OWASP Agentic Top 10 as Engineering Checklist
The OWASP Agentic AI Top 10 (2026) becomes a concrete engineering checklist, not a reading list. Each ASI risk (ASI01–ASI10) maps to its defense module (B2–B8), an attack procedure, a defense architecture, and a defined test. Eight rows report PASS/FAIL (deterministic controls); two report MEASURED (probabilistic). The checklist never produces a 'secure' verdict — it produces a scored report with characterized residuals, the same artifact a B12 engagement delivers as scope-complete output.
The OWASP Agentic AI Top 10 is an engineering checklist, not a reading list. Each ASI risk gets four things: a risk definition, an attack procedure, a defense architecture, and a defined test. The test is concrete and runnable — capability enumeration for ASI03, canary extraction for ASI02, path-traversal-with-normalization for ASI05, signed-vs-unsigned registration for ASI08. The checklist verifies defenses are present and working; it does not summarize them.
Every ASI risk maps to a module in B2–B8 where the defense is already built — B9 introduces no new defense. The five attack-surface boundaries each route to a defense module with no orphans: input (ASI01/02→B2), permission (ASI03/10→B5), state (ASI04/06→B3+B8), tool (ASI05/08→B4), output/resource (ASI07/09→B7). B9's job is to run the test for each risk against a configured agent and prove the defense is present. A failed row routes its remediation to the module that builds the control — B9 does not build.
Eight rows report PASS/FAIL (deterministic controls); two report MEASURED (probabilistic). The split follows B2.3's resolution applied across all ten risks: determinism on the structural boundary (capability enumeration, path normalization, principal binding, canary substring match, circuit-breaker trip — all enumerable, no bypass rate), measurement on the semantic boundary (ASI01's injection detector + model compliance have a bypass rate; ASI06's hallucination-detection has a miss rate). The Result-type column is fixed by the KIND of control, not the outcome — a client who demands '10/10 PASS' is asking the engineer to lie about the probabilistic layers.
The checklist never produces a 'secure' verdict — it produces a scored report with characterized residuals, and that report is the B12 engagement's scope-complete deliverable. The honest result is '8 PASS + 2 MEASURED at X% and Y%, characterized as the encoded-and-laundered class and the unverified-claim-propagation class.' The measured residuals are recurring value: each assessment re-runs the ten tests and tracks the residual trend over releases. Scope-completeness is enforced structurally — all 10 rows appear; absent surfaces are N/A with justification, never silently skipped.