Commit 71899d0

ASI folder reorganisation
ASI folder reorganisation and 0.5 initial candidate entries
2 parents 7124e26 + 4b75cce commit 71899d0

93 files changed: +655 −0 lines changed

Lines changed: 43 additions & 0 deletions
@@ -0,0 +1,43 @@
1+
## Risk/Vuln Name
2+
**Memory Poisoning**
3+
4+
**Author(s):**
5+
OWASP Agentic Security Initiative Team
6+
7+
### Description
8+
Agents with memory can be manipulated by adversaries who add malicious or misleading data to the agent's short- or long-term memory stores. This includes poisoning of embeddings or external knowledge stores. Since memory entries may influence agent behavior in subsequent runs or when accessed by other agents, memory poisoning introduces systemic risk.
9+
10+
### Common Examples of Risk
11+
1. Poisoning the vector store used by a RAG agent as its knowelege base across multiple sessions.
12+
2. Polluting shared memory in a multi-agent copilot system to alter downstream behaviors.
13+
3. Injecting subtle misinformation in a single agent memory to degrade agent reasoning over time.
14+
15+
16+
### Prevention and Mitigation Strategies
17+
1. Enforce memory content validation by scanning insertions for anomalies before committing them.
18+
2. Restrict memory persistence to trusted sources and apply cryptographic validation for long-term storage.
19+
3. Log all memory access and modifications for audit and forensic visibility.
20+
4. Segment memory access using session isolation to prevent knowledge bleed across users.
21+
5. Apply context-aware policies so agents only access memory relevant to their current task.
22+
6. Limit memory retention durations based on data sensitivity to reduce long-term risk exposure.
23+
7. Require source attribution for all memory updates to trace knowledge origins.
24+
8. Deploy anomaly detection to identify unexpected or suspicious memory updates.
25+
9. Require multi-agent or external validation before committing long-term memory changes.
26+
10. Use rollback and snapshot mechanisms to revert to previous memory states after anomalies.
27+
11. Apply probabilistic truth-checking to verify new knowledge against trusted references.
28+
12. Flag abnormal memory update frequencies to detect manipulation attempts.
29+
13. Validate knowledge across agents before allowing propagation to long-term memory.
30+
14. Track AI knowledge lineage to understand how memory evolved and support forensic analysis.
31+
15. Limit propagation from unverified sources to contain misinformation.
32+
16. Implement version control for memory updates to support audit, rollback, and tamper detection.
33+
34+
### Example Attack Scenarios
35+
- **Scenario 1: Travel Booking Memory Poisoning** – An attacker repeatedly reinforces a false pricing rule in an AI travel agent’s memory, making it register chartered flights as free, allowing unauthorized bookings and bypassing payment validation.
36+
- **Scenario 2: Context Window Exploitation** – By fragmenting interactions over multiple sessions, an attacker exploits an AI’s memory limit, preventing it from recognizing privilege escalation attempts, ultimately gaining unauthorized admin access.
37+
- **Scenario 3: Memory Poisoning for System** – An attacker gradually alters an AI security system’s memory, training it to misclassify malicious activity as normal, allowing undetected cyberattacks.
38+
- **Scenario 4: Shared Memory Poisoning** – In a customer service application, an attacker corrupts shared memory structures with incorrect refund policies, affecting other agents referencing this corrupted memory for decision making, leading to incorrect policy reinforcement, financial loss, and customer disputes.
39+
40+
### Reference Links
41+
1. [Agentic AI - Threats and Mitigations](https://genai.owasp.org/resource/agentic-ai-threats-and-mitigations/)
42+
2. [LLM04:2025 Data and Model Poisoning](https://genai.owasp.org/llmrisk/llm042025-data-and-model-poisoning/)
43+
3. [LLM08:2025 Vector Weaknesses](https://genai.owasp.org/llmrisk/llm082025-vector-and-embedding-weaknesses/)
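Review bot: typo at line 11, "knowelege" should be "knowledge"; and the title of reference 3 at line 43 drops the "Embedding" that its own URL slug (vector-and-embedding-weaknesses) carries, so it should read "LLM08:2025 Vector and Embedding Weaknesses". Two smaller points: the Scenario 3 title "Memory Poisoning for System" at line 37 reads as truncated (the text describes an AI security system, so something like "Memory Poisoning of a Security System"), and the 16 mitigations contain near-duplicates that could be merged (3 with 14 on logging and lineage, 8 with 12 on anomaly detection of updates, 9 with 13 on cross-agent validation, 10 with 16 on rollback and version control).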
Lines changed: 44 additions & 0 deletions
@@ -0,0 +1,44 @@
1+
## Risk/Vuln Name
2+
**Tool Misuse**
3+
4+
**Author(s):**
5+
OWASP Agentic Security Initiative Team
6+
7+
### Description
8+
Attackers exploit the dynamic integration and enhanced autonomy of agentic AI systems to misuse authorized tools. Unlike traditional LLM applications, agents maintain memory, dynamically decide which tools to invoke, and may delegate actions to other agents. This increases the risk of adversarial misuse through chaining, privilege escalation, or execution of unintended actions.
9+
10+
The threat is partially covered by [LLM06:2025 Excessive Agency](https://genai.owasp.org/llmrisk/llm062025-excessive-agency/), but agent-based systems pose unique challenges due to memory persistence and multi-agent delegation.
11+
12+
### Common Examples of Risk
13+
1. Tool chaining allows indirect access to restricted functions or data exfiltration.
14+
2. Prompt injection modifies the input to tools, such as editing a payload sent to APIs.
15+
3. Autonomous agents trigger external actions using tools without proper human oversight.
16+
4. RAG agents misuse tools to retrieve poisoned or misleading content.
17+
18+
### Prevention and Mitigation Strategies
19+
1. Implement strict tool access control policies and limit which tools agents can execute.
20+
2. Require function-level authentication before an AI can use a tool.
21+
3. Use execution sandboxes to prevent AI-driven tool misuse from affecting production systems.
22+
4. Use rate-limiting for API calls and computationally expensive tasks.
23+
5. Restrict AI tool execution based on real-time risk scoring.
24+
6. Implement just-in-time (JIT) access for AI tool usage, revoking permissions after use.
25+
7. Log all AI tool interactions with forensic traceability.
26+
8. Detect command chaining that circumvents security policies.
27+
9. Enforce explicit user approval for AI tool executions involving financial, medical, or administrative functions.
28+
10. Maintain detailed execution logs for auditing and anomaly detection.
29+
11. Require human verification before executing AI-generated code with elevated privileges.
30+
12. Detect abnormal tool execution frequency and flag repetitive misuse.
31+
13. Monitor AI tool interactions for unintended side effects that may impact security posture.
32+
33+
### Example Attack Scenarios
34+
- **Scenario 1: Parameter Pollution Exploitation** – An attacker discovers and manipulates an AI booking system’s function call, tricking it into reserving 500 seats instead of one, causing financial loss.
35+
- **Scenario 2: Tool Chain Manipulation** – An attacker exploits an AI customer service agent by chaining tool actions, extracting high-value customer records, and sending them via an automated email system.
36+
- **Scenario 3: Automated Tool Abuse** – An AI document processing system is tricked into generating and mass-distributing malicious documents, unknowingly executing a large-scale phishing attack.
37+
- **Scenario 4: Tool Poisoning** – A RAG agent is tricked into retrieving tool-generated context from a malicious source. The poisoned tool output influences subsequent tool use, causing unsafe actions such as overwriting databases.
38+
- **Scenario 5: Agent Hijacking via Tools** – As described by NIST, a malicious prompt triggers the agent to misuse a file upload tool and data extraction utility, enabling unintended file access and exfiltration without crossing policy boundaries.
39+
40+
### Reference Links
41+
1. [Agentic AI - Threats and Mitigations](https://genai.owasp.org/resource/agentic-ai-threats-and-mitigations/)
42+
2. [LLM06:2025 Excessive Agency](https://genai.owasp.org/llm-top-10/LLM06-excessive-agency)
43+
3. [LLM03:2025 Supply Chain Vulnerabilities](https://genai.owasp.org/llm-top-10/LLM03-training-data-supply-chain)
44+
4. [NIST Blog on Agent Hijacking](https://www.nist.gov/news-events/news/2025/01/technical-blog-strengthening-ai-agent-hijacking-evaluations)
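Review bot: the reference links at lines 42 and 43 use a different URL scheme (genai.owasp.org/llm-top-10/LLM06-excessive-agency) from the /llmrisk/llm062025-excessive-agency/ link already used for the same entry at line 10; use one form so the two links for one entry do not resolve to different pages. The slug of reference 3 (LLM03-training-data-supply-chain) also does not obviously match the stated title "LLM03:2025 Supply Chain Vulnerabilities", so verify that it points to the 2025 Supply Chain entry. Lastly, Scenario 5 at line 38 says "As described by NIST" without an inline pointer; adding "(see reference 4)" ties the claim to the link.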
Lines changed: 36 additions & 0 deletions
@@ -0,0 +1,36 @@
1+
## Risk/Vuln Name
2+
**Privilege Compromise**
3+
4+
**Author(s):**
5+
OWASP Agentic Security Initiative Team
6+
7+
### Description
8+
Agentic systems can escalate privileges internally or via delegation. Attackers exploit implicit trust relationships between agents, tools, memory contexts, or task transitions to execute actions beyond intended permissions. This includes hijacking cross-agent permissions or exploiting reflection mechanisms to bypass intended constraints.
9+
10+
While partially covered by [LLM06:2025 Excessive Agency](https://genai.owasp.org/llmrisk/llm062025-excessive-agency/), this risk is amplified in agentic ecosystems where memory, delegation, and tool orchestration span multiple identities and steps—opening attack surfaces for privilege escalation, impersonation, or authority confusion.
11+
12+
### Common Examples of Risk
13+
1. Reflection or planning loops that elevate permissions across agent sessions.
14+
2. Delegation without scope reduction, causing privilege inheritance.
15+
3. Chained tool access bypassing layered access control.
16+
4. Memory-based elevation (e.g., cached admin instructions reused out of context).
17+
18+
### Prevention and Mitigation Strategies
19+
1. Use scoped delegation with context-aware permissions (e.g., task-scoped tokens).
20+
2. Prevent privilege inheritance across agent handoffs unless explicitly authorized.
21+
3. Enforce runtime privilege checks on each tool invocation or system action.
22+
4. Segment identity contexts for user, agent, and system-level operations.
23+
5. Use consent verification and signed task transfers during delegation.
24+
6. Monitor privilege transitions in memory and logs to flag silent escalation.
25+
7. Apply least privilege to toolchains and restrict composite agent capabilities.
26+
8. Require explicit approvals for elevation attempts or meta-agent changes.
27+
28+
### Example Attack Scenarios
29+
- **Scenario 1: Memory Escalation via Delegation** – A subordinate AI assistant memorizes privileged admin actions from a previous session. When delegated a low-trust task, it reuses the cached admin commands, executing unintended system modifications.
30+
- **Scenario 2: Reflection Loop Elevation** – An agent self-reflects on a past privileged action and falsely infers it has ongoing admin authority, then uses that assumption to overwrite controls in a cloud environment.
31+
- **Scenario 3: Cross-Agent Credential Injection** – One agent is manipulated into injecting privileged credentials into a shared memory structure. A second, less trusted agent accesses them and initiates an unauthorized database export.
32+
- **Scenario 4: Delegated Task Scope Abuse** – A billing agent is delegated a read-only reporting task but uses retained access to change invoice records after the task ends, exploiting lax revocation.
33+
34+
### Reference Links
35+
1. [Agentic AI - Threats and Mitigations](https://genai.owasp.org/resource/agentic-ai-threats-and-mitigations/)
36+
2. [LLM06:2025 Excessive Agency](https://genai.owasp.org/llmrisk/llm062025-excessive-agency/)
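Review bot: Scenario 4 at line 32 attributes the compromise to "lax revocation", but none of the eight mitigations at lines 19-26 says to revoke or expire delegated access when the task ends; add an item such as "Bind delegated permissions to the task lifetime and revoke them on completion or timeout" (the JIT access item in the Tool Misuse entry is the analogue). Minor: "reflection mechanisms" at line 8 is used without definition before example 1 at line 13 relies on it; one clause saying it means an agent re-reading its own past actions when planning would help readers new to the term.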
Lines changed: 37 additions & 0 deletions
@@ -0,0 +1,37 @@
1+
## Risk/Vuln Name
2+
**Resource Overload**
3+
4+
**Author(s):**
5+
OWASP Agentic Security Initiative Team
6+
7+
### Description
8+
Agentic AI systems may be overloaded—intentionally or accidentally—by excessive or recursive actions, leading to denial-of-service (DoS), degraded performance, quota exhaustion, or unpredictable side effects in shared environments. Attackers may exploit open-ended goals, long planning chains, or looping delegation to consume compute, memory, storage, or API credits.
9+
10+
This risk is related to [LLM10:2025 Unbounded Consumption](https://genai.owasp.org/llmrisk/llm102025-unbounded-consumption/), but agentic autonomy increases the likelihood of recursive or chain-triggered overload across tools, memory, or systems. Agent loops or misaligned incentives can drive agents into endless activity storms, even in non-malicious contexts.
11+
12+
### Common Examples of Risk
13+
1. Recursive or infinite planning loops.
14+
2. API quota exhaustion due to ungoverned tool calls.
15+
3. Agents self-replicating or spawning subagents unintentionally.
16+
4. Excessive memory or CPU use triggered by broad or vague prompts.
17+
18+
### Prevention and Mitigation Strategies
19+
1. Impose hard limits on recursion depth, planning steps, and agent spawns.
20+
2. Use guardrails to prevent infinite loops or redundant task reentry.
21+
3. Apply rate-limiting on tool invocations and external service calls.
22+
4. Track and audit resource usage per agent identity.
23+
5. Alert or auto-terminate runaway agents or memory loops.
24+
6. Use planning critics or supervisors to halt degenerate planning strategies.
25+
7. Enforce compute budgets per session or task lineage.
26+
8. Sandbox expensive operations or run them in separate trust boundaries.
27+
28+
### Example Attack Scenarios
29+
- **Scenario 1: Recursive Planning DoS** – An agent asked to optimize operations recursively spawns planning tasks without end, consuming compute resources until the system halts.
30+
- **Scenario 2: Subagent Explosion** – A prompt causes an agent to delegate to subagents repeatedly with overlapping roles, leading to hundreds of concurrent processes and a denial of service on the orchestration layer.
31+
- **Scenario 3: Quota Exhaustion via Tool Abuse** – A user prompts an agent to generate charts from high-frequency trading data, triggering thousands of calls to an external analytics tool until the API quota is exceeded and shared services are affected.
32+
- **Scenario 4: Latent Loop via Memory** – A memory-enabled agent re-triggers its own decision every cycle due to unfiltered past context, creating a loop that rapidly consumes system memory.
33+
34+
### Reference Links
35+
36+
1. [Agentic AI - Threats and Mitigations](https://genai.owasp.org/resource/agentic-ai-threats-and-mitigations/)
37+
2. [LLM10:2025 Unbounded Consumption](https://genai.owasp.org/llmrisk/llm102025-unbounded-consumption/)
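Review bot: the Reference Links section has two consecutive blank lines at lines 35-36 where the other entries in this commit have one; drop one for consistency. On substance, mitigation 5 at line 23 ("auto-terminate runaway agents") gives no criterion for "runaway"; tying it to the compute budgets of item 7 (terminate when a session or task lineage exceeds its budget) would turn the two items into a single enforceable control.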
Lines changed: 34 additions & 0 deletions
@@ -0,0 +1,34 @@
1+
## Risk/Vuln Name
2+
**Cascading Hallucination Attacks**
3+
4+
**Author(s):**
5+
OWASP Agentic Security Initiative Team
6+
7+
### Description
8+
Agentic systems are prone to hallucinations—confidently presenting false information—as they generate, recall, or reuse unverified outputs. These hallucinations can become self-reinforcing, especially when persisted in memory or reflected across agents. When used in planning, reasoning, or as inputs to other tools, hallucinations may cascade into widespread misinformation, faulty decisions, or unsafe actions.
9+
10+
This risk aligns with [LLM09:2025 Misinformation](https://genai.owasp.org/llmrisk/llm092025-misinformation/), but agent-based systems introduce higher persistence and propagation risk due to memory and delegation. In multi-agent contexts, false knowledge may circulate and amplify, creating system-wide instability.
11+
12+
### Common Examples of Risk
13+
1. Self-reflection or summarisation loops reinforcing hallucinated facts.
14+
2. RAG agents incorporating incorrect content and treating it as ground truth.
15+
3. Multi-agent teams exchanging hallucinated knowledge as if validated.
16+
17+
### Prevention and Mitigation Strategies
18+
1. Implement grounding mechanisms to validate claims against trusted sources.
19+
2. Use ensemble verification or external judgment models for fact-checking.
20+
3. Constrain agents with domain-specific refusal rules and precision filters.
21+
4. Isolate memory entries from unverified sources and mark for review.
22+
5. Limit propagation of knowledge across agents unless confirmed.
23+
6. Annotate all generated facts with confidence scores and source lineage.
24+
7. Track hallucination patterns using hallucination fingerprinting or detection.
25+
26+
### Example Attack Scenarios
27+
- **Scenario 1: Memory Echo Loop** – An agent hallucinates a policy exception during summarisation. This is persisted to memory, recalled in future tasks, and eventually presented as a compliance justification to users.
28+
- **Scenario 2: RAG Feedback Loop** – A hallucinated output is published to a shared document. Later, a RAG agent retrieves and reuses this output as context, reinforcing the false information.
29+
- **Scenario 3: Multi-Agent Contagion** – One agent generates a plausible but fake API endpoint. This endpoint is propagated to other agents for integration, causing repeated failed actions or potential security issues.
30+
- **Scenario 4: Delegated Misinformation** – A planning agent generates a hallucinated summary of a document and delegates action to another agent, which follows the false instructions and incorrectly alters critical records.
31+
32+
### Reference Links
33+
1. [Agentic AI - Threats and Mitigations](https://genai.owasp.org/resource/agentic-ai-threats-and-mitigations/)
34+
2. [LLM09:2025 Misinformation](https://genai.owasp.org/llmrisk/llm092025-misinformation/)
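Review bot: "summarisation" at lines 13 and 27 uses British spelling while the sibling entries in this commit use American spelling ("summarizing", "behaviors"); pick one for the set. Mitigation 7 at line 24 names "hallucination fingerprinting" without saying what is fingerprinted; either define it in a clause (for example, recurring unverifiable claims tracked by content hash or source lineage) or fold the item into item 6, which already asks for source lineage on every generated fact.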
Lines changed: 36 additions & 0 deletions
@@ -0,0 +1,36 @@
1+
## Risk/Vuln Name
2+
**Intent Breaking & Goal Manipulation**
3+
4+
**Author(s):**
5+
OWASP Agentic Security Initiative Team
6+
7+
### Description
8+
Agentic AI systems operate based on inferred or explicit goals. Adversaries can manipulate goal inference, alter intermediate representations, or interfere with agent objectives to cause undesired or harmful actions. This includes prompt injection, manipulation of user intent, or interference in planning or delegation logic.
9+
10+
While related to [LLM02:2023 Insecure Plugin Design](https://genai.owasp.org/llmrisk2023-24/llm07-insecure-plugin-design/) and [LLM06:2025 Excessive Agency](https://genai.owasp.org/llmrisk/llm062025-excessive-agency/), agentic AI systems introduce new risks where goals can be hijacked mid-flight, or inferred intent can be weaponized against the user.
11+
12+
### Common Examples of Risk
13+
1. Manipulating prompts to redefine agent goals via indirect instructions.
14+
2. Injecting fake constraints or desired outcomes into memory or shared tools.
15+
3. Altering user intent during multi-step goal refinement or conversation.
16+
4. Hijacking intermediate reasoning steps during agent planning.
17+
18+
### Prevention and Mitigation Strategies
19+
1. Explicitly separate intent parsing from task execution and validate goals.
20+
2. Use planning critics or supervisor agents to audit and approve goals.
21+
3. Enforce multi-turn user confirmation for critical or high-risk goal changes.
22+
4. Annotate original user instructions throughout the execution chain.
23+
5. Monitor goal drift or semantic divergence during reasoning chains.
24+
6. Restrict agent autonomy over certain types of intent (e.g., financial, legal).
25+
7. Use guardrails to block unsafe interpretations of inferred goals.
26+
27+
### Example Attack Scenarios
28+
- **Scenario 1: Prompt Injection Goal Switch** – A malicious prompt embedded in a document causes an AI assistant to alter its objective from summarizing the document to sending it externally.
29+
- **Scenario 2: Planning Path Corruption** – An attacker crafts context that causes the agent to prioritize misleading metrics, shifting its goal from accuracy to speed, reducing quality and safety.
30+
- **Scenario 3: Goal Inference Drift** – Through multi-turn ambiguity, a user is misinterpreted by the agent, which infers a dangerous or privacy-violating action.
31+
- **Scenario 4: Delegated Planning Hijack** – A downstream agent is given an intermediate task from a master planner, but the task description has been altered in transit, leading to off-target actions.
32+
33+
### Reference Links
34+
1. [Agentic AI - Threats and Mitigations](https://genai.owasp.org/resource/agentic-ai-threats-and-mitigations/)
35+
2. [LLM02:2023 Insecure Plugin Design](https://genai.owasp.org/llmrisk2023-24/llm07-insecure-plugin-design/)
36+
3. [LLM06:2025 Excessive Agency](https://genai.owasp.org/llm-top-10/LLM06-excessive-agency)
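Review bot: the identifier "LLM02:2023 Insecure Plugin Design" at lines 10 and 35 does not match its own URL slug (llm07-insecure-plugin-design); Insecure Plugin Design was LLM07 in the 2023 list, so correct the identifier to LLM07:2023. Reference 3 at line 36 also uses the /llm-top-10/LLM06-excessive-agency URL form while line 10 links the same entry as /llmrisk/llm062025-excessive-agency/; use one form.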
