Microsoft Failure Mode Taxonomy as Red Team Framework
B9 gave you the defense checklist. This is the offense playbook. The Microsoft Failure Mode Taxonomy v2.0 — seven new agentic failure modes plus the zero-click HITL bypass finding — is how systems actually fail in production, distilled from twelve months of deployed red teaming. Where OWASP tells you what to defend, this taxonomy tells you how attackers chain.
The Microsoft Taxonomy v2.0 and OWASP ASI are complementary by function, not redundant by content. OWASP (B9) is a defense checklist read as a builder — unit = the risk, one row/control/test. The Microsoft taxonomy (B10) is a red-team framework read as an attacker — unit = the chain, multi-step/compound intent. The same named risk (Goal Hijacking, Supply Chain) appears in both as DIFFERENT artifacts: one is a control, the other is the procedure that finds the gap between the control on paper and the control in production. The synthesis error is concluding 'we covered goal hijacking in B9, so B10 adds nothing.'
The seven new failure modes are not a re-labeling of OWASP rows — three of them (inter-agent trust escalation, computer-use visual attacks, session context contamination) have no clean OWASP row at all. They live BETWEEN the rows: orchestrators treat sub-agent messages as role-scoped authority (no ASI equivalent); vision-modality attacks are invisible to text-based taint gates (no text-only analogue); session context contamination is ephemeral-but-cross-turn, so ASI04's memory-write controls do not catch it. An engagement scoped to B9 alone misses all three.
The zero-click HITL bypass chain is the centerpiece finding: per-step approval is necessary and insufficient. A single external input triggers a multi-step chain where every step passes its approval gate (each is benign in isolation) but the compound exfiltrates data or reaches lateral movement. The malice lives in the compound, invisible to any gate that evaluates steps in isolation. The required control is session-level intent detection — intent tracking, compound-action pattern matching, and approval freshness windows — layered ABOVE per-step approval. This is the direct cross-turn extension of B8's observability layer.
A B10 engagement designs chains, not rows. The methodology: reconnaissance via capability disclosure (Mode 7), surface selection, chain construction (each step must pass its OWASP control INDIVIDUALLY — the chain slips between controls, not through a missing one), compound delivery via a single external input, and gap identification (the deliverable is the specific session-level gap the client patches). B9 produces the scored report; B10 produces the chain and the gap; B12 packages both as one engagement. Neither alone is sufficient.