OWASP Top 10 for Agentic Applications 2026 – AS102: Tool Misuse and Exploitation focuses on what happens when an AI agent uses legitimate tools in unintended or unsafe ways. Unlike traditional cyberattacks, where an attacker exploits software vulnerabilities, ASI02 assumes the agent already has authorized access.
Agents can misuse legitimate tools due to prompt injection, misalignment, unsafe delegation, or ambiguous instructions, leading to data exfiltration, tool output manipulation, or workflow hijacking. Risks arise from how the agent chooses and applies tools; agent memory, dynamic tool selection, and delegation can contribute to misuse via chaining, privilege escalation, and unintended actions.
An attacker may manipulate the agent through prompt injection, poisoned content, ambiguous instructions, or compromised tool metadata, causing it to delete data, expose sensitive information, trigger expensive API calls, or perform destructive actions – all while operating within its legitimate permissions
Tool Misuse and Exploitation Vulnerability Examples
- Over-privileged tool access (directly to the tools API or via AI or agentic communication protocol): Email summarizer can delete or send mail without confirmation.
- Over-scoped tool access: The Salesforce tool can get any record, even though only the Opportunity object is required by the agent
- Unvalidated input forwarding: Agent passes untrusted model output to a shell (e.g., rm -rf /) or misuses a database management tool to delete a database or specific entries
- Unsafe browsing or federated calls: Research agent follows malicious links, downloads malware, or executes hidden prompts.
- Loop amplification: Planner repeatedly calls costly APIs, causing DoS or bill spikes.
- External data tool poisoning: Malicious third-party content steers unsafe actions in the tool.
Real-World Attack Scenarios
1. Microsoft EchoLeak (2025)
Microsoft disclosed EchoLeak (CVE-2025-32711), demonstrating how an AI assistant could be manipulated to access and expose sensitive Microsoft 365 information via indirect prompt injection. Rather than exploiting operating system vulnerabilities, the attack influenced how the AI agent interacted with its available tools and enterprise data. It highlighted how trusted AI assistants can become data exfiltration pathways when tool usage is insufficiently constrained.
Lesson: Authorized access does not guarantee safe behaviour.
2. Malicious MCP Servers
As the Model Context Protocol (MCP) ecosystem grows, agents increasingly discover and dynamically invoke external tools. Researchers have demonstrated that malicious or compromised MCP servers can masquerade as legitimate services, convincing AI agents to invoke dangerous functions or expose confidential information.
These attacks exploit trust in tool discovery rather than vulnerabilities in the tools themselves.
3. Browser-Based Prompt Injection
Research has shown that AI web agents can be manipulated simply by browsing malicious websites.
Attackers embed hidden instructions inside: HTML comments, Invisible text, CSS elements, metadata, and Advertisements.
While a human user never sees the hidden content, an AI browsing agent may interpret it as instructions to: Download malware, upload confidential files, leak passwords, ignore previous instructions or visit attacker-controlled websites.
This transforms ordinary web browsing into an attack surface for AI agents.
4. Over-Privileged Enterprise Tools
OWASP highlights a common enterprise scenario in which an AI assistant responsible for summarizing emails also has permissions to delete emails, send emails, modify calendars, or create documents.
If the agent is manipulated, it can misuse those capabilities without ever violating access controls. Similarly, an AI assistant connected to Salesforce may have access to every object in the CRM when it only requires access to opportunities or customer records. Excessive permissions dramatically increase the blast radius of a successful attack.
5. Runaway API Calls and Cost Explosions
Autonomous planning agents may repeatedly OWASP LLM inference endpoints, or external services due to flawed reasoning or malicious instructions. The result may include unexpected cloud bills, API quota exhaustion, denial-of-service attacks against internal services, or business disruption.
Because every API call is technically authorized, traditional security monitoring may not immediately detect the abuse.
Prevention and Mitigation Guidelines
Organizations deploying AI agents should treat every connected tool as part of their security perimeter.
1. Apply Least Privilege
Grant agents access only to the specific tools and actions required for their tasks.
Instead of granting:
- Full mailbox access
Provide:
- Read-only email access
Instead of:
- Full database administrator privileges
Provide:
- Read-only access to approved tables
2. Require Human Approval for High-Risk Actions
Require explicit authentication for each tool invocation and human confirmation for high-impact or destructive actions (delete, transfer, publish). Human-in-the-loop workflows reduce the impact of manipulated agent behaviour.
3. Execution Sandboxes and Egress Controls.
Run tool or code execution in isolated sandboxes. Enforce outbound allowlists and deny all non-approved network destinations.
4. Implement Policy Enforcement Outside the LLM
Business rules should be enforced independently of the AI model. Treat LLM or planner outputs as untrusted. A pre-execution Policy Enforcement Point (PEP/PDP) validates intent and arguments, enforces schemas and rate limits, issues short-lived credentials, and revokes or audits on drift.
5. Adaptive Tool Budgeting.
Apply usage ceilings (cost, rate, or token budgets) with automatic revocation or throttling when exceeded.
6. Just-in-Time and Ephemeral Access.
Grant temporary credentials or API tokens that expire immediately after use. Bind keys to specific user sessions to prevent lateral abuse.
7. Logging, Monitoring, and Drift Detection.
Maintain immutable logs of all tool invocations and parameter changes. Continuously monitor for anomalous execution rates, unusual tool-chaining patterns (e.g., DB read followed by external transfer), and policy violations.
AI Agents Are Only as Safe as the Tools They Can Control
Traditional cybersecurity focuses on protecting systems from unauthorized access. Agentic AI introduces a different challenge.
The AI agent may already have legitimate access but still perform harmful actions because it misinterprets instructions, follows malicious content, or chains together trusted tools in unintended ways.
Organizations should move beyond securing AI models alone. They must also secure the permissions, workflows, APIs, identities, and external tools that AI agents interact with on a daily basis.
As AI agents become integral to business operations, tool governance will become just as important as identity management.
Secure Your AI Agents Before They Reach Production
Deploying AI agents without governance over tool access creates unnecessary business risk.
Reputiva helps organizations assess their AI readiness by evaluating:
- AI agent security posture
- Identity and access controls
- MCP and third-party tool governance
- Cloud security architecture
- AI risk management
- Responsible AI implementation
Book a consultation with Reputiva to assess your AI environment and build secure, responsible, and scalable AI agent deployments.
References
- OWASP Top 10 for Agentic Applications 2026 – ASI02: Tool Misuse and Exploitation
- Microsoft Security Blog – Addressing the OWASP Top 10 Risks in Agentic AI with Microsoft Copilot Studio
- OWASP Agentic Security Initiative
- Snyk Learn – Agent Tool Misuse and Exploitation
- Mind the Web: The Security of Web Use Agents (arXiv, 2025)
- OWASP AIVSS: Agentic AI Tool Misuse Risk Examples
Reputiva
Reputiva is a cloud, cybersecurity, and FinOps advisory firm helping SMEs reduce cyber risk, strengthen cloud environments, and manage technology costs with confidence. We publish practical insights on cloud security, identity, AI risk, compliance, and digital transformation.


