AGS-1 and the OWASP Top 10
How the five AGS-1 gates map to the OWASP Top 10 for Agentic Applications (2026) and the OWASP Top 10 for LLM Applications (2025). An informative crosswalk.
Informative companion
This page maps AGS-1 to the OWASP risk taxonomy. It is informative, not normative: AGS-1's requirements live in the specification, and the OWASP lists are the source of record for their own categories. Consult the official OWASP documents for canonical wording. This is a contribution toward shared language, not a claim of OWASP endorsement. The portable version lives in the public repo as OWASP-CROSSWALK.md.
AGS-1 governs everything an agent does, not what it thinks. It maps to the mitigation side of each OWASP risk, and it is explicit about where the action boundary ends. Because AGS-1 governs agent actions, the closest fit is the OWASP Top 10 for Agentic Applications; the mapping to the LLM Top 10 follows below.
The five gates
| Gate | Title | What it requires |
|---|---|---|
| AGS-1.1 | Identity | Short-lived, attributable identity per action, with the full delegation chain. No ambient or shared credentials. |
| AGS-1.2 | Policy | Every action evaluated against an explicit, default-deny policy. Allow, deny, or hold. |
| AGS-1.3 | Inspection | Content inspected for secrets, sensitive data, destructive operations, and injection, scored 0 to 100, on the hot path. |
| AGS-1.4 | Audit | Tamper-evident, append-only log, independently verifiable even against the operator. |
| AGS-1.5 | Proof | Offline-verifiable proof that an action was governed, checkable against a pinned key with no trust in the operator. |
Conformance levels: Core satisfies AGS-1.1 through AGS-1.4. Provable adds AGS-1.5.
How to read coverage
- Strong: the gate is a primary mitigation for this risk.
- Strong (containment): AGS-1 does not prevent the root cause, but it bounds the blast radius and makes the event attributable and auditable.
- Partial: AGS-1 helps, but the risk lives mostly outside the action boundary.
- Out of scope: AGS-1 does not address this risk; another control should.
OWASP Top 10 for Agentic Applications (2026)
| OWASP risk | AGS-1 gate(s) | Coverage | How AGS-1 addresses it |
|---|---|---|---|
| ASI01 Agent Goal Hijack | 1.3, 1.2 | Strong (consequence-side) | AGS-1 does not stop the hijack of reasoning, but it inspects content for injection and forces every action a hijacked agent attempts through default-deny policy, so a hijacked objective cannot silently become a harmful action. |
| ASI02 Tool Misuse and Exploitation | 1.2, 1.3, 1.1 | Strong (flagship) | Every tool call is an in-scope action: evaluated against default-deny policy, inspected for destructive operations, and tied to a scoped identity. The core purpose of the gateway. |
| ASI03 Identity and Privilege Abuse | 1.1 | Strong (flagship) | Short-lived, attributable, per-action identity with a resolved delegation chain, and no ambient or shared credentials. The direct mitigation for inherited or escalated privilege. |
| ASI04 Agentic Supply Chain Vulnerabilities | 1.2, 1.1, 1.4 | Strong (containment) | AGS-1 does not vet third-party components, but it allowlists which tools and MCP servers an agent may reach, denies the rest by default, and records every call, containing a compromised component. |
| ASI05 Unexpected Code Execution | 1.2, 1.3 | Strong (governed actions) | When execution is mediated as an action, policy gates it and inspection flags destructive operations on the hot path. Bounded to execution paths that pass through the gateway. |
| ASI06 Memory and Context Poisoning | 1.3, 1.2 | Partial | Store integrity sits largely outside the action boundary. Where reads and writes are governed actions, inspection flags injected content and policy gates writes, but AGS-1 does not guarantee store integrity. |
| ASI07 Insecure Inter-Agent Communication | 1.1, 1.4 | Strong | Direction-agnostic. Inbound, the gateway resolves a visiting agent's identity (for example Web Bot Auth, RFC 9421) before accepting a message and records the decision. |
| ASI08 Cascading Failures | 1.2, 1.4 | Strong (containment) | Per-action rate and budget policy with default-deny acts as a circuit breaker on runaway loops, and the log traces a cascade to its origin. It does not fix the upstream logic error. |
| ASI09 Human-Agent Trust Exploitation | 1.2, 1.5 | Partial | A policy hold inserts a real approval gate, and offline-verifiable proof gives the human something to check rather than a confident explanation to trust. It does not address human judgment directly. |
| ASI10 Rogue Agents | 1.2, 1.4, 1.1, 1.5 | Strong (containment) | A rogue agent cannot take an ungoverned action, cannot act unattributed, and cannot conceal what it did. |
OWASP Top 10 for LLM Applications (2025)
| OWASP risk | AGS-1 gate(s) | Coverage | How AGS-1 addresses it |
|---|---|---|---|
| LLM06 Excessive Agency | 1.1, 1.2, 1.4 | Strong (flagship) | Every side-effecting action carries scoped, short-lived identity and passes default-deny policy with allow, deny, or hold. The textbook mitigation for excessive agency. |
| LLM01 Prompt Injection | 1.3, 1.2 | Strong (consequence-side) | Injection and exfiltration patterns scored on the hot path; even if the prompt is compromised, the resulting action meets default-deny policy before it lands. |
| LLM02 Sensitive Information Disclosure | 1.3, 1.2 | Strong | Outbound content scanned for secrets and sensitive data; exfiltration-shaped actions denied or held. |
| LLM05 Improper Output Handling | 1.3, 1.2 | Strong | Destructive or unsafe downstream actions inspected and gated before execution. |
| LLM10 Unbounded Consumption | 1.2 | Strong | Per-action spend ceilings and rate or budget policy enforced inline; over-budget actions denied. |
| LLM07 System Prompt Leakage | 1.3 | Partial | Inspection catches secrets and sensitive strings in outbound actions; it does not address prompt design. |
| LLM03 Supply Chain | 1.1, 1.4 | Partial | Delegation-chain identity and tamper-evident audit give action provenance; AGS-1 does not vet model or dependency supply chain. |
| LLM09 Misinformation | 1.4, 1.5 | Partial (accountability) | AGS-1 does not judge content truth, but every action is attributable and offline-provable after the fact. |
| LLM04 Data and Model Poisoning | none | Out of scope | AGS-1 governs actions, not training data or model pipelines. |
| LLM08 Vector and Embedding Weaknesses | none | Out of scope | A retrieval-layer weakness, outside the action-governance boundary. |
Cross-cutting: Audit and Proof
Gates AGS-1.4 and AGS-1.5 are not tied to a single risk. They provide non-repudiation and traceability across the whole taxonomy, which the agentic list treats as first-class. Any AGS-1 Provable gateway gives every governed action an offline-verifiable Agent Action Seal, and you can verify our own log against a pinned key with no trust in us.
What AGS-1 deliberately does not cover
AGS-1 is narrow on purpose. It does not address model training, prompt design, memory or RAG store integrity beyond governed reads and writes, data and model poisoning, or human judgment. Those need controls at other layers. A complete agentic posture combines an action-governance gateway with model-layer, data-layer, and process controls. The value of AGS-1 is that the action layer, where intent becomes a real-world effect, has a single verifiable choke point.