In 2026, OWASP has split into three major pillars to address the different layers of the modern tech stack: Web Applications, Large Language Models (LLMs), and Agentic AI.
The OWASP Top 10 for Agentic Applications, released in late 2025/early 2026, is the most critical framework for systems where AI "Agents" can autonomously call tools, browse the web, or access databases.
Risk ID Vulnerability
ASI-01 Agent Goal Hijack
ASI-02 Tool Misuse
ASI-03 Identity Abuse
ASI-09 Human-Agent Trust
The OWASP Top 10 for LLM Applications focuses on the security of the model interface itself. In 2026, Prompt Injection remains the #1 risk, but the focus has shifted to Indirect Injection (where the AI reads a poisoned website or PDF).
LLM01: Prompt Injection: Direct "jailbreaking" or indirect attacks via external data.
LLM02: Sensitive Information Disclosure: The model accidentally reveals its system prompt, internal API keys, or another user's private data.
LLM06: Excessive Agency: Giving an LLM the power to delete files or move money without a human "click-to-approve" step.
LLM10: Unbounded Consumption: Attackers forcing the model to run loops that spike your API costs (a "Denial of Wallet" attack).
In 2026, OWASP mandates the use of an AI Bill of Materials (AIBOM). This is a digital ingredient list for your AI tools.
Transparency: It lists which base model is used (e.g., Gemini 1.5, GPT-5).
Provenance: It tracks where the training data came from and whether it was "poisoned."
Security: It identifies which "Model Context Protocol" (MCP) servers the agent is connecting to, allowing you to block unverified tools.
For security consultants, use this 3-Step OWASP Review:
Input Validation: Treat every document or email the AI reads as "untrusted." Use a "Prompt Firewall" to strip out hidden commands.
Least Privilege: Does the AI really need "Edit" access to the database, or just "Read" access? Never give an agent administrative powers.
Human Gatekeeper: For any action that is irreversible (sending a mass email, deleting a file, spending money), the system must require a human to press "Approve."
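The three review steps, together with the AIBOM check on MCP servers described earlier, can be enforced in a single policy gate between the agent and its tools. The following is an added example, not code from OWASP or any product; the tool names, MCP server ids and instruction patterns are constructed for illustration.

```python
# Added example, not code from OWASP or any referenced project: a policy gate
# between an LLM agent and its tools, applying the three review steps above.
import re
from dataclasses import dataclass

# Step 1: "prompt firewall" for untrusted documents/emails the agent reads.
# Patterns are illustrative; hidden HTML comments and zero-width characters
# are common carriers for text a human reviewer never sees.
HIDDEN = re.compile(r"<!--.*?-->|[\u200b\u200c\u200d\u2060\ufeff]", re.S)
INSTRUCTION_LIKE = re.compile(
    r"\b(ignore|disregard)\b.*\binstructions\b|\bsystem prompt\b", re.I)

def sanitize_untrusted(text: str) -> tuple[str, bool]:
    """Strip hidden content, drop lines that read like instructions to the
    model, and report whether anything was removed so the caller can log
    or escalate the document instead of silently trusting it."""
    cleaned = HIDDEN.sub("", text)
    lines = cleaned.splitlines()
    kept = [ln for ln in lines if not INSTRUCTION_LIKE.search(ln)]
    changed = cleaned != text or len(kept) != len(lines)
    return "\n".join(kept), changed

@dataclass(frozen=True)
class ToolSpec:
    server: str         # MCP server the tool comes from (hypothetical ids)
    write: bool         # mutates state
    irreversible: bool  # cannot be undone: send, delete, pay

# Constructed inventory; VERIFIED_SERVERS stands in for the AIBOM's MCP list.
VERIFIED_SERVERS = {"mcp-crm", "mcp-mail"}
TOOLS = {
    "crm.search":     ToolSpec("mcp-crm",     write=False, irreversible=False),
    "crm.update":     ToolSpec("mcp-crm",     write=True,  irreversible=False),
    "mail.send_bulk": ToolSpec("mcp-mail",    write=True,  irreversible=True),
    "files.delete":   ToolSpec("mcp-unknown", write=True,  irreversible=True),
}

def gate(tool: str, scope: str, human_approved: bool = False) -> str:
    """Return 'allow', 'deny' or 'needs_human' for a proposed tool call.
    scope is the privilege granted to the agent: 'read' or 'write'."""
    spec = TOOLS.get(tool)
    if spec is None or spec.server not in VERIFIED_SERVERS:
        return "deny"         # AIBOM: unknown tool or unverified server
    if spec.write and scope != "write":
        return "deny"         # Step 2: least privilege
    if spec.irreversible and not human_approved:
        return "needs_human"  # Step 3: human gatekeeper
    return "allow"
```

A "needs_human" verdict should park the call until an approver acts; the flag returned by sanitize_untrusted is a useful signal to require that approval even for reversible actions.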
For General Web Security: Use the OWASP Top 10 (2025/2026).
For Building an AI Chatbot: Use the OWASP Top 10 for LLM Applications.
For Deploying Autonomous Assistants: Use the OWASP Top 10 for Agentic Applications.
Pro-Tip for 2026: Organizations are now using Agent-Led Red Teaming—deploying "good" AI agents to attack their own systems to find these OWASP vulnerabilities before hackers do.