OWASP Agentic Top 10 — Control Map
The OWASP Agentic Top 10 names the threats. This spreadsheet maps each one to the controls that close it, the lifecycle gate where each control must be in place, and the evidence required to verify it. 44 rows. Ready to paste into your AI Committee review template.
Free spreadsheet
Excel · .xlsx · 2 sheets
Download free
Enter your work email. Includes a how-to guide tab and working columns for status, owner, and gap tracking. Opens in Excel, Google Sheets, or any spreadsheet tool. You'll also receive new blog posts when they publish.
Who it's for
Security architects, AppSec leads, and AI governance teams preparing an agentic AI system for pilot or production review.
Use it per system — one copy per agentic deployment under review. It feeds directly into the control plan and evidence gap sections of a Drel clearance review.
How to use it
- 1Identify the agentic system: orchestrator, tools, memory, identity model.
- 2Filter by Lifecycle Gate — focus on Before pilot controls first.
- 3Mark each row: Covered / Partial / Missing / Not applicable / Unknown.
- 4Assign an owner and add an evidence link where evidence exists.
- 5Treat Missing rows at the relevant gate as review blockers.
- 6Use the completed map as input to a security review or AI Committee submission.
What's in the file
Seven columns per row. Each control is specific enough to assign to an owner and verify — not a category label.
| Column | Contents |
|---|---|
| Threat ID | A1–A10 per OWASP Agentic Top 10 2025 |
| Threat name | Memory Poisoning, Prompt Injection, Tool Misuse… |
| Attack surface layer | Orchestrator / Memory & RAG / Tool surface / Identity / Output |
| Required control | Specific, actionable — not a category |
| Lifecycle gate | Before pilot / Before production / Ongoing |
| Evidence required | What you show an auditor to prove the control is working |
| Framework tags | OWASP Agentic, NIST AI RMF, ISO 42001, EU AI Act article |
Sample row — A2 Prompt Injection
Threat ID
A2
Threat name
Prompt Injection
Attack surface layer
Orchestrator
Required control
System prompt and user input separated at the model gateway
Lifecycle gate
Before pilot
Evidence required
Architecture review showing gateway separation
Framework tags
OWASP, MITRE ATLAS
From control map to review pack
Spreadsheets are the starting point.
This control map helps identify which agentic AI controls are in place and which are missing. Drel turns that gap analysis into a guided AI security review — mapping controls to findings, generating a risk disposition, and producing a review-ready dossier your AI Committee can actually approve or reject.
Frequently asked
Frequently asked questions
- Is the OWASP Agentic Top 10 a compliance framework?
- No. It is a community risk taxonomy maintained by OWASP. Mapping a system against it produces design-time evidence that you considered agentic-specific risk categories. It does not by itself satisfy any regulatory or certification requirement.
- How does this differ from the OWASP LLM Top 10?
- The LLM Top 10 covers risks in LLM applications generally (prompt injection, insecure output, training data poisoning). The Agentic Top 10 covers additional risks specific to agentic behavior (tool use, delegation, lateral movement, persistent memory). An agentic AI system should be assessed against both.
- What is a lifecycle gate?
- A lifecycle gate is the point in an AI system's lifecycle at which a control should be in place. The control map uses three gates: before pilot, before production, and ongoing. Each control row names the gate at which it applies.
- How do I use the status columns?
- Each control row has a status column (covered / partial / missing / N/A / unknown) and an owner column. Use the spreadsheet as a working tracker: fill in current status, identify gaps, assign owners, and re-review when the system changes.
- Does this map controls to other frameworks?
- Yes. Each control row includes cross-framework tags (NIST AI RMF, ISO 42001 clauses, MITRE ATLAS, EU AI Act articles where applicable). Use the tags to demonstrate cross-framework coverage in a single artefact.
- Can I share this with my AI Committee?
- Yes. The spreadsheet is designed to be a committee-readable artefact: the threat surfaces are named, the controls are explicit, and the evidence columns make gaps visible. Many teams use it as the substrate for the disposition discussion.