The OWASP ASI Top 10 was published in December 2025. It’s the first major framework specifically designed for agentic AI systems — AI that can take actions, use tools, and make decisions, not just answer questions.
If your business uses AI that does anything beyond generating text, this framework applies to you. That includes AI phone receptionists, email automation, scheduling tools, and any AI with access to your files, calendar, or customer data.
Here’s what each of the ten risks means in language that doesn’t require a security background.
ASI-01: Agent Goal Hijack
What it means: Someone tricks your AI into doing something you didn’t intend — by crafting a clever input that overrides its instructions.
Real-world example: A customer sends your AI receptionist a message designed to make it reveal your pricing strategy, access your calendar, or send information to an unauthorized recipient.
What good looks like: Your AI has a clearly defined scope of what it will and won’t respond to. Inputs are filtered. Unusual requests are logged and flagged.
ASI-02: Tool Misuse
What it means: Your AI has access to tools — APIs, databases, calendars, email — and it uses them in ways you didn’t intend.
Real-world example: An AI assistant given access to your email can send messages on your behalf. Without controls, a poorly crafted prompt could cause it to send something inappropriate or leak information.
What good looks like: Every tool your AI can use has explicit permissions, rate limits, and audit logging. The AI can only do what it’s explicitly allowed to do.
ASI-03: Identity and Privilege
What it means: Your AI has more access than it actually needs to do its job.
Real-world example: An AI built to answer customer FAQs has been given admin access to your practice management system “for convenience.” Now a security issue in the AI becomes a security issue for your entire patient database.
What good looks like: Least-privilege principles applied to every AI deployment. The AI gets access to exactly what it needs — nothing more.
ASI-04: Supply Chain
What it means: The AI tools and vendors you depend on may themselves be insecure or compromised.
Real-world example: You use a third-party AI receptionist. You don’t know what model it’s built on, how your call data is stored, or whether their infrastructure meets any security standard. If they get breached, your patients’ or clients’ data may be exposed.
What good looks like: A documented inventory of every AI tool you use, with vendor security assessments and data handling agreements.
ASI-05: Code Execution
What it means: Some AI systems can write and run code. If that capability isn’t sandboxed, it can be exploited.
Real-world example: An AI data analysis tool is asked by a user to “run this calculation” — and the “calculation” is actually a script designed to exfiltrate data.
What good looks like: Code execution is sandboxed, time-limited, and logged. The AI cannot access the broader system from within an execution environment.
ASI-06: Memory Poisoning
What it means: Some AI systems have persistent memory — they remember things between sessions. That memory can be corrupted or manipulated over time.
Real-world example: An AI customer service agent that remembers customer preferences gets fed false information (“my name is now X, my account is Y”) and updates its memory accordingly — which then affects how it handles future interactions.
What good looks like: Memory inputs are validated. Memory contents are periodically audited. Critical decisions don’t rely solely on AI memory.
ASI-07: Inter-Agent Communication
What it means: If you have multiple AI agents working together, the messages they send each other can be manipulated.
Real-world example: A research agent passes information to a writing agent. If the research agent is compromised, it can pass malicious instructions to the writing agent — which then acts on them.
What good looks like: Agent-to-agent messages are treated as untrusted inputs. Trust boundaries between agents are explicit and enforced.
ASI-08: Cascading Failures
What it means: One AI mistake triggers a chain reaction of problems across connected systems.
Real-world example: An AI scheduling system double-books an appointment. That triggers an automated reminder. The reminder triggers an automated billing update. A $0 charge gets processed. An accountant spends three hours untangling it.
What good looks like: AI workflows have circuit breakers — points where a human is required before the next step proceeds. Failures are isolated, not propagated.
ASI-09: Human Trust
What it means: AI can be used to manipulate human decision-making — by crafting outputs that seem authoritative but are misleading.
Real-world example: An AI summarizes a long contract and presents a key clause inaccurately. The attorney reviews the summary rather than the contract and misses the problem.
What good looks like: AI outputs in high-stakes contexts are clearly labeled as AI-generated. Humans are trained to verify rather than simply trust.
ASI-10: Rogue Agents
What it means: Your AI starts behaving differently from how it was designed — due to model updates, prompt drift, or environmental changes — and you don’t notice.
Real-world example: An AI receptionist starts giving slightly different answers to questions about your hours, pricing, or policies. No one is monitoring the outputs, so it goes undetected for months.
What good looks like: Behavioral monitoring is in place. Key outputs are sampled and reviewed regularly. Significant behavioral changes trigger alerts.
What this means for your business
You don’t need to memorize this list. But you should know whether your AI deployments have been evaluated against it.
If you’re using AI tools in your business — even tools you didn’t build — these risks apply to you. The question is whether they’ve been addressed.
If you’d like to understand what your AI exposure actually looks like, we offer a structured security audit that walks through each of these areas and tells you where to focus.