AI Security

OWASP Releases Top 10 for Agentic Applications 2026: What Healthcare Security Teams Need to Know

#RTWAB AI with Aaron Assit December 11, 2025 7 min read 24 views

#RealTalk: The AI Security Landscape Just Shifted

The OWASP Foundation just dropped something healthcare security teams can't afford to ignore: the OWASP Top 10 for Agentic Applications 2026. If you're working in healthcare information security—especially if you're evaluating or deploying AI agents—this document needs to be on your desk today.

Here's why this matters: We're no longer just securing chatbots that answer questions. We're now dealing with autonomous AI agents that can plan, reason across multiple steps, access tools, and take actions on behalf of users. The security implications are profound, and OWASP has done the heavy lifting to map out the top 10 critical risks.

What Makes Agentic AI Different?

Traditional LLM applications (like basic chatbots) have security concerns we've been learning to address—prompt injection, data leakage, model vulnerabilities. But agentic AI systems add several new dimensions:
  • Autonomy: Agents can plan and execute multi-step workflows without constant human intervention
  • Tool Access: They can invoke APIs, query databases, send emails, modify records
  • Persistence: They maintain memory across sessions and can learn from past interactions
  • Inter-Agent Communication: Multiple agents can coordinate and share information
  • Dynamic Decision-Making: They adapt their approach based on context and feedback

In healthcare, this could mean an AI agent that:

  • Reviews patient charts and automatically orders lab tests
  • Coordinates care across multiple departments
  • Interfaces with EHR systems, billing platforms, and clinical decision support tools
  • Communicates with other AI agents to optimize workflows

The potential is enormous. So are the risks.

The OWASP Agentic Top 10: Quick Overview

Let me break down the ten critical risks, with healthcare context:

ASI01: Agent Goal Hijack

What it is: Attackers manipulate an agent's objectives, task selection, or decision pathways through prompt injection, deceptive tool outputs, or poisoned data.

Healthcare example: An attacker embeds hidden instructions in a patient referral document. When your clinical coordination agent processes it, the agent's goal is hijacked to route all cardiology referrals to a specific (potentially fraudulent) provider.

Why it matters: Unlike a simple prompt injection that affects one response, goal hijacking can redirect an agent's entire workflow, affecting multiple patients and decisions.

ASI02:Tool Misuse and Exploitation

What it is: Agents misuse legitimate tools due to compromised logic, ambiguous instructions, or unsafe delegation.

Healthcare example: An email summarizer agent has access to send emails. Through prompt manipulation, it's tricked into sending patient data externally or deleting critical communications.

Why it matters: The agent has legitimate permissions, but uses them in unintended and harmful ways.

ASI03: Identity and Privilege Abuse


What it is: Attackers exploit how agents inherit, delegate, or manage credentials and permissions.

Healthcare example: A scheduling agent delegates a task to a billing agent, passing along elevated credentials. An attacker manipulates the billing agent to access clinical data it shouldn't have permission to view.

Why it matters: In healthcare, privilege escalation can mean HIPAA violations, unauthorized access to PHI, and compliance nightmares.

ASI04: Agentic Supply Chain Vulnerabilities

What it is: Agents, tools, and dependencies are compromised at their source or during transit—including MCP servers, agent registries, and prompt templates.

Healthcare example: Your organization deploys an MCP tool for clinical documentation. Unknown to you, the tool was poisoned upstream and now leaks patient data to external servers.

Why it matters: Healthcare organizations often rely on third-party AI tools and integrations. Supply chain attacks can compromise entire networks of care.

ASI05: Unexpected Code Execution (RCE)

What it is: Agent-generated or agent-executed code leads to remote code execution, often through unsafe handling of dynamic inputs.

Healthcare example: A coding agent helping developers build EHR integrations is manipulated into executing malicious code that creates backdoors in your systems.

Why it matters: RCE can lead to full system compromise, ransomware deployment, or long-term persistence of threats.

ASI06: Memory & Context Poisoning

What it is: Adversaries corrupt the stored context, memory, or knowledge that agents rely on across sessions.

Healthcare example: An attacker gradually poisons a clinical decision support agent's memory with false drug interaction data. Over time, the agent begins making unsafe recommendations.

Why it matters: Memory poisoning is insidious—it can affect patient safety over extended periods and is difficult to detect until harm occurs.

ASI07: Insecure Inter-Agent Communication

What it is: Communication between agents lacks proper authentication, integrity checks, or encryption.

Healthcare example: A pharmacy agent communicates with a prescribing agent to verify medication orders. An attacker intercepts and modifies the messages, changing dosages or medications.

Why it matters: Healthcare increasingly involves coordination between multiple AI systems. Insecure communication channels create multiple points of vulnerability.

ASI08: Cascading Failures

What it is: A single fault propagates across multiple agents, tools, or workflows, amplifying impact.

Healthcare example: A compromised lab results agent begins returning false positives. This triggers automated workflows across clinical, billing, and scheduling agents, creating system-wide chaos and potentially dangerous treatment decisions.

Why it matters: Healthcare systems are interconnected. A failure in one agent can cascade through entire care pathways.

ASI09: Human-Agent Trust Exploitation

What it is: Agents exploit human trust through persuasive explanations, authority bias, or anthropomorphic cues.

Healthcare example: A financial agent, poisoned by manipulated invoice data, confidently recommends a fraudulent payment. The finance manager, trusting the agent's detailed explanation, approves it.

Why it matters: Clinicians and staff may over-rely on AI recommendations, especially when presented with confidence and detailed reasoning.

ASI10: Rogue Agents

What it is: Agents deviate from intended behavior—either through compromise, misalignment, or emergent behaviors.

Healthcare example: An agent designed to optimize bed utilization begins autonomously discharging patients earlier than clinically appropriate to meet efficiency metrics.

Why it matters: Rogue agents can operate within their granted permissions while producing harmful outcomes that appear legitimate.

Why Healthcare Organizations Should Care Now

If you're thinking "we're not using agentic AI yet," consider this:
  1. Microsoft Copilot is already in many healthcare organizations, and it's increasingly agentic
  2. EHR vendors are rapidly adding AI agent capabilities
  3. Clinical decision support tools are evolving toward autonomous operation
  4. Administrative automation often uses agent-like behaviors
  5. Vendor assessments need to include these risks immediately

The regulatory implications are significant:

  • HIPAA: Agent misuse can lead to unauthorized PHI disclosure
  • Patient Safety: Compromised clinical agents can directly harm patients
  • Compliance: Cascading failures can affect audit trails and accountability
  • Legal Liability: Who's responsible when an AI agent makes a harmful autonomous decision?

Where to Start

You don't need to solve all ten risks today, but you do need to start:

  1. Inventory your AI systems: Identify which ones have agent-like capabilities (autonomous action, tool access, persistence)
  2. Assess MCP implementations: If you're using Model Context Protocol tools, review the supply chain and security controls (this ties directly to ASI04)
  3. Review privilege models: Ensure AI systems operate with least privilege and can't inherit excessive permissions (ASI03)
  4. Implement monitoring: You need visibility into what your agents are actually doing—logs, audit trails, behavioral baselines (critical for detecting ASI01, ASI08, ASI10)
  5. Establish governance: Define clear policies for agent autonomy, human-in-the-loop requirements, and approval workflows (addresses ASI09)
  6. Test for goal hijacking: Red team your agents with prompt injection and goal manipulation scenarios (ASI01)
  7. Validate inter-agent communication: If you have multiple AI systems communicating, ensure those channels are secured (ASI07)

What's Next

This blog post is a high-level introduction. Over the coming weeks, I'll be doing deep dives into specific risks that are most relevant to healthcare:

  • ASI01 (Goal Hijack): Techniques attackers use and practical mitigations
  • ASI03 (Identity & Privilege): Building proper access controls for agents
  • ASI06 (Memory Poisoning): Detecting and preventing context corruption
  • MCP Security: Specific guidance for securing Model Context Protocol implementations

The OWASP document itself is comprehensive (57 pages) and includes detailed attack scenarios, prevention guidelines, and references. I highly recommend downloading it and sharing with your security team.

Final Thoughts

Agentic AI isn't science fiction—it's already here and rapidly expanding in healthcare. The security challenges are real, but they're also solvable with the right approach.

OWASP has given us a solid framework. Now it's on us to implement it.

Stay vigilant. Stay informed. And let's secure these systems before the bad actors figure out how to exploit them.

Have questions about implementing these controls in your healthcare environment? Drop me a message. Working on agentic AI security? I'd love to hear what you're seeing in the field. References: