Signal Coding Team
Published May 2026
OWASP – the Open Worldwide Application Security Project, the organisation behind the widely-used Web Application Security Top 10 – published the Agentic AI Security Top 10 (ASI01–ASI10) in 2025. It defines the ten most critical security risks for AI agents: software systems that use AI models to take autonomous actions, interact with external tools via the Model Context Protocol (MCP), and execute multi-step tasks with real-world consequences. This article explains what each risk means in practice for UK Government, Defence, and National Security organisations, and what to do about it.
What Is an AI Agent?
An AI agent is an AI system that does more than answer questions. It takes actions: reading files, calling APIs, writing code, executing commands, browsing the web, sending messages. It can chain multiple actions together to complete a task autonomously, using tools provided by MCP servers and guided by Agent Skills (SKILL.md files). The same properties that make agents powerful – autonomy, tool access, persistence – make their security properties fundamentally different from chatbots or recommendation systems. A compromised AI agent does not just give bad advice; it takes harmful actions.
ASI01 – Prompt Injection
What it is: An attacker embeds instructions in data that the AI agent processes as trusted content, overriding the agent's intended behaviour. These instructions can appear in web pages the agent reads, documents it processes, tool responses it receives, or Agent Skills it loads.
Why it matters for Government and Defence: An AI procurement assistant that reads supplier documents could have its behaviour manipulated by a document containing hidden instructions. An AI coding assistant that loads a community skill could be instructed to exfiltrate repository contents to an external server. The AI is not "hacked" – it is following instructions from content it was told to trust.
What to do: Scan Agent Skills with Signal Sentinel Scanner (SS-011, SS-018). Treat all external data as untrusted. Implement human review gates for high-stakes agent actions. Never allow agents to follow instructions from document content that override their system prompt.
ASI02 – Excessive Agency
What it is: The AI agent has been granted more permissions, capabilities, or autonomy than needed for its intended task. When the agent is manipulated or makes an error, the blast radius is proportional to the privileges it holds.
Why it matters: An AI coding assistant with file system write access across an entire repository can do far more damage than one restricted to a specific working directory. An AI agent with administrative API access can take actions an attacker exploiting it would never be able to take directly.
What to do: Apply least-privilege principles to AI agents. Scan MCP server configurations with Signal Sentinel Scanner (SS-002, SS-017) to identify overbroad permission grants. Review tool capability declarations against actual use cases.
ASI03 – Insecure Credential Handling
What it is: API keys, tokens, and credentials used by AI agents or stored in Agent Skills are exposed, hardcoded, or insufficiently protected. An attacker gaining access to these credentials can use them independently of the AI agent.
Why it matters for Defence: AI agents in Defence environments may hold credentials to classified systems, internal APIs, or sensitive databases. Credential exposure through an Agent Skill or MCP server configuration file could provide direct access to these systems without requiring compromise of the AI model itself.
What to do: Scan Agent Skills for credential patterns (SS-013) and MCP configurations for credential hygiene issues (SS-019, SS-020). Never store credentials in Agent Skill files. Use environment variables or secure credential managers. Rotate credentials if they appear in any scanned skill or config file.
ASI04 – Supply Chain Vulnerabilities
What it is: AI agents consume MCP servers, Agent Skills, and their dependencies from external sources. Malicious or compromised packages in these supply chains can introduce vulnerabilities, backdoors, or malicious payloads.
Why it matters: The MCP and Agent Skill ecosystems are nascent. Community registries are growing rapidly without the maturity of established package managers. Typosquatting, namespace squatting, and post-installation updates introducing malicious code (rug pulls) are documented risks. Signal Sentinel Scanner's SS-022 detects schema mutations between scans that may indicate a rug pull.
What to do: Scan all MCP server packages (SS-004, SS-021) and Agent Skills (SS-024) for supply chain indicators. Maintain baselines and compare scans over time. Use sentinel-scan --baseline to detect schema mutations between versions. Treat community MCP servers and skills as untrusted third-party code requiring security review before installation.
ASI05 – Insecure Code Execution
What it is: AI agents or Agent Skills trigger code execution – shell commands, script runners, code interpreters – in ways that can be exploited to run arbitrary code on the host system.
Why it matters: Many Agent Skills bundle executable scripts (.py, .sh, .ps1, .js, .ts) that run as part of the skill's operation. A malicious bundled script has access to the same system resources as the AI agent process. Signal Sentinel Scanner's SS-016 detects script payload patterns in skills.
What to do: Scan Agent Skills for bundled scripts (SS-016) and MCP servers for code execution capabilities (SS-005). Restrict agent execution environments using containers or sandboxes. Apply principle of least privilege to any process run by an AI agent.
ASI06 – Memory and State Manipulation
What it is: AI agents with persistent memory or context storage can be manipulated through that memory. An attacker who can write to an agent's memory can influence its future behaviour across sessions, even after the original attack vector has been closed.
Why it matters for Government: An AI agent used in a government workflow that maintains memory of past interactions could be compromised once and continue to behave maliciously across future sessions. Memory manipulation is particularly insidious because the agent may appear to function normally while executing attacker-directed behaviour.
What to do: Scan MCP configurations for memory and context write access (SS-006). Treat agent memory stores as sensitive data requiring access controls and audit logging. Implement session boundaries that clear agent context appropriately.
ASI07 – Multi-Agent Trust Failures
What it is: In multi-agent architectures, agents communicate with each other and delegate tasks. If one agent is compromised, it can manipulate other agents it communicates with. Trust relationships between agents are often implicit and unverified.
Why it matters: Defence AI deployments are increasingly using multi-agent architectures for complex workflows. If a subordinate agent is compromised through prompt injection or tool poisoning, it can communicate malicious instructions to orchestrating agents that trust its outputs.
What to do: Scan MCP configurations for inter-agent communication capabilities (SS-007). Apply zero-trust principles to agent-to-agent communication. Verify agent identity before accepting task delegations. Log all inter-agent communications for audit.
ASI08 – Insecure Output Handling
What it is: AI agent outputs are consumed by downstream systems without adequate validation. This includes code injection, command injection, and data injection through agent-generated content that is executed or stored without sanitisation.
Why it matters: An AI coding agent that generates database queries could produce SQL injection payloads if its output is used directly. An AI agent that generates content displayed to users could produce cross-site scripting payloads. The AI model is not "hacked" – the downstream system is simply not treating AI output as untrusted data.
What to do: Treat all AI agent output as untrusted input to downstream systems. Apply standard injection prevention controls (parameterised queries, output encoding) to all AI-generated content that interacts with systems or users. Validate AI output against expected schemas before use.
ASI09 – Sensitive Information Disclosure
What it is: AI agents access, process, or transmit sensitive data through channels that are insufficiently protected or monitored. This includes data exfiltration through agent tool calls, logging of sensitive data processed by agents, and inadvertent inclusion of sensitive information in agent outputs.
Why it matters for Defence and Government: AI agents processing OFFICIAL-SENSITIVE or SECRET data may inadvertently include that data in requests to external MCP servers, log files, or outputs visible to unauthorised parties. Data classification controls applied to human workflows must be extended to cover AI agent workflows handling the same data.
What to do: Scan Agent Skills for data exfiltration patterns (SS-014). Classify AI agent workflows under the same data handling controls as equivalent human workflows. Log all AI agent data access for audit. Apply MCP server geographic restrictions for data subject to UK data residency requirements.
ASI10 – Inadequate Logging and Monitoring
What it is: AI agent actions are not adequately logged, making it impossible to detect attacks, investigate incidents, or audit agent behaviour for compliance purposes. Many AI agent deployments have no structured logging of tool calls, data access, or decision rationale.
Why it matters: For Government and Defence, audit trails are not optional. JSP 440, the Technology Code of Practice, and the Algorithmic Transparency Recording Standard all require evidence of how AI systems make decisions and what actions they take. An AI agent with inadequate logging cannot satisfy these requirements, and cannot support incident investigation when things go wrong.
What to do: Implement structured logging of all MCP tool calls, inputs, and outputs. Log agent decision points with rationale where the model provides it. Integrate agent logs with existing SIEM infrastructure. Define retention periods appropriate to the classification of data processed. Signal Sentinel Scanner's SS-INFO-001 detects non-MCP endpoints where logging coverage may be incomplete.
The Complementary Frameworks: AST and MCP Top 10
The OWASP Agentic AI Top 10 (ASI01–ASI10) focuses on AI agent behaviour. Two complementary frameworks address the ecosystem around it:
OWASP Agentic Skills Top 10 (AST01–AST10) addresses the specific risks of Agent Skills (SKILL.md files) – the reusable instruction packages that guide agent behaviour. It covers skill prompt injection, scope violation, credential handling in skills, data exfiltration through skill instructions, and skill supply chain integrity.
OWASP MCP Top 10 (MCP01–MCP10) addresses the specific risks of MCP server implementations – the tool servers that AI agents connect to. It covers tool poisoning, overbroad tool permissions, authentication failures, supply chain attacks through MCP packages, and cross-server attack paths.
Signal Sentinel Scanner v2.3.0 maps all 25 detection rules across all three frameworks, providing a single scan that produces findings with ASI, AST, and MCP references simultaneously. This triple mapping allows security and compliance teams to report against whichever framework their organisation requires.
How Signal Sentinel Scanner Addresses the Top 10
| OWASP Risk | Signal Sentinel Rules |
|---|---|
| ASI01 Prompt Injection | SS-001, SS-009, SS-011, SS-018, SS-022, SS-023 |
| ASI02 Excessive Agency | SS-002, SS-010, SS-017 |
| ASI03 Credential Handling | SS-003, SS-013, SS-019, SS-020 |
| ASI04 Supply Chain | SS-004, SS-021, SS-024 |
| ASI05 Code Execution | SS-005, SS-016 |
| ASI06 Memory Manipulation | SS-006, SS-025 |
| ASI07 Multi-Agent Trust | SS-007 |
| ASI08 Output Handling | SS-009, SS-015 |
| ASI09 Data Disclosure | SS-008, SS-014 |
| ASI10 Logging & Monitoring | SS-INFO-001 |
A Practical Compliance Starting Point
For UK Government and Defence organisations seeking to address OWASP Agentic AI Top 10 compliance, the practical starting point is three steps:
Step 1 – Inventory. Run sentinel-scan --discover --skills to enumerate all MCP server configurations and Agent Skills across your AI tool estate. Most organisations discover MCP servers and skills they did not know were installed.
Step 2 – Baseline. Run sentinel-scan --discover --skills --update-baseline to establish a baseline. Future scans can compare against this baseline to detect changes (rug-pull detection via SS-022). Export results as SARIF for integration with GitHub Code Scanning or Azure DevOps Advanced Security.
Step 3 – Remediate and monitor. Address findings in priority order (Critical → High → Medium → Low). For findings you accept with documented justification, use --suppressions to record the acceptance decision. The counter-factual grade feature shows what your grade would be without suppressions, ensuring accepted risks remain visible to leadership.
Signal Sentinel Scanner is free, open-source (Apache 2.0), and runs offline (--offline flag) for air-gapped environments. It is a deterministic first-pass tool – a starting point, not a complete security programme. Pair it with runtime monitoring (Signal Sentinel Gateway, in development), penetration testing, and NCSC guidance on AI security for a complete defence-in-depth approach.
Signal Sentinel Scanner is available now: dotnet tool install -g SignalSentinel.Scanner or docker pull ghcr.io/signalcoding/signal-sentinel-scanner:2.3.0. Full documentation at signalcoding.co.uk/products/sentinel-scanner. For Defence and Government enquiries about AI security assessments aligned to OWASP Agentic AI Top 10, contact our security-cleared team.
Related Reading
What is MCP Security? A Guide for Government and Defence Organisations
The Model Context Protocol is the new standard for connecting AI agents to external tools. Here is why its security matters for UK Government and Defence, and what to do about it.
The Black Box Problem: Why Government AI Needs Human Oversight
When AI systems make decisions nobody can explain, who is accountable? Examining the accountability gap in government AI deployment.
Secure by Design and AI: Building Assured Software at Pace
How AI-assisted development integrates with JSP 440 and Secure by Design. Embedding security controls throughout the development lifecycle.
Discuss your project
Contact us to explore how AI-accelerated development can support your organisation.
Get in Touch