{"id":60399,"date":"2026-03-30T16:00:00","date_gmt":"2026-03-30T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=146120"},"modified":"2026-03-30T16:00:00","modified_gmt":"2026-03-30T16:00:00","slug":"addressing-the-owasp-top-10-risks-in-agentic-ai-with-microsoft-copilot-studio","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/addressing-the-owasp-top-10-risks-in-agentic-ai-with-microsoft-copilot-studio\/","title":{"rendered":"Addressing the OWASP Top 10 Risks in Agentic AI with Microsoft Copilot Studio"},"content":{"rendered":"
<\/div>\n

Agentic AI is moving fast from pilots to production. That shift changes the security conversation. These systems do not just generate content. They can retrieve sensitive data, invoke tools, and take action using real identities and permissions. When something goes wrong, the failure is not limited to a single response. It can become an automated sequence of access, execution, and downstream impact.<\/p>\n

Security teams are already familiar with application risk, identity risk, and data risk. Agentic systems collapse those domains into one operating model. Autonomy introduces a new problem: a system can be \u201cworking as designed\u201d while still taking steps that a human would be unlikely to approve, because the boundaries were unclear, permissions were too broad, or tool use was not tightly governed.<\/p>\n

The OWASP Top 10 for Agentic Applications (2026)<\/a> outlines the top ten risks associated with autonomous systems that can act across workflows using real identities, data access, and tools.<\/p>\n

This blog is designed to do two things: First, it explores the key findings of the OWASP Top 10 for Agentic Applications. Second, it highlights examples of practical mitigations for risks surfaced in the paper, grounded in Agent 365 and foundational capabilities in Microsoft Copilot Studio<\/a>.<\/p>\n

OWASP helps secure agentic AI around the world<\/h2>\n

OWASP (the Open Worldwide Application Security Project) is an online community led by a nonprofit foundation that publishes free and open security resources, including articles, tools, and documentation used across the application security industry. In the years since the organization\u2019s founding, OWASP Top 10 lists have become a common baseline in security programs.<\/p>\n

In 2023, OWASP identified a security gap that needed urgent attention: traditional application security guidance wasn\u2019t fully addressing the nascent risks stemming from the integration of LLMs and existing applications and workflows. The OWASP Top 10 for Agentic Applications was designed to offer concise, practical, and actionable guidance for builders, defenders, and decision-makers. It is the work of a global community spanning industry, academia, and government, built through an \u201cexpert-led, community-driven approach\u201d that includes open collaboration, peer review, and evidence drawn from research and real-world deployments.<\/p>\n

Microsoft has been a supporter of the project for quite some time, and members of the Microsoft AI Red Team<\/a> helped review the Agentic Top 10 before it was published. Pete Bryan, Principal AI Security Research Lead, on the Microsoft AI Red Team, and Daniel Jones, AI Security Researcher on the Microsoft AI Red Team, also served on the OWASP Agentic Systems and Interfaces Expert Review Board.<\/p>\n

\n

Agentic AI delivers a whole range of novel opportunities and benefits. However, unless it is designed and implemented with security in mind, it can also introduce risk. OWASP Top 10s have been the foundation of security best practice for years. When the Microsoft AI Red Team gained the opportunity to help shape a new OWASP list focused on agentic applications, we were excited to share our experiences and perspectives. Our goal was to help the industry as a whole create safe and secure agentic experiences<\/em>.<\/p>\n

Pete Bryan, Principal AI Security Research Lead<\/cite><\/p><\/blockquote>\n

The 10 failure modes OWASP sees in agentic systems<\/strong><\/h2>\n

Read as a set, the OWASP Top 10 for Agentic Applications makes one point again and again: agentic failures are rarely \u201cbad output.\u201d But they are bad outcomes. Many risks show up when an agent can interpret untrusted content as instruction, chain tools, act with delegated identity, and keep going across sessions and systems. Here is a quick breakdown of the types of risk called out in greater detail in the Top 10:<\/p>\n

    \n
  1. Agent goal hijack (ASI01): <\/strong>Redirecting an agent\u2019s goals or plans through injected instructions or poisoned content.<\/li>\n
  2. Tool misuse and exploitation (ASI02): <\/strong>Misusing legitimate tools through unsafe chaining, ambiguous instructions, or manipulated tool outputs.<\/li>\n
  3. Identity and privilege abuse (ASI03): <\/strong>Exploiting delegated trust, inherited credentials, or role chains to gain unauthorized access or actions.<\/li>\n
  4. Agentic supply chain vulnerabilities (ASI04): <\/strong>Compromised or tampered third-party agents, tools, plugins, registries, or update channels.<\/li>\n
  5. Unexpected code execution (ASI05): <\/strong>Turning agent-generated or agent-invoked code into unintended execution, compromise, or escape.<\/li>\n
  6. Memory and context poisoning (ASI06): <\/strong>Corrupting stored context (memory, embeddings, RAG stores) to bias future reasoning and actions.<\/li>\n
  7. Insecure inter-agent communication (ASI07): <\/strong>Spoofing, intercepting, or manipulating agent-to-agent messages due to weak authentication or integrity checks.<\/li>\n
  8. Cascading failures (ASI08): <\/strong>A single fault propagating across agents, tools, and workflows into system-wide impact.<\/li>\n
  9. Human\u2013agent trust exploitation (ASI09): <\/strong>Abusing user trust and authority bias to get unsafe approvals or extract sensitive information.<\/li>\n
  10. Rogue agents (ASI10): <\/strong>Agents drifting or being compromised in ways that cause harmful behavior beyond intended scope.<\/li>\n<\/ol>\n

    For security teams, knowing that these issues are top of mind across the global community of agentic AI users is only the first half of the equation. What comes next is addressing each of them through properly implemented controls and guardrails.<\/p>\n

    Build observable, governed, and secure agents with Microsoft Copilot Studio<\/strong><\/h2>\n

    In agentic AI, the risk isn\u2019t just what an agent is designed to do, but how it behaves once deployed. That\u2019s why governance and security must span both in development (where intent, permissions, and constraints are defined), and operation (where behavior must be continuously monitored and controlled). For organizations building and deploying agents, Copilot Studio<\/a> provides a secure foundation to create trustworthy agentic AI. From the earliest stages of the agent lifecycle, built in capabilities help ensure agents are safe and secure by design. Once deployed, IT and security teams can observe, govern, and secure agents across their lifecycle.<\/p>\n

    In development, Copilot Studio establishes clear behavioral boundaries. Agents are built using predefined actions, connectors, and capabilities<\/a>, limiting exposure to arbitrary code execution (ASI05)<\/strong>, unsafe tool invocation (ASI02)<\/strong>, or uncontrolled external dependencies (ASI04)<\/strong>. By constraining how agents interact with systems, the platform reduces the risk of unintended behavior, misuse, or redirection through indirect inputs. Copilot Studio also emphasizes containment and recoverability. Agents run in isolated environments<\/a>, cannot modify their own logic without republishing<\/a> (ASI10)<\/strong>, and can be disabled or restricted when necessary<\/a> (ASI07, ASI08)<\/strong>. For example, if a deployed support agent is coaxed (via an indirect input) to \u201cadd a new action that forwards logs to an external endpoint,\u201d it can\u2019t quietly rewrite its own logic or expand its toolset on the fly; changes require republishing, and the agent can be disabled or restricted immediately if concerns arise. These safeguards prevent localized agent failures from propagating across systems and reinforce a key principle: agents should be treated as managed, auditable applications, not unmanaged automation.<\/p>\n

    To support governance and security during operation, <\/strong>Microsoft Agent 365<\/a> will be generally available on May 1. Currently in preview, Agent 365 enables organizations to observe, govern, and secure agents across their lifecycle, providing IT and security teams with centralized visibility, policy enforcement, and protection capabilities for agentic AI.<\/p>\n

    Once agents are deployed, Security and IT teams can use Agent 365 to gain visibility into agent usage, manage how agents are used, and enforce organizational guardrails across their environment. This includes insights into agent usage, performance, risks, and connections to enterprise data and tools. Teams can also implement policies and controls to help ensure safe and compliant operations. For example, if an agent accesses a sensitive document, IT and security teams can detect the activity in Agent 365, investigate the associated risk, and quickly restrict access or disable the agent before any impact occurs. Key capabilities include:<\/p>\n