Last week, Microsoft published the Agent Governance Toolkit — an open-source, MIT-licensed project that claims full coverage of all 10 OWASP Agentic AI risks with sub-millisecond policy enforcement. The GitHub repo hit 2,000 stars in 48 hours.
The signal isn't the toolkit. It's that a company shipping production agents at Fortune 500 scale decided the problem was urgent enough to build an enforcement layer from scratch and open-source it.
That's the moment a framework stops being a reading list.
OWASP published the Top 10 for Agentic Applications 2026 in December 2025 after two years of peer review by 100+ researchers. It's the first formal taxonomy of risks specific to autonomous agents — the systems that plan, act, and make decisions across multi-step workflows without a human in the loop on every action. And until now, most organizations treated it the way they treat OWASP Web Top 10 in 2003: read it, nod, continue shipping.
That era is ending. The McKinsey State of AI Trust 2026 report this February noted that 97% of enterprises expect a major AI agent security incident this year. The NIST AI Agent Standards Initiative launched in February with explicit intent to translate the OWASP taxonomy into auditable controls. Insurance underwriters are starting to ask about it.
So let's go through each risk — not as a reading exercise, but as an enforcement map.
The 10 Risks, and What Enforcement Actually Looks Like
ASI01 — Agent Goal Hijack
The top risk. An attacker manipulates what the agent is trying to accomplish — not just a single response, but the agent's objective, decision logic, or task selection. The classic vector is a crafted document in a RAG store that overwrites the system prompt. Real examples include EchoLeak, a zero-click attack that turned Microsoft 365 Copilot into an exfiltration engine by embedding instructions in a calendar invite.
What enforcement looks like: Policy-layer interception before every action execution. If an agent's action deviates from its declared intent class — verified at registration, not at runtime assertion — the action stops. This is not an LLM guardrail. It's a deterministic gate.
VeriSwarm Gate establishes intent classes and policy tiers at agent registration. Every subsequent action is scored against declared behavior. Deviation triggers a moderation decision. Guard runs goal-pattern scanning on tool call payloads and Vault logs the deviation for forensic audit.
ASI02 — Unauthorized Capability Acquisition
Agents that can acquire new tools, integrations, or permissions beyond what they were provisioned. Often happens through indirect prompt injection that convinces the agent to install a new plugin or request elevated OAuth scopes.
What enforcement looks like: Signed, versioned capability manifests. An agent can only use the tools it declared in its manifest at provisioning time. New capabilities require re-attestation.
VeriSwarm Passport covers this directly — signed manifests, delegations, and portable credentials make capability acquisition auditable and revocable.
ASI03 — Identity Spoofing and Impersonation
One agent pretending to be another. Critical in multi-agent architectures where Agent A trusts Agent B's output because "it said it was the orchestrator." The attack collapses entirely if identity is verified, not asserted.
What enforcement looks like: Cryptographic identity at the transport layer. An agent's identity must be verifiable by a third party, not just self-declared in a prompt.
VeriSwarm Passport issues Ed25519-signed agent credentials. Gate carries a trust score — if Agent B claims to be the orchestrator but has a trust score inconsistent with an orchestrator's event history, decisions fail fast.
ASI04 — Tool and Resource Misuse
Using legitimate tools outside their intended scope. A customer support agent that has access to a CRM making API calls to modify billing records it was never supposed to touch.
What enforcement looks like: Tool-level policy rules, not just agent-level. Each tool call should be evaluated independently against scope policy.
VeriSwarm Guard scans every tool call, evaluates against policy rules, and can block or transform before execution. The Guard Proxy mode — transparent interception between agent and MCP tool server — does this without any SDK changes.
ASI05 — Supply Chain Compromise
Malicious or tampered agent templates, plugins, or dependencies. An agent deployed from the marketplace that behaves differently than its published specification.
What enforcement looks like: Ed25519 signing of template exports, signature verification on import, and behavioral drift detection after deployment.
VeriSwarm Passport covers template signing. Gate continuous scoring detects behavioral drift post-deploy — if an agent's event patterns diverge from its template baseline, the score drops and policy tier can escalate.
ASI06 — Memory and Context Poisoning
Corrupting an agent's long-term memory, RAG store, or conversation context with malicious data so that future decisions are made on poisoned "facts." Unlike a single bad response, poisoned memory persists across sessions and users. The Gemini Memory Attack demonstrated this in early 2026 — a single injected document reshaped the assistant's behavior across all subsequent conversations in an organization.
What enforcement looks like: Vault-anchored context integrity. Every knowledge ingestion event is logged with a hash. Retrieval queries that pull from unverified context sources fail policy. Behavioral scoring detects gradual drift before it compounds.
VeriSwarm Vault creates an immutable, hash-chained audit trail of every context write. Knowledge Base documents carry an explicit is_verified_source flag — operators verify each source deliberately, and search_knowledge_base() returns a retrieval policy summary with the verified-vs-unverified chunk count so downstream policy can fail or warn on unverified retrieval. Guard's cross-model verification routes high-stakes responses through multiple LLMs and flags consensus breaks. Gate scoring trends flag the gradual drift pattern that makes memory poisoning hard to catch.
ASI07 — Cascading and Recursive Agent Failures
Multi-agent systems where a compromised or malfunctioning agent propagates bad outputs downstream. One rogue agent producing hallucinated tool results that three other agents trust as ground truth.
What enforcement looks like: Trust scoring at every inter-agent handoff. The output of Agent A should carry a trust signal before Agent B acts on it.
VeriSwarm's shared reputation system in Gate means trust scores are cross-tenant and transferable. Agents sending outputs to other agents include a trust attestation. Low-trust outputs fail the receiving agent's policy gate before execution.
ASI08 — Inadequate Human Oversight
Agents that escalate decisions to humans but do so in ways that overwhelm reviewers or obscure the actual stakes. Also: agents that classify decisions as low-risk to bypass review thresholds.
What enforcement looks like: Policy-enforced escalation with tamper-evident audit records. The decision to skip human review must itself be auditable.
VeriSwarm Vault records every moderation decision with full context. Gate policy tiers establish which decision classes require human review — the agent can't reclassify its own decision risk.
ASI09 — Insecure Inter-Agent Communication
Agents communicating over unencrypted channels, without message integrity, or using protocols that don't authenticate the sender. Man-in-the-middle attacks between agents are trivially feasible if transport security is treated as optional.
What enforcement looks like: Ed25519-signed messages at the transport layer. Every inter-agent message should be verifiable.
VeriSwarm's A2A transport layer supports Ed25519 inter-agent message signing. Agent cards in the A2A catalog include the x-veriswarm-transport extension that advertises signing capability.
ASI10 — Sensitive Information Disclosure
Agents leaking PII, API keys, internal system context, or proprietary data through tool outputs, logs, or inter-agent messages. A support agent that surfaces a customer's full SSN in a ticket comment because the CRM API returned it and the agent just relayed it.
What enforcement looks like: PII detection and tokenization at the payload level, before any output leaves the system.
VeriSwarm Guard uses Presidio NER for PII detection and tokenization on every tool call input and output. The Guard Proxy intercepts transparently — the agent never sees the raw PII, only a token it can reference but not expose.
The Architecture Pattern That Emerges
Reading the full list, a pattern becomes obvious: most OWASP Agentic risks are observability failures before they're security failures. You can't enforce what you can't see.
The enforcement architecture that addresses the full Top 10 consistently has five layers:
- Identity at provisioning — cryptographic identity before the first action, not a name in a prompt
- Behavioral baseline — what does this agent normally do, scored continuously
- Policy gate at action time — deterministic evaluation before every tool call
- Context integrity — hash-anchored memory and audit trails
- Trust propagation — scores that follow agents across system boundaries
This isn't a checklist you can buy in one product. It's an architecture. The interesting question in 2026 is which piece of the stack you own versus which you delegate to infrastructure.
Why This Matters Right Now
Cisco's RSA 2026 announcements established trusted agent identities and Zero Trust enforcement as a product category. Microsoft's Agent Governance Toolkit is open-source enforcement for teams building on .NET and Python. NIST is translating the OWASP taxonomy into auditable controls. Insurance underwriters are asking about it.
The organizations that end up ahead aren't the ones that read the OWASP list first. They're the ones that operationalize it fastest — with observability wired in before the incident, not after.
VeriSwarm covers all 10 OWASP Agentic AI risks across Gate, Guard, Passport, and Vault. See the full compliance attestation at veriswarm.ai — or check the OWASP attestation endpoint at /v1/compliance/owasp-agentic-ai if you're already integrated.