OWASP Top 10 for Agentic Applications 2026 – AS102: Tool Misuse and Exploitation focuses on what happens when an AI agent uses legitimate tools in unintended or unsafe ways. Unlike traditional cyberattacks, where an attacker exploits software vulnerabilities, ASI02 assumes the agent already has authorized access.

Agents can misuse legitimate tools due to prompt injection, misalignment, unsafe delegation, or ambiguous instructions, leading to data exfiltration, tool output manipulation, or workflow hijacking. Risks arise from how the agent chooses and applies tools; agent memory, dynamic tool selection, and delegation can contribute to misuse via chaining, privilege escalation, and unintended actions.

An attacker may manipulate the agent through prompt injection, poisoned content, ambiguous instructions, or compromised tool metadata, causing it to delete data, expose sensitive information, trigger expensive API calls, or perform destructive actions – all while operating within its legitimate permissions

Tool Misuse and Exploitation Vulnerability Examples

  • Over-privileged tool access (directly to the tools API or via AI or agentic communication protocol): Email summarizer can delete or send mail without confirmation.
  • Over-scoped tool access: The Salesforce tool can get any record, even though only the Opportunity object is required by the agent
  • Unvalidated input forwarding: Agent passes untrusted model output to a shell (e.g., rm -rf /) or misuses a database management tool to delete a database or specific entries
  • Unsafe browsing or federated calls: Research agent follows malicious links, downloads malware, or executes hidden prompts.
  • Loop amplification: Planner repeatedly calls costly APIs, causing DoS or bill spikes.
  • External data tool poisoning: Malicious third-party content steers unsafe actions in the tool.

Real-World Attack Scenarios

1. Microsoft EchoLeak (2025)

Microsoft disclosed EchoLeak (CVE-2025-32711), demonstrating how an AI assistant could be manipulated to access and expose sensitive Microsoft 365 information via indirect prompt injection. Rather than exploiting operating system vulnerabilities, the attack influenced how the AI agent interacted with its available tools and enterprise data. It highlighted how trusted AI assistants can become data exfiltration pathways when tool usage is insufficiently constrained.

Lesson: Authorized access does not guarantee safe behaviour.

2. Malicious MCP Servers

As the Model Context Protocol (MCP) ecosystem grows, agents increasingly discover and dynamically invoke external tools. Researchers have demonstrated that malicious or compromised MCP servers can masquerade as legitimate services, convincing AI agents to invoke dangerous functions or expose confidential information.

These attacks exploit trust in tool discovery rather than vulnerabilities in the tools themselves.

3. Browser-Based Prompt Injection

Research has shown that AI web agents can be manipulated simply by browsing malicious websites.

Attackers embed hidden instructions inside: HTML comments, Invisible text, CSS elements, metadata, and Advertisements.

While a human user never sees the hidden content, an AI browsing agent may interpret it as instructions to: Download malware, upload confidential files, leak passwords, ignore previous instructions or visit attacker-controlled websites.

This transforms ordinary web browsing into an attack surface for AI agents.

4. Over-Privileged Enterprise Tools

OWASP highlights a common enterprise scenario in which an AI assistant responsible for summarizing emails also has permissions to delete emails, send emails, modify calendars, or create documents.

If the agent is manipulated, it can misuse those capabilities without ever violating access controls. Similarly, an AI assistant connected to Salesforce may have access to every object in the CRM when it only requires access to opportunities or customer records. Excessive permissions dramatically increase the blast radius of a successful attack.

5. Runaway API Calls and Cost Explosions

Autonomous planning agents may repeatedly OWASP LLM inference endpoints, or external services due to flawed reasoning or malicious instructions. The result may include unexpected cloud bills, API quota exhaustion, denial-of-service attacks against internal services, or business disruption.

Because every API call is technically authorized, traditional security monitoring may not immediately detect the abuse.

Prevention and Mitigation Guidelines

Organizations deploying AI agents should treat every connected tool as part of their security perimeter.

1. Apply Least Privilege

Grant agents access only to the specific tools and actions required for their tasks.

Instead of granting:

  • Full mailbox access

Provide:

  • Read-only email access

Instead of:

  • Full database administrator privileges

Provide:

  • Read-only access to approved tables

2. Require Human Approval for High-Risk Actions

Require explicit authentication for each tool invocation and human confirmation for high-impact or destructive actions (delete, transfer, publish).  Human-in-the-loop workflows reduce the impact of manipulated agent behaviour.

3. Execution Sandboxes and Egress Controls.

Run tool or code execution in isolated sandboxes. Enforce outbound allowlists and deny all non-approved network destinations.

4. Implement Policy Enforcement Outside the LLM

Business rules should be enforced independently of the AI model.  Treat LLM or planner outputs as untrusted. A pre-execution Policy Enforcement Point (PEP/PDP) validates intent and arguments, enforces schemas and rate limits, issues short-lived credentials, and revokes or audits on drift.

5. Adaptive Tool Budgeting.
Apply usage ceilings (cost, rate, or token budgets) with automatic revocation or throttling when exceeded.

6. Just-in-Time and Ephemeral Access.
Grant temporary credentials or API tokens that expire immediately after use. Bind keys to specific user sessions to prevent lateral abuse.

7. Logging, Monitoring, and Drift Detection.
Maintain immutable logs of all tool invocations and parameter changes. Continuously monitor for anomalous execution rates, unusual tool-chaining patterns (e.g., DB read followed by external transfer), and policy violations.

AI Agents Are Only as Safe as the Tools They Can Control

Traditional cybersecurity focuses on protecting systems from unauthorized access. Agentic AI introduces a different challenge.

The AI agent may already have legitimate access but still perform harmful actions because it misinterprets instructions, follows malicious content, or chains together trusted tools in unintended ways.

Organizations should move beyond securing AI models alone. They must also secure the permissions, workflows, APIs, identities, and external tools that AI agents interact with on a daily basis.

As AI agents become integral to business operations, tool governance will become just as important as identity management.

Secure Your AI Agents Before They Reach Production

Deploying AI agents without governance over tool access creates unnecessary business risk.

Reputiva helps organizations assess their AI readiness by evaluating:

  • AI agent security posture
  • Identity and access controls
  • MCP and third-party tool governance
  • Cloud security architecture
  • AI risk management
  • Responsible AI implementation

Book a consultation with Reputiva to assess your AI environment and build secure, responsible, and scalable AI agent deployments.

References


Reputiva

Reputiva is a cloud, cybersecurity, and FinOps advisory firm helping SMEs reduce cyber risk, strengthen cloud environments, and manage technology costs with confidence. We publish practical insights on cloud security, identity, AI risk, compliance, and digital transformation.

Author posts

Navigate

Let's talk

Networks

Privacy Preference Center