-service). The Agentic Top 10 focuses on risks that surface specifically when an LLM is used as the planning core of an autonomous agent that takes actions in the world — tool calls, API requests, multi-agent communication, persistent memory. The two lists overlap but are not duplicates.

How does AiEGIS cover all ten categories?

The AiEGIS 15-layer enforcement chain (L1 Identity through L15 Correlation) covers every ASI category with at least one primary layer plus at least one defence-in-depth layer. The per-category table above names the layers. The chain runs on every POST /api/protect call and emits signed reason codes per layer with a decision_ms latency field.

How do I verify the coverage claims?

Three public endpoints let an auditor or customer verify the chain end-to-end. POST /api/protect returns layer-attributed decisions. /grid/ledger/retention confirms the append-only triggers and the 5-year retention floor. /grid/ledger/verify/<seq> returns a Merkle proof for any event in the ledger. Code paths are in the open-source harness at the public reference implementation.

Is there a machine-readable version of this mapping?

The canonical mapping lives in the AiEGIS harness reference at compliance/owasp_agentic_top_10.md. The page you are reading is the authoritative customer-facing rendering. The mapping is additive to existing AiEGIS compliance evidence (Article 26 at /article-26-walkthrough and Article 12 retention via /grid/ledger/retention).

Where is the OWASP Agentic Top 10 specification?

The OWASP Gen AI Security Project landing page is at genai.owasp.org/llm-top-10/. The Agentic Security Initiative is at genai.owasp.org/initiatives/agentic-security-initiative/. The Top 10 for Agentic Applications 2026 resource page is at genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/.