
Key facts.
- The OWASP Top 10 for LLM Applications 2025 keeps Prompt Injection as LLM01 and lists Excessive Agency as LLM06. These are model-and-prompt level risks.source
- The OWASP Gen AI Security Project released its Top 10 for Agentic Applications in December 2025, built with more than 100 contributors.source
- Its entries include Agent Goal Hijack, Tool Misuse and Exploitation, Identity and Privilege Abuse, and Memory and Context Poisoning, all action-level risks a single chat turn never had.source
- The agentic list foregrounds two design principles: least agency and strong observability. Both are pattern-level controls, not model settings.source
What actually changes when an LLM becomes an agent?
Autonomy turns one bad output into a chain of actions, and a frontier agent clears tau-bench across eight tries a quarter of the time, so incidents recur. (source)
A chat model that gets prompt-injected says something wrong. An agent that gets prompt-injected does something wrong. that's the whole shift. Excessive Agency on the LLM list is a warning about giving the model too much reach. On the agentic list it becomes a family of concrete failures: the agent calls a tool it shouldn't, with parameters it shouldn't, in a sequence that produces a side effect nobody approved. Memory poisoning is worse still, because a single hostile write can steer every future session until someone audits the store.
Mapping one list onto the other is the useful exercise. Prompt Injection (LLM01) plus Excessive Agency (LLM06) become Agent Goal Hijack. Insecure tool handling becomes Tool Misuse. Over-broad credentials become Identity and Privilege Abuse. The risks aren't new in spirit. The blast radius is.

How should a team use both lists together?
Treat the LLM Top 10 as your input-and-output threat model and the Agentic Top 10 as your action threat model. Review prompts and outputs against the first. Review tool scopes, identity, memory, and inter-agent messages against the second. A control that only covers one list leaves the other half of the attack surface open.
| Risk | LLM Top 10 framing | Agentic Top 10 framing |
|---|---|---|
| Manipulated instructions | LLM01 Prompt Injection | Agent Goal Hijack (now a chain of actions) |
| Too much reach | LLM06 Excessive Agency | Tool Misuse, Identity & Privilege Abuse |
| Tainted state | Training/data poisoning | Memory & Context Poisoning across sessions |
The two OWASP principles, least agency and strong observability, are exactly what a Pattern Intelligence Layer enforces. Reliability at the pattern level means the agent's reach is scoped and its behavior is traced as properties of how it runs, not promises about how the model thinks. Map both lists, enforce them at the pattern, and the threat model holds even after your next model upgrade.
Frequently asked questions
Do I still need the LLM Top 10 if I use the agentic one?
Yes. The LLM list covers input and output risks like injection and leakage. The agentic list covers action risks. You need both halves of the surface.
Which agentic risk surprises teams most?
Memory and context poisoning. A single hostile write persists across sessions and steers future decisions until someone audits the memory store.
Where do most of these get enforced?
Around the agent, not inside the model. Least agency and observability are pattern-level controls that survive a model swap.

