Agentic AI applications — LLM-powered systems that take autonomous action against external tools, services, and APIs based on model reasoning rather than direct user instruction — have moved from research curiosity to production deployment fast enough that the security discipline is still catching up. The class of failures is operationally distinct from non-agentic LLM applications. The OWASP Agentic AI Top 10, published in early 2026, formalizes the risk taxonomy the industry has been converging on. The AWS Agentic AI Security Scoping Matrix (November 2025) provides the most widely-cited operational framework for thinking about agent capability boundaries. Anthropic's published research on browser-use agent security walks the specific defenses against indirect prompt injection in browser-controlling agents. This post walks the agentic-specific risk landscape, the defensive patterns that work in production, and how agentic security work fits inside the broader LLM application security verification covered in the OWASP LLM Top 10 2025 field guide.
What Makes Agentic AI Distinct From "Regular" LLM Applications
A non-agentic LLM application takes user input, produces model output, and returns the output to the user. The security boundary is well-defined: the user sees the model's response and decides what to do with it. An agentic AI application takes user input (or, in the increasingly common case, no direct user input — the agent runs against scheduled or event-triggered goals), produces a sequence of model outputs, and acts on each output by invoking tools that affect external systems. The security boundary is fundamentally different: the model's output is not just presented to a user, it is operationalized as system action.
The consequence of this difference is that every defensive pattern that worked for non-agentic LLM applications still applies, but the cost of bypass is fundamentally higher. A prompt injection in a non-agentic chatbot can cause the model to say something harmful; a prompt injection in an agentic system can cause the model to act in a way that exfiltrates data, modifies records, sends messages, executes code, or performs any other action the agent's tools permit. The defensive surface area expands accordingly — the application must defend not only the model's reasoning but every tool the agent can invoke and every action that tool can take.
The second-order consequence is that agentic systems operate at a tempo that human review cannot keep up with. A non-agentic chatbot's outputs are reviewed implicitly by the user reading them; an agentic system's actions may complete tens of tool invocations per minute, with no human in the loop on any individual decision. This tempo forces the defensive architecture toward policy-based mediation — every tool invocation is checked against a policy that determines whether it is allowed — rather than human-review-based mediation, which does not scale at agentic tempo.
The OWASP Agentic AI Top 10
The OWASP Agentic AI Top 10, released through the OWASP GenAI Security Project, identifies the ten risk categories most consequential for agentic AI deployments. The categories are deliberately structured to be operationally distinct from the LLM Top 10, even though several categories share thematic overlap. The list as of early 2026:
AAI01 — Tool Misuse. The agent invokes tools in ways the application owner did not intend — using a tool with arguments outside the expected range, invoking a tool in a sequence that produces an unintended outcome, or chaining multiple tool invocations into a composite action that bypasses individual tool's safety checks.
AAI02 — Unauthorized Actions. The agent takes actions the user did not authorize, typically because the agent's reasoning convinced it that the action was implied by the user's goal even though the user did not explicitly request it. The most common production manifestation is the agent inferring "delete the old records" from "clean up the database" when the user intended only to deduplicate.
AAI03 — Goal Manipulation. An attacker manipulates the agent's perception of its goal through prompt injection at the goal-setting stage. The most common vector is indirect injection through content the agent is processing on behalf of its goal — an agent summarizing emails is prompt-injected by an email content into expanding its goal beyond summarization.
AAI04 — Resource Exhaustion. The agent enters loops or expands its goal scope to consume disproportionate resources — compute, API quota, financial budget. The class includes both unintentional (the agent's reasoning produces a goal-expansion loop) and adversarial (an attacker manipulates the agent into a resource-exhausting path) variants.
AAI05 — Multi-Agent Privilege Escalation. In systems where multiple agents collaborate, one agent can be manipulated into acting on behalf of another agent with elevated privileges, bypassing the intended privilege boundary. The class is new in agentic systems and has no direct non-agentic analog.
AAI06 — Identity Confusion. The agent acts under credentials, scopes, or identity assertions that do not correspond to the originating user — either through misconfiguration (the agent has access to credentials beyond what its current task requires) or through manipulation (the agent is induced to act under a different identity than intended).
AAI07 — Persistent Memory Manipulation. Agents that maintain memory across interactions can be manipulated into storing attacker-controlled information that influences future agent behavior. The class includes both factual manipulation (storing false information the agent will later treat as ground truth) and behavioral manipulation (storing instructions the agent will treat as preferences in future interactions).
AAI08 — Inter-Agent Trust Exploitation. Multi-agent systems often establish trust relationships between agents — agent A trusts agent B's outputs as inputs without independent verification. An attacker who can compromise agent B can use that trust relationship to influence agent A. The defense is to treat inter-agent communication as untrusted input requiring the same verification as user input.
AAI09 — Insufficient Observability. The agent's reasoning, tool invocations, and decision points are not adequately logged or monitorable, making both forensic analysis after incidents and proactive anomaly detection impractical. The category is meta — it does not describe an attack, but the absence of the operational visibility needed to defend against the other nine.
AAI10 — Cascading Failures. An error or failure in one agent or tool invocation propagates through the agent's reasoning into further error states, ultimately producing outcomes far worse than the original failure would suggest. The class is particularly prominent in systems with weak error handling at the tool-invocation layer where exceptions are surfaced to the agent's reasoning rather than mediated by application logic.
The AWS Agentic AI Security Scoping Matrix (November 21, 2025)
The aws agentic ai security scoping matrix nov 21 2025 release — published by AWS as part of their generative AI security guidance refresh — has become the most-referenced operational framework for thinking about agent capability boundaries. The matrix structures the agent's capabilities along two axes — the scope of resources the agent can affect (single record, multiple records, entire dataset, multiple datasets, organization-wide) and the reversibility of the actions the agent can take (immediately reversible, reversible within hours, recoverable from backup, unrecoverable). The intersection of these axes produces a risk profile for any given agentic deployment, and the defensive controls scale with the profile.
The November 21 2025 publication date matters because the AWS guidance was the first major cloud-provider operational framework to formalize the scope-vs-reversibility risk-profile model that the discipline had been converging on informally. The document is freely available on AWS's security documentation site and is increasingly referenced in procurement security questionnaires asking how vendors structure their agentic AI deployments.
The pragmatic reading of the matrix is that the most-defensible agentic deployments live in the lower-left quadrant — narrow resource scope and immediately reversible actions. An agent that can read user-owned records but only the requesting user's records, and that can only suggest changes for human approval rather than apply them directly, requires modest defenses because the consequence of any compromise is bounded by both axes. An agent that can affect organization-wide records and take unrecoverable actions requires defense-in-depth across every architectural layer, because the consequence of compromise is unbounded.
The matrix's operational use in production deployments is to push agent designs toward the lower-left quadrant by default, with deliberate justification required for any move toward higher-risk quadrants. An agent that "would be more useful if it could affect more records" is a design choice that requires explicit risk acceptance, not an unstated default. The same applies to reversibility — an agent that "would be faster if it could apply changes directly" is choosing to trade reversibility for performance, and that tradeoff should be visible to security review.
Defensive Patterns That Work in Production
The defensive patterns for agentic AI cluster around six families. Each addresses a specific class of risk from the Agentic Top 10; in combination they produce defense-in-depth that survives most attack scenarios short of full credential compromise.
Scope limitation. The agent has access to exactly the tools needed for its intended function, with no "general-purpose" tools that an attacker could chain into harmful actions. A code-review agent does not need an "execute shell command" tool; an email-summary agent does not need a "send email" tool. Adding tools should require explicit justification and threat modeling for the new capability.
Action mediation. Every tool invocation passes through a policy layer that determines whether the invocation is allowed. The policy can be rule-based (this tool with these arguments is permitted), risk-based (high-impact invocations require additional verification), or context-based (the invocation is allowed only if the agent's current goal aligns with the tool's purpose). Modern agent frameworks (LangChain's tool-policy systems, AWS Bedrock Agents' action guardrails) expose this mediation layer as configuration; older agent implementations require explicit wrapping of tool calls.
Out-of-band confirmation for high-impact actions. Actions with significant consequence — deleting records, sending external messages, modifying configurations, executing code in production environments — require explicit confirmation through a channel the agent cannot manipulate (email confirmation to the originating user, Slack message requiring human approval, multi-factor re-authentication). The agent cannot self-authorize confirmation. This pattern adds latency but is the single most effective defense against agent-side compromise.
Per-user identity propagation. When the agent acts on behalf of a user, it acts under that user's identity scope, not under a shared service identity. The agent's tool invocations are subject to the same access controls the user would face if acting directly. This pattern eliminates entire classes of privilege escalation and identity confusion attacks because the agent has no privilege beyond what the originating user already had.
Comprehensive observability. Every reasoning step, tool invocation, and decision the agent makes is logged with sufficient context for forensic reconstruction. The log captures the input the agent was processing, the reasoning the agent produced, the tool it chose to invoke, the arguments it constructed, the result it received, and the next step it took. Without this observability — explicitly called out as AAI09 in the OWASP list — defending against agent compromise becomes empirical rather than analytical.
Continuous red-teaming. The agent is exercised with adversarial inputs on a defined cadence, including indirect prompt injection through content the agent processes, goal manipulation attempts, and resource-exhaustion patterns. The red-team findings drive defensive improvements; agent deployments without continuous red-team programs accumulate undetected vulnerabilities at a rate that operational debugging cannot keep up with.
Mitigating the Risk of Prompt Injections in Browser Use — Anthropic's Worked Example
Anthropic's published research on mitigating the risk of prompt injections in browser use anthropic engineering and security teams have shared in 2025-2026 — agents that operate a browser on the user's behalf to accomplish web tasks — is one of the most operationally detailed treatments of agentic AI security available in the open literature as of 2026. The browser-use case is illustrative because the attack surface is extreme: every web page the agent visits is an indirect prompt injection vector, and the agent's tools (clicking, typing, navigating, submitting forms) can take consequential actions on the user's behalf across any site the browser can reach.
Real-World Attacks Behind OWASP Agentic AI Top 10
The real-world attacks behind owasp agentic ai top 10 categories — and the real-world attacks behind the owasp agentic ai top 10 list more generally — cluster around five concrete incident patterns documented in 2025-2026. First, indirect prompt injection through web content the agent processes: customer-support agents reading attacker-controlled support tickets, code-review agents reading PR diffs, email-summarization agents reading email bodies. Second, tool chaining attacks where the agent's reasoning links individually-safe tools into a harmful composite — read user's records, then format the data, then exfiltrate via an allowed network egress. Third, persistent memory poisoning where attacker content stored in agent memory shapes future agent behavior across sessions. Fourth, multi-agent privilege escalation where one agent trusts another agent's output as a reasoning input, with the trusted agent having been compromised. Fifth, goal manipulation through contextual phrasing — the agent's interpretation of its goal expands or shifts based on the framing of the input. The documented incidents form the empirical basis for the Agentic Top 10 categories rather than the categories being derived theoretically.
The defenses Anthropic published center on three patterns. First, capability constraints at the browser layer — the browser-use agent operates in an isolated browser profile without the user's authentication state, so even if the agent is compromised it cannot act under the user's identity at arbitrary sites. Second, action confirmation at consequential boundaries — actions like submitting forms with monetary impact, sending messages, or making purchases trigger out-of-band confirmation that the agent cannot self-authorize. Third, runtime monitoring of agent reasoning — the agent's chain of thought is analyzed for indicators of goal manipulation, and deviations trigger pause-and-confirm cycles rather than continued action.
The pattern generalizes beyond browser-use. Any agentic system that operates against an attack-controllable input surface (web pages, emails, documents, forum posts, social media) needs the same three layers: capability constraints that bound the consequence of compromise, action confirmation that breaks the agent's autonomy at high-impact moments, and runtime monitoring that detects compromise before it propagates. The specific implementations vary; the structural pattern does not.
Where Agentic Security Fits in the Broader Program
Agentic AI security is not a separate discipline from the rest of application security — it is an extension of it. The verification activities that anchor a mature application security program (covered in the ASVS 5.0 developer guide) apply to agentic systems with extensions for the agentic-specific risks. The threat modeling activities that anchor secure design (covered in the threat modeling for developers guide) apply to agentic systems with extensions for the Agentic Top 10 categories. The secure SDLC that anchors the broader program (covered in the secure SDLC guide) applies unchanged at the program level, with agentic-specific activities embedded in each phase.
The integration with the LLM Top 10 — covered in the OWASP LLM Top 10 2025 field guide — is bidirectional. Agentic AI systems are LLM applications and inherit all LLM Top 10 risks. The Agentic Top 10 adds the categories specific to autonomous action that the LLM Top 10 does not cover comprehensively. A complete agentic AI security program addresses both.
The defensive maturity arc for agentic AI in 2026 looks similar to the maturity arc for traditional application security in 2010 — the discipline is rapidly stabilizing around a small set of recognized patterns, the early production deployments are accumulating incident data that drives the next iteration of defenses, and the gap between current practice and best practice is wide. Organizations adopting agentic AI now will benefit substantially from explicit engagement with the OWASP Agentic Top 10, the AWS Scoping Matrix, and the published research on specific deployment patterns — the patterns work, but only when applied deliberately.
Tracking the Current Landscape — News, Coding Agents, Cybersecurity Use
The pace of change in this space is fast enough that a developer trying to stay current needs explicit channels for ongoing input. The agentic ai security news flow worth tracking in 2026: the OWASP GenAI Security Project's blog and release notes (the working group publishes incremental guidance between major Top 10 releases), the cloud-provider security advisories (AWS, Google Cloud, Azure all publish agentic-AI-specific security updates), and a handful of independent practitioner blogs that cover production agentic deployment incidents with technical depth.
The agentic ai coding news subset deserves separate attention because coding agents — Anthropic's Claude Code, GitHub Copilot Workspace, Cursor's agent mode, and the rapidly-growing ecosystem of code-writing agents — operate at the intersection of agentic AI security and supply-chain security. Coding agents that can read source repositories, write code, and submit pull requests carry the agentic-AI risks (prompt injection through processed content, tool misuse) plus the supply-chain risks (the code they produce flows into production). The defensive patterns combine the Agentic Top 10 disciplines with the SLSA-aligned supply-chain disciplines covered in the cloud-native security guide.
The agentic ai for cybersecurity application — autonomous security operations centers, automated incident response agents, AI-driven threat hunting — is the domain where agentic AI has the most positive use cases alongside the security risks the technology itself introduces. The 2025-2026 deployments show that agentic AI can substantially accelerate routine SOC work (triage, initial investigation, evidence collection) while creating the same risks any agentic deployment faces. The defensive frame is identical — Agentic Top 10 categories apply to security-purpose agents the same as they apply to business-purpose agents — but the threat model includes adversarial inputs explicitly designed to manipulate the security agent's analysis.