Module B9 — OWASP Agentic Top 10 as Engineering Checklist

OWASP Agentic Top 10 as Engineering Checklist

The OWASP Agentic AI Top 10 (2026) becomes a concrete engineering checklist, not a reading list. Each ASI risk (ASI01–ASI10) maps to its defense module (B2–B8), an attack procedure, a defense architecture, and a defined test. Eight rows report PASS/FAIL (deterministic controls); two report MEASURED (probabilistic). The checklist never produces a 'secure' verdict — it produces a scored report with characterized residuals, the same artifact a B12 engagement delivers as scope-complete output.

90
minutes
8
artifacts
4
sub-sections
This module synthesizes B2–B8. Every ASI risk maps to a module where the defense is ALREADY BUILT in depth — B9 does not introduce a new defense; it proves the existing defenses are present, working, and measured by running the test for each. The canonical numbering (verified against the OWASP primary source at genai.owasp.org) is ASI01 Goal Hijacking through ASI10 Broken Access Control. The five attack-surface boundaries — input (ASI01/02→B2), permission (ASI03/10→B5), state (ASI04/06→B3+B8), tool (ASI05/08→B4), output/resource (ASI07/09→B7) — each map to a defense module with no orphans. The signature structural decision: eight rows are PASS/FAIL because their controls are structural and enumerable (the capability is minimal or it is not; the path is normalized or it is not; the principal is bound or it is not); two rows are MEASURED because their controls are semantic and open (ASI01's detector + model compliance have a bypass rate; ASI06's hallucination-detection has a miss rate). The Result-type column enforces the honesty B2.3 resolved: determinism where structural, measurement where semantic. 'B9 tests; B2–B8 build' is the load-bearing separation — an assessment that adds controls during the test conflates remediation with assessment and produces a report that reflects the fixes rather than the system's actual state.
Key Claims
Load-Bearing Claims

The OWASP Agentic AI Top 10 is an engineering checklist, not a reading list. Each ASI risk gets four things: a risk definition, an attack procedure, a defense architecture, and a defined test. The test is concrete and runnable — capability enumeration for ASI03, canary extraction for ASI02, path-traversal-with-normalization for ASI05, signed-vs-unsigned registration for ASI08. The checklist verifies defenses are present and working; it does not summarize them.

Every ASI risk maps to a module in B2–B8 where the defense is already built — B9 introduces no new defense. The five attack-surface boundaries each route to a defense module with no orphans: input (ASI01/02→B2), permission (ASI03/10→B5), state (ASI04/06→B3+B8), tool (ASI05/08→B4), output/resource (ASI07/09→B7). B9's job is to run the test for each risk against a configured agent and prove the defense is present. A failed row routes its remediation to the module that builds the control — B9 does not build.

Eight rows report PASS/FAIL (deterministic controls); two report MEASURED (probabilistic). The split follows B2.3's resolution applied across all ten risks: determinism on the structural boundary (capability enumeration, path normalization, principal binding, canary substring match, circuit-breaker trip — all enumerable, no bypass rate), measurement on the semantic boundary (ASI01's injection detector + model compliance have a bypass rate; ASI06's hallucination-detection has a miss rate). The Result-type column is fixed by the KIND of control, not the outcome — a client who demands '10/10 PASS' is asking the engineer to lie about the probabilistic layers.

The checklist never produces a 'secure' verdict — it produces a scored report with characterized residuals, and that report is the B12 engagement's scope-complete deliverable. The honest result is '8 PASS + 2 MEASURED at X% and Y%, characterized as the encoded-and-laundered class and the unverified-claim-propagation class.' The measured residuals are recurring value: each assessment re-runs the ten tests and tracks the residual trend over releases. Scope-completeness is enforced structurally — all 10 rows appear; absent surfaces are N/A with justification, never silently skipped.

After This Module
01
State the canonical OWASP Agentic AI Top 10 (2026) numbering — ASI01 Goal Hijacking through ASI10 Broken Access Control — verified against the OWASP primary source, and explain why two numbering schemes circulated and how to reconcile them.
02
Map each ASI risk to its defense module (B2–B8) and the five attack-surface boundaries — input, permission, state, tool, output/resource — with no orphaned risk, and explain why B9 is a synthesis module rather than a new surface.
03
For each of the ten ASI risks, give the four-part treatment: the risk defined, the attack procedure, the defense architecture (with the Course 1 layer that defends it), and a defined test that verifies the defense is present and working.
04
Classify each ASI row's result type as PASS/FAIL (deterministic, structural control) or MEASURED (probabilistic, semantic control) and justify the classification by naming the Course 1 layer and whether it is enumerable (no bypass rate) or open (has a miss rate) — yielding the 8/2 split.
05
Explain why ASI01 is MEASURED despite its load-bearing deterministic taint gate (the full defense is a conjunction of L1–L5, and the probabilistic layers — tagging, isolation, detector — give the conjunction a bypass rate), and why ASI06 is MEASURED (verification catches unverified claims but hallucination-detection has a miss rate).
06
Apply the checklist as the B12 assessment engagement's scope-complete output — all 10 rows reported, absent surfaces as N/A with justification, measured residuals characterized and tracked over releases — and refuse the '10/10 PASS' demand by invoking the Result-type column's structural honesty.
07
Distinguish B9's role ('tests; does not build') from B2–B8's role ('build the defense') and explain why an assessment that adds controls during the test conflates remediation with assessment and produces a report that reflects the fixes rather than the system's actual state.
Artifacts
01
Teaching Document
~7,976 words; 4 sub-sections — the checklist as thesis and attack-surface map (5 boundaries, risk-to-module mapping, no orphans), the ten risks each with full attack+defense+module+test treatment (ASI01–ASI10, the module's signature contribution), the unified checklist (8 PASS/FAIL + 2 MEASURED, the deterministic/probabilistic split from B2.3 applied to all 10), the checklist as B12 assessment scope (scored report, measured residuals as recurring value, scope-completeness, entanglement caveat); with 6 anti-patterns, 12 key terms, lab pointer, 14 references
READ
02
Diagrams
6 Mermaid diagrams — the ten risks as attack-surface map (5 boundary clusters), the risk-to-defense-module mapping (10 risks → 6 modules, no orphans), the per-risk treatment format flow (risk→attack→defense→module→test→checklist row), the 9-layer defense stack specialized to ASI risks, the unified checklist result types (8 deterministic vs 2 probabilistic), the checklist as assessment scope (B9→B12 engagement pipeline with recurring residual trend)
READ
03
Slide Deck
18 slides — reveal.js, dark theme, design-system teal; covers the thesis, the attack-surface map, the risk-to-module mapping, the ten risks grouped (ASI01-02, ASI03-04+10, ASI05-06+08, ASI07+09), the unified checklist table, the 8/2 split, the B12 engagement scope, the recurring value, anti-patterns, the lab, the load-bearing principle
READ
04
Teaching Script
~55 min spoken (~3,200 words at 140 wpm); verbatim transcript with [SLIDE N] cues for all 18 slides; matches B2's 90-min depth module format (90-min module includes lab and discussion)
READ
05
Flashcards
29 flashcards (TSV) — 16 recall + 13 analysis; covers the thesis, canonical numbering, 5 boundaries, synthesis, 4-part format, all 10 individual ASI risks (attack+defense+module+test+result type), the 8/2 split, no-secure-verdict, B2.3 relationship, why ASI01 is measured, ASI03 vs ASI10, ASI05 vs ASI08, scope-completeness, B12 engagement scope, recurring value
TEST
06
Exam
15 questions, 20/40/40 Bloom (3 recall / 6 application / 6 analysis); covers the canonical numbering, the synthesis thesis, the 8/2 split, ASI01 measured-residual reasoning, ASI03 enumeration vs payload, ASI02 canary PASS/FAIL, ASI04 taint-laundering, ASI05 path normalization, ASI08 three controls, the '10/10 PASS' refusal, entanglement, ASI03 vs ASI10 distinction, the N/A-with-justification scope-completeness rule, the tests-vs-builds separation
TEST
07
Lab Spec
Run the OWASP Checklist Against a Sample Harness — (a) stub agent with configurable defenses (20 toggles), (b) ten ASI test procedures (one per risk, each returning a CheckResult with the correct result_type), (c) a scored report renderer (JSON, one row per risk, 8 PASS/FAIL + 2 MEASURED), (d) run against naive + hardened configs and compare. Python, type hints, no GPU, two detector stubs (injection + hallucination) so it runs offline. Includes the compound-scenario stretch (entanglement) and the N/A-with-justification stretch (scope-completeness). ~90-120 min.
DO
08
Module Web Page
Single-file HTML hub
HERE