The OWASP Top 10 for Agentic Applications (2026) names the ten ways autonomous agents fail. INTEGRITAS maps to every one — by construction, with proof, not policy.
ASI01–ASI10 titles per the OWASP GenAI Security Project. INTEGRITAS vectors & primitives are our published containment framework.
| OWASP | Agentic risk (2026) | INTEGRITAS vector | Primitive / control | How we close it |
|---|---|---|---|---|
| ASI01 | Agent Goal Hijack | Vector 04 — Intent | Intent Attestation (IA) | Live proof the agent's effective objective still matches its signed mandate. Drift = denial. This is the hijack-killer. |
| ASI02 | Tool Misuse & Exploitation | Vector 01 — Capability | Default-deny runtime + zero ambient authority | The agent can only ever name tools/actions explicitly granted in its mandate. An ungranted tool call is unsayable, not merely blocked. |
| ASI03 | Agent Identity & Privilege Abuse | Vector 02 — Identity | Quantum-Safe Identity (QID) | NIST hybrid post-quantum signatures bind every action to an unforgeable identity. No spoof, no clone, no silent privilege escalation. |
| ASI04 | Agentic Supply Chain Compromise | Vector 05 — Channel | Containment Fabric (CF) + SUPPLY-CHAIN-SENTINEL | Agents interoperate only through the fabric; our supply-chain agent watches npm/PyPI/Crates + .cursorrules/CLAUDE.md poisoning before it reaches the runtime. |
| ASI05 | Unexpected Code Execution | Vector 01 — Capability + blast-radius grading | Reversibility-graded action mediation | Destructive/irreversible operations are graded and quorum-gated; DROP DATABASE and SELECT 1 are not the same action. (We also ran the full CVE-2026-26030 sweep on ourselves: 0 findings.) |
| ASI06 | Memory & Context Poisoning | Vector 03 — State / Memory | Proof-of-Integrity (PoI) | Tamper-evident, cryptographically-attested state. An agent cannot rewrite its own history or smuggle a poisoned goal past the proof chain. |
| ASI07 | Insecure Inter-Agent Communication | Vector 05 — Channel | Containment Fabric (CF) + QID-authenticated messages | Every inter-agent message is authenticated and validated through the fabric. A spoofed instruction cannot mislead the swarm. |
| ASI08 | Cascading Agent Failures | Systemic lock — circuit breaker | Network-wide fail-safe halt | Correlated denials or a value-velocity spike trip a network-wide breaker until a human re-arms it. The flash-crash failure mode is contained by design. |
| ASI09 | Human-Agent Trust Exploitation | Vector 04 Intent + Vector 07 Accountability | Intent Attestation + Proof-of-Integrity | The agent cannot commit the org to actions outside its attested mandate, and every interaction is provable after the fact — no plausible-sounding rogue action slips through. |
| ASI10 | Rogue Agents | All 7 vectors — by construction | Economic Integrity (EI) + the full cage | Containment is structural, not advisory: staked collateral auto-slashed on violation, every vector locked, circuit breaker armed. A rogue agent is contained by mathematics, not trust. |
Source: OWASP Top 10 for Agentic Applications 2026 (ASI01–ASI10), OWASP GenAI Security Project, genai.owasp.org. This page maps an independent framework to our own controls; it is an INTEGRITAS capability claim, not an OWASP endorsement.
Don't take the mapping on faith — open the live red-team console and try to make an agent trip any of the ten. Watch each get blocked, with the proof chain intact.