OWASP's Agentic Top 10 Names Identity Abuse a Core Risk

NHI & AI · OWASP GenAI Security Project · Dec 2025
ASI03

The OWASP GenAI Security Project's Top 10 for Agentic Applications gives autonomous AI agents a dedicated security benchmark. Identity and Privilege Abuse (ASI03), driven by credential leakage that expands an agent's scope, is named a top category.

Key Finding

ASI03 Identity and Privilege Abuse covers credential leakage that lets an agent operate beyond its intended scope, putting identity at the centre of agentic security rather than at the edge.

On 9 December 2025, the OWASP GenAI Security Project published its Top 10 for Agentic Applications, positioning it as a "north star" benchmark for securing autonomous AI agents. The list sits alongside OWASP's earlier work on LLM and non-human identity risk, but its focus is agents that plan, act, and call tools on their own. Among the top categories is ASI03, Identity and Privilege Abuse: credential leakage that enables an agent to operate with expanded scope beyond what it was meant to have.

That an agentic security benchmark puts identity and privilege near the top, rather than treating it as an infrastructure footnote, confirms a pattern we keep seeing. The interesting failure mode for an autonomous agent is rarely the model saying something wrong. It is the agent acting with credentials it should not hold, or holding credentials that leak and let an attacker inherit the agent's reach. An agent is, functionally, a credential with initiative. Whatever it can authenticate as, it can act as, and at machine speed.

ASI03 connects directly to the rest of the identity story. The credential leakage it describes is the same long-lived-secret and over-privileged-NHI problem that OWASP's Non-Human Identities Top 10 already ranks, now amplified because an agent can chain that access into autonomous, multi-step action and even spawn sub-agents that inherit it. The taxonomy is new; the underlying weakness, leaked or excessive credentials, is the oldest identity problem there is.

Our perspective is that the agentic Top 10 should be read as a forcing function to design agent identity properly before agents are in production, not after an incident. Concretely: agents authenticate with short-lived, narrowly scoped, attributable credentials rather than embedded static keys; privilege is bounded per task and not carried across tasks; credential issuance for agents flows through the same governed broker as any other identity; and tool and API calls made by an agent are logged against the agent's identity for audit. OWASP naming Identity and Privilege Abuse a core agentic risk is the standards community confirming what identity architecture has to deliver. The agent is only as safe as the credential behind it, and the credential is an architecture decision.
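The four properties above can be shown in a few lines. This is an added example, not code from OWASP or from this article: a broker mints a short-lived credential bound to one agent, one task and a scope set, and a tool gateway enforces those bounds and logs every decision against the agent. The names `issue`, `authorize`, `BROKER_KEY` and `AUDIT_LOG`, the HMAC token format, and the agent, task and tool values are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

BROKER_KEY = b"constructed-demo-key"  # constructed value; assumption: a real broker keeps this in a KMS
AUDIT_LOG = []                        # hypothetical stand-in for an append-only audit sink

def _sign(body: bytes) -> bytes:
    return hmac.new(BROKER_KEY, body, hashlib.sha256).hexdigest().encode()

def issue(agent_id, task_id, scopes, ttl=300, now=None):
    """Broker side: mint a credential bound to one agent, one task, a scope set and an expiry."""
    now = time.time() if now is None else now
    claims = {"agent": agent_id, "task": task_id, "scopes": sorted(scopes), "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (body + b"." + _sign(body)).decode()

def authorize(token, task_id, tool, now=None):
    """Tool gateway side: verify the credential, enforce its bounds, log against the agent."""
    now = time.time() if now is None else now
    agent, decision = "unknown", "deny:bad_signature"
    body, _, sig = token.encode().partition(b".")
    if hmac.compare_digest(_sign(body), sig):  # claims are parsed only after this passes
        claims = json.loads(base64.urlsafe_b64decode(body))
        agent = claims["agent"]
        if now >= claims["exp"]:
            decision = "deny:expired"          # short-lived: a leaked token ages out
        elif claims["task"] != task_id:
            decision = "deny:wrong_task"       # privilege is not carried across tasks
        elif tool not in claims["scopes"]:
            decision = "deny:out_of_scope"     # narrowly scoped: only the tools granted
        else:
            decision = "allow"
    # Denials are logged too, so out-of-scope attempts are attributable to an agent.
    AUDIT_LOG.append({"ts": now, "agent": agent, "task": task_id,
                      "tool": tool, "decision": decision})
    return decision == "allow"

if __name__ == "__main__":
    tok = issue("agent-7", "task-A", ["tickets:read"], ttl=300, now=1000.0)  # constructed sample
    authorize(tok, "task-A", "tickets:read", now=1100.0)    # in scope, same task, unexpired
    authorize(tok, "task-A", "tickets:delete", now=1100.0)  # scope was never granted
    authorize(tok, "task-B", "tickets:read", now=1100.0)    # credential reused in another task
    authorize(tok, "task-A", "tickets:read", now=1300.0)    # past expiry
    for entry in AUDIT_LOG:
        print(entry)
```

The denial entries in the audit log are the detection signal: an agent repeatedly hitting `deny:out_of_scope` or `deny:wrong_task` is attempting actions its credential was never issued for.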
