# OWASP Agentic AI Top 10 — EU AI Act Controls Checklist

A practical controls checklist organized by the OWASP Agentic Security Initiative (ASI) Top 10. Every control cites the EU AI Act article it satisfies and the evidence artifact it produces in the KLA Control Plane (Evidence Room).

**Sources**: OWASP Top 10 for Agentic Applications 2026 (published 2025-12-09); Regulation (EU) 2024/1689 (EU AI Act).

**High-risk deadline**: August 2, 2026 (Regulation (EU) 2024/1689, Art. 113).

---

## ASI01 — Agent Goal Hijack

- [ ] Input/output filtering with prompt-injection detection deployed on all external content — satisfies Article 15 (cybersecurity); produces detection-engine test report for the Article 9 risk register.
- [ ] Strict system-prompt isolation with instruction-hierarchy enforcement — satisfies Article 9 (design mitigation); produces hierarchy-enforcement unit test log.
- [ ] Behavioral anomaly monitoring with automated alert routing to the Decision Desk — satisfies Article 14 (human oversight); produces Assurance Alert history.
- [ ] External content tagged as untrusted by default in every tool-calling path — satisfies Article 9; produces Tool Catalog policy record.
- [ ] Prompt-injection red-team exercise completed in the last 90 days — satisfies Article 9(6) (testing before market placement); produces red-team report in Evidence Room.

## ASI02 — Tool Misuse and Exploitation

- [ ] Least-privilege tool scoping with explicit allowlists per agent role — satisfies Article 9 (design risk reduction); produces Tool Catalog scope record.
- [ ] Tool argument validation and sanitization on every invocation — satisfies Article 15 (robustness); produces argument-validation test report.
- [ ] Mandatory human approval for destructive operations (database writes, financial transactions, file deletes) — satisfies Article 14 (human oversight); produces Decision Desk approval log.
- [ ] Complete tool-call logging with parameters, caller identity, and result — satisfies Article 12 (automatic logging); produces Lineage Records in Evidence Room.
- [ ] Combined-application risk assessment covering every registered tool — satisfies Article 9(3); produces Risk Register entry.
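
The five ASI02 controls above meet at one place: the gate in front of every tool invocation. The following added example (not code from the page or from the KLA Control Plane) shows one way to compose them; the Tool Catalog entries, role names, argument patterns and the `approvals` set are constructed for the illustration.

```python
"""Tool-call policy gate for the ASI02 controls: per-role allowlist, argument validation,
human-approval hold for destructive operations, and a lineage record per decision.
Added illustration; Tool Catalog / Decision Desk names are labels, not the KLA API."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib, json, re, uuid

# Constructed Tool Catalog: allowed roles, destructive flag, and a full-match pattern per argument.
TOOL_CATALOG = {
    "search_docs": {"roles": {"analyst", "reviewer"}, "destructive": False,
                    "schema": {"query": r"[\w\s.?-]{1,200}"}},
    "delete_file": {"roles": {"operator"}, "destructive": True,
                    "schema": {"path": r"/workspace/[\w-]+(\.[\w-]+)?"}},
    "transfer_funds": {"roles": {"treasury"}, "destructive": True,
                       "schema": {"iban": r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}",
                                  "amount": r"\d{1,9}(\.\d{1,2})?"}},
}

@dataclass
class Decision:
    status: str                  # "allowed" | "denied" | "pending_approval"
    reason: str
    lineage: dict = field(default_factory=dict)   # the Lineage Record for the Evidence Room

def approval_key(agent_id: str, tool: str, args: dict) -> str:
    """Fingerprint one exact request so a Decision Desk approval cannot be reused for another."""
    canon = json.dumps({"agent": agent_id, "tool": tool, "args": args}, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()

def gate_tool_call(agent_id: str, role: str, tool: str, args: dict, approvals: set) -> Decision:
    record = {"call_id": uuid.uuid4().hex, "ts": datetime.now(timezone.utc).isoformat(),
              "agent": agent_id, "role": role, "tool": tool, "args": args}
    def decide(status: str, reason: str) -> Decision:
        record.update(status=status, reason=reason)
        return Decision(status, reason, record)
    spec = TOOL_CATALOG.get(tool)
    if spec is None or role not in spec["roles"]:
        return decide("denied", "tool not in role allowlist")
    # Only declared arguments, each a string matching its whole pattern; nothing passes through.
    if set(args) - set(spec["schema"]):
        return decide("denied", "undeclared argument")
    for name, pattern in spec["schema"].items():
        value = args.get(name)
        if not isinstance(value, str) or not re.fullmatch(pattern, value):
            return decide("denied", f"argument {name!r} failed validation")
    # Destructive operations hold until a human approval bound to this exact request exists.
    if spec["destructive"] and approval_key(agent_id, tool, args) not in approvals:
        return decide("pending_approval", "awaiting Decision Desk approval")
    return decide("allowed", "policy satisfied")
```

Every `Decision` carries its record regardless of outcome, so denials and holds are logged with the same caller identity and parameters as successful calls.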

## ASI03 — Identity and Privilege Abuse

- [ ] Agent-specific identity management with short-lived, scoped credentials — satisfies Article 15 (cybersecurity); produces Secrets Vault rotation log.
- [ ] Zero-trust architecture between agents (no implicit inheritance) — satisfies Article 9 (design mitigation); produces Agent Registry trust-boundary record.
- [ ] Credential rotation on every session boundary plus audit trail — satisfies Article 12; produces credential-rotation audit trail.
- [ ] Deployer assigns a named, competent human oversight role for credential management — satisfies Article 26(2); produces oversight-assignment record.
- [ ] Detection of privilege-escalation patterns feeding Assurance Center alerts — satisfies Article 15(5); produces escalation-detection incident report.

## ASI04 — Agentic Supply Chain Vulnerabilities

- [ ] MCP server verification before connection (signature, identity, pinned version) — satisfies Article 17(1)(l) (supply-chain management); produces Provider Hub verification record.
- [ ] Software bill of materials (SBOM) for every agent, tool, and model artifact — satisfies Annex IV (documentation); produces SBOM in Evidence Room.
- [ ] Dependency pinning to known-good versions with runtime integrity monitoring — satisfies Article 9 (lifecycle risk management); produces integrity-monitor log.
- [ ] Signed AgentCards required for all remote agents — satisfies Article 17; produces signed AgentCard in Agent Registry.
- [ ] Continuous monitoring for upstream definition changes post-approval — satisfies Article 9 (continuous risk management); produces upstream-change alert history.

## ASI05 — Unexpected Code Execution

- [ ] Sandboxed execution environments with strict CPU, memory, filesystem, and network limits — satisfies Article 15 (fail-safe); produces sandbox execution log.
- [ ] Human approval gate for code touching databases, APIs, or filesystems — satisfies Article 14 (intervention); produces Decision Desk approval record.
- [ ] Auto-run and auto-approve features disabled by default in all IDE integrations — satisfies Article 9 (risk reduction); produces configuration audit record.
- [ ] Execution logging with full code capture plus result provenance — satisfies Article 12; produces Lineage Records of code executions.
- [ ] Pre-deployment testing against "prior-defined metrics and probabilistic thresholds" for code-execution boundaries — satisfies Article 9(6); produces code-execution test report.

## ASI06 — Memory and Context Poisoning

- [ ] Data provenance (source, timestamp, trust score) recorded on every memory write — satisfies Article 10 (data governance); produces data-provenance log.
- [ ] Feedback-loop prevention controls on post-deployment learning paths — satisfies Article 15 (feedback-loop clause); produces feedback-loop control evidence.
- [ ] Memory integrity checks and anomaly detection on RAG stores — satisfies Article 9 (monitoring); produces integrity-check alerts.
- [ ] Memory expiration policies for sensitive contexts — satisfies Article 10(3); produces memory-expiration policy record.
- [ ] Quality criteria for RAG training, validation, and test datasets documented in Annex IV — satisfies Article 10(2); produces Annex IV data-governance section.
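
The ASI06 controls for provenance, integrity checking and expiration are easiest to see on a single memory write/read path. The following is an added example, not code from the page or the KLA Control Plane; the source classes, trust scores, TTL and sealing key are constructed policy values.

```python
"""Memory write/read path for the ASI06 controls: every write carries provenance (source,
timestamp, trust score), entries are HMAC-sealed so tampering is caught on read, and
sensitive contexts expire. Added illustration, not KLA Control Plane code; the trust
scores, TTL and key below are constructed policy values."""
import hashlib, hmac, json

SEAL_KEY = b"constructed-demo-key"                 # constructed; use a vault-managed key in practice
SOURCE_TRUST = {"operator": 1.0, "internal_doc": 0.8, "tool_result": 0.5, "web": 0.2}
SENSITIVE_TTL_S = 3600                             # sensitive contexts expire after one hour

def seal(fields: dict) -> str:
    """HMAC over the canonical JSON of an entry's provenance and content."""
    canon = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(SEAL_KEY, canon, hashlib.sha256).hexdigest()

class AgentMemory:
    def __init__(self):
        self._store = {}          # key -> {"fields": {...}, "seal": hex}
        self.alerts = []          # integrity-check alerts for the Assurance Center

    def write(self, key: str, text: str, source: str, now: float, sensitive: bool = False):
        if source not in SOURCE_TRUST:
            raise ValueError(f"unknown source {source!r}: provenance is mandatory on write")
        fields = {"key": key, "text": text, "source": source, "ts": now,
                  "trust": SOURCE_TRUST[source], "sensitive": sensitive}
        self._store[key] = {"fields": fields, "seal": seal(fields)}

    def read(self, key: str, now: float, min_trust: float = 0.5):
        rec = self._store.get(key)
        if rec is None:
            return None
        f = rec["fields"]
        if not hmac.compare_digest(seal(f), rec["seal"]):
            self.alerts.append(f"integrity failure on {key!r} (source={f['source']})")
            del self._store[key]                     # quarantine the tampered entry
            return None
        if f["sensitive"] and now - f["ts"] > SENSITIVE_TTL_S:
            del self._store[key]                     # expired sensitive context is purged
            return None
        if f["trust"] < min_trust:
            return None                              # low-trust memory never reaches the prompt silently
        return f
```

Readers that need web-sourced memory pass an explicit lower `min_trust`, which makes the trust decision visible in code review rather than implicit in the store.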

## ASI07 — Insecure Inter-Agent Communication

- [ ] Authenticated, encrypted A2A channels with message integrity verification — satisfies Article 15 (cybersecurity); produces mTLS and signature audit record.
- [ ] Cryptographically signed AgentCards for every remote agent — satisfies Article 17 (QMS); produces signed AgentCard in Agent Registry.
- [ ] Complete inter-agent message logging with sender and receiver identity — satisfies Article 12; produces inter-agent Lineage Records.
- [ ] Multi-agent interaction risk assessment for every federated workflow — satisfies Article 9(3) (combined application); produces federated-workflow risk entry.
- [ ] Session-smuggling detection on multi-turn A2A conversations — satisfies Article 15(5); produces session-anomaly alert history.

## ASI08 — Cascading Failures

- [ ] Circuit breakers between agent workflows with blast-radius caps — satisfies Article 15 (fail-safe); produces circuit-breaker test report.
- [ ] Digital twin testing of cascading scenarios before rollout — satisfies Article 9(6) (pre-market testing); produces cascade test report.
- [ ] Deep observability into inter-agent communication with correlation IDs — satisfies Article 12 and Article 26(5); produces Assurance Center trace index.
- [ ] Incident response procedure covering multi-agent cascade containment — satisfies Article 17 and Article 73; produces incident response plan in Evidence Room.
- [ ] Blast-radius budget per workflow documented and enforced at runtime — satisfies Article 9(3); produces blast-radius policy record.
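
A circuit breaker that also enforces the per-workflow blast-radius budget, keyed by correlation ID so the trace index and the budget share one identifier, is an added example here (not code from the page or the KLA Control Plane). Policy values, agent names and the injectable clock are constructed for the illustration.

```python
"""Circuit breaker with a per-workflow blast-radius budget, for the ASI08 controls.
Added illustration, not KLA Control Plane code. Each workflow run (its correlation ID) may
fan out to at most `max_fanout` downstream agents; repeated failures open the breaker."""
from dataclasses import dataclass, field
from typing import Callable
import time

@dataclass
class BlastRadiusPolicy:
    max_fanout: int        # distinct downstream agents one workflow run may reach
    max_failures: int      # consecutive failures before the breaker opens
    cooldown_s: float      # seconds the breaker stays open before a single half-open probe

@dataclass
class CircuitBreaker:
    policy: BlastRadiusPolicy
    clock: Callable[[], float] = time.monotonic   # injectable for deterministic tests
    state: str = "closed"                          # "closed" | "open" | "half_open"
    failures: int = 0
    opened_at: float = 0.0
    reached: dict = field(default_factory=dict)    # correlation_id -> set of downstream agents
    events: list = field(default_factory=list)     # trace entries for the Assurance Center index

    def allow(self, correlation_id: str, downstream: str) -> tuple[bool, str]:
        """Decide whether this workflow run may dispatch to `downstream` right now."""
        if self.state == "half_open":
            return self._log(correlation_id, downstream, False, "half-open probe in flight")
        if self.state == "open" and self.clock() - self.opened_at < self.policy.cooldown_s:
            return self._log(correlation_id, downstream, False, "breaker open")
        fanout = self.reached.setdefault(correlation_id, set())
        if downstream not in fanout and len(fanout) >= self.policy.max_fanout:
            return self._log(correlation_id, downstream, False, "blast-radius budget exhausted")
        if self.state == "open":
            self.state = "half_open"               # cooldown elapsed: this dispatch is the one probe
        fanout.add(downstream)
        return self._log(correlation_id, downstream, True, "dispatch")

    def record(self, success: bool) -> str:
        """Report the outcome of a dispatched call; returns the new breaker state."""
        if success:
            self.failures, self.state = 0, "closed"
        else:
            self.failures += 1
            if self.state == "half_open" or self.failures >= self.policy.max_failures:
                self.state, self.opened_at = "open", self.clock()
        return self.state

    def _log(self, cid: str, downstream: str, ok: bool, reason: str) -> tuple[bool, str]:
        self.events.append({"correlation_id": cid, "downstream": downstream, "allowed": ok, "reason": reason})
        return ok, reason
```

Denials are written to `events` with the same correlation ID as dispatches, which is what lets an incident responder reconstruct where a cascade was cut off.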

## ASI09 — Human-Agent Trust Exploitation

- [ ] Automation-bias awareness training program for all oversight personnel — satisfies Article 14(4)(b); produces training attestation record.
- [ ] Independent verification requirement for high-impact decisions — satisfies Article 14 (oversight); produces verification log.
- [ ] Uncertainty disclosure surfaced in every agent output — satisfies Article 50 (transparency); produces disclosure configuration audit.
- [ ] Clear "you are interacting with AI" disclosure at session start — satisfies Article 50(1); produces disclosure audit record.
- [ ] Fundamental Rights Impact Assessment completed before deployment — satisfies Article 27; produces FRIA artifact in Evidence Room.

## ASI10 — Rogue Agents

- [ ] Physically isolated, non-negotiable kill switch for every deployed agent — satisfies Article 14(4)(e); produces kill-switch verification record.
- [ ] Continuous behavioral monitoring with drift detection — satisfies Article 9 (post-market risk management); produces drift-detection report.
- [ ] Immutable agent logic (agents cannot modify their own reward functions without republishing through Release Control) — satisfies Article 15 (robustness); produces Release Control lineage.
- [ ] Isolated test environments exercised before production rollout — satisfies Article 9(6); produces pre-production test report.
- [ ] Post-market monitoring plan with Article 73 serious-incident reporting path wired to the AI Office — satisfies Article 26(5) and Article 73; produces post-market monitoring plan and serious-incident report template.

---

**How to use this checklist**

1. Treat each ticked box as producing a named evidence artifact; the "produces" clause of each control names the artifact and where it lives in the KLA Control Plane (Evidence Room).
2. Map the cited article into your Article 9 risk register entry and your Annex IV technical documentation.
3. Review the checklist quarterly; the OWASP ASI Top 10 refreshes yearly and the Digital Omnibus trilogue is ongoing.

Last updated: 2026-04-07.
