25. March 2026 | Print article |

OWASP Agentic AI Top 10: When AI Agents Become the Biggest Attack Surface

9 min Reading Time

Software stocks plummet as AI agents are set to automate entire business processes. Yet while executives debate cost savings, a security issue is emerging that most IT teams haven’t even registered: autonomous agents are creating an entirely new attack surface. OWASP has now defined the first framework with its Agentic AI Top 10 – and 48 percent of security professionals already rank AI agents as the number one threat for 2026.

TL;DR

  • OWASP Agentic AI Top 10: In December 2025, OWASP released the first security framework specifically for autonomous AI agents – developed by over 100 experts (OWASP, December 2025).
  • First documented AI cyberattack: In September 2025, a state-sponsored group deployed an AI agent for a multi-day espionage campaign – 80 to 90 percent of the attack execution was autonomous (Anthropic, November 2025).
  • 82 machine identities per human: Companies now have 82 non-human identities for every human identity – AI agents are exacerbating this ratio (CyberArk, 2025).
  • 48 percent see AI agents as top threat: Nearly half of all cybersecurity professionals rank agent-based AI as the biggest attack vector for 2026 – ahead of ransomware and supply chain attacks (Dark Reading, 2026).
  • 492 exposed MCP servers: Trend Micro found nearly 500 exposed Model Context Protocol servers without any authentication in early 2026. The first confirmed malicious MCP server rerouted emails for weeks.
  • Gartner calls for Guardian Agents: By 2028, 40 percent of CIOs will require Guardian Agents – AI systems that monitor other AI agents (Gartner Market Guide, February 2026).

Why AI Agents Represent a New Threat Class

Previous security models for AI systems assumed a simple workflow: a human asks a question, a model responds, the human evaluates the output. The attack surface was limited to the prompt and the response.

Autonomous AI agents function fundamentally differently. An agent receives a goal, plans a sequence of actions, calls external tools, stores information in long-term memory, launches sub-agents, and executes – often without a human reviewing every step. The attack surface now includes every tool invocation, every memory access, every handoff between agents, and every connection to external systems.

On March 24, 2026, AWS confirmed it is building internal AI agents for sales and business development. The software sector lost 4.3 percent in a single day. But while the financial world debates valuations, CISOs face a more pressing question: Who controls what these agents do?

48 %
of security professionals rank AI agents as threat #1 for 2026
Source: Dark Reading Survey, 2026

Case Study: The First Documented AI Cyberattack

That the OWASP risks are not theoretical became clear in September 2025. Anthropic uncovered a multi-day espionage campaign in which a state-sponsored group used an AI agent as an autonomous attack tool. The company described the incident as the first documented case of a large-scale AI-powered cyberattack.

The agent conducted network reconnaissance, independently generated exploit code, collected credentials, and exfiltrated data with automated categorization by intelligence value. Between 80 and 90 percent of the attack execution was autonomous. Attackers bypassed security mechanisms through task fragmentation: the attack was broken into small, seemingly harmless subtasks that individually triggered no alarms.

Around 30 organizations in technology, finance, chemicals, and government were affected. Accounts were locked within ten days, and affected organizations and authorities were notified. For CISOs, the case serves as a wake-up call: the methodology – Agent Goal Hijacking via fragmented tasks – matches OWASP ASI01, the top risk in the Agentic AI Top 10.

The OWASP Agentic AI Top 10 in Detail

The framework released in December 2025 identifies ten critical risks specific to autonomous agents. The three most dangerous:

Agent Goal Hijacking (ASI01) tops the list: attackers inject manipulated inputs – a crafted email, a poisoned document, a compromised website. The agent cannot reliably distinguish between instructions and data and executes the manipulated goals using its legitimate tools and access rights. A single malicious input can redirect the entire agent.

Memory Poisoning is particularly insidious: attackers gradually inject false information into an agent’s long-term memory. Over weeks, decision-making behavior shifts. Traditional anomaly detection fails because the change is too gradual.

Supply chain and MCP server vulnerabilities are already real: Trend Micro found 492 exposed Model Context Protocol servers without any authentication in early 2026. The first confirmed malicious MCP server – postmark-mcp – forwarded every outgoing email via BCC to an attacker-controlled address for weeks before being discovered.

Companies are already exposed to agentic AI attacks – often without knowing that agents are running in their environment.
Keren Katz, OWASP Co-Lead and Senior Group Manager AI Security at Tenable (paraphrased)

NIS2 and the Regulatory Framework

For German companies, an additional dimension comes into play: NIS2 has been in force since December 2025. Around 29,500 entities fall under the new obligations. The law explicitly requires risk management and incident reporting – including for AI systems used in regulated sectors.

ENISA and the European standardization bodies CEN, CENELEC, and ETSI are working to link AI-specific security requirements directly to NIS2’s core obligations. The 2026 NIS2 review will serve as the intersection for technical standards, AI controls, and incident reporting.

The regulatory triad of NIS2, the EU AI Act, and ISO 42001 defines the framework: NIS2 sets the baseline for risk management and reporting obligations. The EU AI Act classifies high-risk AI systems. ISO 42001 provides the management system. Companies using AI agents must address all three layers.

The consequences of violations are severe: up to 10 million Euro or 2 percent of global annual revenue for essential entities. Up to 7 million Euro or 1.4 percent for important entities.

Identity and Access Management for AI Agents

One of the underestimated challenges: AI agents are not human but require identities. They authenticate to APIs, access databases, and send emails on behalf of employees. Traditional IAM is not designed for this.

The scale of the problem is highlighted in the CyberArk State of Machine Identity Security Report 2025: for every human identity in companies, there are already 82 machine identities – API keys, service accounts, certificates, tokens. AI agents exacerbate this ratio because each agent needs multiple identities for different tools and systems.

82 : 1
Ratio of machine to human identities in companies
Source: CyberArk State of Machine Identity Security Report, 2025

If an AI agent with the access rights of a sales manager sends emails, modifies CRM data, and generates quotes – who is responsible in the event of a security incident? Existing role models (RBAC, ABAC) assume human users who understand context and make conscious decisions.

For agents, a new paradigm is needed: Machine Identity Management. Each agent receives its own auditable identity with clearly defined permissions, time-limited tokens, and automatic rotation. Azure Managed Identities and AWS IAM Roles offer approaches, but most companies are not yet using them for agent scenarios.

The OWASP framework recommends: no shared credentials between humans and agents. Every agent access must be logged and traceable separately. If an agent is compromised, revoking its identity must not lock out a human user.

The Gap Between Adoption and Security

The discrepancy is alarming: companies are rolling out AI agents at breakneck speed while security teams lag behind. According to a Dark Reading survey, only 34 percent of companies have AI-specific security controls in place. Meanwhile, Gartner expects that by the end of 2026, 40 percent of enterprise applications will integrate AI agents.

This gap is exacerbated by competitive pressure. After AWS confirmed on March 24 that it is building internal AI agents for sales, the pressure on other companies to follow suit increased. The fear of falling behind is leading to rushed deployments without adequate security architecture.

A typical pattern: the business unit deploys an AI agent for customer communication, connects it to CRM, email, and calendar – without involving the security team. Within hours, the agent has more access rights than most employees. And no one monitors what it does with them.

Guardian Agents: When AI Monitors Other AI

In February 2026, Gartner released the first Market Guide for Guardian Agents – a signal that the industry has recognized the problem. Guardian Agents are AI systems specifically designed to monitor other AI agents and check their actions against defined boundaries. Gartner defines three roles: Reviewers check outputs, Monitors observe ongoing actions, Protectors block rule violations.

The forecasts are clear: by 2028, Gartner expects 40 percent of CIOs to require Guardian Agents for their AI deployments. By 2030, Guardian Agents are projected to account for 10 to 15 percent of the entire agentic AI market. And by 2029, independent Guardian Agents will replace nearly half of today’s security systems for AI agents.

One detail from the report deserves special attention: by 2028, Gartner expects at least 80 percent of unauthorized AI agent transactions to result from internal policy violations – not external attacks. The biggest risk comes from the company’s own agents exceeding their defined boundaries. Guardian Agents address this problem precisely: they create a control layer above operational agents.

Practical Checklist: How to Secure AI Agents

OWASP recommends the principle of minimal autonomy – the agent-specific equivalent of the least-privilege principle. In practice, this means:

1. Create an agent inventory: Which AI agents are running in your environment? Many companies don’t know. Shadow agents in marketing, sales, and finance departments are common.

2. Restrict tool access: Each agent may only use the tools and APIs absolutely necessary for its defined task. No agent needs access to the entire CRM and email system simultaneously.

3. Implement memory provenance: Every piece of information in an agent’s memory receives metadata on source, confidence, and validation status. This helps detect memory poisoning.

4. Red team for agents: Penetration tests must explicitly test prompt injection, tool misuse, and privilege escalation in agent workflows. Standard pentests do not cover the agent-specific attack surface.

5. Secure MCP servers: All Model Context Protocol servers must be protected with authentication and access controls. The postmark-mcp incident shows that a single unsecured server can exfiltrate data for weeks.

6. Evaluate a Guardian Agent strategy: For complex multi-agent deployments, plan a monitoring layer. The Gartner Market Guide provides a framework for selecting and implementing Guardian Agents as an independent control instance.

Conclusion

AI agents are coming – whether as internal AWS tools, replacements for SaaS licenses, or autonomous process automators. The question is not if, but how fast. The Anthropic incident in September 2025 demonstrated that attackers already know how to weaponize AI agents. Meanwhile, 82 machine identities per human are already operating in corporate environments – each a potential entry point.

For security teams, this means: adopt the OWASP Agentic AI Top 10 as a baseline, create an agent inventory, enforce the least-agency principle, and evaluate Guardian Agents as a control layer. The first concrete step remains a shadow agent audit: Which AI agents are already running in your environment, who set them up, and what access rights do they have? Those who wait for the first memory poisoning incident in their own company will have missed the window for proactive security.

Frequently Asked Questions

What are the OWASP Agentic AI Top 10?

A security framework published in December 2025 that identifies the ten most critical risks for autonomous AI agents. Developed by over 100 experts, it complements the existing OWASP LLM Top 10, which applies only to chat-based AI systems with human oversight.

What is Agent Goal Hijacking?

In Agent Goal Hijacking, attackers inject manipulated inputs into an AI agent’s data sources – such as a crafted email or a poisoned document. The agent cannot reliably distinguish between instructions and data and executes the manipulated goals using its legitimate tools and access rights.

What is Memory Poisoning in AI agents?

Memory Poisoning refers to the gradual injection of false information into an agent’s long-term memory. Unlike traditional attacks, the manipulation occurs slowly over weeks, appearing as a normal learning process. Conventional anomaly detection therefore fails to catch it.

What are Guardian Agents?

Guardian Agents are AI systems that monitor other AI agents and check their actions against defined rules and boundaries. Gartner distinguishes three roles: Reviewers check outputs, Monitors observe ongoing actions, and Protectors block rule violations. By 2030, they are expected to account for 10 to 15 percent of the agentic AI market.

What does the 82:1 ratio for machine identities mean?

According to the CyberArk State of Machine Identity Security Report 2025, companies have 82 machine identities – API keys, service accounts, certificates, and tokens – for every human identity. AI agents exacerbate this ratio because each agent requires its own identities for different tools and systems.

Do AI agents fall under NIS2?

Yes, if they are used in one of the 18 regulated sectors. NIS2 requires risk management and incident reporting for all IT systems. ENISA is working to link AI-specific requirements directly to NIS2’s core obligations. The 2026 NIS2 review will provide more concrete guidelines.

How many companies have AI-specific security controls?

Only 34 percent, according to a Dark Reading survey of cybersecurity professionals. This means two-thirds are deploying or planning to deploy AI agents without adequate security measures in place.

What was the postmark-mcp incident?

The first confirmed case of a malicious MCP server. The postmark-mcp module forwarded every outgoing email via BCC to an attacker-controlled address for weeks. Trend Micro found 492 exposed MCP servers without any authentication in early 2026.

Further Reading

Copilot as a Security Risk: When the AI Assistant Leaks Corporate Secrets

Supply Chain Attack on Trivy: When the Security Scanner Becomes a Weapon

NIS2 Registration Requirement: The Practical Checklist Under Paragraph 30 BSIG (Federal Office for Information Security)

More from the MBF Media Network

cloudmagazin: NIS2 and SaaS – The Compliance Gap

Digital Chiefs: AI Liability in the Boardroom

MyBusinessFuture: Cyber Resilience Act

Header Image Source: Pexels / cottonbro studio (px:5473956)

Print article
Benedikt Langer

About the author: Benedikt Langer

More articles by

A magazine by Evernine Media GmbH