OWASP Top 10 for Agentic Applications (2026)

Honest coverage, category by category

We map AgentBouncr against a vendor-neutral, community-governed standard — not a single vendor’s artifact. “Covered” here means operated, not aspirational. There is deliberately no aggregate score: a single number would hide where the deployer’s responsibility begins.

Legend: Intent Gate (core mechanism) · Partial — building blocks · Deliberate gap

Intent Gate (core mechanism) means we provide the deterministic pre-execution chokepoint for the category’s core mechanism — not that we satisfy every guideline in it. Many guidelines are deliberately app-layer (UI trust-cues, the LLM) or infrastructure-layer (sandboxing, mTLS) and belong to the deployer. Policy is our job; App / Infra is the deployer’s.

OWASP names our architecture verbatim

ASI-02 · Prevention #4

“Policy Enforcement Middleware (Intent Gate)” — that is exactly POST /api/evaluate.

ASI-08 · Prevention #4

“Independent policy enforcement / an external policy engine” — that is AgentBouncr’s entire architecture.

The OWASP Top 10 for Agentic Applications is genuinely vendor-neutral — led by Deep Cyber, Tenable and SAP, and reviewed by Google, AWS, NIST and the Alan Turing Institute, among others. We map against a neutral, community-governed standard.

ASI-01 · Agent Goal Hijack

Partial — building blocks
What we operate
A per-tool whitelist bounds what a hijacked goal can actually do; every decision is audited; drift triggers confirmation.
Where the gaps / layers are
Prompt-inspection / intent-capsule belongs to the app/LLM layer; sequence-policies are on our policy-layer roadmap.

ASI-02 · Tool Misuse & Exploitation (OWASP-named)

Intent Gate (core mechanism)
What we operate
The Intent Gate: evaluate() checks every tool call before execution — per-tool allow/deny, parameter validation, proactive deny, audit/drift, and HUMAN_REVIEW.
Where the gaps / layers are
Egress allowlists are an infrastructure concern; ephemeral/JIT credentials, tool-budgeting and typosquat-pinning are on the policy-layer roadmap.

ASI-03 · Identity & Privilege Abuse

Partial — building blocks
What we operate
Each agent gets its own identity with 8 scopes, SHA-256-hashed keys, tenant RLS and per-action authorization. gov_ agent tokens carry expiry, scopes and revocation.
Where the gaps / layers are
sk_live_ workspace keys are currently long-lived (no expiry yet); signed-intent binding, TOCTOU re-checks and delegation-chains are on the policy-layer roadmap.

ASI-04 · Agentic Supply Chain

Deliberate gap
What we operate
Today, exposure is limited only by default-deny on unknown tools plus the kill-switch.
Where the gaps / layers are
MCP/tool verification, SBOM/AIBOM signing and version pinning are deferred — policy-layer work, demand-driven.

ASI-05 · Unexpected Code Execution

Partial — building blocks
What we operate
Policy can block execute_* / shell_* tool calls before they run (the validation gate).
Where the gaps / layers are
Sandboxing is a deliberate non-goal — it belongs to the deployer’s infrastructure, not a policy engine. Allowlist-as-code is hardening work.

ASI-06 · Memory & Context Poisoning

Deliberate gap
What we operate
AgentBouncr checks tool calls, not memory — so this is out of scope today.
Where the gaps / layers are
Memory-provenance and trust-scoring are policy-layer research; this is an open gap industry-wide, not only here.

ASI-07 · Insecure Inter-Agent Communication

Partial — building blocks
What we operate
Token isolation and tenant RLS separate agents.
Where the gaps / layers are
A2A auth, mTLS, signed agent-cards and anti-replay are policy-layer roadmap (Phase 3).

ASI-08 · Cascading Failures (OWASP-named)

Partial — building blocks
What we operate
AgentBouncr IS the external policy engine that separates planner from executor. Kill-switch, lifecycle states, rate-limiting and the append-only hash-chain provide non-repudiation.
Where the gaps / layers are
Auto-circuit-breaker ("blast-radius guardrails"), drift-detection and replay are on the policy-layer roadmap.
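To make the pre-execution chokepoint under ASI-02 and the hash-chained non-repudiation under ASI-08 concrete, here is an added illustration written for this page; it is not AgentBouncr's code or its API. The agent names, tool names, parameter validators and the ALLOW/DENY labels are constructed; only HUMAN_REVIEW and the execute_/shell_ prefixes come from the page.

```python
import hashlib
import json
from dataclasses import dataclass, field

ALLOW, DENY, HUMAN_REVIEW = "ALLOW", "DENY", "HUMAN_REVIEW"

# Constructed per-agent policy (hypothetical): tool -> parameter validator returning
# True when the call stays inside the agent's bounds. Unlisted tools are denied.
POLICY = {
    "agent-billing": {
        "read_file": lambda p: p.get("path", "").startswith("/data/billing/"),
    },
    "agent-ops": {"shell_run": lambda p: p.get("cmd") in ("uptime", "df -h")},
}

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

@dataclass
class AuditLog:  # append-only: each entry commits to the previous entry's hash
    entries: list = field(default_factory=list)
    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {**record, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):  # False if any entry was edited, reordered or removed
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True

LOG = AuditLog()

def evaluate(agent, tool, params):
    # Decide before the tool runs; every outcome, denials included, is logged.
    validator = POLICY.get(agent, {}).get(tool)
    if validator is None:
        decision, reason = DENY, "unknown tool (default-deny)"
    elif not validator(params):
        decision, reason = DENY, "parameter outside policy"
    elif tool.startswith(("execute_", "shell_")):
        decision, reason = HUMAN_REVIEW, "code execution needs explicit approval"
    else:
        decision, reason = ALLOW, "tool and parameters within policy"
    LOG.append({"agent": agent, "tool": tool, "params": params, "decision": decision, "reason": reason})
    return decision
```

Parameters are validated before the HUMAN_REVIEW routing, so an out-of-bounds execution request is denied outright rather than queued for a human.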

ASI-09 · Human-Agent Trust Exploitation

Partial — building blocks
What we operate
Explicit confirmations via HUMAN_REVIEW (real approval requests) and append-only, tamper-evident logs. The hash-chain is a cross-cutting non-repudiation (T8) capability that supports ASI-08/09/10 — not a standalone solution to this category.
Where the gaps / layers are
The core of this category is app/UI: trust-cues, risk-summary UI, side-effect-free preview and anti-manipulation belong to the app layer; plan-divergence is policy-layer.

ASI-10 · Rogue Agents

Partial — building blocks
What we operate
Kill-switch, token revocation, audit forensics and isolation contain a rogue agent on demand.
Where the gaps / layers are
Automated anomaly detection, behavioral manifests and a watchdog (a per-token Trust Score) are on the policy-layer roadmap.

EU AI Act

AgentBouncr’s pre-execution decisions and append-only, tamper-evident audit trail provide evidence support for EU AI Act human-oversight and record-keeping obligations. This is evidence support, not a compliance guarantee — AgentBouncr is one control among the measures an operator needs.

This page reflects only AgentBouncr’s own operated coverage, mapped against the OWASP Top 10 for Agentic Applications (2026), licensed CC BY-SA 4.0. We publish the gaps deliberately — honesty is the brand.