The Open Web Application Security Project (OWASP) has announced the publication of its Securing Agentic Applications Guide v1.0, a comprehensive, open-source framework designed to address the unique security challenges posed by agentic AI systems. Released on July 28, 2025, this guidance arrives in response to the rapid adoption of autonomous AI agents in business, critical infrastructure, and digital operations.
Understanding Agentic AI and Its Risks
Agentic AI applications are distinguished from traditional large language model (LLM) implementations by their elevated autonomy. These systems can initiate actions, interact with diverse tools, access sensitive environments, and sometimes manage critical workflows with minimal or no ongoing human oversight. Their increased independence, however, also exposes organizations to a novel set of risks that legacy application security protocols cannot fully mitigate.
Key Components of the OWASP Guidance
The new guide provides targeted recommendations across the entire AI system lifecycle, with a special emphasis on the following pillars:
- Securing Agentic Architectures: Organizations are urged to embed security at the platform level, incorporating robust authentication and user privilege controls. This includes requiring explicit credentials when agents access sensitive systems or initiate workflow changes.
- Security by Design and Development: Developers are advised to integrate security guardrails from the start. Measures such as enforced instruction adherence help prevent malicious attempts to override core agent directives.
- Operational Connectivity Risks: Given the interconnectedness of agentic systems with APIs, databases, and external code interpreters, the guide recommends granular access controls and vigilant monitoring to prevent exploitation via business and system integrations.
- Supply Chain Security: Since agentic AI often utilizes third-party tools and libraries, regular vulnerability scanning and permission management are essential to reducing exposure to compromised software dependencies.
- Deployment and Assurance: OWASP advocates for continuous assurance practices such as red teaming, dynamic vulnerability scanning, and robust CI/CD checks before live deployment.
- Runtime Hardening: The guidance highlights a multi-layered approach—combining traditional virtual machine (VM) isolation, sandboxing, comprehensive auditing, and behavioral monitoring tailored to autonomous agent behavior.
Identifying Agent-Specific Security Threats
OWASP’s guidance outlines several emerging threats unique to this domain, including:
- Memory Poisoning: Adversaries may attempt to manipulate agents by corrupting their operational memory, inducing them to perform unauthorized actions.
- Tool Misuse: Unintended or malicious invocation of integrated APIs and automated tools can lead to privilege escalation or unauthorized flow of sensitive information.
- Privilege Compromise: Attackers may exploit flaws in agent decision-making or identity handling to gain elevated access within IT ecosystems.
Additional details
The guide breaks down agentic applications into their fundamental components and analyzes their attack surfaces:
- LLMs: The models themselves can be vulnerable to prompt injection, data poisoning, and model stealing.
- Orchestration: The logic that manages the flow between components can be exploited to manipulate agent behavior.
- Reasoning/Planning Modules: Flaws in these modules can lead to unintended actions or incorrect decision-making.
- Memory Modules: Sensitive data stored in memory (short-term, long-term, vector databases) is a target for exfiltration or manipulation.
- Tool Integration: The connections to external tools (APIs, databases, code interpreters) introduce significant risks if not properly secured.
- Operational Environment: The underlying infrastructure hosting the agent needs traditional security controls.
It then outlines secure architecture patterns to mitigate these risks:
- Sequential Agentic Architectures: Linear workflows with clear input/output.
- Hierarchical Agentic Architectures: Agents with sub-agents, requiring robust trust boundaries.
- Collaborative Swarm Architectures: Multiple agents working together, demanding strong inter-agent communication security and consensus mechanisms.
Agentic Developer Guidelines
This section is crucial for developers, offering security best practices at each stage:
- Secure Design: Emphasizes threat modeling specific to agentic systems and designing for least privilege.
- Secure Build: Covers system prompt engineering (e.g., safeguarding against prompt injection, specifying guardrails), secure coding practices for agent code, and content moderation for both inputs and outputs.
- Secure Deployment: Focuses on securing the deployment pipeline and environment.
- Secure Operation: Includes human-in-the-loop (HITL) design for critical decisions, memory security (encryption, access control, sanitization), input/output validation (for all interactions, especially with tools), and robust authorization and authentication for agent access and actions.
Enhanced Security Actions
The guide provides specific, tailored security actions based on the agent’s architecture:
- Single-Agent Systems: Focus on strong input/output validation, prompt hardening, and secure tool usage.
- Multi-Agent Systems (Central Orchestrator): Emphasizes secure communication channels between agents and the orchestrator, and strict access controls.
- Multi-Agent (Swarm Architecture): Requires advanced controls for inter-agent trust, consensus mechanisms, and preventing malicious agents from subverting the swarm. These actions cover authentication, data protection, code security, monitoring, incident response, and prompt security.
Key Operational Capabilities
This section addresses securing the agent’s interactions with various external systems:
- API Access: Secure API keys, rate limiting, and input validation.
- Code Execution: Sandboxing, strict resource limits, and monitoring for malicious code.
- Database Execution: Prepared statements, role-based access control, and data encryption.
- Web Use: Protection against common web vulnerabilities (XSS, CSRF) when agents interact with web interfaces.
- Controlling PC Operations & Critical Systems: This highlights the severe risks of agents with physical or critical system access, demanding extreme caution, stringent authorization, and human oversight.
Agentic AI and the Supply Chain
Recognizing that agentic applications often rely on third-party components and models, the guide addresses:
- Code Security: Ensuring the integrity of libraries and frameworks used.
- Environment and Development Security: Securing the development environment and CI/CD pipelines.
- Agent and Tool Discovery: Validating the trustworthiness of pre-built agents and tools incorporated into the system.
Assuring Agentic Applications
This section delves into testing and validation:
- Red Teaming: Proactive adversarial testing to uncover vulnerabilities.
- Behavioral Testing: Evaluating the agent’s behavior against desired norms and identifying unintended or malicious actions.
Secure Agentic Deployments
Practical advice for moving agents into production:
- Secure Pipelines: Automating security checks within CI/CD.
- Containerization: Using containers for isolation and consistency.
- API Access Control: Granular control over agent access to internal and external APIs.
- Anomaly Alerting: Detecting unusual agent behavior.
- Human Oversight: Maintaining human intervention points for critical actions.
- Managing Non-Human Identities: Securely managing credentials for agents.
Runtime Hardening
This focuses on securing the execution environment, often a virtual machine:
- Combines traditional VM security (patching, network segmentation) with agent-specific controls like resource isolation, process monitoring, and runtime integrity checks to ensure the agent operates within defined boundaries.
