OWASP Agentic Top 10 Compliance Guide
Introduction
The OWASP Agentic Top 10 is a framework that catalogs the ten most critical security risks in AI agent systems. Traditional web application security is concerned with APIs and data access by code whose behavior is fixed; agentic security is concerned with the additional risks created by autonomous decision-making systems that choose their own actions, and execute them on behalf of users and organizations, based on inputs an attacker may control.
This guide walks through each of the ten OWASP Agentic risks, explains the real-world impact, and describes how ExecLayer's deterministic execution architecture addresses each risk. The guide also includes a compliance checklist for implementing the security controls needed to mitigate each risk.
The Ten OWASP Agentic Risks
A1: Excessive Agency
Excessive agency occurs when an AI agent is granted too much autonomy or too broad a set of permissions. An agent with excessive agency can make decisions that harm the organization, users, or third parties, and has no built-in constraint to prevent escalation of authority.
Real-world impact: An agent designed to optimize costs might shut down critical infrastructure to reduce expenses. An agent designed to increase revenue might engage in deceptive practices. An agent with access to all customer data might leak it to a competitor.
How ExecLayer addresses A1: ExecLayer enforces explicit permission models. Every agent is assigned a specific role with narrow permissions. The agent cannot exceed those permissions, regardless of what it reasons about or is instructed to do, because permissions are enforced by the execution layer rather than by the model's own judgment: an action outside the role's permissions is rejected before it runs.
Compliance: Define the minimal set of actions necessary for the agent to fulfill its purpose. Grant only those actions. Review and audit permissions quarterly. Use ExecLayer's role-based access control to enforce these constraints.
A2: Insufficient Access Control
Insufficient access control means an agent has more access to resources than is appropriate for its job function. The agent might be able to read data it should not see, modify data it should only read, or delete data it should never touch.
Real-world impact: A content moderation agent can access user private messages even though its job is only to moderate public content. A customer support agent can access financial records. A forecasting agent can modify historical data to affect projections.
How ExecLayer addresses A2: ExecLayer implements fine-grained access control at the execution layer. Every action is checked against the agent's authorization scope before it executes. The agent cannot access a resource it is not explicitly authorized to access, and it cannot modify or delete resources in ways that exceed its permissions.
Compliance: Map agent job functions to specific data and system access requirements. Use least privilege principle: grant access to minimum resources needed. Implement role-based access control at the data level. Monitor data access patterns for anomalies.
A3: Improper Tool Use
Improper tool use occurs when an agent misuses a tool it has legitimate access to. The agent might call a function with wrong parameters, call it at the wrong time, or call it in violation of business logic constraints.
Real-world impact: An agent correctly authorized to create customer records creates thousands of duplicate records. An agent authorized to send emails sends an email to the wrong address. An agent authorized to refund transactions refunds the same transaction multiple times.
How ExecLayer addresses A3: ExecLayer validates tool use at the execution layer. Before a tool is called, the platform checks that the call is consistent with the agent's authorized scope and business logic constraints. Invalid tool use is rejected before the tool executes.
Compliance: Define business logic constraints for all tools. Implement guards that validate tool parameters before execution. Use rate limiting to prevent bulk action abuse. Monitor tool use patterns for suspicious activity.
A4: Data Poisoning
Data poisoning occurs when an attacker manipulates data that the agent uses for reasoning or decision-making. The agent receives corrupted data, makes decisions based on that data, and those decisions cause harm.
Real-world impact: An attacker modifies customer data to change the agent's understanding of customer preferences. An agent making recommendations bases those recommendations on poisoned data. An agent making financial decisions bases those decisions on fraudulent market data.
How ExecLayer addresses A4: ExecLayer does not prevent data poisoning directly, but it limits the impact through authorization enforcement. Even if an agent is reasoning based on poisoned data, the actions it can take are constrained by authorization policy. The agent cannot access or modify resources beyond its scope, regardless of what the poisoned data suggests.
Compliance: Validate data integrity before it reaches the agent. Use signatures or MACs to detect tampering; a plain checksum only catches accidental corruption, since an attacker who can modify the data can recompute it. Monitor data sources for unexpected changes. Implement data access controls to prevent unauthorized modification.
A5: Supply Chain Compromise
Supply chain compromise occurs when a third-party component or service used by the agent is compromised by an attacker. The compromised component might inject malicious instructions or manipulate the agent's behavior.
Real-world impact: An API that the agent calls has been compromised and returns attacker-crafted results that guide the agent toward a harmful action. A library used by the agent contains injected code that exfiltrates data. A model provider delivers a poisoned model update.
How ExecLayer addresses A5: ExecLayer limits the impact of supply chain compromise through authorization enforcement. Even if a compromised component attempts to manipulate the agent, the agent cannot exceed its authorization scope. A compromised API cannot trick an agent into taking unauthorized actions. It can still steer the agent toward harmful actions inside that scope, which is why the component controls below remain necessary.
Compliance: Audit and verify third-party components regularly. Pin component versions, and the hashes of their artifacts, so that updates are deliberate and verified rather than automatic. Implement network isolation where possible. Monitor API responses for anomalies. Implement cryptographic verification for critical data.
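Both A4 and A5 come down to the same control: nothing reaches the agent until its integrity has been checked. The following added example, which is not ExecLayer's code, shows the two checks a practitioner would actually write: a pinned manifest that accepts only a known version with a matching SHA-256 (A5), and HMAC-signed data records that are rejected if modified after signing (A4). The manifest layout, the in-source key store, the record format and the constructed artifact bytes are assumptions for the example; a real deployment keeps the key in a KMS or HSM.

```python
"""Integrity checks before data or a component reaches the agent: pinned
artifact hashes (A5) and HMAC-signed data records (A4). Added illustration;
the manifest layout, the key store and the record format are assumptions."""
import hashlib
import hmac
import json

# Constructed manifest of pinned third-party components: exact version and
# SHA-256 of the artifact bytes. In practice this is reviewed and committed.
PINNED_MANIFEST = {
    "sentiment-model": {"version": "1.4.2", "sha256": None},  # filled in below
}
# Constructed artifact bytes standing in for a downloaded model/library file.
ARTIFACT_BYTES = b"sentiment-model-1.4.2 weights (constructed sample)"
PINNED_MANIFEST["sentiment-model"]["sha256"] = hashlib.sha256(ARTIFACT_BYTES).hexdigest()


class IntegrityError(Exception):
    pass


def verify_pinned_artifact(name: str, version: str, data: bytes) -> bool:
    """Accept only the pinned version whose hash matches; anything else is refused."""
    pin = PINNED_MANIFEST.get(name)
    if pin is None:
        raise IntegrityError(f"{name}: component is not in the pinned manifest")
    if version != pin["version"]:
        raise IntegrityError(f"{name}: version {version} is not the pinned {pin['version']}")
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, pin["sha256"]):
        raise IntegrityError(f"{name}: artifact hash mismatch (tampered or wrong build)")
    return True


# Constructed key store: key id -> secret shared with the data producer.
# Assumption for the example only; a real deployment holds the key in a KMS/HSM.
KEYS = {"k1": b"constructed-demo-key-do-not-reuse"}


def canonical(record: dict) -> bytes:
    """Stable serialisation so producer and verifier sign identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict, key_id: str) -> dict:
    mac = hmac.new(KEYS[key_id], canonical(record), hashlib.sha256).hexdigest()
    return {"data": record, "key_id": key_id, "mac": mac}


def verify_record(envelope: dict) -> dict:
    """Return the record only if its MAC verifies under a known key."""
    key = KEYS.get(envelope.get("key_id"))
    if key is None:
        raise IntegrityError("record signed with unknown key id")
    expected = hmac.new(key, canonical(envelope["data"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope.get("mac", "")):
        raise IntegrityError("record MAC mismatch: data was modified after signing")
    return envelope["data"]


def demo() -> dict:
    out = {}
    out["pinned_ok"] = verify_pinned_artifact("sentiment-model", "1.4.2", ARTIFACT_BYTES)
    try:  # same declared version, one byte changed in the artifact
        verify_pinned_artifact("sentiment-model", "1.4.2", ARTIFACT_BYTES + b"x")
    except IntegrityError as e:
        out["tampered_artifact"] = str(e)
    try:  # a newer release that was never reviewed or pinned
        verify_pinned_artifact("sentiment-model", "1.5.0", ARTIFACT_BYTES)
    except IntegrityError as e:
        out["unpinned_version"] = str(e)

    envelope = sign_record({"customer": "c-42", "preference": "email"}, "k1")
    out["record_ok"] = verify_record(envelope)["preference"]
    # Constructed poisoning: the preference field is changed in transit.
    poisoned = {**envelope, "data": {**envelope["data"], "preference": "share-with-partner"}}
    try:
        verify_record(poisoned)
    except IntegrityError as e:
        out["poisoned_record"] = str(e)
    return out
```

Canonical serialisation matters more than it looks: if producer and verifier serialise the same record with different key order or whitespace, every MAC fails and the check gets disabled in production. Comparing digests with hmac.compare_digest avoids leaking the position of the first mismatching byte through timing.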
A6: Prompt Injection
Prompt injection occurs when an attacker embeds instructions in data that the agent processes. The agent follows the embedded instructions instead of its intended purpose.
Real-world impact: An attacker embeds instructions in a customer support ticket. The agent reads the ticket and the embedded instructions convince it to exfiltrate customer data. An attacker embeds instructions in a web page that the agent crawls, causing the agent to take unauthorized actions.
How ExecLayer addresses A6: ExecLayer addresses prompt injection through multiple layers. Input validation removes obvious injected instructions, but this is a heuristic: rephrased or encoded instructions will get past any filter. Output validation checks that the agent's intended actions are within scope. Execution authorization is the layer that does not depend on recognizing the injection at all: it prevents any unauthorized action, regardless of whether it was the result of prompt injection or legitimate reasoning.
Compliance: Implement input filtering to remove obvious malicious instructions. Sanitize all user input. Validate all data sources. Use ExecLayer's execution authorization layer to enforce that all actions are within scope. Monitor for suspicious reasoning patterns.
A7: Unreliable Output
Unreliable output occurs when an agent produces results that are incorrect, inconsistent, or inaccurate. The agent's output is used for decision-making, and incorrect output leads to poor decisions.
Real-world impact: An agent produces a financial forecast that is significantly inaccurate, leading to poor investment decisions. An agent produces a customer summary that contains hallucinated information, leading to poor customer service. An agent produces a risk assessment that is wrong, leading to compliance violations.
How ExecLayer addresses A7: ExecLayer does not directly address output reliability, but it provides audit trails and non-repudiation that make it possible to detect and investigate incorrect outputs. All agent actions and reasoning are recorded in cryptographically signed audit logs.
Compliance: Implement output validation where possible. Use multiple agents to cross-check outputs. Require human review for high-stakes decisions. Monitor output patterns for degradation. Implement version control for agent models.
A8: Insufficient Logging and Monitoring
Insufficient logging and monitoring means an organization cannot detect when an agent has been compromised or is behaving anomalously. Security incidents go undetected until they cause significant harm.
Real-world impact: An agent is compromised and exfiltrates data for weeks before anyone notices. An agent begins taking unauthorized actions but the organization has no visibility into what the agent is doing. A supply chain compromise goes undetected because API behavior is not monitored.
How ExecLayer addresses A8: ExecLayer generates cryptographically signed audit logs for all agent actions. Every action is recorded with identity, authorization scope, and outcome. Audit logs are append-only and stored separately from operational systems, so that an agent or a compromised component cannot edit or delete its own history without the change being detectable. Organizations can use these logs to detect anomalous agent behavior.
Compliance: Implement comprehensive logging for all agent actions. Store logs in an immutable system. Analyze logs for anomalous patterns. Alert on suspicious activity. Require regular log review by security teams. Implement retention policies consistent with organizational requirements.
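The audit log described for A7 and A8 needs two properties that are easy to claim and easy to get wrong: each entry must be signed by a key the agent does not hold, and entries must be chained so that removing the one inconvenient record is as detectable as editing it. The following added example, not ExecLayer's log format, implements a hash-chained, HMAC-signed append-only log and shows what each kind of tampering looks like to the verifier. The entry fields, the in-source log key and the constructed action sequence are assumptions for the example:

```python
"""Append-only audit log where each entry records identity, authorization
scope and outcome, is HMAC-signed, and is chained to the previous entry's
hash so deletion or edits are detectable. Added illustration; the entry
fields and the key handling are assumptions, not ExecLayer's log format."""
import copy
import hashlib
import hmac
import json

LOG_KEY = b"constructed-audit-key"   # assumption: held by the log service, never by the agent
GENESIS = "0" * 64


def _canonical(obj: dict) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    def __init__(self, key: bytes = LOG_KEY):
        self._key = key
        self.entries = []

    def append(self, agent: str, scope: str, action: str, resource: str,
               outcome: str, seq_time: int) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "time": seq_time, "agent": agent, "scope": scope,
                "action": action, "resource": resource, "outcome": outcome, "prev": prev}
        entry_hash = hashlib.sha256(_canonical(body)).hexdigest()
        mac = hmac.new(self._key, entry_hash.encode(), hashlib.sha256).hexdigest()
        entry = {**body, "entry_hash": entry_hash, "mac": mac}
        self.entries.append(entry)
        return entry

    def verify(self, entries=None) -> tuple:
        """Walk the chain; return (ok, index of first bad entry or -1, reason)."""
        entries = self.entries if entries is None else entries
        prev = GENESIS
        for i, e in enumerate(entries):
            body = {k: v for k, v in e.items() if k not in ("entry_hash", "mac")}
            if e.get("seq") != i or body.get("prev") != prev:
                return False, i, "chain break: entry removed, reordered or inserted"
            expected_hash = hashlib.sha256(_canonical(body)).hexdigest()
            if not hmac.compare_digest(expected_hash, e.get("entry_hash", "")):
                return False, i, "entry contents modified after signing"
            expected_mac = hmac.new(self._key, expected_hash.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected_mac, e.get("mac", "")):
                return False, i, "entry not signed by the log key"
            prev = e["entry_hash"]
        return True, -1, "ok"


def demo() -> dict:
    log = AuditLog()
    scope = "tickets/,customers/profile/"
    # Constructed sequence: a denied out-of-scope read between two allowed actions.
    log.append("support-agent", scope, "read", "tickets/1041", "allowed", 1)
    log.append("support-agent", scope, "read", "customers/financial/c-42", "denied", 2)
    log.append("support-agent", scope, "reply", "tickets/1041", "allowed", 3)
    out = {"clean": log.verify()}

    edited = copy.deepcopy(log.entries)
    edited[1]["outcome"] = "allowed"          # cover up the denial in place
    out["edited"] = log.verify(edited)

    truncated = copy.deepcopy(log.entries)
    del truncated[1]                          # remove the denial entirely
    out["deleted"] = log.verify(truncated)

    forged = copy.deepcopy(log.entries)
    forged[1]["outcome"] = "allowed"
    body = {k: v for k, v in forged[1].items() if k not in ("entry_hash", "mac")}
    forged[1]["entry_hash"] = hashlib.sha256(_canonical(body)).hexdigest()  # re-hash, no key
    out["rehashed"] = log.verify(forged)
    return out
```

An attacker who can rewrite the log but does not hold the key can recompute hashes, not MACs, so the third case is caught at the signature check; an attacker who also holds the key can forge freely, which is why the key belongs to the log service and the log is stored apart from the systems the agent can reach.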
A9: Agent Drift
Agent drift occurs when an agent's behavior changes over time in ways that are not intended or authorized. As models are updated, as the agent encounters new situations, or as adversaries manipulate the agent, the agent's behavior drifts away from its original purpose.
Real-world impact: An agent begins making riskier decisions than it was designed to make. An agent becomes less effective at its primary job due to model degradation. An agent begins taking actions that violate internal policies.
How ExecLayer addresses A9: ExecLayer addresses agent drift through continuous monitoring and authorization enforcement. Even if an agent drifts in its reasoning, the authorization layer ensures that the agent cannot exceed its scope, so drift that crosses the scope boundary is stopped before it causes harm. Drift that stays inside the scope, such as riskier but still permitted decisions, is what the behavioral monitoring below exists to catch.
Compliance: Monitor agent behavior patterns over time. Compare current behavior against baseline behavior. Alert on significant changes. Implement version control for agent models. Require periodic re-evaluation of agent performance against original specifications.
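The comparison against a baseline can be made concrete with the mix of actions an agent takes per window. The following added example, not ExecLayer's monitoring, compares the action distribution in the current window with a baseline window using total variation distance and flags action types never seen in the baseline; the threshold, the window contents and the action names are constructed assumptions for the example:

```python
"""Behavioural baseline for an agent: the distribution of actions it takes
over a baseline window, compared with the current window. Added illustration;
thresholds, window contents and action names are assumptions."""
from collections import Counter

DRIFT_THRESHOLD = 0.25   # total-variation distance above which to alert (assumption)


def action_distribution(actions: list) -> dict:
    counts = Counter(actions)
    total = sum(counts.values()) or 1
    return {k: v / total for k, v in counts.items()}


def total_variation(p: dict, q: dict) -> float:
    """0 when the two distributions are identical, 1 when they are disjoint."""
    keys = set(p) | set(q)
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in keys)


def assess_drift(baseline_actions: list, current_actions: list,
                 threshold: float = DRIFT_THRESHOLD) -> dict:
    base, cur = action_distribution(baseline_actions), action_distribution(current_actions)
    distance = total_variation(base, cur)
    novel = sorted(set(cur) - set(base))   # verbs never seen during the baseline
    reasons = []
    if distance > threshold:
        reasons.append(f"action mix shifted (TVD={distance:.2f} > {threshold})")
    if novel:
        reasons.append(f"new action types: {novel}")
    return {"distance": round(distance, 3), "novel_actions": novel,
            "alert": bool(reasons), "reasons": reasons}


# Constructed per-call action logs for a support agent.
BASELINE = ["read_ticket"] * 60 + ["reply_ticket"] * 30 + ["read_profile"] * 10
STEADY = ["read_ticket"] * 58 + ["reply_ticket"] * 32 + ["read_profile"] * 10
DRIFTED = (["read_ticket"] * 30 + ["reply_ticket"] * 10
           + ["read_profile"] * 40 + ["refund"] * 20)


def demo() -> dict:
    return {"steady": assess_drift(BASELINE, STEADY),
            "drifted": assess_drift(BASELINE, DRIFTED)}
```

Normal day-to-day variation (the STEADY window) scores close to zero; the DRIFTED window both shifts the mix toward profile reads and introduces refunds, an action the agent never took during the baseline, and each of those is reported separately so the reviewer knows which kind of change to investigate. The same comparison should be re-run with a fresh baseline after every model version change, since a deliberate update will otherwise show up as drift.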
A10: Unbounded Resource Consumption
Unbounded consumption of resources occurs when an agent uses system resources without limit: making unlimited API calls, consuming unlimited bandwidth, executing unlimited database queries, or burning through tokens on language model APIs.
Real-world impact: An agent makes millions of API calls and exhausts the monthly quota, causing service disruption. An agent runs an infinite loop of database queries and causes database performance degradation. An agent makes excessive LLM API calls and causes unexpected high costs.
How ExecLayer addresses A10: ExecLayer enforces rate limiting and quota enforcement at the execution layer. The agent cannot make more API calls than its authorization scope allows. Rate limits and quotas are enforced by the platform, not by the agent.
Compliance: Define rate limits and quotas for all agent resources. Implement quota enforcement at the platform level. Monitor resource consumption in real-time. Alert when an agent approaches resource limits. Implement backoff and retry logic for transient failures.
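Rate limiting serves two passages on this page: the bulk-action abuse under A3 and the runaway consumption under A10. The following added example, not ExecLayer's configuration, enforces a token-bucket rate limit and a per-period quota per (agent, resource) on the platform side, with an alert when the quota is 80% consumed. The limit values, the injected clock and the resource names are assumptions for the example:

```python
"""Platform-side rate limiting and quota enforcement for agent resource use,
with alerting as a quota is approached. Added illustration; limits, the
injected clock and the resource names are assumptions, not ExecLayer's
configuration."""
from dataclasses import dataclass


@dataclass
class Limit:
    rate_per_sec: float      # sustained calls per second
    burst: int               # token-bucket capacity
    quota: int               # hard cap for the billing period
    alert_at: float = 0.8    # fraction of quota that raises an alert (assumption)


@dataclass
class Bucket:
    tokens: float
    last: float
    used: int = 0
    alerted: bool = False


class ResourceGovernor:
    """Holds one bucket per (agent, resource); the agent never sees the counters."""

    def __init__(self, limits: dict):
        self.limits = limits
        self.buckets = {}
        self.alerts = []

    def allow(self, agent: str, resource: str, now: float) -> tuple:
        limit = self.limits.get(resource)
        if limit is None:
            return False, "no limit configured: resource is not authorized at all"
        key = (agent, resource)
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(tokens=limit.burst, last=now)
        # refill tokens for elapsed time, capped at the burst size
        b.tokens = min(limit.burst, b.tokens + (now - b.last) * limit.rate_per_sec)
        b.last = now
        if b.used >= limit.quota:
            return False, f"quota of {limit.quota} exhausted for {resource}"
        if b.tokens < 1:
            return False, f"rate limit {limit.rate_per_sec}/s exceeded for {resource}"
        b.tokens -= 1
        b.used += 1
        if not b.alerted and b.used >= limit.alert_at * limit.quota:
            b.alerted = True
            self.alerts.append(f"{agent} at {b.used}/{limit.quota} of {resource} quota")
        return True, "ok"


def demo() -> dict:
    gov = ResourceGovernor({
        "llm:completion": Limit(rate_per_sec=2.0, burst=5, quota=20),
        "db:query": Limit(rate_per_sec=10.0, burst=10, quota=1000),
    })
    # Constructed burst: 8 LLM calls in the same instant; only the burst size passes.
    burst = [gov.allow("agent-a", "llm:completion", now=0.0)[0] for _ in range(8)]
    # One second later two tokens have refilled at 2/s, so two of three calls pass.
    after_refill = [gov.allow("agent-a", "llm:completion", now=1.0)[0] for _ in range(3)]
    # Slow, spread-out calls until the period quota runs out.
    t, results, reason = 10.0, [], "ok"
    while True:
        ok, reason = gov.allow("agent-a", "llm:completion", now=t)
        results.append(ok)
        if not ok:
            break
        t += 1.0
    return {
        "burst_allowed": burst.count(True),
        "after_refill_allowed": after_refill.count(True),
        "total_allowed": burst.count(True) + after_refill.count(True) + results.count(True),
        "final_reason": reason,
        "alerts": gov.alerts,
        "unconfigured": gov.allow("agent-a", "s3:put", now=0.0)[0],
    }
```

The two mechanisms catch different failures: the bucket stops the tight loop that would exhaust a quota in seconds, the quota stops the slow leak that stays under the rate limit all month. A resource with no configured limit is refused rather than allowed, so adding a new integration forces an explicit decision about its budget.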
OWASP Agentic Top 10 Compliance Checklist
A1: Excessive Agency
- Agent roles are defined with minimal, specific permissions
- Permissions are aligned with agent job function
- Permission model is documented and reviewed quarterly
- Escalation requests require explicit authorization and audit
A2: Insufficient Access Control
- Fine-grained access control is implemented at the execution layer
- Agent access is validated before every resource access
- Denied access attempts are logged and reviewed
- Data access patterns are monitored for anomalies
A3: Improper Tool Use
- Business logic constraints are defined for all tools
- Tool parameters are validated before execution
- Rate limiting prevents bulk action abuse
- Tool use patterns are monitored for suspicious activity
A4: Data Poisoning
- Data integrity checks are in place for critical data sources
- Data modifications require authorization
- Data access controls prevent unauthorized modification
- Cryptographic signatures verify data integrity
A5: Supply Chain Compromise
- Third-party components are audited and verified
- Component versions are pinned to prevent auto-updates
- Network isolation limits impact of compromise
- API responses are monitored for anomalies
A6: Prompt Injection
- Input filtering removes obvious malicious instructions
- All user input is sanitized
- Data sources are validated
- Execution authorization enforces scope regardless of instruction source
- Suspicious reasoning patterns are monitored
A7: Unreliable Output
- Output validation is implemented where possible
- Multiple agents validate critical outputs
- Human review is required for high-stakes decisions
- Output quality is monitored over time
A8: Insufficient Logging and Monitoring
- All agent actions are logged with complete context
- Logs are cryptographically signed
- Logs are stored in an immutable system
- Logs are reviewed regularly for anomalies
- Alerts are triggered for suspicious activity
A9: Agent Drift
- Agent behavior is monitored over time
- Baseline behavior is established
- Significant deviations trigger alerts
- Agent models are version controlled
- Regular re-evaluation of agent performance is scheduled
A10: Unbounded Resource Consumption
- Rate limits are defined for all agent resources
- Quotas are enforced at the platform level
- Real-time resource monitoring is in place
- Alerts trigger when limits are approached
- Backoff and retry logic is implemented
Mapping ExecLayer Security Properties to OWASP Agentic Top 10
ExecLayer's architecture provides security properties that directly address OWASP Agentic risks. By implementing deterministic execution with explicit authorization enforcement, cryptographic audit trails, and immutable logging, ExecLayer mitigates most OWASP Agentic Top 10 risks at the platform level, and for the risks it does not prevent directly (data poisoning, unreliable output) it bounds the damage an affected agent can do and records what it did.