
Prompt Injection, Memory Poisoning, and the New OWASP Top 10: Security for Agentic AI in 2026
The OWASP Top 10 for Agentic Applications dropped in late 2025, and the security landscape it describes looks nothing like the one most teams planned for. The framework catalogs ten risks specific to autonomous AI agents, built with input from more than 100 industry experts. Its 2026 companion report no longer lists hypothetical threats. It lists actual CVEs, vendor advisories, and breach reports. Prompt injection maps to six of the ten categories. Memory poisoning has its own dedicated slot. And the average enterprise is now managing around 37 deployed agents, most of them spun up without central review. If you build, deploy, or depend on AI agents, this is the document that tells you what is already going wrong.
Key Takeaways
- OWASP's 2026 Agentic Top 10 reframes AI risk around identity, tool use, and agent autonomy rather than network perimeters, with prompt injection touching six of ten risk categories.
- Memory poisoning is now a first-class threat: published techniques achieve over 80% attack success at sub-0.1% poison rates, and a separate method reaches 98.2% injection success using only normal query access.
- The "lethal trifecta" (private data access + untrusted input + external communication) remains an architectural problem, not a filtering problem. The strongest published defenses still miss roughly one in ten optimized attacks.
- Compliance windows are collapsing to hours, not quarters. DORA requires major-incident notification within four hours. Having immutable forensic trails of what an agent saw, decided, and did is now a regulatory requirement, not a nice-to-have.
- Identity has replaced the network as the primary attack surface. Non-human identities (service principals, secrets, autonomous agents) outnumber human users by roughly 100 to 1 in most organizations.
What Does the OWASP Top 10 for Agentic Applications Actually Cover?
It covers ten risk categories, designated ASI01 through ASI10, that are specific to autonomous AI agents: planning, tool use, identity, supply chain, code execution, memory, inter-agent communication, cascading failures, human-agent trust, and rogue agents. The full list is documented in detail by Modulos with mapping to controls and mitigations. What makes this framework distinct from OWASP's earlier LLM Top 10 is the unit of analysis. The older list focused on what could go wrong with a single model inference call. The agentic list focuses on what goes wrong when that model can plan, remember, call tools, and talk to other agents without waiting for a human to approve each step.
The shift matters because the failure modes are different. A chatbot that hallucinates is embarrassing. An agent that hallucinates a tool call, then executes it, then passes the result to a second agent that acts on it, is a cascade. The framework treats these cascades as first-order risks rather than edge cases.
Group-IB describes the Agentic Top 10 as one of the first peer-reviewed frameworks focused specifically on agentic AI risk, noting endorsement from organizations including NIST and Microsoft.
Why Does Prompt Injection Touch Six of Ten Categories?
Because prompt injection is not a single vulnerability. It is an input-validation failure that propagates wherever an agent consumes untrusted text. When an agent reads an email (tool use), retrieves a document from a vector store (memory), passes a summary to another agent (inter-agent communication), or generates code from a spec (code execution), each of those surfaces can carry an injected instruction. OWASP's mapping reflects this: prompt injection now maps to six of the ten agentic risk categories, making it less a single line item and more a cross-cutting concern that touches most of the attack surface.
The incident data backs this up. Documented injection attempts against enterprise AI rose roughly 340% year-over-year by late 2025, with indirect attacks (instructions hidden in emails, documents, or web pages) making up more than 55% of incidents and showing 20-30% higher success rates than direct attempts. These are not researchers probing sandboxes. These are production systems being exploited.
In March 2026, Palo Alto Networks' Unit 42 published the first large-scale evidence of attackers seeding injection payloads into open web content. They catalogued 22 techniques. The most common delivery method was plain visible text at 37.8%, ahead of HTML attribute cloaking and CSS concealment. The implication: attackers are not even bothering to hide the payloads from human readers, because the target is the agent, not the person.
What Is Memory Poisoning and Why Is It Worse Than Prompt Injection?
Memory poisoning plants instructions into an AI agent's persistent memory so they survive across sessions and can trigger days or weeks later. Prompt injection ends when a conversation closes. Memory poisoning does not. Researchers have started using the framing "Poison Once, Exploit Forever" to describe this durability, and OWASP gave it a dedicated category, ASI06: Memory and Context Poisoning.
The published attack research is sobering. The AgentPoison technique achieves over 80% attack success at less than 0.1% poison rate in RAG-based agents, with no model retraining required. A separate technique called MINJA reaches a 98.2% injection success rate and 76.8% end-to-end attack success using only normal query-level access, meaning the attacker does not need direct database manipulation. They just need to submit queries.
A February 2026 paper on implicit memory found that even agents without explicit memory modules are vulnerable. LLMs encode state in their own outputs, and when those outputs are fed back as input in subsequent turns, the encoded state is retrieved. The agent "remembers" things it was never explicitly asked to store. This means your agent has memory whether you designed it to or not, and that memory can be poisoned.
How Does This Change the Threat Model?
It changes the threat model from "defend each session" to "defend every piece of data that might persist." A single poisoned document in a RAG corpus can sit dormant until a user query activates it. A poisoned memory entry can wait for a specific trigger phrase. The attack surface is no longer the conversation; it is the entire data layer the agent can read from over its lifetime.
For anyone building agents with persistent memory, this means provenance tagging, time-boxing, and scoping of stored data are not features. They are survival requirements. We will come back to this when we talk about least agency.
What Is the "Lethal Trifecta" and Why Can't Filtering Fix It?
The lethal trifecta is a framing (attributed to Simon Willison) that describes the conditions under which any agent becomes an exfiltration tool: access to private data, exposure to untrusted content, and the ability to communicate externally. If a single agent instance holds all three properties, a single injected prompt can instruct it to read private data and send it somewhere the attacker controls. The trifecta is structural, not a tuning knob.
Most of the industry is investing in detection and filtering layers. These help, but they have hard ceilings. The strongest published defenses still miss roughly one in ten optimization-based attacks, and adaptive attacks bypass essentially every recommended defense. If your architecture allows one agent instance to hold all three trifecta properties simultaneously, you are relying on a filter to bat 1.000 against motivated adversaries. That filter will not bat 1.000. Nobody's will.
The more durable fix is architectural: never let one agent instance hold all three properties at the same time. Segment data access from action-taking. This is the direction OWASP's framework points toward, and it is the direction we think matters most. Detection layers are a supplement, not a substitute, for isolation.
What Is "Least Agency" and How Does It Differ from Least Privilege?
Least agency is OWASP's new concept, and it reframes autonomy as an earned privilege rather than a default setting. Auth0's analysis explains the distinction: traditional least-privilege thinking controls what resources an identity can access. Least agency controls how much freedom an agent has to act without checking back with a human. An agent might have the correct permissions to read a database and send an email, but under least agency, you would still ask whether it should be allowed to do both in sequence without human approval.
This matters for memory too. If memory poisoning research shows that sub-0.1% poison rates can achieve 80%+ attack success, then granting persistent memory by default is granting too much agency. Memory should be scoped (what can be stored), time-boxed (how long it persists), and provenance-tagged (where it came from and how it entered the store). "Privacy by design" and "security by forgetting" turn out to be the same argument when you look at it through the lens of least agency.
At Selina, we took this seriously from the start. Memory is encrypted at rest. We should be clear about what we don't claim: memory is NOT end-to-end encrypted. A slice of each request reaches a frontier provider at inference, and we are honest about that boundary. Files and transfers via SelinaSEND are zero-knowledge encrypted. Memory is not. Non-content operational metadata is kept for a short retention window. These are deliberate architectural choices, not marketing copy. We would rather tell you the honest boundary than let you assume something we cannot guarantee.
How Did a Backdoored Package Compromise Dozens of Agent Frameworks in Three Hours?
In March 2026, a backdoored version of LiteLLM (a widely used language-model gateway that underpins CrewAI, DSPy, Microsoft GraphRAG, and dozens of other agent frameworks) sat on PyPI for three hours. It accumulated nearly 47,000 downloads. Anyone who updated during that window received an autonomous attack bot called "hackerbot-claw."
This is OWASP's ASI04 (supply chain) in action. Agent frameworks have deep dependency trees, and a single compromised package can propagate across every agent built on that stack. The three-hour window matters because most CI/CD pipelines pull latest versions automatically. By the time a human noticed, the package had already been deployed into production environments.
The takeaway is unglamorous but important: pin your dependencies, verify checksums, and treat your agent's supply chain with the same paranoia you would apply to a kernel module. The OWASP framework's supply chain category now exists because this is not a theoretical risk. It happened.
Why Has Identity Replaced the Network as the Primary Attack Surface?
Because breaches are no longer about "getting in" through firewalls. They are about logging in. SecurityWeek's 2026 predictions state this flatly: identity has replaced network as the primary attack surface. The reason is straightforward. Cloud-native architectures have no perimeter to breach. Everything is an API call authenticated by a credential.
Cloud Security Alliance reporting from March 2026 frames organizations as now governing a non-human identity perimeter where service principals, secrets, and autonomous agents outnumber human users by a ratio of 100 to 1. Every agent you deploy is a non-human identity with credentials, permissions, and the ability to act. If those credentials are compromised, or if the agent is tricked into misusing them (hello, prompt injection), the result is indistinguishable from an insider threat.
One survey found 87% of CISOs cite AI agent security as a top concern, while only 11% report having safeguards actually in place. That gap between concern and implementation is where incidents happen.
How Are Compliance Windows Changing the Calculus?
They are collapsing from quarters to hours, which changes what you need to build. DORA requires major-incident notification within four hours. NIS2 sets a 24-hour early-warning window. New York's RAISE Act gives 72 hours for frontier-model incidents. California's SB 53 allows 15 days. OWASP's report now tracks 42 separate regulatory instruments across 10 jurisdictions.
If you cannot answer "what did the agent see, decide, and do" within four hours, you are not compliant. Full stop. The product implication is that immutable, queryable forensic trails are no longer a nice-to-have for mature organizations. They are a regulatory requirement. This means logging not just inputs and outputs but the agent's intermediate reasoning steps, tool calls, memory retrievals, and any data it accessed or modified.
Shadow AI makes this harder. OWASP's contributors found shadow AI present in almost every organization examined, and only 37% of organizations have a policy in place to detect it. You cannot produce forensic trails for agents you do not know exist.
What Should You Actually Do About This?
There is no single fix. The OWASP framework is useful precisely because it forces you to think across ten categories instead of fixating on one. But if you are a technical leader trying to prioritize, here is where the evidence points:
Segment the trifecta architecturally. Do not let one agent instance simultaneously hold access to private data, exposure to untrusted content, and external communication ability. This is the single highest-leverage design decision you can make. It does not eliminate prompt injection, but it limits what a successful injection can do.
Apply least agency to memory. Persistent memory should not be a default. Scope it to what the agent needs, time-box retention, tag provenance so you can trace where each stored entry originated. If you use RAG, treat your vector store as a security boundary, not a data lake.
Pin dependencies and audit your supply chain. The LiteLLM incident showed that a three-hour window is enough to compromise 47,000 installations. If your agent framework pulls latest from a public registry on every build, you are one compromised package away from deploying someone else's code into production.
Build forensic trails from day one. You will need them for compliance, and you will need them for incident response. Log the agent's inputs, outputs, tool calls, memory retrievals, and intermediate reasoning. Make the logs immutable and queryable. When (not if) something goes wrong, your ability to reconstruct what happened within a four-hour window will determine whether you are compliant or in violation.
Inventory your agents. You probably have more than you think. The average organization is managing around 37 deployed agents, and that number grows every quarter as teams spin up automation without central review. You cannot secure what you do not know about.
Where Does This Leave Us?
The OWASP Top 10 for Agentic Applications is the first serious attempt to catalog what is actually going wrong with deployed AI agents, grounded in real incidents rather than threat models. The picture it paints is not comforting. Prompt injection is pervasive and cross-cutting. Memory poisoning is durable and cheap. Supply chains are fragile. Identity is the new perimeter, and most organizations have not caught up.
At Selina, we build with these constraints in mind. Content is encrypted. The account is protected. Files and transfers are zero-knowledge encrypted via SelinaSEND. Memory is NOT zero-knowledge encrypted, because a slice of each request reaches a frontier provider at inference, and we think you should know that. We route inference across a stack of frontier models, routed per task, and we bound costs and actions automatically. We do not claim perfection. We claim honest architecture.
The agents are already inside the perimeter. The question is whether you designed for that, or whether you are about to find out the hard way.
If you want to see how we handle these tradeoffs in practice, start a free 7-day trial, no card required.
Frequently Asked Questions
What is the OWASP Top 10 for Agentic Applications?
It's a framework released in late 2025 that catalogs ten risk categories (ASI01-ASI10) specific to autonomous AI agents, covering areas like planning, tool use, identity, memory, and inter-agent communication. Unlike the earlier LLM Top 10, it focuses on risks that emerge when agents plan, remember, and act across multiple steps without human approval.
Why does prompt injection map to six of the ten OWASP risk categories?
Prompt injection is an input-validation failure that can appear anywhere an agent consumes untrusted text, such as reading emails, retrieving documents, or passing data to other agents. This makes it a cross-cutting concern rather than a single vulnerability, and documented injection attempts against enterprise AI rose roughly 340% year-over-year by late 2025.
What makes memory poisoning more dangerous than regular prompt injection?
Prompt injection ends when a session closes, but memory poisoning plants instructions in an agent's persistent memory so they can trigger days or weeks later, described by researchers as 'Poison Once, Exploit Forever.' Techniques like AgentPoison and MINJA achieve attack success rates over 80% and 98.2% respectively, sometimes using only normal query access.
What is the 'lethal trifecta' and why can't filters solve it?
The lethal trifecta refers to an agent having private data access, exposure to untrusted content, and the ability to communicate externally all at once, which lets a single injected prompt cause data exfiltration. Since even the strongest published defenses still miss about one in ten optimized attacks, the fix must be architectural, separating data access from action-taking, rather than relying solely on filtering.
How does 'least agency' differ from the traditional 'least privilege' security model?
Least privilege controls what resources an identity can access, while least agency controls how much freedom an agent has to act on its own without checking back with a human, even if it technically has permission. This concept also applies to memory, meaning persistent memory should be scoped, time-boxed, and provenance-tagged rather than granted by default.
Sources & References
- OWASP Top 10 for Agentic Applications (2026) — Modulos Governance Guide | Modulos Docs
- OWASP Top 10 for Agentic Applications for 2026 - OWASP Gen AI Security Project
- OWASP Top 10 for Agentic Applications 2026: Security Guide
- OWASP Top 10 for Agentic Applications for 2026 - Practical DevSecOps
- 2026 OWASP GenAI Top 10 for Agentic Applications
- OWASP Top 10 for Agents 2026 | DeepTeam - The LLM Red Teaming Framework
- OWASP Top 10 for Agentic Applications 2026 Is Here – Why It Matters and How to Prepare - Palo Alto Networks Blog
- Lessons from OWASP Top 10 for Agentic Applications
- Prompt injection still drives most agentic AI security failures in production - Help Net Security
- Prompt Injection Attacks: The Hidden Security Crisis Threatening Every AI Agent You Deploy | AI Magicx Blog | AI Magicx
- AI agent security in 2026: stop prompt injection before agents act
- AI Agent Security Practices 2026: Prompt Injection, MCP Risks & Data Leaks - TechStoriess.com
- Prompt Injection: The #1 AI Threat in 2026 | Techglock Blog
- The Comprehensive Guide to Prompt Injection Attacks in 2026 | Sysdig
- Prompt Injection Attacks: Examples, Techniques, and Defence
- AI Agent Security Risks 2026: MCP, OpenClaw & Supply Chain
- AI Security in 2026: Prompt Injection, the Lethal Trifecta, and How to Defend
- Prompt Injection Statistics 2026: Hidden Risks Now • SQ Magazine
- AI Agent Memory Poisoning: Defense Guide 2026 | BeyondScale
- Memory poisoning in AI agents: exploits that wait – Christian Schneider
- Forensic Trajectory Signatures for Agent Memory Poisoning Detection
- Taxonomy and Consistency Analysis of Safety Benchmarks for AI Agents
- memory-poisoning · GitHub Topics · GitHub
- From Secure Agentic AI to Secure Agentic Web: Challenges, Threats, and Future Directions
- MemAudit: Post-hoc Auditing of Poisoned Agent Memory via Causal Attribution and Structural Anomaly Detection
- Plant, Persist, Trigger: Sleeper Attack on Large Language Model Agents
- MEMSAD: Gradient-Coupled Anomaly Detection for Memory Poisoning in Retrieval-Augmented Agents
- A Survey on Agentic Security: Applications, Threats and Defenses
- Four priorities for AI-powered identity and network access security in 2026 | Microsoft Security Blog
- 2026 Cybersecurity Predictions - Palo Alto Networks
- Agentic AI Security in 2026: How AI Agents Reshape SecOps
- Five Cybersecurity Predictions for 2026: Identity, AI, and the Collapse of Perimeter Thinking - SecurityWeek
- Your AI Agents Are Already Inside the Perimeter. Do You Know What They're Doing?
- Identity becomes the 2026 battleground as AI erases trust signals | feature | SC Media
- The State of Cloud and AI Security in 2026 | CSA
- Identity Is the New Perimeter: Securing People, Machines, and AI Agents -
- The Non-Human Identity Governance Vacuum – Lab Space
