OWASP Top 10 for Agentic Applications (2026)
Honest coverage, category by category
We map AgentBouncr against a vendor-neutral, community-governed standard — not a single vendor’s artifact. “Covered” here means operated, not aspirational. There is deliberately no aggregate score: a single number would hide where the deployer’s responsibility begins.
Intent Gate (core mechanism) means we provide the deterministic pre-execution chokepoint for the category’s core mechanism — not that we satisfy every guideline in it. Many guidelines are deliberately app-layer (UI trust-cues, the LLM) or infrastructure-layer (sandboxing, mTLS) and belong to the deployer. Policy is our job; App / Infra is the deployer’s.
OWASP names our architecture verbatim
ASI-02 · Prevention #4
“Policy Enforcement Middleware (Intent Gate)” — that is exactly POST /api/evaluate.
ASI-08 · Prevention #4
“Independent policy enforcement / an external policy engine” — that is AgentBouncr’s entire architecture.
The OWASP Top 10 for Agentic Applications is genuinely vendor-neutral — led by Deep Cyber, Tenable and SAP, and reviewed by Google, AWS, NIST and the Alan Turing Institute, among others. We map against a neutral, community-governed standard.
ASI-01 · Agent Goal Hijack
Partial — building blocks
What we operate
- A per-tool whitelist bounds what a hijacked goal can actually do; every decision is audited; drift triggers confirmation.
Where the gaps / layers are
- Prompt-inspection / intent-capsule belongs to the app/LLM layer; sequence-policies are on our policy-layer roadmap.
ASI-02 · Tool Misuse & Exploitation · OWASP-named
Intent Gate (core mechanism)
What we operate
- The Intent Gate: evaluate() checks every tool call before execution — per-tool allow/deny, parameter validation, proactive deny, audit/drift, and HUMAN_REVIEW.
Where the gaps / layers are
- Egress allowlists are an infrastructure concern; ephemeral/JIT credentials, tool-budgeting and typosquat-pinning are on the policy-layer roadmap.
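The decision shape described for the Intent Gate, as an added example that is not AgentBouncr's own code: every tool call goes through evaluate() before it runs, unknown tools are denied by default, registered tools get an allow/deny verdict plus parameter validation, execute_*/shell_* style tools are proactively denied, sensitive tools escalate to HUMAN_REVIEW, and each verdict is written to an audit record. The tool names, the policy table, the parameter rules and the agent id are constructed for illustration and do not describe the real POST /api/evaluate contract.

```python
"""Added example (not AgentBouncr's code): a minimal pre-execution intent gate."""
from dataclasses import dataclass, field
from enum import Enum
import re


class Decision(Enum):
    ALLOW = "ALLOW"
    DENY = "DENY"
    HUMAN_REVIEW = "HUMAN_REVIEW"


@dataclass
class ToolPolicy:
    allowed: bool = True            # per-tool allow/deny
    requires_review: bool = False   # escalate to a human before execution
    # parameter name -> predicate that must hold for the call to proceed
    param_rules: dict = field(default_factory=dict)


@dataclass
class Verdict:
    decision: Decision
    reason: str


# Tool families that are denied before any policy lookup (proactive deny).
DENY_PREFIXES = ("execute_", "shell_")

# Constructed policy table: what a deployer might register for one agent.
POLICY = {
    "read_file": ToolPolicy(param_rules={
        # stay inside a constructed data root and reject traversal
        "path": lambda p: isinstance(p, str) and p.startswith("/data/") and ".." not in p,
    }),
    "send_email": ToolPolicy(requires_review=True, param_rules={
        # only a constructed internal domain may be addressed
        "to": lambda t: isinstance(t, str) and re.fullmatch(r"[^@\s]+@example\.com", t) is not None,
    }),
    "shell_exec": ToolPolicy(allowed=False),
}

AUDIT_LOG = []  # every verdict, allowed or not, is recorded


def evaluate(agent_id, tool, params, policy=POLICY):
    """Return a Verdict for one proposed tool call; never executes anything."""
    if tool.startswith(DENY_PREFIXES):
        verdict = Verdict(Decision.DENY, "proactively denied tool family")
    elif tool not in policy:
        verdict = Verdict(Decision.DENY, "unknown tool (default-deny)")
    elif not policy[tool].allowed:
        verdict = Verdict(Decision.DENY, "tool denied by policy")
    else:
        failed = [name for name, rule in policy[tool].param_rules.items()
                  if not rule(params.get(name))]
        if failed:
            verdict = Verdict(Decision.DENY, f"parameter validation failed: {failed}")
        elif policy[tool].requires_review:
            verdict = Verdict(Decision.HUMAN_REVIEW, "tool requires explicit approval")
        else:
            verdict = Verdict(Decision.ALLOW, "allowed by policy")
    AUDIT_LOG.append({"agent": agent_id, "tool": tool, "params": dict(params),
                      "decision": verdict.decision.value, "reason": verdict.reason})
    return verdict


def guarded_call(agent_id, tool, params, executor):
    """The chokepoint: the executor runs only on an ALLOW verdict."""
    verdict = evaluate(agent_id, tool, params)
    if verdict.decision is Decision.ALLOW:
        return verdict, executor(**params)
    return verdict, None


if __name__ == "__main__":
    v, result = guarded_call("agent-demo", "read_file", {"path": "/data/report.txt"},
                             lambda path: f"<contents of {path}>")
    print(v.decision.value, result)
    v, result = guarded_call("agent-demo", "shell_exec", {"cmd": "id"}, lambda cmd: "never runs")
    print(v.decision.value, result)
    print(len(AUDIT_LOG), "audit records")
```

HUMAN_REVIEW is returned as a distinct verdict rather than as a deny so the caller can park the call and resume it after an approval; in a real deployment the executor would never see parameters that evaluate() has not validated.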
ASI-03 · Identity & Privilege Abuse
Partial — building blocks
What we operate
- Each agent gets its own identity with 8 scopes, SHA-256-hashed keys, tenant RLS and per-action authorization. gov_ agent tokens carry expiry, scopes and revocation.
Where the gaps / layers are
- sk_live_ workspace keys are currently long-lived (no expiry yet); signed-intent binding, TOCTOU re-checks and delegation-chains are on the policy-layer roadmap.
ASI-04 · Agentic Supply Chain
Deliberate gap
What we operate
- Today, only default-deny on unknown tools and the kill-switch limit exposure.
Where the gaps / layers are
- MCP/tool verification, SBOM/AIBOM signing and version pinning are deferred — policy-layer work, demand-driven.
ASI-05 · Unexpected Code Execution
Partial — building blocks
What we operate
- Policy can block execute_* / shell_* tool calls before they run (the validation gate).
Where the gaps / layers are
- Sandboxing is a deliberate non-goal — it belongs to the deployer’s infrastructure, not a policy engine. Allowlist-as-code is hardening work.
ASI-06 · Memory & Context Poisoning
Deliberate gap
What we operate
- AgentBouncr checks tool calls, not memory — so this is out of scope today.
Where the gaps / layers are
- Memory-provenance and trust-scoring are policy-layer research; this is an open gap industry-wide, not only here.
ASI-07 · Insecure Inter-Agent Communication
Partial — building blocks
What we operate
- Token isolation and tenant RLS separate agents.
Where the gaps / layers are
- A2A auth, mTLS, signed agent-cards and anti-replay are policy-layer roadmap (Phase 3).
ASI-08 · Cascading Failures · OWASP-named
Partial — building blocks
What we operate
- AgentBouncr IS the external policy engine that separates planner from executor. Kill-switch, lifecycle states, rate-limiting and the append-only hash-chain provide non-repudiation.
Where the gaps / layers are
- Auto-circuit-breaker ("blast-radius guardrails"), drift-detection and replay are on the policy-layer roadmap.
ASI-09 · Human-Agent Trust Exploitation
Partial — building blocks
What we operate
- Explicit confirmations via HUMAN_REVIEW (real approval requests) and append-only, tamper-evident logs. The hash-chain is a cross-cutting non-repudiation (T8) capability that supports ASI-08/09/10 — not a standalone solution to this category.
Where the gaps / layers are
- The core of this category is app/UI: trust-cues, risk-summary UI, side-effect-free preview and anti-manipulation belong to the app layer; plan-divergence is policy-layer.
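The append-only hash-chain that ASI-08 and ASI-09 both lean on, as an added example that is not AgentBouncr's own code: each audit entry commits to its sequence number, the previous entry's hash and its own record, so an after-the-fact edit or a removed entry breaks verification at the first inconsistent position. The sample decisions, the field names and the SHA-256-over-canonical-JSON construction are assumptions for illustration, not the product's real log format.

```python
"""Added example (not AgentBouncr's code): a hash-chained, tamper-evident audit log."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry


def canonical(obj):
    """Deterministic JSON encoding so the same entry always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class HashChainLog:
    def __init__(self):
        self.entries = []

    def append(self, record):
        """Append a record; returns the new head hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, "record": copy.deepcopy(record)}
        digest = hashlib.sha256(canonical(body)).hexdigest()
        self.entries.append(dict(body, hash=digest))
        return digest

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Return (ok, position): ok is False at the first entry whose seq, prev
        link or hash does not match; expected_head additionally detects a
        truncated tail, which the chain alone cannot see."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: entry[k] for k in ("seq", "prev", "record")}
            recomputed = hashlib.sha256(canonical(body)).hexdigest()
            if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != recomputed:
                return False, i
            prev = entry["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, len(self.entries)


# Constructed sample decisions, shaped like intent-gate verdicts.
SAMPLE_DECISIONS = [
    {"agent": "agent-demo", "tool": "read_file", "decision": "ALLOW"},
    {"agent": "agent-demo", "tool": "shell_exec", "decision": "DENY"},
    {"agent": "agent-demo", "tool": "send_email", "decision": "HUMAN_REVIEW"},
]


def build_sample_log():
    log = HashChainLog()
    for rec in SAMPLE_DECISIONS:
        log.append(rec)
    return log


def tamper_and_verify():
    """Rewrite a past DENY into an ALLOW; verification fails at that entry."""
    log = build_sample_log()
    log.entries[1]["record"]["decision"] = "ALLOW"
    return log.verify()


def delete_and_verify():
    """Remove a middle entry; the next entry's seq and prev no longer line up."""
    log = build_sample_log()
    del log.entries[1]
    return log.verify()


def truncate_and_verify():
    """Drop the newest entry; only an externally held head hash reveals it."""
    log = build_sample_log()
    head = log.head()
    log.entries.pop()
    return log.verify(expected_head=head)


if __name__ == "__main__":
    print("intact:", build_sample_log().verify())
    print("edited:", tamper_and_verify())
    print("deleted:", delete_and_verify())
    print("truncated:", truncate_and_verify())
```

The caveat a deployer should take from truncate_and_verify() is that a hash chain proves order and integrity of what remains, not completeness: the current head hash has to be anchored somewhere the log writer cannot alter (a periodic signed checkpoint, a separate store) for a dropped tail to be detectable.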
ASI-10 · Rogue Agents
Partial — building blocks
What we operate
- Kill-switch, token revocation, audit forensics and isolation contain a rogue agent on demand.
Where the gaps / layers are
- Automated anomaly detection, behavioral manifests and a watchdog (a per-token Trust Score) are on the policy-layer roadmap.
EU AI Act
AgentBouncr’s pre-execution decisions and append-only, tamper-evident audit trail provide evidence support for EU AI Act human-oversight and record-keeping obligations. This is evidence support, not a compliance guarantee — AgentBouncr is one control among the measures an operator needs.
This page reflects only AgentBouncr’s own operated coverage, mapped against the OWASP Top 10 for Agentic Applications (2026), licensed CC BY-SA 4.0. We publish the gaps deliberately — honesty is the brand.