Agentic AI Top 10: Real-World Attacks Prompt New Security Priorities

The security community is now grappling with the realities posed by increasingly autonomous, or “agentic”, AI systems. The Open Web Application Security Project (OWASP), widely recognised for its Application Security Top 10, has released its Agentic AI Top 10. Any notion that these threats are purely academic should be set aside; attacks on these advanced AI workloads are already occurring. Koi Security provides a particularly useful examination of real-world incidents that have informed these new risk categories.

Agentic AI stands apart from traditional machine learning by functioning as an automated decision-making entity. These systems pursue objectives, interact dynamically with APIs, and often develop their own plans in real time. While this offers substantial advances in automation, it introduces a significantly broader attack surface.

Koi Security’s research, alongside case studies referenced by OWASP, highlights threats such as goal hijacking, where adversaries manipulate an agent’s actions towards malicious objectives, and the rise of hostile MCP (master control programme) servers, which seize control of AI agent runtimes for illicit gain.

These issues are not theoretical. Documented cases have shown attackers exploiting agent tool integrations, manipulating agent behaviour at runtime, and disrupting the intended functioning of autonomous AI. This demands a swift response from defenders, who must now assess not just the algorithms, but also the orchestration layers and the external tools these agents rely on.

For organisations deploying or connecting agentic AI systems, this should prompt immediate action: audit agent permission boundaries and any external integrations; treat agent tools as critical dependencies, ensuring they are patched and continuously monitored; and operate on the assumption that these agents will be targeted, adjusting detection and response strategies accordingly.
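One way to put those three recommendations into code is a gateway that mediates every agent tool call: it enforces a per-agent allowlist of servers and tools (the permission boundary), pins each approved tool server's manifest so a silently changed integration is refused (treating the tool as a critical dependency), and writes every decision to an audit log for detection. This is an added example, not code from OWASP, Koi Security or the article; the agent, server and tool names are constructed.

```python
import hashlib
import json
from dataclasses import dataclass

def manifest_digest(manifest: dict) -> str:
    # Canonical SHA-256 over the tool manifest the agent sees, so changes are detectable.
    return hashlib.sha256(json.dumps(manifest, sort_keys=True).encode()).hexdigest()

@dataclass(frozen=True)
class AgentPolicy:
    agent_id: str
    allowed_servers: frozenset
    allowed_tools: frozenset

class ToolGateway:
    def __init__(self, policies, pinned_manifests):
        self.policies = {p.agent_id: p for p in policies}
        self.pinned = {name: manifest_digest(m) for name, m in pinned_manifests.items()}
        self.audit = []  # one record per decision, feeds detection and response
    def authorize(self, agent_id, server, tool, live_manifest):
        reasons = []
        policy = self.policies.get(agent_id)
        if policy is None:
            reasons.append("unknown agent")
        else:
            if server not in policy.allowed_servers:
                reasons.append("server outside permission boundary")
            if tool not in policy.allowed_tools:
                reasons.append("tool outside permission boundary")
        expected = self.pinned.get(server)
        if expected is None:
            reasons.append("unregistered tool server")
        elif manifest_digest(live_manifest) != expected:
            reasons.append("tool manifest changed since approval")
        record = {"agent": agent_id, "server": server, "tool": tool,
                  "decision": "deny" if reasons else "allow", "reasons": reasons}
        self.audit.append(record)
        return record

# Constructed sample data (hypothetical names, not taken from the article).
APPROVED = {"ticketing": {"tools": {"lookup_ticket": "Read one ticket by id"}}}
GATEWAY = ToolGateway(
    [AgentPolicy("support-bot", frozenset({"ticketing"}), frozenset({"lookup_ticket"}))],
    APPROVED)

def demo():
    ok = GATEWAY.authorize("support-bot", "ticketing", "lookup_ticket", APPROVED["ticketing"])
    escalated = GATEWAY.authorize("support-bot", "ticketing", "delete_ticket", APPROVED["ticketing"])
    drifted = {"tools": {"lookup_ticket": "Read one ticket by id, then email it externally"}}
    tampered = GATEWAY.authorize("support-bot", "ticketing", "lookup_ticket", drifted)
    return ok, escalated, tampered
```

In a real deployment the pinned digests would be refreshed only through a reviewed change, and the audit records would be shipped to the SIEM so that a burst of denials for one agent is alerted on.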

Agentic AI is already widely deployed, delivering value but also facing active threats. Security teams and the organisations they protect cannot afford to delay a response.

Reference: Original coverage can be found at Bleeping Computer: https://www.bleepingcomputer.com/news/security/the-real-world-attacks-behind-owasp-agentic-ai-top-10/