The OWASP Agentic Top 10 and What It Means for NHI Governance
In December 2025, OWASP released the Top 10 for Agentic Applications — the first industry-standard framework for AI agent security risks. Developed by over 100 experts, it acknowledges what security teams have been feeling: AI agents are a fundamentally different attack surface.
But here's what most coverage misses: many of these risks map directly to NHI (Non-Human Identity) governance capabilities. This article breaks down each risk and shows how agent-native NHI governance addresses them.
Why This Framework Matters
OWASP's LLM Top 10 focused on what AI says — prompt injection, hallucinations, data leakage in responses. The Agentic Top 10 focuses on what AI does — tool execution, inter-agent communication, privilege escalation, supply chain attacks.
The framework introduces a key principle: least agency. Only grant agents the minimum autonomy required to perform safe, bounded tasks. This aligns directly with NHI governance — identity, capabilities, and access should be explicit, scoped, and auditable.
Key insight: The OWASP Agentic Top 10 implicitly defines what agent NHI governance must provide. If your NHI strategy doesn't address these risks, you have a gap.
The 10 Risks and NHI Governance Response
Agent Goal Hijack
Risk: Attackers alter agent objectives through malicious text in emails, PDFs, or web content.
NHI Governance Response: Capability enforcement limits what hijacked agents can actually do. Even if an agent's goal is manipulated, it can't exceed its declared capabilities. Audit trails capture the deviation for forensic analysis.
Tool Misuse and Exploitation
Risk: Agents use legitimate tools unsafely, passing destructive parameters or invoking unexpected tool chains.
NHI Governance Response: MCP attestation ensures agents only connect to approved tool servers. Drift detection alerts when tool surfaces change. Capability scoping prevents chaining into unauthorized operations.
Identity and Privilege Abuse
Risk: High-privilege credentials inherited by agents are reused, escalated, or passed across agents without proper scoping.
NHI Governance Response: This is the core NHI governance problem for agents. Cryptographic identity ensures each agent has its own bounded identity — not inherited credentials. Just-in-time access prevents standing privileges. Ownership attribution creates accountability.
Agentic Supply Chain Vulnerabilities
Risk: Dynamically fetched components like MCP servers, plugins, and templates can be compromised.
NHI Governance Response: MCP server attestation creates cryptographic fingerprints of tool surfaces. Supply chain analytics map which agents connect to which servers. Drift detection alerts when tools change unexpectedly.
Unexpected Code Execution
Risk: Agents generate or run code unsafely, including shell commands and scripts.
NHI Governance Response: Capability enforcement can block code execution capabilities entirely or scope them to specific contexts. Behavioral trust scoring detects when agents attempt unauthorized execution patterns.
Memory and Context Poisoning
Risk: Attackers poison memory systems and RAG databases to influence future agent decisions.
NHI Governance Response: While NHI governance doesn't directly address RAG poisoning, audit trails capture the context of agent decisions, enabling forensic analysis when poisoning is suspected. Trust scoring can detect behavioral drift.
Insecure Inter-Agent Communication
Risk: Multi-agent message exchanges lack proper authentication, encryption, or semantic validation.
NHI Governance Response: Support for the Agent-to-Agent (A2A) protocol with cryptographic authentication. Each agent proves its identity in every interaction. Trust relationships between agents are explicit and auditable.
Cascading Failures
Risk: Errors in one agent propagate across planning, execution, memory, and downstream systems.
NHI Governance Response: Supply chain visibility maps agent interdependencies. When one agent fails, you can trace the blast radius. Trust scoring provides early warning when agent behavior degrades.
Human-Agent Trust Exploitation
Risk: Users over-trust agent recommendations, allowing attackers to influence decisions through persuasive language.
NHI Governance Response: This is primarily a UX and human-factors issue, but governance provides the data humans need to make informed decisions: trust scores, capability usage, and behavioral history.
Rogue Agents
Risk: Compromised or misaligned agents act harmfully while appearing legitimate, potentially persisting across sessions.
NHI Governance Response: Lifecycle management enables rapid suspension of rogue agents. Behavioral trust scoring detects misalignment before damage spreads. Orphan detection catches agents without accountable owners.
NHI Governance Coverage Summary
Of the 10 OWASP agentic risks, NHI governance directly addresses 8 — with 4 being critical NHI issues that traditional security tools miss entirely.
| NHI Capability | Risks Addressed |
|---|---|
| Cryptographic Identity | ASI03 (Identity Abuse), ASI07 (Insecure Inter-Agent), ASI10 (Rogue Agents) |
| Capability Enforcement | ASI01 (Goal Hijack), ASI02 (Tool Misuse), ASI05 (Code Execution) |
| MCP Attestation | ASI02 (Tool Misuse), ASI04 (Supply Chain) |
| Trust Scoring | ASI06 (Memory Poisoning), ASI08 (Cascading Failures), ASI10 (Rogue Agents) |
| Supply Chain Analytics | ASI04 (Supply Chain), ASI08 (Cascading Failures) |
| Lifecycle Management | ASI10 (Rogue Agents) |
| Audit Trails | All risks (forensic analysis) |
Deep Dive: ASI03 — Identity and Privilege Abuse
ASI03 deserves special attention because it's the most directly NHI-relevant risk. From the OWASP description:
"High-privilege credentials and tokens inherited by agents are unintentionally reused, escalated, or passed across agents without proper scoping."
This is exactly what happens when agents don't have their own identity. They inherit the credentials of whoever deployed them — often a developer with broad access. Those credentials get:
- Reused across multiple agents with different purposes
- Escalated when agents chain operations together
- Passed to other agents in multi-agent systems
- Forgotten when developers leave the organization
The NHI governance response is clear:
Cryptographic Identity
Each agent gets its own Ed25519 keypair. No inherited credentials. Identity is proven cryptographically on every action.
Ownership Attribution
Every agent is linked to a human owner. When that person leaves, the agent is flagged as orphaned for review.
Just-In-Time Access
No standing privileges. Sensitive operations require explicit, time-limited approval. Access expires automatically.
Capability Scoping
Agents declare what they can do. Everything else is blocked. Escalation is impossible without explicit capability grants.
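As an added illustration (not code from this article or from AIM), here is a minimal Go sketch of the controls above: each agent holds its own Ed25519 keypair and signs every action, and the governance side verifies the signature before allowing only a declared capability or an unexpired just-in-time grant. The Action and Agent structures, field names and function names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// Action is the signed request an agent submits before acting (hypothetical shape).
type Action struct {
	AgentID    string `json:"agent_id"`
	Capability string `json:"capability"` // e.g. "email.send"
}
// Agent is the governance record: own public key, declared capabilities, JIT grants (capability -> expiry).
type Agent struct {
	ID       string
	PubKey   ed25519.PublicKey
	Declared map[string]bool
	Grants   map[string]time.Time
}

// NewAgent issues a fresh Ed25519 keypair; the private key never leaves the agent.
func NewAgent(id string, declared map[string]bool) (*Agent, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Agent{ID: id, PubKey: pub, Declared: declared, Grants: map[string]time.Time{}}, priv
}

// SignAction serializes the action and signs it with the agent's private key.
func SignAction(priv ed25519.PrivateKey, act Action) (payload, sig []byte) {
	payload, _ = json.Marshal(act)
	return payload, ed25519.Sign(priv, payload)
}

// Authorize proves identity first, then allows only a declared capability or an unexpired grant.
func Authorize(a *Agent, payload, sig []byte, now time.Time) error {
	if !ed25519.Verify(a.PubKey, payload, sig) {
		return errors.New("signature does not match this agent's key")
	}
	var act Action
	if err := json.Unmarshal(payload, &act); err != nil || act.AgentID != a.ID {
		return errors.New("malformed action or agent id mismatch")
	}
	exp, granted := a.Grants[act.Capability]
	if a.Declared[act.Capability] || (granted && now.Before(exp)) {
		return nil
	}
	return errors.New("capability not declared and no valid just-in-time grant")
}
```

Because the grant map holds an expiry rather than a flag, expiry happens automatically: once the clock passes it, the same signed action is refused without anyone revoking anything.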
Deep Dive: ASI04 — Agentic Supply Chain
ASI04 highlights a risk unique to agentic systems: supply chain attacks that target what agents load at runtime, not what developers install at build time.
Real-world example
In September 2025, researchers discovered a malicious MCP server on npm impersonating Postmark's email service. Any AI agent using it for email operations unknowingly exfiltrated every message to attackers.
Traditional software supply chain security (SBOMs, dependency scanning) doesn't catch this. These tools analyze static dependencies at build time. MCP servers are loaded dynamically at runtime — and their tool surfaces can change without notice.
NHI governance addresses this through:
- MCP Server Attestation — Cryptographic fingerprints of approved tool surfaces
- Drift Detection — Alerts when MCP server tools change unexpectedly
- ABOM Generation — Agent Bill of Materials documenting all MCP connections
- Supply Chain Analytics — Visibility into which agents connect to which servers
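An added example, not code from this article, from AIM, or from any MCP implementation, showing how attestation and drift detection can work over an MCP tools/list result: each tool entry is re-encoded with sorted keys and hashed, the per-tool hashes form the attested baseline, and a later listing is diffed against it. The JSON shape (tools, name, inputSchema) follows the MCP tools/list response; the function names are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

// ToolHash fingerprints one tool entry after re-encoding with sorted keys, so key order or whitespace is not drift.
func ToolHash(raw json.RawMessage) string {
	var v interface{}
	_ = json.Unmarshal(raw, &v)      // raw was already validated as JSON by Attest
	canon, _ := json.Marshal(v)      // encoding/json emits map keys in sorted order
	sum := sha256.Sum256(canon)
	return hex.EncodeToString(sum[:])
}
// Attest parses a tools/list result; returns the surface fingerprint and the per-tool hashes kept as baseline.
func Attest(listJSON []byte) (surface string, perTool map[string]string, err error) {
	var list struct{ Tools []json.RawMessage `json:"tools"` }
	if err = json.Unmarshal(listJSON, &list); err != nil {
		return "", nil, err
	}
	perTool = map[string]string{}
	for _, raw := range list.Tools {
		var t struct{ Name string `json:"name"` }
		if err = json.Unmarshal(raw, &t); err != nil {
			return "", nil, err
		}
		perTool[t.Name] = ToolHash(raw)
	}
	canon, _ := json.Marshal(perTool) // sorted keys: deterministic surface hash
	sum := sha256.Sum256(canon)
	return hex.EncodeToString(sum[:]), perTool, nil
}
// Drift compares a fresh listing's per-tool hashes with the baseline: added, removed, or changed tools.
func Drift(baseline, current map[string]string) (added, removed, changed []string) {
	for name, h := range current {
		if bh, ok := baseline[name]; !ok {
			added = append(added, name)
		} else if bh != h {
			changed = append(changed, name)
		}
	}
	for name := range baseline {
		if _, ok := current[name]; !ok {
			removed = append(removed, name)
		}
	}
	return added, removed, changed
}
```

Storing the baseline per tool, not just the surface hash, is what lets an alert say which tool changed (for instance a schema that silently gained a parameter) instead of only that something did.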
Using OWASP Agentic Top 10 for Compliance
The OWASP framework provides a compliance roadmap for AI agent deployments. Auditors will increasingly ask: "How do you address the OWASP Agentic Top 10?"
NHI governance platforms provide the controls and evidence:
| Compliance Framework | OWASP Risks Addressed | NHI Evidence |
|---|---|---|
| SOC 2 | ASI03, ASI04, ASI07 | Access control reports, audit logs, supply chain inventory |
| ISO 27001 | ASI03, ASI10 | Identity management, incident response, lifecycle controls |
| NIST AI RMF | All | Risk assessment, continuous monitoring, governance documentation |
What To Do Now
Map your agent deployments to OWASP risks
Which of the 10 risks apply to your current agent implementations? Prioritize the critical NHI-relevant ones: ASI03, ASI04, ASI07, ASI10.
Assess your NHI governance coverage
Does your current NHI strategy address agent identity, MCP attestation, and inter-agent communication? If not, you have gaps.
Implement agent-native controls
Start with cryptographic identity and capability enforcement. These address the highest-impact risks (ASI03, ASI01, ASI02) with the clearest implementation path.
Document for compliance
Use OWASP Agentic Top 10 as your framework when auditors ask about AI agent security. Map your controls to specific risks.
Address OWASP Agentic Risks with NHI Governance
AIM provides the NHI governance capabilities mapped in this article — cryptographic identity, capability enforcement, MCP attestation, trust scoring, and compliance reporting. Open source and free to start.