---
title: "Containing the OWASP Agentic Threats"
date: "2026-06-06T22:00:00-07:00"
lastmod: "2026-06-06T22:00:00-07:00"
description: "OWASP's Agentic AI Threats and Mitigations taxonomy is where security reviews of agent systems start. This post runs mission-bound authorization against all fifteen threats and the LLM Top 10, and gives each a verdict instead of a hand-wave: contained by machinery built for it, bounded at the action gate, or delegated to a named complement."
summary: "Security reviewers do not arrive with your framing. They arrive with OWASP\u0026rsquo;s: fifteen agentic threats from memory poisoning to human manipulation, plus the LLM Top 10. This post crosswalks both onto the handbook and refuses the move that makes crosswalks worthless, claiming everything. Each threat gets one of three verdicts. Contained means the threat lands on machinery built for it, with a draft behind it. Bounded means the cause is out of authorization\u0026rsquo;s reach but the blast radius is capped at the action gate. Delegated means it is not an authorization problem and a named complement owns it. Six of the fifteen are contained, nine are bounded, and half the LLM Top 10 is honestly someone else\u0026rsquo;s layer."
slug: "containing-the-owasp-agentic-threats"
tags:
  - "Agentic Identity"
  - "Authorization"
  - "Mission-Bound Authorization"
  - "Security Architecture"
  - "OWASP"
series:
  - "proving-mission-bound-authorization"
---


{{< tldr >}}

- **The framing.** The [OWASP Agentic AI Threats and Mitigations taxonomy](https://genai.owasp.org/resource/agentic-ai-threats-and-mitigations/), fifteen threats from memory poisoning to human manipulation, plus the [LLM Top 10](https://genai.owasp.org/llm-top-10/). This is the checklist security reviews actually open with.
- **The claim.** Every threat gets a verdict, not a hand-wave: **contained** (machinery built for it, draft behind it), **bounded** (cause untouched, blast radius capped at the action gate), or **delegated** (a named complement owns it). Six of fifteen contained, nine bounded, and half the LLM Top 10 delegated to the model and pipeline layers where it belongs.
- **What lives in this post.** [The fifteen agentic threats in one table](#the-agentic-threats-all-fifteen), [the LLM Top 10 split honestly](#the-llm-top-10-split-honestly), [three threats worth a closer look](#three-threats-worth-a-closer-look), and [what the crosswalk does not claim](#what-the-crosswalk-does-not-claim).
- **The laws.** [All five](/series/mission-bound-authorization/#the-five-laws-of-delegated-authority), with Containment doing the heaviest lifting: manipulated agents, poisoned memory, and rogue delegates all fail at the same gate.
- **Specs (editor's copies).** [Runtime enforcement](https://mcguinness.github.io/mission-bound-authorization/#go.draft-mcguinness-mission-runtime.html), the [AuthZEN profile](https://mcguinness.github.io/mission-bound-authorization/#go.draft-mcguinness-mission-authzen.html), [agent harnesses](https://mcguinness.github.io/mission-bound-authorization/#go.draft-mcguinness-mission-harness.html), and [Audit Transparency](https://mcguinness.github.io/mission-bound-authorization/#go.draft-mcguinness-mission-audit.html).

**Reading path.** ~12 minutes in order, or jump to [the crosswalk table](#the-agentic-threats-all-fifteen) for every verdict at a glance.

{{< /tldr >}}

# Overview

The first two proofs in this chapter answered a threat model and a
requirements framework. This one answers the checklist. When a
security team reviews an agent deployment, the framing on the table is
usually OWASP's: the
[Agentic AI Threats and Mitigations taxonomy](https://genai.owasp.org/resource/agentic-ai-threats-and-mitigations/)
from the GenAI Security Project, fifteen threats spanning single
agents, multi-agent systems, and the humans around them, alongside the
older [Top 10 for LLM Applications](https://genai.owasp.org/llm-top-10/).
If the handbook cannot state its position against that list, threat by
threat, the reviewer is right to treat it as unevaluated.

A crosswalk that claims everything has been fitted, not tested, so
this one grades itself with three verdicts and accepts the tally it
gets:

| Verdict | What it means |
| --- | --- |
| **Contained** | The threat lands on machinery built for it: a structural control with a draft behind it |
| **Bounded** | The cause is out of authorization's reach, but the blast radius is capped at the action gate |
| **Delegated** | Not an authorization problem: a named complement owns it, and the handbook composes with it |

The distinction that drives most rows is the one the
[trifecta post](/notes/splitting-the-lethal-trifecta/) established:
the authorization layer does not make the model resistant to anything.
It makes the model's compromise survivable, because authority was
fixed at approval and every consequential action is checked against it
fresh. Threats that attack authority are contained. Threats that
attack the model, its memory, or its inputs are bounded, because a
fully fooled agent still cannot out-argue a parameter check. Threats
that attack layers the handbook never claimed are delegated, by name.

# The Agentic Threats, All Fifteen

| Threat | The attack | The handbook's answer | Verdict |
| --- | --- | --- | --- |
| T1 Memory Poisoning | Persistent memory is seeded with malicious data that steers future behavior | Poisoned memory can steer proposals, not authority: [shaping fails closed on ambiguity](/notes/mission-approval-integrity/), and every consequential action still needs a fresh parameter-bound permit against the approved Mission | Bounded |
| T2 Tool Misuse | The agent's own tools are driven to unauthorized or harmful invocations | [Per-action PEP/PDP enforcement](/notes/mission-bound-runtime-enforcement-profile/) with parameters bound into the permit, applied at the tool boundary by the [MCP application post](/notes/least-privilege-mcp-tool-calls-need-a-mission/) | Contained |
| T3 Privilege Compromise | Permissions escalate beyond what the task requires | Narrowing: every derivation is a strict subset of the Mission's Authority Set, [Child Missions only narrow](/notes/mission-sub-agents-and-delegation/), and there is no ambient inheritance to escalate into | Contained |
| T4 Resource Overload | Unbounded agent activity exhausts compute, API, or financial budgets | `expires_at` on every Mission, fan-out bounded by count and depth, and [Consumption Metering](https://mcguinness.github.io/mission-bound-authorization/#go.draft-mcguinness-mission-metering.html) (experimental) for spend | Bounded |
| T5 Cascading Hallucination Attacks | False content propagates through memory, messages, and downstream systems | Authorization does not verify truth. It gates consequence: hallucinated content can only reach the world through consequential actions, each needing its own permit | Bounded |
| T6 Intent Breaking and Goal Manipulation | Injection or instruction manipulation redirects the agent's objectives | The enemy sentence, answered: the injected goal cannot widen the committed one, because the PDP checks actions against the approved Mission, not against the agent's current intent | Contained |
| T7 Misaligned and Deceptive Behaviors | The agent acts against its intended purpose or conceals what it does | Deception is not detected, it is out-evidenced: only approved action classes execute, and [Decision and Execution Evidence](/notes/mission-agent-runtime-and-audit/) come from the gate, not from the agent's self-report | Bounded |
| T8 Repudiation and Untraceability | Actions cannot be reliably attributed or audited | Attribution end to end: the `act` chain on every hop, the evidence family joined on `mission_id`, and SCITT keeping the feed tamper-evident | Contained |
| T9 Identity Spoofing and Impersonation | Attackers assume an agent's identity or abuse non-human authentication | [Attested instance identity](/notes/mission-sub-agents-and-delegation/), sender-constrained tokens, and mediated custody keeping the credential out of the agent entirely for mediated classes | Contained |
| T10 Overwhelming the Human in the Loop | Approval volume is weaponized until humans rubber-stamp | Humans approve Missions, machines approve actions: the grain keeps human decisions rare and consequential, with [deferred approval](/notes/mission-approval-integrity/) and the batched [discovery loop](/notes/adopting-mission-bound-authorization/#composing-with-the-ecosystem) absorbing the volume | Bounded |
| T11 Unexpected RCE and Code Attacks | Tool invocations achieve code execution | Sandboxing owns execution. The handbook gates what executed code can reach: consequential effects still need permits, and capabilities are bound to source digests with drift failing closed | Bounded |
| T12 Agent Communication Poisoning | Malicious instructions ride inter-agent messages | Messages can lie, authority cannot: influence carries no authority between agents, because delegation only narrows and every hop is enforced against its own Child Mission | Bounded |
| T13 Rogue Agents | A compromised agent inside the system acts maliciously | A rogue instance holds only mission-bound, instance-bound, revocable authority, and [Termination cascades](/notes/mission-lifecycle-and-change/) through the delegation tree to issuance, permits, and the harness | Contained |
| T14 Human Attacks on Multi-Agent Systems | Operators are manipulated into enabling harm | Social engineering is out of authorization's reach. What holds: a manipulated operator can still only approve [what shaping renders](/notes/you-approve-what-you-were-shown/), and the approval is attributed to them | Bounded |
| T15 Human Manipulation | The agent deceives its own human into approving or enabling harm | Consent Evidence commits the disclosure as rendered, so the record shows exactly what the human saw. An accurately disclosed bad idea remains the human's decision, and the record says so | Bounded |

Six contained, nine bounded, none waved away. The tally is the honest
shape of an authorization layer: the threats that attack authority
(tools, privilege, goals, attribution, identity, rogue delegates) land
on machinery built for them, and the threats that attack the model or
the humans are capped rather than cured, because capping is what a
deterministic gate can truthfully offer.

# The LLM Top 10, Split Honestly

The [Top 10 for LLM Applications](https://genai.owasp.org/llm-top-10/)
predates the agentic taxonomy and mixes layers, which makes it the
better test of the delegated verdict. Half of it is not an
authorization problem, and saying so is the point:

| Entry | The handbook's answer | Verdict |
| --- | --- | --- |
| LLM01 Prompt Injection | [The trifecta post](/notes/splitting-the-lethal-trifecta/) carries this end to end: the injected instruction cannot widen committed authority, and the external leg needs a fresh parameter-bound permit | Bounded |
| LLM02 Sensitive Information Disclosure | [Exposure discipline](/notes/least-exposure-is-broader-than-least-privilege/): bound what the agent may see as deliberately as what it may do, and mediated custody keeps credentials out of the leakable set | Bounded |
| LLM03 Supply Chain | Model and dependency provenance, owned by the software supply chain. One authorization-shaped edge: capabilities bound to source digests fail closed on drift | Delegated |
| LLM04 Data and Model Poisoning | Training and embedding pipeline security, upstream of any authorization decision | Delegated |
| LLM05 Improper Output Handling | Output is only dangerous when it acts. The consequential boundary is where the handbook stands, and nothing crosses it without a permit | Bounded |
| LLM06 Excessive Agency | The direct hit: the entire handbook is the treatment for this entry | Contained |
| LLM07 System Prompt Leakage | Moot by design: authority lives in the Mission and its tokens, not in the prompt, so a leaked prompt discloses instructions, not power | Delegated |
| LLM08 Vector and Embedding Weaknesses | Retrieval pipeline security. What retrieval returns is untrusted content, and the taint response treats it that way | Delegated |
| LLM09 Misinformation | Content truth is semantic, and the gate is structural | Delegated |
| LLM10 Unbounded Consumption | Expiry on every Mission and metering (experimental) on spend | Bounded |

LLM06 deserves the sentence. OWASP's mitigations for Excessive Agency
read like this handbook's table of contents: minimize the extensions
and their permissions, avoid open-ended functions, require human
approval for high-impact actions, enforce authorization in downstream
systems rather than trusting the model, and log everything. The
handbook is what happens when that advice stops being a bullet list
and becomes one architecture with wire drafts behind it.

# Three Threats Worth a Closer Look

**Intent breaking is the taxonomy's center, and the handbook's
enemy.** T6 is prompt injection grown up: the attacker does not need
to breach anything, only to change what the agent is trying to do.
Every mitigation that asks the model to notice the manipulation is
probabilistic. The handbook's answer is the same one it gives the
trifecta: the injection changed the agent's mind, and the agent's mind
was never the source of authority. The Mission was committed at
approval, the permit is checked at execution, and between those two
points there is nothing the injected goal can rewrite. Approval is a
moment, work is a span, and the span is policed against the moment.

**Overwhelming the human in the loop is an argument about grain.** T10
is the taxonomy's sharpest design question, because both naive answers
lose: approve every action and fatigue turns humans into rubber
stamps, approve nothing and governance is gone. The handbook's grain
is the Mission. A human approves the envelope once, against a
[committed disclosure](/notes/you-approve-what-you-were-shown/), and
the per-action volume goes to the PDP, which does not tire. When the
work outgrows the envelope, the
[discovery loop](/notes/adopting-mission-bound-authorization/#composing-with-the-ecosystem)
batches the overflow into a governed expansion request instead of a
stream of interrupts. The residual is real and stated: at Mission
grain, approval fatigue becomes a governance discipline rather than a
solved problem, and disclosure quality is what stands between an
approver and a reflex.

**A rogue agent is an insider, and every agent here is treated as
one.** T13 assumes the attacker is already inside the system, wearing
a legitimate agent. The handbook never trusted that agent more than
its paperwork: its authority is a strict subset of its parent's, its
tokens are bound to its attested instance so they do not travel, its
consequential actions need permits like everyone else's, and when it
is caught, [revocation cascades](/notes/mission-lifecycle-and-change/)
through the delegation tree it belongs to. The multi-agent threats
(T12 through T14) all get the same structural reply: cooperation
happens in messages, but authority never does.

# What the Crosswalk Does Not Claim

- **Bounded is not prevented.** For every bounded row the cause is
  untouched: the memory is still poisoned, the model is still fooled,
  the human is still tired. The gate caps what the compromise can
  reach, and that is the whole claim.
- **The verdicts are only as strong as PEP coverage.** An unmediated
  path is a threat with no verdict at all. The
  [adversary model](/notes/mission-bound-authorization-reference/#adversary-model)
  says this in writing: name your enforcement scope, and count your
  ATMs.
- **The enforcement is structural, not semantic.** An in-bounds action
  can still be a bad idea. The classes where content is the harm
  belong under action-bound human approval.
- **The delegated rows are real dependencies.** Supply chain,
  poisoning, retrieval security, and sandboxing are layers the
  handbook composes with and cannot replace. A deployment that skips
  them has a contained authorization layer inside an uncontained
  system.
- **Inside the approved scope, a turned agent is still turned.** Tight
  scope and short expiry are what keep that sentence tolerable.

The taxonomy's own mitigation columns keep converging on the same
words: least privilege, human approval, complete mediation, audit
trails. Those are adjectives until something turns them into
verifiable artifacts. The crosswalk above is what that looks like, and
the tally, six contained and nine bounded, is what an honest
authorization layer scores against a framing its authors did not
choose. For the reviewer holding this list against any other proposal,
the [vendor test](/notes/mission-based-authorization-vendor-test/)
asks the six questions that separate a verdict from a hand-wave.

