Read the OWASP Top 10 for Agentic Applications 2026 and one fact organizes everything below it: identity is three of the top four.
Agent goal hijack, identity and privilege abuse, inter-agent trust exploitation — the framework puts the agent’s credentials, its delegated authority, and the trust between agents at the center of the agentic attack surface. That is the right center. It is where the incidents are.
Hold that crosswalk against a different artifact and a gap opens. In June 2026, the MIT–Delphi study asked 272 AI-risk experts to rate the 24 risk domains of the MIT AI Risk Repository on severity, vulnerability, and responsibility. One finding frames this whole series: under a “pragmatic mitigations” scenario, expected severity fell across all 24 risks, but five stayed above a 10% probability of catastrophic outcome over five years — dangerous capabilities, weapons and cyberattacks, environmental harm, inequality and unemployment, and power centralization. (A note carried once, for the series: these are panel means of expert subjective-probability distributions against a defined rubric — belief, not measured frequency. The authors are explicit on this, and so are we.)
So map the MIT 24 onto OWASP’s agentic framework and ask a narrow question: what does the framework see, and where does its sight end?
What OWASP sees
It sees the agentic core with precision. AI security vulnerabilities map to tool misuse and privilege abuse. Multi-agent risks map to inter-agent trust exploitation and cascading failures — and OWASP is one of the few artifacts that reaches this at all. AI misalignment maps to rogue agents. Dangerous capabilities map to goal hijack on the actuation side. Overreliance maps almost word-for-word to human-agent trust exploitation.
The content-layer risks — false information, privacy loss, disinformation — find homes one level down, in the OWASP LLM Top 10. Between the agentic list and the LLM list, OWASP covers ten of the twenty-four cleanly. For a framework chartered around application security, that is strong coverage of exactly the surface it was built to defend.
Where the sight ends
Now the edge. Four MIT risks appear nowhere in the OWASP agentic framework: power centralization, inequality and unemployment, competitive dynamics, and governance failure. Not thinly. Not partially. They are absent. None of the four is a property of an agent’s attack surface; they are properties of markets, labor, and institutions, and the framework has no entry for any of them.
This is not a defect. OWASP’s charter is agentic application security — the attack surface of a deployed agent, the threats a builder can design against. It maps that surface as well as any artifact in the field, and it stops at the boundary of its charter. The framework publishes to its scope. The work of locating what lies past that scope, and translating it for a specific environment, belongs to the practitioner reading it.
What this dispatch establishes
OWASP’s coverage clusters tightly on the system-internal, agentic domains — the protocol-and-tool surface. That is the strongest map of the agentic attack surface available, and it is also the clearest statement of where that map ends. The four risks that fall past it are not security failures a builder can patch. They are properties of markets, labor, and institutions.
The next dispatch takes the same 24 risks to NIST — the framework that covers the most. It names twelve content-risk areas, including environmental harm, which OWASP never touches. It still drops the same four. That is the first sign the gap is not an accident of one charter.
OWASP maps the agentic attack surface with precision and stops exactly where the risk stops being technical. No agent-security charter is built to hold the four risks that fall past it, and two of them, power centralization and inequality, are also among the five the MIT panel judged to stay above a 10% catastrophic probability even under pragmatic mitigations.
The framework did not fail. It mapped what it was chartered to map. The gap is structural — and it is the same gap the next two frameworks will leave, for reasons of their own.
