cd /news/ai-safety/owasp-agentic-top-10-how-maref-cover… Β· home β€Ί topics β€Ί ai-safety β€Ί article
[ARTICLE Β· art-37498] src=maref.cc β†— pub= topic=ai-safety verified=true sentiment=↑ positive

OWASP Agentic Top 10: How MAREF Covers All 10 Critical Risks

MAREF, a multi-agent AI security framework, addresses all 10 risks in the OWASP Agentic Top 10 threat model for multi-agent systems, including goal hijacking, tool misuse, and identity abuse, through runtime validation, cryptographic identity, and sandboxing. The framework provides coverage for each risk with specific engineering controls such as per-tool permissions, signed skill packages, and circuit breakers.

read5 min views11 publishedJun 16, 2026
OWASP Agentic Top 10: How MAREF Covers All 10 Critical Risks
Image: Maref (auto-discovered)

By MAREF Engineering

In 2025, OWASP published the Agentic Top 10 β€” the first industry-standard threat model specifically for multi-agent AI systems. These aren't theoretical risks. Every one has been observed in production.

We built MAREF against this list from day one. Not as a compliance checkbox β€” as an engineering requirement. Here's the coverage map, risk by risk.

AGENTIC-01: Goal Hijacking #

MAREF: Runtime Goal Validation + Behavioral Bounds

An agent receives a prompt that subtly rewrites its objective. The classic example: "Clean up my inbox" β†’ an agent that deletes everything because "clean" was interpreted as "remove all."

MAREF's governance state machine evaluates every action against the agent's defined behavioral bounds β€” not just the current LLM context. If an action would violate the agent's constitutional red lines, it's blocked regardless of what the model "thinks" it should do. The 4-tier decision tree (Rule β†’ Mode β†’ SafetyGate β†’ User) catches goal drift before it becomes damage.

AGENTIC-02: Tool Misuse #

MAREF: Per-Tool Permission Policies + Least Privilege

An agent with filesystem access can read, write, or delete anything. MAREF assigns per-tool, per-scope permissions at agent registration time. A support agent gets read-only access to specific tables. A code review agent can read PRs but never push. If an agent tries to call a tool outside its permission envelope, MAREF blocks the call before it reaches the tool.

## AGENTIC-03: Identity Abuse

MAREF: Per-Agent Ed25519 Identity + Time-Scoped Credentials

Every agent in MAREF gets a unique Ed25519 key pair at registration. Every tool call is signed. Every decision has a cryptographic audit trail. If an agent goes rogue, its credential can be revoked instantly β€” and all actions it took are irrefutably attributable. No "which agent did this?" ambiguity.

AGENTIC-04: Supply Chain #

MAREF: Signed Skill Packages + Bootstrap Integrity

Agent skills and tools are code. Malicious packages can compromise agents at load time. MAREF requires all skill packages to be cryptographically signed. The bootstrap process verifies integrity before any agent loads a skill. The trust chain starts from a hardware root of trust and extends through every loaded module.

AGENTIC-05: Code Execution #

MAREF: Execution Sandboxing + Ring-Level Isolation

Agents that execute code can escape sandboxes. MAREF uses ring-level isolation: agent code runs in the least-privileged execution context, with filesystem, network, and process-level restrictions enforced at the OS level. Even if an agent's code is compromised, the blast radius is contained.

AGENTIC-06: Memory Poisoning #

MAREF: Write-Time Anomaly Detection + Cross-Model Verification

An agent's long-term memory can be poisoned by adversarial inputs. MAREF detects anomalous memory writes at write time, flagging content that deviates from expected patterns. For critical memory operations, cross-model verification confirms consistency before committing. This prevents the "inbox full of poisoned memories" attack pattern documented in recent research.

## AGENTIC-07: Insecure Communication

MAREF: End-to-End Signed Inter-Agent Channels

Agents talking to each other without encryption or signing can have their messages intercepted or tampered with. MAREF establishes end-to-end encrypted channels between agents, with every message signed by the sender's Ed25519 key. No man-in-the-middle. No replay attacks. No forged messages.

AGENTIC-08: Cascading Failures #

MAREF: Circuit Breakers + Bulkhead Isolation + Saga Orchestration

One misbehaving agent can bring down an entire system. MAREF implements circuit breakers per-agent (if error rate exceeds threshold, the agent is isolated), bulkhead isolation (failure in one domain doesn't propagate), and saga orchestration (distributed transactions across agents have rollback procedures). The 2025 Meta inbox deletion incident is a textbook cascading failure that MAREF's architecture prevents.

## AGENTIC-09: Human Trust Exploitation

MAREF: Human-in-the-Loop Escalation + Named Kill-Switch

Humans rubber-stamp agent requests because they trust the system. MAREF requires explicit human escalation for high-risk actions, with named authorization (not a shared "admin" account). The kill-switch is a single, well-known command that any authorized human can issue. It's tested regularly. It doesn't require searching for the right flag in a documentation page.

AGENTIC-10: Rogue Agents #

MAREF: Agent Registration + Behavioral Anomaly Detection

An agent that was never authorized β€” or was compromised and now acts outside its profile β€” is a rogue agent. MAREF maintains a registry of all authorized agents and monitors behavior against established baselines. Deviations trigger alerts, automatic restriction, or halt, depending on severity. No agent operates outside governance.

Not Just Coverage β€” Depth #

Covering all 10 risks isn't hard if you have a shallow check for each one. What makes MAREF different is depth:

  • Each risk is addressed by multiple defensive layers, not a single control - Controls are formally verified(TLA+) or** provably convergent**(Lyapunov) - Defenses evolve over timeβ€” the system learns from adversarial attacks and gets stronger Zero-trust identity per agent makes every action attributable and auditable

Why This Matters Now #

The CISA/Five Eyes joint guidance on agentic AI (May 2026) explicitly recommends addressing the OWASP Agentic Top 10. Regulators are watching. Legal liability for agent actions is an open question β€” but the answer will depend on whether you can demonstrate due diligence.

MAREF's coverage of all 10 risks, with formal verification and cryptographic audit trails, gives you that demonstration. Not as a marketing slide. As an engineering fact.

πŸ›‘οΈ Sources: OWASP Agentic Top 10 (2025). CISA/Five Eyes β€” "Securing Agentic AI Systems" joint guidance (May 2026). MAREF Technical Whitepaper β€” Section 4 (8-Layer Defense Architecture). MAREF Security Whitepaper β€” OWASP Coverage Matrix. Deploy MAREF in 5 minutes.

── more in #ai-safety 4 stories Β· sorted by recency
── more on @owasp 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain β€” perfect for shipping the agent you just read about.

$git push zahid main
β†’ Live at https://your-agent.zahid.host βœ“
Get free account β†’ Pricing
from €0/mo Β· no card required
LIVE [news/owasp-agentic-top-10…] indexed:0 read:5min 2026-06-16 Β· β€”