Published 12 May 2026 · AgenticRail
OWASP Agentic AI Top 10: How Sequence Enforcement Addresses ASI01–ASI10
The OWASP Top 10 for Agentic Applications 2026 is the first peer-reviewed security taxonomy for autonomous AI agents. Published December 2025, it defines ten risk categories — ASI01 through ASI10 — that are fast becoming the compliance baseline for agentic AI deployments, particularly under EU AI Act high-risk enforcement beginning December 2027. This post maps every risk to what sequence-order enforcement, pre-action authorization, and cryptographic receipts cover — and where additional controls are required. No overclaiming. If it's outside scope, we say so.
See the enforcement layer in action — every gate decision is ALLOW, DENY, or HALT, with a tamper-evident receipt written before the action executes.
Coverage at a glance
ID · Risk · Coverage
ASI01 · Agent Goal Hijack · Direct
ASI02 · Tool Misuse & Exploitation · Direct
ASI03 · Agent Identity & Privilege Abuse · Direct
ASI04 · Agentic Supply Chain Compromise · External controls
ASI05 · Unexpected Code Execution · Partial
ASI06 · Memory & Context Poisoning · Direct
ASI07 · Insecure Inter-Agent Communication · External controls
ASI08 · Cascading Agent Failures · Partial
ASI09 · Human-Agent Trust Exploitation · Direct
ASI10 · Rogue Agents · Partial
Direct — the enforcement gate addresses this risk structurally, before execution, with a tamper-evident record. Partial — the gate addresses the most common failure mode but does not cover all variants. External controls — the risk is outside the enforcement gate's scope and requires additional infrastructure.
Risk-by-risk breakdown
ASI01 · Agent Goal Hijack
Risk
Attackers manipulate the agent's objectives through direct or indirect instruction injection — prompt injection, crafted tool responses, malicious RAG content — causing the agent to pursue goals its operators did not intend.
Gate response
The gate's decision is independent of what the agent believes its goal to be. Even if an agent's goal is successfully hijacked, every action it attempts must still pass through the pre-action gate. A hijacked goal that causes the agent to skip prerequisites and jump to a high-value step gets: DENY · SEQUENCE_VIOLATION — before the step executes. The attacker compromised the agent's reasoning. They did not compromise the gate.
Key mechanism
Sequence-order enforcement. The gate checks whether the submitted step is the next expected step in the declared workflow — regardless of what the agent's context window says about its goals.
ASI02 · Tool Misuse & Exploitation
Risk
Agents misuse tools through unsafe composition, recursion, or use of disallowed parameters — even when they have technical permission to call those tools. A tool the agent can call is not necessarily a tool it should call in the current step.
Gate response
The sequence contract explicitly declares, per step, which functions are permitted and which action types are allowed for each function. An agent calling a permitted function with a disallowed action type receives: DENY · ACTION_NOT_ALLOWED. A function not declared in policy receives: DENY · NO_POLICY_MATCH. Both fire before the tool executes.
Key mechanism
Per-step policy enforcement. The gate evaluates function and action_type against the declared policy map — not against a model's judgement of whether the tool use is appropriate.
ASI03 · Agent Identity & Privilege Abuse
Risk
Delegated authority and ambiguous agent identity enable agents to escalate privileges, impersonate other agents, or exceed the scope of what they were authorized to do — either through manipulation or emergent behaviour.
Gate response
The sequence contract is the privilege boundary. Actions outside the declared function set: DENY · NO_POLICY_MATCH. Attempts to extend a completed workflow: DENY · SEALED_SEQUENCE. Sequence sealing is permanent — there is no unsealing mechanism. A sealed sequence cannot be extended to claim capabilities that were not part of the original workflow, regardless of what identity is submitting the request.
Key mechanism
Sequence sealing + NO_POLICY_MATCH. The declared contract is the ceiling on what is permitted — not the agent's self-reported identity or delegated authority claims.
ASI04 · Agentic Supply Chain Compromise
Risk
External agents, tool schemas, or plugins that an agent dynamically trusts are compromised or maliciously altered — poisoning the agent's tool-calling capabilities at the source.
Gate response
Outside the enforcement gate's scope. The gate validates that the action an agent attempts matches its declared policy — it does not verify the integrity of the tool schema that produced the action.
Required controls
Tool schema signing and verification before integration. Sandboxing for dynamically discovered tools and agents. Allowlisting of trusted external components. These are infrastructure-layer controls that sit upstream of the enforcement gate.
ASI05 · Unexpected Code Execution
Risk
Agent-generated or agent-triggered code executes without sufficient validation or isolation — often through tool calls that invoke interpreters, shell commands, or dynamic eval paths.
Gate response
Partial. If code execution action types are not declared in the step policy, the gate fires DENY · ACTION_NOT_ALLOWED before the code runs. This covers the most common path: an agent attempting an undeclared EXECUTE_CODE action at a step that does not permit it.
Gap
Where code execution is legitimately permitted in the policy, the gate approves the step but does not sandbox the execution environment. Secure execution sandboxing — separate from the enforcement gate — is required for steps where code execution is declared.
ASI06 · Memory & Context Poisoning
Risk
An attacker corrupts the agent's stored memory or contextual state — through injected inputs, API responses, or peer-agent exchanges — causing the agent to reason incorrectly about its position in a workflow or the permissions it holds.
Gate response
The gate's sequence ledger and nonce store are maintained externally to the agent's context window. Poisoned context cannot alter what the gate has recorded as completed steps or accepted nonces. An agent that has been manipulated into believing it has completed step 3 when it has not will still receive DENY · SEQUENCE_VIOLATION when it attempts step 4 — because the gate's ledger reflects what actually executed, not what the agent believes.
Key mechanism
External sequence state. The authoritative record of workflow position lives in the gate's durable ledger — separate from and inaccessible to the agent's reasoning layer.
ASI07 · Insecure Inter-Agent Communication
Risk
Messages exchanged between agents in a multi-agent system are intercepted, modified, or forged — enabling an attacker to manipulate agent coordination, inject false instructions, or impersonate legitimate agents.
Gate response
Outside scope. The enforcement gate governs what actions individual agents are permitted to execute. It does not encrypt or authenticate the communication channels between agents.
Required controls
Encrypted inter-agent channels (TLS minimum). Message authentication and integrity verification. Cryptographic signatures for agent identity in multi-agent protocols. These are transport and identity layer controls.
ASI08 · Cascading Agent Failures
Risk
Small agent failures propagate through connected systems, causing large-scale impact across tool chains and dependent agents — especially in multi-agent architectures where one agent's output is another's input.
Gate response
Partial. The HALT decision terminates a sequence immediately on a policy-defined condition — stopping a failing agent from completing its workflow and reducing the scope of downstream impact. Sequence sealing prevents re-entry after completion. These contain the failure at the individual sequence level.
Gap
Cross-sequence cascade prevention — circuit breakers that detect failure patterns across multiple concurrent sequences and throttle or terminate related workflows — requires additional orchestration infrastructure beyond the per-sequence enforcement gate.
ASI09 · Human-Agent Trust Exploitation
Risk
Humans over-rely on agents due to misleading explanations, false credentials, or the agent projecting unwarranted certainty about what it has done — leading to decisions made on the basis of an agent's self-report rather than independent evidence.
Gate response
Cryptographic receipts provide an independent, tamper-evident record of what actually executed — decoupled from the agent's self-report. Every ALLOW and DENY is HMAC-signed before storage. An auditor or human reviewer can verify any receipt offline without relying on the agent's account of events. The receipt proves what happened. The agent's explanation is irrelevant to the verification.
Key mechanism
Tamper-evident receipts. Independent verification of every gate decision — before execution, signed, immutable. The trust anchor is the receipt chain, not the agent's stated account.
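What offline verification of a receipt chain looks like in practice, as an added Python example that is not AgenticRail's code. The page states only that every decision is HMAC-signed before storage and that a reviewer can verify a receipt without the agent's account; the field names, the chaining of each receipt to its predecessor's MAC, the genesis value and the demo key are assumptions made here for illustration.

```python
"""HMAC-signed, chained gate receipts with offline verification.

Added illustration, not AgenticRail's code. Field names, the chaining scheme
and the constructed key are assumptions.
"""
import hashlib
import hmac
import json

# Constructed demo key. The real key is provisioned to the gate and to the
# auditor out of band; the agent never holds it, so it cannot forge receipts.
RECEIPT_KEY = b"demo-receipt-key-not-for-production"
GENESIS = "0" * 64  # prev link of the first receipt in a sequence


def _canonical(payload: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_receipt(key: bytes, payload: dict, prev_mac: str) -> dict:
    """Bind the decision to its predecessor and sign it before the action executes."""
    body = dict(payload, prev=prev_mac)
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return dict(body, mac=mac)


def verify_receipt(key: bytes, receipt: dict) -> bool:
    """Offline check: recompute the MAC over every field except the MAC itself."""
    body = {k: v for k, v in receipt.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt.get("mac", ""))


def verify_chain(key: bytes, receipts: list) -> int:
    """Return -1 if the whole chain verifies, else the index of the first bad receipt.

    Catches edited fields (MAC mismatch) and removed or reordered receipts
    (prev link no longer matches the preceding MAC).
    """
    prev = GENESIS
    for i, r in enumerate(receipts):
        if r.get("prev") != prev or not verify_receipt(key, r):
            return i
        prev = r["mac"]
    return -1


def build_demo_chain() -> list:
    """Constructed sample: three gate decisions recorded for one sequence."""
    decisions = [
        {"sequence_id": "seq-demo-001", "step": 1, "function": "fetch_invoice",
         "action_type": "READ", "decision": "ALLOW", "reason": "OK"},
        {"sequence_id": "seq-demo-001", "step": 3, "function": "issue_payment",
         "action_type": "EXECUTE", "decision": "DENY", "reason": "SEQUENCE_VIOLATION"},
        {"sequence_id": "seq-demo-001", "step": 2, "function": "validate_invoice",
         "action_type": "READ", "decision": "ALLOW", "reason": "OK"},
    ]
    chain, prev = [], GENESIS
    for d in decisions:
        r = sign_receipt(RECEIPT_KEY, d, prev)
        chain.append(r)
        prev = r["mac"]
    return chain


def demo() -> dict:
    """Intact chain verifies; an edited DENY and a dropped receipt are both caught."""
    chain = build_demo_chain()
    intact = verify_chain(RECEIPT_KEY, chain)
    tampered = [dict(r) for r in chain]
    tampered[1]["decision"] = "ALLOW"          # self-report rewritten after the fact
    edited = verify_chain(RECEIPT_KEY, tampered)
    truncated = [chain[0], chain[2]]           # the DENY receipt quietly removed
    removed = verify_chain(RECEIPT_KEY, truncated)
    return {"intact": intact, "edited": edited, "removed": removed}


if __name__ == "__main__":
    print(demo())
```

Because HMAC is symmetric, the reviewer must hold the same key as the gate; the receipts are independent of the agent, not of the key holder. The prev link is what turns a pile of individually valid receipts into a chain: dropping the DENY in the middle makes the following receipt fail even though its own MAC is untouched.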
ASI10 · Rogue Agents
Risk
Agents act beyond their intended objectives due to goal drift, collusion with other agents, or emergent unaligned behaviour that develops over time — particularly in long-running agents operating with minimal human oversight.
Gate response
Partial. Sequence sealing prevents scope extension after workflow completion — a rogue agent cannot append additional steps to a completed sequence to claim capabilities beyond its declared workflow. The HALT decision provides an immediate stop for policy-defined termination conditions. Every step deviation produces a DENY receipt, creating a record of rogue behaviour for review.
Gap
Continuous goal-alignment monitoring — detecting drift in an agent's objectives across multiple workflow runs over time — requires observability tooling that operates above the per-sequence enforcement layer. The gate produces the evidence; detecting rogue patterns across that evidence requires additional monitoring.
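The decision paths described across the breakdown above, replayed in one place: the skipped-ahead step of ASI01, the action-type and policy mismatches of ASI02, the sealed sequence of ASI03, the externally held ledger and nonce store of ASI06, and the HALT used for containment in ASI08 and ASI10. This is an added Python example, not AgenticRail's code: the contract shape, the class and method names, the deny-budget HALT condition and the reason names NONCE_REPLAY and POLICY_HALT are assumptions; SEQUENCE_VIOLATION, ACTION_NOT_ALLOWED, NO_POLICY_MATCH and SEALED_SEQUENCE are the codes named on the page.

```python
"""Pre-action sequence gate producing the ALLOW / DENY / HALT decisions discussed above.

Added illustration, not AgenticRail's code. Contract shape, names, the deny-budget
HALT condition and the reason names NONCE_REPLAY / POLICY_HALT are assumptions.
"""
from dataclasses import dataclass, field

ALLOW, DENY, HALT = "ALLOW", "DENY", "HALT"


@dataclass
class SequenceGate:
    # Declared workflow: step i (1-indexed) may call the listed functions with the
    # listed action types and nothing else. Held outside the agent's context window.
    contract: list
    max_denies: int = 3                          # assumed policy-defined HALT condition
    ledger: list = field(default_factory=list)   # authoritative record of executed steps
    nonces: set = field(default_factory=set)     # accepted nonces, for replay protection
    denies: int = 0
    sealed: bool = False

    def evaluate(self, step: int, function: str, action_type: str, nonce: str) -> tuple:
        """Run before the tool call; returns (verdict, reason). Only ALLOW may execute."""
        if self.sealed:
            return DENY, "SEALED_SEQUENCE"
        if nonce in self.nonces:
            return self._deny("NONCE_REPLAY")       # name assumed; page only names the store
        if step != len(self.ledger) + 1:
            # Skipping ahead or repeating a step: the ledger decides, not the agent's belief
            return self._deny("SEQUENCE_VIOLATION")
        policy = self.contract[step - 1]
        if function not in policy:
            return self._deny("NO_POLICY_MATCH")
        if action_type not in policy[function]:
            return self._deny("ACTION_NOT_ALLOWED")
        self.nonces.add(nonce)                       # record state first, then allow
        self.ledger.append((step, function, action_type))
        if len(self.ledger) == len(self.contract):
            self.sealed = True                       # permanent: there is no unsealing path
        return ALLOW, "OK"

    def _deny(self, reason: str) -> tuple:
        self.denies += 1
        if self.denies >= self.max_denies:
            self.sealed = True                       # HALT ends the sequence for good
            return HALT, "POLICY_HALT"
        return DENY, reason


# Constructed three-step invoice workflow used as the declared contract
INVOICE_CONTRACT = [
    {"fetch_invoice": {"READ"}},
    {"validate_invoice": {"READ", "WRITE"}},
    {"issue_payment": {"EXECUTE"}},
]


def run_scenario() -> list:
    """Replays the deviation paths discussed for ASI01, ASI02, ASI03 and ASI06."""
    gate = SequenceGate(INVOICE_CONTRACT, max_denies=10)
    out = []
    # ASI01: a hijacked goal jumps straight to the high-value step
    out.append(gate.evaluate(3, "issue_payment", "EXECUTE", "n1"))
    # ASI02: permitted function with a disallowed action type, then an undeclared function
    out.append(gate.evaluate(1, "fetch_invoice", "EXECUTE_CODE", "n2"))
    out.append(gate.evaluate(1, "run_shell", "EXECUTE", "n3"))
    out.append(gate.evaluate(1, "fetch_invoice", "READ", "n4"))          # legitimate step 1
    # ASI06: poisoned context claims step 2 is done; the ledger says otherwise
    out.append(gate.evaluate(3, "issue_payment", "EXECUTE", "n5"))
    out.append(gate.evaluate(2, "validate_invoice", "READ", "n4"))       # replayed nonce
    out.append(gate.evaluate(2, "validate_invoice", "WRITE", "n6"))      # legitimate step 2
    out.append(gate.evaluate(3, "issue_payment", "EXECUTE", "n7"))       # legitimate step 3
    # ASI03: try to extend the completed workflow with an undeclared capability
    out.append(gate.evaluate(4, "transfer_funds", "EXECUTE", "n8"))
    return out


def run_halt_scenario() -> list:
    """ASI08 / ASI10: repeated deviations exhaust the deny budget and HALT the sequence."""
    gate = SequenceGate(INVOICE_CONTRACT, max_denies=2)
    return [gate.evaluate(3, "issue_payment", "EXECUTE", f"h{i}") for i in range(3)]


if __name__ == "__main__":
    for verdict, reason in run_scenario() + run_halt_scenario():
        print(f"{verdict} · {reason}")
```

The point to notice is what the gate never consults: nothing in evaluate reads the agent's goal, its explanation, or its claimed identity. Position in the workflow comes from the ledger, permission comes from the contract, and once the ledger is full or the deny budget is spent the sequence is sealed with no path back. The deny budget is one example of a policy-defined HALT condition; the page does not specify which conditions the product supports.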
What this means for EU AI Act compliance
December 2027 — Full enforcement of high-risk AI obligations
The OWASP Agentic Top 10 is designed to map to EU AI Act obligations. Article 9 requires risk management measures — the OWASP ASI taxonomy is the first formal agentic AI risk framework and the natural reference for Article 9 documentation. Article 12 requires logs enabling reconstruction of the sequence of events — the gate's pre-execution receipts for every ALLOW and DENY are that evidence.
Covering ASI01, ASI02, ASI03, ASI06, and ASI09 with a deterministic enforcement gate addresses the five risks that most directly undermine Article 12 compliance: the risks that cause the sequence of events to diverge from the declared workflow, or that make the agent's account of what happened unreliable. The remaining risks (ASI04, ASI07) require additional infrastructure but are not the primary obstacles to Article 12 evidence.
The practical implication: an organization deploying a high-risk AI agent under the EU AI Act can use OWASP ASI coverage as a structured argument that systematic risk identification and mitigation was performed. ASI01–ASI03 and ASI06 covered by the enforcement gate; ASI04 and ASI07 documented with compensating infrastructure controls; ASI05, ASI08, ASI10 documented with partial coverage and residual risk acceptance.
This is the kind of structured, honest risk mapping that Article 9 requires. Not a claim that all risks are eliminated — a documented assessment of which controls address which risks and what residual risk remains.
Run a sequence in the demo. See ASI01–ASI03 and ASI06 enforced in real time — with signed receipts for every ALLOW and DENY.