home experience thoughts
← thoughts

OWASP's agentic AI list is really an identity warning

Mar 1, 2026 · 2 min read

In December 2025, the OWASP GenAI Security Project published the Top 10 for Agentic Applications 2026. The useful signal is not just “prompt injection is bad.” The deeper point is that agents combine natural language inputs with real permissions, tools, and system state.

That changes the control model. A malicious instruction in an email, document, ticket, or web page is no longer just content. If an agent can act on it, that content can become an execution path.

This is why I think agentic AI security belongs close to IAM, not only AppSec. The question is not “can the model be tricked?” The question is: if it is tricked, what identity does it run as, what can it access, and how quickly can a human interrupt the action?

Three controls matter immediately:

Agent-specific identities. Every agent should operate under a named identity with a defined owner, purpose, and permission boundary. Shared user tokens are convenient, but they make audit and revocation harder.

Tool allowlists. The agent should not discover or use every connector available in the environment. High-risk actions such as sending mail, changing tickets, updating cloud resources, or modifying vendor records need explicit scope.

Blast-radius reviews. Before deployment, answer one practical question: if this agent behaved adversarially for four hours, what could it read, change, or send?

The identity perimeter used to mean users and service accounts. Agents make that perimeter more dynamic. Security teams that already have mature access reviews, logging, and exception workflows have a head start, but only if they extend those controls to agent identities before production usage spreads.