Security Attestation

OWASP Agentic AI Top 10

The OWASP Top 10 for Agentic Applications (2026) defines the most critical security risks for AI agent systems. Here’s how VeriSwarm maps to each one.

10/10

Risks Covered

Partial

On Roadmap

ASI01

Prompt Injection & Goal Hijacking

CoveredGuard

Attackers manipulate agent behavior through crafted prompts that override system instructions.

DeBERTa ML classifier for semantic injection detection
Structural analysis (delimiter collisions, encoding smuggling)
Guard Proxy runtime interception on all MCP tool calls
SOUL security scanning on agent templates

ASI02

Tool Misuse & Poisoning

CoveredGuard + Guard Proxy

Agents invoke tools in unintended ways or use tools with hidden malicious instructions.

Guard Proxy transparent MCP interception
Tool permission allowlists and denylists
PII tokenization on every tool call (Presidio NER)
Schema validation on tool inputs/outputs

ASI03

Excessive Agency & Privilege

CoveredGate + Passport

Agents operate with more authority than required, enabling privilege escalation.

4-axis trust scoring (identity, risk, reliability, autonomy)
Policy tier enforcement (tier_x through tier_3)
Passport delegations with scoped permissions
Kill switch for immediate agent disable

ASI04

Supply Chain & Plugin Risks

CoveredGuard + Marketplace

Compromised or malicious third-party components are introduced into agent workflows.

SOUL security scanning (injection, bypass, content moderation)
Agent template marketplace with tenant isolation
Guard Proxy schema validation on tool definitions

ASI05

Prompt & Data Leakage

CoveredGuard

Sensitive data (PII, credentials, system prompts) leaks through agent inputs or outputs.

PII tokenization via Presidio NER (Guard)
Field masking in transformation pipeline
Credential pattern detection (API keys, bearer tokens)
Prompt compression strips sensitive context

ASI06

Memory Poisoning

CoveredGuard

Adversaries corrupt agent memory or context to influence future decisions.

Cross-model verification (route through multiple LLMs)
Majority consensus voting with configurable threshold
Vault-logged verification results for audit trail
Per-request or per-tenant verification model configuration

ASI07

Insecure Inter-Agent Communication

CoveredA2A + Passport

Agent-to-agent messages are intercepted, spoofed, or tampered with.

A2A trust-ranked agent catalog
Agent cards with x-veriswarm-trust extension
Portable ES256 JWT credentials with 1-hour TTL
JWKS endpoint for public key verification

ASI08

Cascading Hallucination Failures

CoveredCortex + Guard

Errors in one agent propagate through multi-agent systems causing widespread failures.

Kill switch for immediate agent disable
LLM fallback chains with provider health tracking
Cortex Workflows DAG execution with budget enforcement
Circuit-based workflow error handling

ASI09

Insufficient Human Oversight

CoveredWorkflows

Agents make high-stakes decisions without human review or escalation paths.

human_review workflow step type
Human escalation service with configurable triggers
Approval gates in workflow DAGs
Audit trail of all human decisions in Vault

ASI10

Insufficient Logging & Monitoring

CoveredVault

Agent actions are not recorded, making incident response and forensics impossible.

Hash-chained immutable audit ledger (Vault)
Chain verification for tamper detection
Audit exports (JSON, CSV)
Guard scan finding records with severity tracking

Get your tenant attestation report

The /v1/compliance/owasp-attestation endpoint returns a per-tenant report with your specific coverage status, evidence counts, and upgrade recommendations.

Read the Docs Start Free

Security Attestation

OWASP Agentic AI Top 10

The OWASP Top 10 for Agentic Applications (2026) defines the most critical security risks for AI agent systems. Here’s how VeriSwarm maps to each one.

10/10

Risks Covered

Partial

On Roadmap

ASI01

Prompt Injection & Goal Hijacking

CoveredGuard

Attackers manipulate agent behavior through crafted prompts that override system instructions.

DeBERTa ML classifier for semantic injection detection
Structural analysis (delimiter collisions, encoding smuggling)
Guard Proxy runtime interception on all MCP tool calls
SOUL security scanning on agent templates

ASI02

Tool Misuse & Poisoning

CoveredGuard + Guard Proxy

Agents invoke tools in unintended ways or use tools with hidden malicious instructions.

Guard Proxy transparent MCP interception
Tool permission allowlists and denylists
PII tokenization on every tool call (Presidio NER)
Schema validation on tool inputs/outputs

ASI03

Excessive Agency & Privilege

CoveredGate + Passport

Agents operate with more authority than required, enabling privilege escalation.

4-axis trust scoring (identity, risk, reliability, autonomy)
Policy tier enforcement (tier_x through tier_3)
Passport delegations with scoped permissions
Kill switch for immediate agent disable

ASI04

Supply Chain & Plugin Risks

CoveredGuard + Marketplace

Compromised or malicious third-party components are introduced into agent workflows.

SOUL security scanning (injection, bypass, content moderation)
Agent template marketplace with tenant isolation
Guard Proxy schema validation on tool definitions

ASI05

Prompt & Data Leakage

CoveredGuard

Sensitive data (PII, credentials, system prompts) leaks through agent inputs or outputs.

PII tokenization via Presidio NER (Guard)
Field masking in transformation pipeline
Credential pattern detection (API keys, bearer tokens)
Prompt compression strips sensitive context

ASI06

Memory Poisoning

CoveredGuard

Adversaries corrupt agent memory or context to influence future decisions.

Cross-model verification (route through multiple LLMs)
Majority consensus voting with configurable threshold
Vault-logged verification results for audit trail
Per-request or per-tenant verification model configuration

ASI07

Insecure Inter-Agent Communication

CoveredA2A + Passport

Agent-to-agent messages are intercepted, spoofed, or tampered with.

A2A trust-ranked agent catalog
Agent cards with x-veriswarm-trust extension
Portable ES256 JWT credentials with 1-hour TTL
JWKS endpoint for public key verification

ASI08

Cascading Hallucination Failures

CoveredCortex + Guard

Errors in one agent propagate through multi-agent systems causing widespread failures.

Kill switch for immediate agent disable
LLM fallback chains with provider health tracking
Cortex Workflows DAG execution with budget enforcement
Circuit-based workflow error handling

ASI09

Insufficient Human Oversight

CoveredWorkflows

Agents make high-stakes decisions without human review or escalation paths.

human_review workflow step type
Human escalation service with configurable triggers
Approval gates in workflow DAGs
Audit trail of all human decisions in Vault

ASI10

Insufficient Logging & Monitoring

CoveredVault

Agent actions are not recorded, making incident response and forensics impossible.

Hash-chained immutable audit ledger (Vault)
Chain verification for tamper detection
Audit exports (JSON, CSV)
Guard scan finding records with severity tracking

Get your tenant attestation report

The /v1/compliance/owasp-attestation endpoint returns a per-tenant report with your specific coverage status, evidence counts, and upgrade recommendations.

Read the Docs Start Free