Products
Traefik ProxyTraefik Hub API GatewayTraefik Hub API ManagementAI GatewayAPI Mocking
Solutions
Kubernetes Gateway APIKnative Serving

New!

AI Gateway

New!

MCP Gateway

New!

Modern API GatewayAPI Mocking

New!

GitOps-Driven API ManagementAir-Gapped API Management

New!

Web Application FirewallRuntime API GovernanceKubernetes IngressDocker Swarm IngressOSS SupportReplace Ingress-NGINX

New!

Traefik & HashiCorpTraefik & MicrosoftTraefik & Nutanix

New!

Traefik & Oracle OCI
Learn
BlogResource LibrarySuccess StoriesGlossaryEventsDocsPlugin CatalogForumCommunity
Compare
vs Apigeevs AWS API Gatewayvs Azure APIMvs Graviteevs Kong Konnectvs TykSee more comparisons
Pricing
Docs
Blog
March 25, 2026

OWASP Agentic Top 10: Where Should These Controls Be Enforced?

Zaid AlbirawiImmánuel Fodor
Zaid Albirawi, Immánuel Fodor
API Gateway
AI Gateway
MCP Gateway
protecting against the owasp ai top 10

The OWASP Top 10 for Agentic Applications, published in December 2025, defines the ten most critical security risks for autonomous AI agents. It is quickly becoming the standard framework enterprise security teams use to evaluate agent governance solutions, and multiple vendors are publishing their coverage maps.

This is useful. The agentic AI space needed a shared vocabulary for risk, and OWASP provided one.

But the framework raises an architectural question that most coverage announcements skip over: where should these controls actually be enforced?

Key Takeaways

  • 8 of 10 OWASP Agentic risks describe scenarios where the agent itself is the compromised component. Governance running inside that same process is operating in a compromised environment.
  • Infrastructure-layer enforcement (at the gateway) works even when the application layer is compromised, because it sits outside the blast radius.
  • Traefik Hub's Triple Gate covers 6 of 10 risks with strong gateway-layer enforcement, 2 with moderate coverage, and 2 with partial coverage. We'd rather publish an honest map than claim 10/10 coverage that doesn't survive architectural scrutiny.

The Enforcement Boundary Problem

Eight of the ten OWASP Agentic risks describe scenarios where the agent itself is the compromised or malfunctioning component. The agent's goals get hijacked (ASI-01). The agent misuses its tools (ASI-02). The agent escalates its own privileges (ASI-03). The agent's memory gets poisoned (ASI-06). The agent goes rogue (ASI-10).

This creates a problem for governance solutions that run inside the agent process. If the agent is hijacked, the governance middleware running in that same process is operating in a compromised environment. If the agent is rogue, application-layer kill switches depend on the rogue process honoring them. A policy engine that runs as an SDK import in the agent's code can be bypassed by the same exploit that compromised the agent.

The pattern is familiar. It's the same reason network firewalls exist alongside host-based security. It's also the same reason API gateways enforce authentication rather than trusting every microservice to check its own tokens. Enforcement at the infrastructure layer works even when the application layer is compromised, because it sits outside the blast radius.

Traefik Hub's Triple Gate Architecture (API Gateway, AI Gateway, MCP Gateway with TBAC) operates at the gateway layer. Every agent request, model interaction, and tool invocation passes through these gates regardless of the agent framework, language, or deployment model. The agent cannot modify, disable, or bypass gateway enforcement because the gateway runs in a separate process, in a separate trust boundary, with separate credentials.

This post maps Traefik Hub's capabilities against each of the ten OWASP Agentic risks, with an honest assessment of where gateway-layer enforcement is strong, where it contributes but doesn't fully own the risk, and where other layers need to fill the gap.

7cs-ai-governance-ebook-promo-square

ASI-01: Agent Goal Hijack

Risk: Adversary manipulates agent objectives through prompt injection, context manipulation, or goal drift.

This is where the composable safety pipeline earns its keep. The AI Gateway inspects every prompt on the wire, both inbound (user requests) and outbound (model responses), through four guard tiers running in parallel.

Tier 1 (Regex Guard) catches known prompt injection signatures deterministically:

request:
  - jsonQueries:
      - ".messages[].content"
      - ".prompt"
    block: true
    reason: "prompt_injection_detected"
    entities:
      - "(?i)ignore.*(previous|above|prior).*(instructions|prompt)"
      - "(?i)you are now.*(new|different|unrestricted)"
      - "(?i)disregard.*(all|any).*(rules|guidelines|policies)"

Sub-millisecond, zero external dependencies, deterministic. This catches the common patterns.

Tier 3 (NVIDIA Safety NIMs) catches the uncommon ones. Jailbreak Detection NIM identifies prompt manipulation attempts that don't use obvious keywords. Topic Control NIM enforces conversation boundaries based on guideline prompts. These run on GPU and take 30-200ms per NIM, but with parallel execution, the total time equals the slowest guard, not the sum. For the full four-tier pipeline architecture, see From Regex to GPU: Building a Multi-Vendor AI Safety Pipeline.

Why gateway-layer matters here: A compromised agent cannot disable the gateway's prompt inspection. Application-layer policy checks run inside the same process the attacker is trying to hijack. The gateway inspects the actual payload on the wire, not a representation the agent chooses to expose.

Gap: No behavioral drift detection over time (detecting gradual goal shift across a multi-turn conversation). Each request is inspected independently.

ASI-02: Tool Misuse & Exploitation

Risk: Agent invokes tools beyond intended scope, with unauthorized parameters, or for unintended purposes.

This is where TBAC (Tools/Tasks/Transactions-Based Access Control) operates. The MCP Gateway enforces tool authorization before the request reaches the tool server.

TBAC provides three dimensions of control:

  1. Tools: Which specific MCP tools each agent can invoke based on their identity.
  2. Tasks: Which workflows or sequence of tool calls are allowed.
  3. Transactions: Parameter-level constraints and validation per tool call.

Rate limiting per tool prevents abuse through rapid repeated invocations. Human-in-the-loop approval flows gate high-risk tool calls on explicit human confirmation before execution. Every tool invocation is logged with full identity, parameters, outcome, and timestamp.

Why gateway-layer matters here: TBAC enforces tool authorization at the infrastructure layer, not inside the agent's application code. A capability model defined in application code can be bypassed if the agent is compromised or if a developer misconfigures the SDK. TBAC cannot be bypassed because the MCP Gateway terminates the connection before the tool server receives it. The agent never talks directly to the tool; it talks to the gateway, which decides whether to forward the request.

This is the control we think matters most in the agentic era, and it only works at the infrastructure layer.

ASI-03: Identity & Privilege Abuse

Risk: Agents operate with excessive permissions, impersonate users, or escalate privileges.

JWT identity propagation flows through all three gates. The same identity context that governs API authentication (Gate 1) also governs token budgets (Gate 2) and tool permissions (Gate 3). There are no identity gaps between layers.

Identity can be managed per-user, per-team, and per-API-key enforcement via JWT claims. For fine-grained per-user rate/token/tool limiting, a JWT middleware extracts claims into headers via forwardHeaders, and Traefik middlewares will enforce limiting based on those headers.

TBAC restricts each agent identity to only the tools required for its task. No ambient authority. An agent authorized for read_database cannot invoke write_database even if the MCP server exposes both tools.

Why gateway-layer matters here: Identity verification at the gateway happens before the agent processes the request. Application-layer identity checks depend on the agent framework correctly extracting and honoring identity, which means the agent must be trusted to enforce its own permissions. The gateway enforces identity regardless of whether the agent is trustworthy.

ASI-04: Supply Chain Vulnerabilities

Risk: Compromised agent components, untrusted plugins, tampered models or tool definitions.

Honest assessment: partial coverage.

What the gateway provides today:

  • Air-gapped deployment. The full Traefik Hub stack runs without external dependencies, eliminating runtime supply chain exposure.
  • FIPS 140-2 validated, FIPS 140-3 ready. Cryptographic supply chain validated via native Go BoringCrypto module. No external crypto libraries.
  • Multi-vendor safety pipeline. Each guard tier comes from an independent vendor (custom regex, Microsoft Presidio, NVIDIA, IBM). Compromising one vendor's component doesn't compromise the pipeline.

What the gateway does not provide today: MCP server integrity verification (hash validation of tool definitions), plugin signing, or tamper detection at the gateway layer.

Architectural note: Supply chain integrity for agent internals (application modules, model weights) is inherently a build-pipeline concern, not a gateway concern. The gateway can verify what passes through it, but it cannot verify the internal integrity of components it doesn't serve. MCP server manifest verification (SHA-256 hashing of tool definitions at the gateway) is on our roadmap for Q2 2026. Build-pipeline integrity (Sigstore, SBOM generation, container image scanning) is complementary and should be addressed at the CI/CD layer.

ASI-05: Unexpected Code Execution

Risk: Agents generate and execute code without proper sandboxing or validation.

Assessment: partial coverage.

The gateway provides prevention, not containment. TBAC can prevent an agent from accessing code execution tools entirely. If an agent identity isn't authorized to invoke a run_code tool, the MCP Gateway blocks the request before it reaches the tool server. Parameter validation can constrain what the agent passes to tools that do execute code.

The gateway cannot sandbox execution that happens inside a tool's runtime. If an agent has authorized access to a code execution tool, the gateway doesn't inspect or contain what happens inside that tool after the request is forwarded.

Prevention is the stronger control for most deployments: a tool that cannot be invoked cannot produce unexpected execution. But containment matters too, and it's better addressed by container security contexts, language-level sandboxes (like LangChain's sandboxed code execution), or Kubernetes security policies.

ASI-06: Memory & Context Poisoning

Risk: Adversary corrupts agent memory, conversation history, or RAG context to influence behavior.

Tier 4 (IBM Granite Guardian) provides two capabilities that no other guard tier offers: hallucination detection and RAG quality assessment. The hallucination detection configuration inspects responses using the request history as context:

response:
  systemPrompt: "hallucination"
  useRequestHistory: true
  blockConditions:
    - reason: hallucination_detected
      condition: Contains("yes")

When useRequestHistory is set, the guard evaluates whether the model's response is grounded in the context that was provided. If the model generates claims not supported by the retrieved documents, the guard blocks the response before it enters the agent's memory.

Regex Guard (Tier 1: deterministic pattern matching against known injection signatures) catches known poisoning patterns in both requests and responses. NVIDIA NIMs (Tier 3: GPU-based semantic analysis) catch semantically poisoned content that doesn't match pattern rules. For a full walkthrough of all four tiers and how they compose, see From Regex to GPU: Building a Multi-Vendor AI Safety Pipeline.

Why gateway-layer matters here: The gateway inspects the model's actual response before the agent processes it. Application-layer memory integrity checks run after the potentially poisoned content has already entered the agent's context window. The gateway catches poisoning at the wire, not after ingestion.

ASI-07: Insecure Inter-Agent Communication

Risk: Agent-to-agent messages lack authentication, encryption, or trust verification.

The MCP Gateway is the communication channel. Every agent-to-tool call passes through it. The gateway terminates the inbound connection, verifies the agent's identity via JWT, applies TBAC policies, and opens a new authenticated connection to the tool server. TLS secures both legs.

You cannot have insecure inter-agent communication when every message passes through an authenticated, encrypted, audited gateway. Application-layer encrypted channels between agents require each agent to correctly implement and maintain encryption, which is a much larger attack surface.

The complete audit trail captures every inter-agent interaction with full identity, tool, parameter, and outcome detail. Traefik also supports request mirroring, which forwards live traffic to an external tool or analysis service in parallel with the primary flow. This enables real-time threat detection and behavioral monitoring alongside the forensic record. Together, these address both prevention (authentication, encryption) and detection (live analysis and forensic audit).

ASI-08: Cascading Failures

Risk: One agent's failure propagates through multi-agent systems causing systemic breakdown.

The gateway is the natural circuit breaker between systems. Three capabilities address this:

Failover Router builds circuit breaker chains across LLM providers; When a primary backend responds with a configured error (429, 500-504), the request replays to a fallback with independent model selection, API keys, and metrics. All safety policies continue to apply on every fallback. Governance doesn't degrade when the model does.

Graceful error handling via onDenyResponse returns structured HTTP 200 refusals instead of HTTP 403 errors. Agents parse refusals as valid conversation turns and continue operating. Without this, a single guardrail block crashes an entire multi-step workflow.

Token rate limiting with proactive estimation blocks over-budget requests before they reach the LLM. This prevents resource exhaustion cascades where one agent's runaway consumption starves others of capacity.

Why gateway-layer matters here: Application-layer circuit breakers fail when the application itself is failing. An agent that is crashing cannot reliably execute its own failure handling logic. The gateway operates outside the failing system.

ASI-09: Human-Agent Trust Exploitation

Risk: Agent manipulates human operators through social engineering or trust exploitation.

Content safety filtering through NVIDIA NIMs (22+ safety categories) filters manipulative, deceptive, or harmful content in model responses before they reach users. IBM Granite Guardian catches factually incorrect claims (hallucinations) the agent might use to mislead operators. Human-in-the-loop approval flows via TBAC require explicit human confirmation for sensitive operations.

Assessment: moderate coverage. The gateway filters manipulative content and gates sensitive actions, but it cannot fully prevent subtle social engineering within otherwise legitimate conversation. This risk also requires organizational controls (training, escalation procedures) and application-layer UX design (clear agent identity disclosure, confidence indicators).

ASI-10: Rogue Agents

Risk: Agents behave in unintended, uncontrollable, or malicious ways outside governance.

Token rate limiting and quota enforcement set hard ceilings on agent resource consumption. Proactive estimation blocks over-budget requests before GPU cost is incurred. TBAC restricts the blast radius to authorized tools only, so even a rogue agent can only reach the tools it was explicitly granted access to. Per-agent rate limiting prevents runaway request loops.

Assessment: moderate coverage. The gateway provides containment ceilings but not real-time behavioral detection. There is no behavioral anomaly detection today: no baseline modeling of normal invocation patterns, no deviation alerting, no agent kill switch. The data for anomaly detection is already being collected in the audit trail; the analysis layer is the gap. Whether that analysis belongs at the gateway layer or in a dedicated observability platform is an open architectural question. What the gateway provides today is the data collection infrastructure that either approach would require.

Coverage Breadth vs. Enforcement Depth

The OWASP Agentic Top 10 is a useful framework. But evaluating governance solutions purely on how many of the ten risks they "cover" misses the more important question: how deeply and reliably is that coverage enforced?

A governance system that checks all ten boxes from inside the agent process provides broad coverage in a narrow trust boundary. A governance system that enforces eight of ten risks from outside the agent's trust boundary provides deep, bypass-resistant coverage on the risks that matter most.

The right architecture uses both layers:

Layer What It Governs Examples
Infrastructure (Gateway) Identity, tool authorization, content safety, traffic resilience, audit Traefik Hub (API + AI + MCP Gateway)
Application (Agent Framework) Agent logic, memory management, code sandboxing, behavioral policies LangChain, CrewAI, Semantic Kernel
Platform (Kubernetes/OS) Container isolation, network policies, resource limits Security contexts, gVisor, network policies
Pipeline (CI/CD) Supply chain integrity, model provenance, image scanning Sigstore, SBOM, container scanning

No single layer covers all ten risks alone. But the infrastructure layer is the one that works even when the application layer is compromised. For organizations also adopting Forrester's AEGIS framework, we published a companion post mapping AEGIS's six domains to infrastructure-layer enforcement.

Our Coverage Map

OWASP Risk Gateway Coverage What Gateway Provides What Other Layers Add
ASI-01: Goal Hijack Strong 4-tier safety pipeline, parallel execution Behavioral drift detection (app-layer)
ASI-02: Tool Misuse Best-in-class TBAC: tool auth, parameters, rate limits, human-in-loop Framework-level tool selection (app-layer)
ASI-03: Identity Abuse Strong JWT propagation, per-user/team enforcement, least-privilege IAM integration (platform-layer)
ASI-04: Supply Chain Partial Air-gapped deployment, FIPS crypto, multi-vendor guards SBOM, image scanning, model provenance (pipeline-layer)
ASI-05: Code Execution Partial Tool access prevention via TBAC Execution sandboxing (platform-layer)
ASI-06: Memory Poisoning Strong Hallucination detection, RAG quality, bidirectional inspection Memory management policies (app-layer)
ASI-07: Inter-Agent Comms Strong MCP Gateway, mTLS, authenticated channels, audit N/A (gateway is the channel)
ASI-08: Cascading Failures Strong Failover Router, circuit breakers, graceful errors, token limits Application-layer retry policies
ASI-09: Trust Exploitation Moderate Content safety filtering, human-in-loop, audit UX design, organizational controls
ASI-10: Rogue Agents Moderate Token ceilings, tool blast radius limits, rate limiting Behavioral anomaly detection (roadmap)

Six strong, two moderate, two partial. We'd rather publish an honest map than claim ten out of ten coverage that doesn't survive architectural scrutiny.

What's Next

The OWASP Agentic Top 10 mapping detailed in this post reflects Traefik Hub v3.20 capabilities as of March 2026. The composable safety pipeline, TBAC, Failover Router, token rate limiting, and graceful error handling are all available in Early Access today, with general availability planned for late April 2026.

We encourage organizations evaluating agent governance to ask every vendor not just which risks they cover, but where their controls are enforced and what happens when the agent itself is the thing that's compromised.

For a complementary framework-level perspective, see our mapping of Forrester's AEGIS framework to infrastructure-layer enforcement. And for a deep technical walkthrough of the composable safety pipeline referenced throughout this post, see From Regex to GPU: Building a Multi-Vendor AI Safety Pipeline.

Traefik Hub v3.20 is available as an Early Access release. To try the composable safety pipeline and the other features covered in this post, sign up for Early Access.

Frequently Asked Questions

What is the OWASP Top 10 for Agentic Applications?

The OWASP Top 10 for Agentic Applications is a risk taxonomy published in December 2025 that identifies the ten most critical security risks for autonomous AI agents. The risks range from agent goal hijacking (ASI-01) and tool misuse (ASI-02) to cascading failures (ASI-08) and rogue agents (ASI-10). It is maintained by the OWASP GenAI Security Project and is becoming the standard framework for evaluating AI agent governance solutions.

What is the difference between application-layer and infrastructure-layer AI agent governance?

Application-layer governance runs inside the agent process (as an SDK, middleware library, or framework plugin) and governs the agent's logic. Infrastructure-layer governance runs at the network gateway, outside the agent's trust boundary, and governs the traffic. The key distinction: if the agent is compromised through prompt injection, jailbreak, or privilege escalation, application-layer governance is compromised with it. Infrastructure-layer governance continues to enforce because it runs in a separate process with separate credentials.

What is TBAC (Tools/Tasks/Transactions-Based Access Control)?

TBAC is Traefik Hub's access control model for AI agents, enforced at the MCP Gateway. It provides three dimensions of control: which tools an agent can invoke, which tasks (workflows) it can perform, and what transaction parameters are permitted. TBAC operates at the infrastructure layer, meaning the agent runtime cannot modify, bypass, or disable these controls.

How does the OWASP Agentic Top 10 relate to Forrester's AEGIS framework?

The OWASP Agentic Top 10 is a risk taxonomy (what can go wrong). Forrester's AEGIS framework is a governance framework (what controls to implement). They are complementary: OWASP identifies the risks, AEGIS defines the organizational and technical controls to mitigate them. Both map to infrastructure-layer enforcement. See our AEGIS framework mapping for the governance-framework perspective.

Can any single product cover all 10 OWASP Agentic risks?

No. The ten risks span multiple enforcement layers: infrastructure (gateway), application (agent framework), platform (Kubernetes/OS), and pipeline (CI/CD). A governance system that claims 10/10 coverage from a single layer is either defining "coverage" loosely or operating within a narrow trust boundary. The right architecture uses defense-in-depth, with the infrastructure layer providing the controls that work even when the application layer is compromised.

7cs-ai-governance-ebook-promo-square

About the Authors

Zaid Albirawi

Zaid Albirawi

Zaid Albirawi is a Principal Solutions Architect at Traefik Labs. He spent 7 years as a software developer before moving into API-focused solutions architecture, a role he’s held for the last 5 years. He loves to code and enjoys tackling problems.

Immánuel Fodor

Immánuel Fodor

Principal Product Manager with 14+ years of tech industry experience, excelling at connecting business needs with technology, driving innovation and strategy. CKA, CPM, CSM, AWS CP, homelabber, former CTO.

Latest from Traefik Labs

When Every File is an Attack Vector: Why Agent Governance Must Live Outside the Runtime
Blog

When Every File is an Attack Vector: Why Agent Governance Must Live Outside the Runtime

Read more
The Agent Framework Wars Are Over. Everyone Won. That's the Problem.
Blog

The Agent Framework Wars Are Over. Everyone Won. That's the Problem.

Read more
AI Run Amok: Your MCP Blind Spot and How to Secure It
Webinar

AI Run Amok: Your MCP Blind Spot and How to Secure It

Watch now