03 · PLAYBOOKS
Playbooks proactive · reactive · detective
Six playbooks derived from OWASP Agentic AI: Threats and Mitigations v1.1, containing 121 Helmwart action entries mapped onto 66 Helmwart mitigations. Each playbook follows one step of the OWASP Decision Path and keeps the source's Proactive, Reactive, and Detective organisation; Helmwart adds implementation-specific actions and the per-action mappings onto its controls.
Preventing AI Agent Reasoning Manipulation
Stop attackers from rewriting an agent’s plan or hiding its tracks.
Goal: Prevent attackers from manipulating AI intent or bypassing security through deceptive AI behaviours, and improve the traceability of AI actions.
Preventing Memory Poisoning & AI Knowledge Corruption
Keep short- and long-term memory clean of adversarial writes and retrievals.
Goal: Prevent AI from storing, retrieving, or propagating manipulated data that could corrupt decision-making or spread misinformation.
Securing AI Tool Execution & Preventing Unauthorised Actions Across Supply Chains
Keep tool invocations on-policy and the upstream components trustworthy.
Goal: Prevent AI from executing unauthorised commands, misusing tools, or escalating privileges as a result of malicious manipulation, including manipulation introduced through the agent’s supply chains.
Strengthening Authentication, Identity & Privilege Controls
Make every agent and tool prove what it is before doing anything privileged.
Goal: Prevent unauthorised AI privilege escalation, identity spoofing, and access control violations.
Protecting HITL & Preventing Decision Fatigue Exploits
Keep human oversight effective when the agent fan-out tries to swamp it.
Goal: Prevent attackers from overloading human decision-makers, manipulating AI intent, or bypassing security through deceptive AI behaviours.
Securing Multi-Agent Communication & Trust Mechanisms
Make every inter-agent message authenticated, integrity-checked, and bounded.
Goal: Prevent attackers from corrupting multi-agent communication, exploiting trust mechanisms, or manipulating decision-making in distributed AI environments.
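The identity playbook asks every agent to prove what it is before acting, and the multi-agent playbook asks for messages that are authenticated, integrity-checked, and bounded. The example below is added here to show what those three properties look like at the message layer; it is illustrative editor code, not Helmwart's or OWASP's implementation. It assumes a hypothetical out-of-band registry of per-sender HMAC keys (`AGENT_KEYS`), a hypothetical payload bound (`MAX_BODY_BYTES`) and freshness window (`MAX_SKEW_SECONDS`), and an in-memory nonce cache; a production deployment would more likely bind agent identity to workload credentials (mTLS or signed tokens) and expire the replay cache, but the checks and their ordering are the same.

```python
"""Authenticated, integrity-checked, bounded inter-agent messages.

Illustrative example added by the editor (not Helmwart or OWASP code).
Assumes a hypothetical per-sender HMAC key registry distributed out of band.
"""
import hashlib
import hmac
import json
import secrets
import time

MAX_BODY_BYTES = 4096    # hypothetical bound on payload size
MAX_SKEW_SECONDS = 30    # hypothetical accepted clock-skew window

# Constructed sample registry: agent id -> shared HMAC key (hypothetical).
AGENT_KEYS = {
    "planner": b"planner-secret-key-0001",
    "executor": b"executor-secret-key-0002",
}

SIGNED_FIELDS = ("sender", "recipient", "body", "ts", "nonce")


def _canonical(fields: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_message(sender, recipient, body, key, now=None, nonce=None) -> dict:
    """Build a message whose MAC covers sender, recipient, body, time and nonce."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16) if nonce is None else nonce
    fields = {"sender": sender, "recipient": recipient, "body": body,
              "ts": now, "nonce": nonce}
    mac = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": mac}


class Verifier:
    """Receiving agent: enforces bounds, identity, integrity, freshness, single use."""

    def __init__(self, me, keys, now=None):
        self.me = me
        self.keys = keys
        self.seen = set()    # nonce replay cache (in-memory for the example)
        self._now = now      # injectable clock so tests are deterministic

    def verify(self, msg: dict) -> tuple:
        now = time.time() if self._now is None else self._now
        # 1. Bounded: reject oversized bodies before any further work.
        body = msg.get("body", "")
        if not isinstance(body, str) or len(body.encode()) > MAX_BODY_BYTES:
            return False, "body exceeds size bound"
        # 2. Authenticated: sender must be a known identity, addressed to us.
        key = self.keys.get(msg.get("sender"))
        if key is None:
            return False, "unknown sender"
        if msg.get("recipient") != self.me:
            return False, "not addressed to this agent"
        # 3. Integrity-checked: recompute the MAC over the canonical fields.
        fields = {k: msg[k] for k in SIGNED_FIELDS if k in msg}
        if len(fields) != len(SIGNED_FIELDS):
            return False, "missing field"
        mac = msg.get("mac")
        if not isinstance(mac, str):
            return False, "bad mac"
        expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), mac.encode()):
            return False, "bad mac"
        # 4. Bounded in time and single-use: freshness window plus nonce cache.
        if abs(now - float(fields["ts"])) > MAX_SKEW_SECONDS:
            return False, "stale"
        if fields["nonce"] in self.seen:
            return False, "replay"
        self.seen.add(fields["nonce"])
        return True, "ok"


if __name__ == "__main__":
    v = Verifier("executor", AGENT_KEYS, now=1000)
    m = sign_message("planner", "executor", "run step 3", AGENT_KEYS["planner"], now=1000)
    print(v.verify(m))   # accepted once
    print(v.verify(m))   # second delivery rejected as a replay
```

The ordering matters: the size bound is enforced before the MAC so an attacker cannot make the verifier hash arbitrarily large input, the MAC is checked before the nonce is recorded so a forged message cannot burn a legitimate nonce, and `hmac.compare_digest` avoids a timing side channel on the tag comparison.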
Source basis: OWASP Agentic AI: Threats and Mitigations v1.1 (Dec 2025), §Mitigation Strategies. OWASP supplies the six playbooks, threat coverage, and step structure. Helmwart expands them with implementation-oriented actions and per-action mappings onto deployable controls.