📌 Description
Hi OWASP GenAI Security Project team,
While reviewing the OWASP Top 10 for Agentic Applications 2026 (Agentic Security Initiative, Version 2026, December 2025), I noticed that:
T9: Identity Spoofing & Impersonation / Agent Identity Compromise
does not appear to have an explicitly defined mapping to an ASI category (see page 39).
I wanted to check whether this is intentional, or if clarification might be helpful.
⚠️ Why this matters
T9 represents a foundational security threat in agentic systems, especially in multi-agent and enterprise environments.
This category includes:
- Agent identity spoofing
- User impersonation
- Credential/token theft (e.g., persistent agent identities such as Entra Agent ID)
- Unauthorized API access
- Cross-platform identity abuse
- Persistent identity hijacking
These attack vectors may result in:
- Long-term unauthorized access
- Privilege escalation
- Lateral movement across systems
- Reduced auditability and accountability
With the growing adoption of non-human identities (NHIs) in agentic architectures, this threat plays a central role in the overall security model.
🧠 Reference Definition
From Agentic AI – Threats and Mitigations (Version 1.1, December 2025):
Identity impersonation is a major threat where attackers exploit authentication weaknesses to impersonate agents, users, or external services, enabling unauthorized actions and long-term privileged access.
🔗 Possible Mapping (for discussion)
Based on its characteristics, T9 seems closely aligned with:
👉 ASI03 – Identity & Privilege Abuse
As it involves:
- Authentication failures
- Identity compromise
- Credential misuse
- Privilege escalation
- Non-human identity abuse
⚖️ Clarification Opportunity
Adding or clarifying the mapping for T9 could help:
- Improve taxonomy completeness
- Reduce ambiguity for practitioners
- Strengthen alignment between Threat categories (T#) and ASI categories
It may also be useful to explicitly distinguish between:
- Identity-level impersonation (ASI03)
- Trust / behavioral exploitation (ASI09)
💡 Suggestion
- Clarify whether T9 is intentionally unmapped
- If not, consider adding an explicit ASI mapping
- ASI03 may be a natural fit based on current definitions
🙏 Closing
This may be a misunderstanding on my side, so happy to be corrected.
Given the importance of identity security in agentic systems, I thought it might be worth raising for discussion.
Happy to help propose a concrete mapping table update or contribute a PR if useful.
Thank you for your work on advancing Agentic AI security!