
Permiso Expands AI Agent Security Coverage with 35+ Exposures Mapped to Both OWASP Top 10 Frameworks

Written by Aditya Vats | Mar 11, 2026 5:58:35 PM

The question facing security teams is no longer whether AI agents introduce risk. It is what specifically to look for.

AI agents are shipping into production across cloud and SaaS environments. They assume IAM roles, access sensitive data stores, invoke tools through APIs, and interact with other agents. Each of those actions creates an identity-level exposure that most security tooling was not built to detect.

Two OWASP frameworks now define the most critical security risks in agentic AI deployments: the OWASP Top 10 for Agentic Applications 2026 and the OWASP Top 10 Agentic Risk. Together, they give security teams a common set of criteria for evaluating risk.

Permiso has mapped its detection capabilities against both. The result: 35+ distinct AI security exposures across 10 categories, covering 9 of 10 categories in each OWASP framework, severity-ranked and out-of-the-box ready.

These exposures are part of Permiso's broader AI agent security capabilities. The platform brings identity-grade discovery, access control, behavioral monitoring, agent-to-agent security, and compliance to AI agents, built on the same Universal Identity Graph and threat-informed detection engine that already secures human and non-human identities across cloud, SaaS, and data environments.

What These Exposures Cover

These exposures span every layer of the AI agent stack that touches identity and access: who the agent is, what it can do, what data it can reach, how it communicates with other agents, and whether anyone is watching. They are organized into 10 categories, ranging from identity misconfigurations and overprivileged execution roles to missing audit controls and governance gaps. The highest-severity exposures concentrate in the Identity, Data, Agent & Tools, and Composite categories, where misconfigured agents carry the most direct path to infrastructure compromise or data exfiltration.

| Category | Count | Severity | Examples |
|---|---|---|---|
| Identity | 4 | 2 Critical, 2 High | Over-privileged AI execution roles, cross-account AI role access, standing privileges without JIT |
| Data | 6 | 2 Critical, 4 High | Public or unencrypted AI data, sensitive data in training, data residency violations, PII access |
| Agent & Tools | 7 | 3 Critical, 3 High, 1 Medium | Unrestricted tool execution, agent tool overreach, agent self-modification, A2A control gaps |
| Composite | 4 | 4 Critical | Data + autonomy + egress, prompt-to-tool-to-infra paths, autonomous admin agents |
| Model | 4 | 1 High, 3 Medium | Unapproved model usage, unpinned versions, missing ownership, model drift |
| Prompt | 3 | 1 Critical, 1 High, 1 Medium | Prompt injection exposure, missing prompt logging, shared prompt stores |
| Audit | 2 | 1 Critical, 1 High | Agent can disable logs, incomplete AI audit trails |
| Network | 3 | 1 High, 2 Medium | Unrestricted internet egress, public AI endpoints, cross-VPC access |
| Governance | 3 | 2 Medium, 1 Low | No AI risk register, missing ownership and accountability, changes outside change management |
| Safety | 1 | 1 Medium | No AI output safety monitoring |

Summing the Severity column above, thirteen exposures are classified as Critical. These are the configurations and access patterns that, if exploited, give an attacker the ability to move laterally, exfiltrate data, or take destructive action through an AI agent's identity.

Mapped to Both OWASP Frameworks

Every exposure is mapped to the relevant categories in both the OWASP Top 10 for Agentic Applications 2026 and the OWASP Top 10 Agentic Risk. The two frameworks approach AI agent risk from different angles, one focused on how agents are built and deployed, the other on broader operational and architectural patterns. The heaviest concentration of Critical-severity exposures maps to tool misuse (ASI02), identity and privilege abuse (ASI03), rogue agents (ASI10), and excessive agency (A6), the categories where agents carry the most destructive potential through direct access to infrastructure, data, and services.

For the full exposure-by-exposure OWASP mapping across both frameworks, including severity breakdowns and detection details for all exposures, download the complete Permiso AI Exposure Coverage reference. 

Every Exposure Is an Identity Problem

What connects all exposures is that each one traces back to an identity. The agent's execution role. The credentials it uses to authenticate. The trust policies that govern what it can assume. The permissions that determine what data it can access and what tools it can invoke.

AI agent security is not a separate discipline from identity security. It is identity security extended to a new class of identity. The same principles apply: discover every identity, enforce least privilege, monitor behavior against baselines, secure communication between entities, and maintain audit trails that map to compliance controls. The difference is that AI agents operate at machine speed, chain actions across environments, and can be manipulated through their inputs in ways that human identities cannot.

Permiso built these detections on the Universal Identity Graph, which provides unified visibility across human, machine, and AI identities in cloud, SaaS, CI/CD, and data environments. The exposures are not standalone alerts. They are findings grounded in identity context: what the agent is, what it can do, how it connects to other identities, and whether its configuration and behavior fall within expected boundaries.
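To make the identity-first view concrete, the following is an added example and not Permiso's detection code: a small static check over an AI agent's IAM execution role that looks for three of the exposures named in the Identity and Audit rows above (over-privileged execution role, cross-account role access, and an agent that can disable its own logs). It assumes AWS-style IAM JSON for the trust and permission policies; the role documents, account IDs and severity labels are constructed for the example, and the heuristics are a simplified stand-in for a real detection engine.

```python
"""Static checks for an AI agent's IAM execution role.

Added illustration, not Permiso's detection code. The role documents below are
constructed; the checks are a simplified stand-in for three of the exposures
listed in the tables above: over-privileged execution role, cross-account role
access, and an agent that can disable the logs recording its own actions.
"""
from fnmatch import fnmatch
from typing import Any

# Actions that let an identity blind or weaken the audit trail. Lower-case
# because IAM action matching is case-insensitive.
LOG_TAMPER_ACTIONS = (
    "cloudtrail:stoplogging", "cloudtrail:deletetrail", "cloudtrail:updatetrail",
    "logs:deleteloggroup", "logs:deletelogstream", "logs:putretentionpolicy",
)


def _as_list(value: Any) -> list:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def allow_grants(policy: dict) -> list[tuple[str, list[str]]]:
    """Return (action_pattern, resources) for every Allow statement.

    An Allow statement written with NotAction grants every action except the
    listed ones; for this analysis that is treated as a '*' grant."""
    grants = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", "*"))
        actions = ["*"] if "NotAction" in stmt else _as_list(stmt.get("Action"))
        grants.extend((a.lower(), resources) for a in actions)
    return grants


def action_allowed(grants, action: str) -> bool:
    """True if some Allow pattern ('*', 'svc:*', 'svc:Get*', ...) covers action."""
    return any(fnmatch(action.lower(), pattern) for pattern, _ in grants)


def _account_of(principal: str) -> str:
    """Account ID from an AWS principal: a bare 12-digit ID or an IAM ARN."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def check_agent_role(role: dict, home_account: str) -> list[dict]:
    """Evaluate one agent execution role and return a list of findings."""
    findings: list[dict] = []
    grants = [g for p in role["PermissionPolicies"] for g in allow_grants(p)]

    # 1. Over-privileged execution role: full admin is Critical, a whole
    #    service on every resource is High.
    full_admin = any(a in ("*", "*:*") and "*" in res for a, res in grants) or \
        any(p.endswith("/AdministratorAccess") for p in role.get("ManagedPolicies", []))
    if full_admin:
        findings.append({"id": "over_privileged_role", "severity": "Critical",
                         "detail": "full administrative access on all resources"})
    else:
        for a, res in grants:
            if a.endswith(":*") and "*" in res:
                findings.append({"id": "over_privileged_role", "severity": "High",
                                 "detail": f"{a} on all resources"})

    # 2. Trust policy: which principals may become this agent.
    for stmt in _as_list(role["TrustPolicy"].get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        for p in aws_principals:
            if p == "*":
                findings.append({"id": "anonymous_assume_role", "severity": "Critical",
                                 "detail": "any AWS principal may assume the role"})
            elif _account_of(p) != home_account:
                cond = stmt.get("Condition", {})
                has_ext = any("sts:ExternalId" in v for v in cond.values())
                findings.append({"id": "cross_account_role_access", "severity": "High",
                                 "detail": f"{p} may assume the role"
                                 + ("" if has_ext else " (no sts:ExternalId condition)")})

    # 3. Audit: can the agent switch off the logs that record its own actions?
    tamper = [a for a in LOG_TAMPER_ACTIONS if action_allowed(grants, a)]
    if tamper:
        findings.append({"id": "agent_can_disable_logs", "severity": "Critical",
                         "detail": ", ".join(tamper)})
    return findings


# Constructed sample: an agent execution role in account 111111111111 that a
# second account may assume, with service-wide S3 and CloudTrail rights.
AGENT_ROLE = {
    "RoleName": "support-agent-exec",
    "TrustPolicy": {"Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "lambda.amazonaws.com"}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"}},
    ]},
    "ManagedPolicies": [],
    "PermissionPolicies": [{"Statement": [
        {"Effect": "Allow", "Action": ["bedrock:InvokeModel"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"},
    ]}],
}

# The same agent after scoping: single-account trust, one bucket, read-only,
# and no logging permissions at all.
HARDENED_ROLE = {
    "RoleName": "support-agent-exec",
    "TrustPolicy": {"Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "lambda.amazonaws.com"}},
    ]},
    "ManagedPolicies": [],
    "PermissionPolicies": [{"Statement": [
        {"Effect": "Allow", "Action": "bedrock:InvokeModel", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::support-kb/*"},
    ]}],
}

if __name__ == "__main__":
    for f in check_agent_role(AGENT_ROLE, "111111111111"):
        print(f"{f['severity']:8} {f['id']}: {f['detail']}")
    print("hardened role findings:", check_agent_role(HARDENED_ROLE, "111111111111"))
```

Run as a script, the first role produces two High over-privilege findings (s3:* and cloudtrail:* on all resources), a High cross-account finding that notes the missing sts:ExternalId condition, and a Critical finding because cloudtrail:* covers StopLogging, DeleteTrail and UpdateTrail; the hardened role produces nothing. The NotAction handling matters in practice: an Allow statement with NotAction is a broad grant that a naive Action-only scan would miss.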

How This Connects to Enterprise AI Agent Security Use Cases

These exposures map directly to the five AI agent security use cases that enterprises are evaluating today. Each OWASP category connects to one or more of the core security controls organizations need in place. Security teams building an AI agent security program can use this mapping to validate that their detection coverage addresses every use case, and to identify gaps where exposures exist but controls do not.

| Enterprise Use Case | OWASP Agentic Apps | OWASP Agentic Risk | Exposures Detected |
|---|---|---|---|
| Agent Discovery, Inventory, and Lifecycle | ASI04, ASI08, ASI10 | A4, A5 | Unmanaged agents, missing ownership, no AI risk register, AI changes outside change management, unpinned model versions |
| Least-Privilege and Access Control | ASI02, ASI03 | A2, A6 | Over-privileged AI roles, cross-account access, standing privileges without JIT, unrestricted tool execution, agent tool overreach, excessive data access |
| Behavioral Monitoring and Anomaly Detection | ASI01, ASI10 | A1, A6, A8 | Prompt injection exposure, prompt-to-infra paths, autonomous admin agents, agent self-modification, no human-in-the-loop, no output safety monitoring |
| Agent-to-Agent Communication Security | ASI07, ASI09 | A2, A5 | Agent-to-agent control gaps, human access to AI runtime roles, cross-VPC and cross-account access, public AI endpoints |
| Compliance and Auditability | ASI08 | A3, A7, A10 | Agents that can disable logs, incomplete audit trails, missing prompt and decision logging, data residency violations, sensitive data in training |

What this mapping reveals is that no use case is covered by a single OWASP category. Agent discovery requires coverage across the supply chain vulnerability, cascading failure, and rogue agent categories simultaneously. Least-privilege enforcement spans tool misuse, identity abuse, and excessive agency. Compliance and auditability touches everything from logging and data governance to training data integrity. The risks are interconnected, and the detection coverage has to be as well.

For security teams building or evaluating an AI agent security program, this cross-reference serves as a coverage checklist. If your current tooling addresses least-privilege but not behavioral monitoring, the OWASP categories in that row tell you exactly which classes of risk remain uncovered. If your compliance controls cover audit trails but not data residency or training data governance, the gaps are visible in the mapping. The goal is not to treat these as five independent workstreams but to recognize that comprehensive AI agent security requires detection depth across all five simultaneously.

See These Exposures in Your Environment

35+ AI agent security exposures across 10 categories, mapped to both OWASP frameworks, severity-ranked, and detection-ready. Visit permiso.io to see what Permiso finds in your environment, or download the complete OWASP mapping reference for the full exposure-by-exposure breakdown.