By MAREF Engineering
In 2025, OWASP published the Agentic Top 10 β the first industry-standard threat model specifically for multi-agent AI systems. These aren't theoretical risks. Every one has been observed in production.
We built MAREF against this list from day one. Not as a compliance checkbox β as an engineering requirement. Here's the coverage map, risk by risk.
AGENTIC-01: Goal Hijacking #
MAREF: Runtime Goal Validation + Behavioral Bounds
An agent receives a prompt that subtly rewrites its objective. The classic example: "Clean up my inbox" β an agent that deletes everything because "clean" was interpreted as "remove all."
MAREF's governance state machine evaluates every action against the agent's defined behavioral bounds β not just the current LLM context. If an action would violate the agent's constitutional red lines, it's blocked regardless of what the model "thinks" it should do. The 4-tier decision tree (Rule β Mode β SafetyGate β User) catches goal drift before it becomes damage.
AGENTIC-02: Tool Misuse #
MAREF: Per-Tool Permission Policies + Least Privilege
An agent with filesystem access can read, write, or delete anything. MAREF assigns per-tool, per-scope permissions at agent registration time. A support agent gets read-only access to specific tables. A code review agent can read PRs but never push. If an agent tries to call a tool outside its permission envelope, MAREF blocks the call before it reaches the tool.
## AGENTIC-03: Identity Abuse
MAREF: Per-Agent Ed25519 Identity + Time-Scoped Credentials
Every agent in MAREF gets a unique Ed25519 key pair at registration. Every tool call is signed. Every decision has a cryptographic audit trail. If an agent goes rogue, its credential can be revoked instantly β and all actions it took are irrefutably attributable. No "which agent did this?" ambiguity.
AGENTIC-04: Supply Chain #
MAREF: Signed Skill Packages + Bootstrap Integrity
Agent skills and tools are code. Malicious packages can compromise agents at load time. MAREF requires all skill packages to be cryptographically signed. The bootstrap process verifies integrity before any agent loads a skill. The trust chain starts from a hardware root of trust and extends through every loaded module.
AGENTIC-05: Code Execution #
MAREF: Execution Sandboxing + Ring-Level Isolation
Agents that execute code can escape sandboxes. MAREF uses ring-level isolation: agent code runs in the least-privileged execution context, with filesystem, network, and process-level restrictions enforced at the OS level. Even if an agent's code is compromised, the blast radius is contained.
AGENTIC-06: Memory Poisoning #
MAREF: Write-Time Anomaly Detection + Cross-Model Verification
An agent's long-term memory can be poisoned by adversarial inputs. MAREF detects anomalous memory writes at write time, flagging content that deviates from expected patterns. For critical memory operations, cross-model verification confirms consistency before committing. This prevents the "inbox full of poisoned memories" attack pattern documented in recent research.
## AGENTIC-07: Insecure Communication
MAREF: End-to-End Signed Inter-Agent Channels
Agents talking to each other without encryption or signing can have their messages intercepted or tampered with. MAREF establishes end-to-end encrypted channels between agents, with every message signed by the sender's Ed25519 key. No man-in-the-middle. No replay attacks. No forged messages.
AGENTIC-08: Cascading Failures #
MAREF: Circuit Breakers + Bulkhead Isolation + Saga Orchestration
One misbehaving agent can bring down an entire system. MAREF implements circuit breakers per-agent (if error rate exceeds threshold, the agent is isolated), bulkhead isolation (failure in one domain doesn't propagate), and saga orchestration (distributed transactions across agents have rollback procedures). The 2025 Meta inbox deletion incident is a textbook cascading failure that MAREF's architecture prevents.
## AGENTIC-09: Human Trust Exploitation
MAREF: Human-in-the-Loop Escalation + Named Kill-Switch
Humans rubber-stamp agent requests because they trust the system. MAREF requires explicit human escalation for high-risk actions, with named authorization (not a shared "admin" account). The kill-switch is a single, well-known command that any authorized human can issue. It's tested regularly. It doesn't require searching for the right flag in a documentation page.
AGENTIC-10: Rogue Agents #
MAREF: Agent Registration + Behavioral Anomaly Detection
An agent that was never authorized β or was compromised and now acts outside its profile β is a rogue agent. MAREF maintains a registry of all authorized agents and monitors behavior against established baselines. Deviations trigger alerts, automatic restriction, or halt, depending on severity. No agent operates outside governance.
Not Just Coverage β Depth #
Covering all 10 risks isn't hard if you have a shallow check for each one. What makes MAREF different is depth:
- Each risk is addressed by multiple defensive layers, not a single control - Controls are formally verified(TLA+) or** provably convergent**(Lyapunov) - Defenses evolve over timeβ the system learns from adversarial attacks and gets stronger Zero-trust identity per agent makes every action attributable and auditable
Why This Matters Now #
The CISA/Five Eyes joint guidance on agentic AI (May 2026) explicitly recommends addressing the OWASP Agentic Top 10. Regulators are watching. Legal liability for agent actions is an open question β but the answer will depend on whether you can demonstrate due diligence.
MAREF's coverage of all 10 risks, with formal verification and cryptographic audit trails, gives you that demonstration. Not as a marketing slide. As an engineering fact.
π‘οΈ Sources: OWASP Agentic Top 10 (2025). CISA/Five Eyes β "Securing Agentic AI Systems" joint guidance (May 2026). MAREF Technical Whitepaper β Section 4 (8-Layer Defense Architecture). MAREF Security Whitepaper β OWASP Coverage Matrix. Deploy MAREF in 5 minutes.