Earlier this year OWASP released guidance for Agentic AI security called Agentic AI – Threats and Mitigations. The document highlights the unique challenges involved in securely deploying this emerging technology and suggests mitigations and architectural patterns for defense.
Agents promise to revolutionize system workflows with their ability to interact with computing tools and services but these interactions also open a unique attack surface, OWASP says.
The document presents a reference architecture for agentic systems that shows four components: the memory system, tools the agent calls, the planning system, and the orchestration layer. While fifteen threats are identified in the document, most of these are present in other LLM based systems, such as chat bots, and are not specific to agentic systems. These threats are documented in other OWASP documentation – see, for example, OWASP Top 10 for Large Language Model Applications.
Tool misuse is identified as the major new threat, and the use of tools means that if the agent can be tricked into sending arbitrary content to the tools, all of the vulnerabilities that exist in the tools can be exploited by an attacker. OWASP defines it:
Tool misuse occurs when attackers manipulate AI agents into abusing their authorized tools through deceptive prompts and operational misdirection, leading to unauthorized data access, system manipulation, or resource exploitation while staying within granted permissions.
An example could be that an agent is tricked into calling a tool with the wrong user credentials, or making calls with elevated privilege. Prompt injection can be used to craft API calls that exploit weaknesses in the underlying APIs, such as script injection or broken object level authorization.
To combat tool misuse, the guidelines describe two primary architectural defense patterns. The first is to add an AI firewall between the agent and the tools. This is a specialized component that inspects the inputs and outputs of an agentic system and blocks compromised requests. These components are similar to how web-application firewalls are deployed to inspect website and API traffic. The second pattern is to monitor the telemetry stream from the agent, looking for anomalous inputs or outputs and respond by blocking tool use in real time.
The most important conclusion that can be drawn is that agents cannot be trusted, and requests from an agent should be treated in much the same way as a request from the internet.
In addition to defending against tool misuse, the OWASP document defines requirements for effective mitigation for all agentic AI threats. This requires strict access verification, behavioral monitoring, clear operational boundaries, and robust execution logs. Access verification enforces just-in-time verification for every tool the agent attempts to use, behavioral monitoring analyzes tool usage patterns to detect anomalies, operational boundaries define and enforce strict, explicit limits on what actions an agent is permitted to take, and execution logs maintain tamper-proof logs of all AI tool calls to enable anomaly detection and support post-incident forensic reviews.
