
OWASP Agentic Top 10, mapped.

The OWASP Top 10 for Agentic Applications (ASI01–ASI10) treats agents as principals with goals, tools, memory, and inter-agent protocols. Alyria maps the whole list to concrete controls, recorded in one signed audit chain. OWASP ASI for what attackers do; NIST AI RMF and ISO/IEC 42001 for how you govern it.

10 / 10 risks mapped to named controls
7 covered: concrete controls shipping today
3 maturing: roadmap-tagged, stated honestly

Covered: concrete controls, shipping today

A named control exists across Beacon, Lyra, Umbra, Constellation, or Observatory and enforces the risk in v1. Coverage is strongest when the modules run as a suite: several risks lean on more than one plane.

Maturing: real approach, still hardening

The approach is designed and staged monitor-first, but some primitives are still hardening. These are the hardest risks in the standard; we describe our approach with confidence, and we do not claim it is done.

Pillars: APG = Agent Policy Governance (prevention) · ADR = Agent Detection & Response (detection) · Mesh = Constellation, the shared-memory plane.

Coverage map

Every risk, mapped to a named control.

One row per OWASP ASI risk: the threat in plain language, the Alyria modules and planes that address it, and an honest coverage rating. No opaque engine: every control is authored from auditable source.

ASI01 · Covered · ADR, Mesh

Agent Goal Hijack

Injected instructions hidden in a web page, tool output, or retrieved document quietly redirect an agent away from the task its operator actually gave it.

How Alyria addresses it

Beacon Plane C runs a content-safety scan over every tool/MCP response and model input/output, reusing Constellation's shipping prompt-injection layer, so injected instructions are caught before they reach the agent. Tier-3 intent classification and Tier-2 trajectory analysis are the hardening path, staged monitor-first.

Beacon Plane C · Constellation content-safety · Tier-2 / Tier-3 detection

ASI02 · Covered · APG

Tool Misuse & Exploitation

A legitimate tool is invoked in a harmful way, or tools are chained, to reach data or actions the agent was never meant to touch.

How Alyria addresses it

The core wedge: Beacon Plane A mediates every tool call and gates it against Lyra capabilities and Tier-1 policy. Anything ambiguous is escalated to an Observatory JIT approval instead of silently running.

Beacon Plane A · Lyra capabilities · Observatory JIT approvals

ASI03 · Covered · APG
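To make the ASI02 control and the signed audit chain concrete, here is an added illustration of the pattern in plain Python. It is not Alyria's code and does not reflect how Beacon, Lyra or Observatory are implemented; the capability manifest, tool names, agent name and the HMAC key are all constructed for the example. Every tool call passes through one gate that denies anything outside the manifest, escalates side-effecting calls for just-in-time approval, and writes the decision to a hash-chained, MAC'd log before anything runs.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Hypothetical capability manifest (constructed for this illustration): for each
# agent, the tools it may call and a predicate per constrained argument.
CAPABILITIES = {
    "ticket-triage-agent": {
        "read_ticket": {},
        "search_kb": {"max_results": lambda v: isinstance(v, int) and v <= 50},
        "send_email": {"to": lambda v: isinstance(v, str) and v.endswith("@example.com")},
    }
}

# Tools that stay inside the manifest but have side effects worth a human decision.
ESCALATE_ALWAYS = {"send_email"}


@dataclass
class Decision:
    verdict: str   # "allow", "deny" or "escalate"
    reason: str


def gate_tool_call(agent: str, tool: str, args: dict) -> Decision:
    """Mediate one tool call: deny anything outside the manifest, escalate the ambiguous rest."""
    caps = CAPABILITIES.get(agent)
    if caps is None:
        return Decision("deny", f"unknown agent {agent!r}")
    if tool not in caps:
        return Decision("deny", f"tool {tool!r} not in capability manifest")
    for name, allowed in caps[tool].items():
        if name in args and not allowed(args[name]):
            return Decision("deny", f"argument {name!r} violates its constraint")
    if tool in ESCALATE_ALWAYS:
        return Decision("escalate", f"{tool!r} requires just-in-time approval")
    return Decision("allow", "within capability manifest")


class AuditChain:
    """Append-only log: each entry commits to the previous entry's hash and carries
    an HMAC, so removal, reordering or editing of any entry is detectable."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self.key = key
        self.entries: list[dict] = []
        self.prev_hash = self.GENESIS

    @staticmethod
    def _canonical(body: dict) -> bytes:
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def append(self, record: dict) -> dict:
        body = {**record, "prev": self.prev_hash}
        canonical = self._canonical(body)
        entry_hash = hashlib.sha256(canonical).hexdigest()
        mac = hmac.new(self.key, canonical, hashlib.sha256).hexdigest()
        entry = {**body, "hash": entry_hash, "mac": mac}
        self.entries.append(entry)
        self.prev_hash = entry_hash
        return entry

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k not in ("hash", "mac")}
            canonical = self._canonical(body)
            expected_mac = hmac.new(self.key, canonical, hashlib.sha256).hexdigest()
            if body.get("prev") != prev:
                return False
            if hashlib.sha256(canonical).hexdigest() != e["hash"]:
                return False
            if not hmac.compare_digest(expected_mac, e["mac"]):
                return False
            prev = e["hash"]
        return True


def mediate(chain: AuditChain, agent: str, tool: str, args: dict) -> Decision:
    """Gate the call and record the decision before anything runs."""
    decision = gate_tool_call(agent, tool, args)
    chain.append({"agent": agent, "tool": tool, "args": args,
                  "verdict": decision.verdict, "reason": decision.reason})
    return decision


if __name__ == "__main__":
    chain = AuditChain(key=b"demo-key-not-for-production")
    print(mediate(chain, "ticket-triage-agent", "read_ticket", {"id": 7}))
    print(mediate(chain, "ticket-triage-agent", "send_email", {"to": "ops@example.com"}))
    print(mediate(chain, "ticket-triage-agent", "run_shell", {"cmd": "id"}))
    print("chain intact:", chain.verify())
```

The ordering matters: the audit entry is written before the verdict is returned, so a call that is later denied, escalated or executed is on the chain either way. The HMAC key here is a stand-in; a real deployment would keep it in a signer the agent host cannot read.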

Identity & Privilege Abuse

An agent runs with more privilege than its task requires, or reuses a standing credential to reach systems well beyond its remit.

How Alyria addresses it

Identity is resolved from your IdP through Constellation and enforced with relationship-based access control, and Lyra's capability-brokering makes least-privilege the default. Umbra's short-lived secret leases (roadmap) will retire standing credentials entirely.

Constellation identity · Lyra capabilities · Umbra leases (roadmap)

ASI04 · Covered · APG, ADR
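The ASI03 control combines two checks: relationship-based access control for the human identity, and a brokered scope that bounds what the agent may do on that human's behalf. The following is an added example in Python of that combination, written for this page; it is not Alyria's implementation and the relation tuples, rewrite rules, user, team, document and agent names are all constructed. It generalizes slightly beyond the text by showing userset expansion and parent inheritance in the Zanzibar style, and the "agent scope AND human relation" intersection that makes least privilege the default.

```python
# Constructed relation tuples (object, relation, subject). A subject is a user or
# agent id, or a userset "object#relation" in the Zanzibar style.
TUPLES = [
    ("folder:incidents", "owner", "user:alice"),
    ("folder:incidents", "viewer", "team:soc#member"),
    ("team:soc", "member", "user:bob"),
    ("doc:ir-42", "parent", "folder:incidents"),
]

# Rewrite rules: a relation is also satisfied by any stronger relation listed here.
IMPLIED_BY = {"viewer": ["editor"], "editor": ["owner"]}

# Hypothetical brokered scopes: the relations each agent may exercise at all,
# regardless of what the human it acts for holds.
AGENT_SCOPES = {"agent:triage-bot": {"viewer"}}


def has_relation(obj, relation, subject, tuples=TUPLES, seen=None):
    """Does `subject` hold `relation` on `obj`, directly, via a userset, via a
    stronger relation, or inherited from a parent object?"""
    if seen is None:
        seen = set()
    key = (obj, relation, subject)
    if key in seen:           # cycle guard for self-referential tuples
        return False
    seen.add(key)
    for o, r, s in tuples:
        if o != obj:
            continue
        if r == relation:
            if s == subject:
                return True
            if "#" in s:      # userset: expand "object#relation"
                so, sr = s.split("#", 1)
                if has_relation(so, sr, subject, tuples, seen):
                    return True
        if r == "parent" and has_relation(s, relation, subject, tuples, seen):
            return True       # inherit the relation from the parent object
    return any(has_relation(obj, stronger, subject, tuples, seen)
               for stronger in IMPLIED_BY.get(relation, []))


def agent_may(agent, on_behalf_of, obj, relation, tuples=TUPLES):
    """Least privilege by default: the agent needs the relation in its brokered
    scope AND the human it acts for must hold that relation on the object."""
    if relation not in AGENT_SCOPES.get(agent, set()):
        return False
    return has_relation(obj, relation, on_behalf_of, tuples)


if __name__ == "__main__":
    print(agent_may("agent:triage-bot", "user:bob", "doc:ir-42", "viewer"))    # True
    print(agent_may("agent:triage-bot", "user:alice", "doc:ir-42", "editor"))  # False
```

The second call is the point of the intersection: alice owns the folder and therefore may edit the document, but the agent was only brokered a viewer scope, so it cannot borrow her editor privilege. Short-lived leases, as the page describes for Umbra, would additionally put an expiry on the scope itself.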

Agentic Supply-Chain

A poisoned, down-level, or malicious MCP server, tool, or package the agent pulls in becomes the way into your environment.

How Alyria addresses it

Beacon inventories installed AI tooling and MCP servers and flags down-level or malicious ones, and can refuse them at launch once you turn enforcement on; all MCP traffic flows through the Beacon gateway; Lyra ships signed, versioned policy bundles; and code-integrity allow-listing constrains what may run.

Beacon inventory + gateway · Lyra signed bundles · Code-integrity allow-listing

ASI05 · Covered · ADR, APG

Unexpected Code Execution

The agent sidesteps the mediated tool path by spawning a shell, a detached job, or an out-of-band process to run code directly.

How Alyria addresses it

Beacon observes process launches and agent activity from user space (no kernel driver), flags out-of-band processes, and Lyra capability limits bound what any launched process may do.

Beacon runtime observation (user-space) · Lyra capability limits

ASI06 · Covered · Mesh, ADR

Memory & Context Poisoning

Malicious content is planted in an agent's long-term memory or a shared RAG corpus so it resurfaces later and quietly steers behavior.

How Alyria addresses it

Constellation scopes memory and documents behind one ACL and runs content-safety on every ingest, so poisoned context never enters shared memory in the first place; Beacon Plane C additionally scans retrieved content at recall time.

Constellation scoped memory · Content-safety on ingest · Beacon Plane C

ASI07 · Maturing · APG

Insecure Inter-Agent Comms

Agents coordinate over channels an attacker can spoof, intercept, or read, turning agent-to-agent protocols into an exfiltration path.

How Alyria addresses it

Umbra performs A2A key exchange with signed agent identities over mTLS; the roadmap is sealing shared files and secrets under client-held keys with a published, externally audited protocol. Beacon Plane C inspects the flow at the endpoint today.

Beacon Plane C · Signed identities / mTLS · Umbra A2A (roadmap)

Honest status: Umbra's A2A brokering is on the roadmap; today Beacon inspects inter-agent flows at the endpoint.

ASI08 · Maturing · APG, ADR

Cascading Failures

A single compromised or malfunctioning agent triggers a runaway chain (retries, fan-out, or a rate spike) that cascades across the mesh.

How Alyria addresses it

Lyra enforces capability budgets with rate and circuit limits, Beacon's Tier-2 trajectory analysis catches the escalation early, and a disposition kill-switch can halt an agent outright, all staged monitor-first before anything enforces.

Lyra capability budgets · Tier-2 trajectory · Disposition kill-switch

Honest status: the rate-limit and circuit-breaker primitives are an active design item, not yet fully shipped in v1.
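The ASI08 primitives named above (a per-capability budget with a rate limit and a circuit breaker, staged monitor-first before it enforces) are easy to misbuild, so here is an added Python example of the pattern. It is written for this page, is not Alyria's code, and the thresholds and the `monitor`/`enforce` mode names are constructed. In monitor mode a violation is recorded for the detection plane but the call still proceeds; in enforce mode the same violation blocks the call. The breaker opens after consecutive failures and allows a single probe call after the cooldown.

```python
from collections import deque


class CapabilityBudget:
    """Budget for one agent capability: a sliding-window rate limit plus a circuit
    breaker that opens after consecutive failed calls. Timestamps are passed in
    rather than read from the clock so behaviour is deterministic and testable."""

    def __init__(self, max_calls: int, window_s: float, failure_threshold: int,
                 cooldown_s: float, mode: str = "monitor"):
        assert mode in ("monitor", "enforce")
        self.max_calls = max_calls
        self.window_s = window_s
        self.failure_threshold = failure_threshold
        self.cooldown_s = cooldown_s
        self.mode = mode
        self.calls: deque = deque()   # timestamps inside the current window
        self.failures = 0             # consecutive failures since last success
        self.open_until = None        # breaker open until this time, or None
        self.half_open = False        # one probe call allowed after cooldown
        self.events: list = []        # (time, kind, mode) for detection/alerting

    def _evict(self, now: float) -> None:
        while self.calls and now - self.calls[0] >= self.window_s:
            self.calls.popleft()

    def check(self, now: float) -> bool:
        """Return True if the call may proceed; record any violation either way."""
        self._evict(now)
        violation = None
        if self.open_until is not None:
            if now < self.open_until:
                violation = "circuit_open"
            else:
                self.open_until = None
                self.half_open = True     # cooldown over: let one probe through
        if violation is None and len(self.calls) >= self.max_calls:
            violation = "rate_limit"
        if violation is not None:
            self.events.append((now, violation, self.mode))
            if self.mode == "enforce":
                return False
        self.calls.append(now)
        return True

    def report(self, now: float, ok: bool) -> None:
        """Feed back the outcome of a call that was allowed to proceed."""
        if ok:
            self.failures = 0
            self.half_open = False
            return
        self.failures += 1
        if self.half_open or self.failures >= self.failure_threshold:
            self.open_until = now + self.cooldown_s   # trip (or re-trip) the breaker
            self.half_open = False
            self.failures = 0
            self.events.append((now, "circuit_tripped", self.mode))

    def violations(self) -> list:
        """Violation kinds in order, e.g. for a trajectory or alerting pipeline."""
        return [kind for _, kind, _ in self.events]


if __name__ == "__main__":
    budget = CapabilityBudget(max_calls=3, window_s=10, failure_threshold=2,
                              cooldown_s=30, mode="enforce")
    for t in (0, 1, 2, 3):
        print(t, budget.check(t))        # fourth call inside the window is refused
    print(budget.violations())
```

Two details are deliberate: in monitor mode the call timestamp is still recorded, so the rate statistics are identical to what enforce mode would see and switching modes does not change the signal; and a failed probe in the half-open state re-trips the breaker immediately instead of waiting for another full run of failures.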

ASI09 · Covered · APG

Human-Agent Trust Exploitation

An agent produces a polished, confident justification for a risky action, and a human approves on the strength of the wording rather than the evidence.

How Alyria addresses it

Observatory's policy-driven JIT approvals put independent risk evidence, a rationale, and a score in front of the human approver, not the agent's own self-justification, and every decision is written to the signed audit chain.

Observatory JIT approvals · Human-approver workflow · Lyra policy

The strength here depends on the approval UX surfacing independent evidence: the principle the whole approver workflow is built around.

ASI10 · Maturing · ADR

Rogue Agents

An agent goes off-mission (self-directing, concealing what it's doing, or pursuing goals no one assigned) and works to avoid detection.

How Alyria addresses it

Beacon layers Tier-3 behavioral anomaly detection and Tier-2 trajectory analysis with Plane B user-space runtime correlation and a kill-switch; posture flags unknown agents, and can refuse them at launch once you turn enforcement on; and Umbra's zero standing privilege bounds the blast radius when something does slip through.

Tier-2 / Tier-3 detection · Beacon Plane B · Posture · Umbra zero standing privilege

Honest status: the hardest of the ten. Mature behavioral ML is an ongoing investment; zero standing privilege bounds the damage in the meantime.

Standards anchor

OWASP ASI for what attackers do. NIST and ISO for how you govern it.

The same signed audit chain that proves an ASI05 code-execution block to a red team is the evidence that satisfies a 42001 audit: one source of truth, so the adversarial story and the compliance story can never drift.

NIST AI RMF

Map / Measure / Manage / Govern: the risk-management spine US enterprises align to.

ISO/IEC 42001

The AI management-system standard your auditors and procurement teams ask for by number.

EU AI Act

Risk-tiered obligations for AI systems: the regulatory anchor for governance buyers.

One chain, both audiences. Alyria maps to the standards without a second system to reconcile: see how the crypto, audit chain, and enforcement fit together on the security model.

See the coverage map against your estate.

Walk ASI01 through ASI10 with our team on your own agents and tooling, or read how verifiable key custody and one tamper-evident audit chain hold it all together.

Free. Read-only. Remove it with one command.