Human Manipulation

OWASP Top 10 for Agentic Applications 2026

The Agentic Top 10 (ASI01 through ASI10) is a separate practitioner-facing publication that maps onto the master Threats & Mitigations threat numbering. T15 is covered by the following Top 10 entries:

• ASI10 Rogue Agents primary

  A rogue agent is one whose behavioural objective has drifted from its authorised purpose, yet its identity still checks out, its actions remain inside its permissions, and its logs look clean. Divergence may originate from prompt injection, supply-chain tampering, or goal hijack; ASI10 names what happens after divergence begins: sustained, covert operation toward an attacker's goal with no single action that trips an alarm.

  OWASP LLM Top 10: LLM02:2025LLM09:2025

Source: OWASP Top 10 for Agentic Applications 2026 (Dec 2025) · the Top 10 is a compass into the master Threats & Mitigations taxonomy, not a replacement for it.

Design principles at stake

When T15 is present, these security design principles are the ones being violated or tested. Each links to the full principle; the mitigations below are how you restore them.

• Defence-in-Depth The attack succeeds because the agent is trusted to compose output directed at a human, so one compromised upstream instruction (an indirect prompt injection) becomes a fluent, contextualised phishing message with no obvious attacker fingerprint. Depth means the model's output is never the last word: independent output moderation checks for attacker-controlled URLs and attachment instructions before anything reaches the user, and the agent's permission to act on the user's behalf requires re-attested intent rather than relying on the original session grant. Defeating the model alone, via a well-crafted injection, still leaves a deterministic content filter and an intent re-attestation gate standing.
• Assume Breach Conventional phishing assumes the attacker composes the bait externally; here the bait is composed by the trusted agent from injected instructions already inside its context, so by the time the human sees the message the model has already been successfully injected. The design must hold even after that injection: the agent's ability to display hyperlinks and send messages must be controlled independently of its reasoning, so that a poisoned context cannot on its own push a malicious link to the user without passing a deterministic output filter that operates regardless of what the model intended.
• Human Oversight (HITL / HOTL) The threat exploits the trust a user places in AI responses to bypass their own scepticism: the user evaluates the agent's trustworthiness, not the attacker's. Meaningful oversight at the human-facing surface means the agent cannot present payment instructions, hyperlinks, or requests to click external URLs without those outputs being pre-filtered by an independent moderation step, and consequential actions taken on the user's behalf (such as processing a wire transfer) require re-attested intent with a short-lived, action-bound confirmation rather than carrying forward the session's ambient authority.

Recommended mitigations

Auto-generated from the mitigation catalog: every mitigation whose coverage map includes T15, sorted by maturity tier (Tier 1 production-canonical first, then Tier 2, then Tier 3 research-stage).

• Tier 2 AI label (AI-source disclosure UI — visible AI labelling at the point of action)

  When an AI agent generates content or proposes an action, users need to know that the source is an AI before they decide to act. Without that signal, users routinely over-trust agent output. AI-source disclosure addresses this by attaching a visible label to every AI-generated item and by requiring explicit confirmation for consequential actions, restoring the critical gap between receipt and acceptance.

  why it helps T15 Human Manipulation describes attacks in which an agent is used as an instrument to social-engineer the user, gaining compliance precisely because agent-generated content carries implicit trust. Visible AI-source labelling removes that trust premium by restoring the user's awareness that the content originated from an AI system, not from a trusted human contact.

• Tier 2 Data classification (Data classification with tool-access allow-lists — a sensitivity label on every dataset, enforced at every access seam)

  Every dataset, document, and external system an agent can reach carries a classification label. The agent's permitted-class set and the tool's permitted-class set are intersected at the moment of every read or write. When the requested data's class falls outside that intersection, access is denied at the seam. This is the data-side complement to least-privilege: it adds a data-sensitivity constraint that role scoping alone does not provide.

  why it helps Social engineering and manipulation payloads typically depend on specific data about the target, names, roles, relationships, prior interactions. When the agent's permitted-class set excludes the data required to construct a targeted payload, the manipulation is constrained to information the agent is authorised to hold.

• Tier 2 Dual control (Human dual-control — four-eyes rule for irreversible high-impact approvals)

  An AI agent operating with broad authority can propose actions that are irreversible: deleting records, modifying IAM policies, moving funds. A single human reviewer at the approval gate is a single point of failure, one compromised account, one fatigued reviewer, or one successful social-engineering attempt is enough to commit the action. Human dual-control addresses that by requiring two distinct, independent humans to approve before the action commits.

  why it helps Manipulation through AI-generated content is the threat. An attacker uses fluent, contextually plausible content to persuade a reviewer to approve a harmful action. A second independent reviewer, who reaches their verdict without seeing the first reviewer's decision, must be persuaded separately, social engineering that succeeds once must succeed twice against independently-informed reviewers.

• Tier 2 Egress DLP (Output egress DLP — inspection gate for PII, secrets, and IP at the agent boundary)

  An agent produces output continuously across multiple channels: user-facing responses, tool-call parameter envelopes, log records, and outbound HTTP requests. Any of those channels can carry sensitive content the agent has retrieved, been fed, or been tricked into including. Output egress DLP places an inspection gate at the boundary so that PII, credentials, and proprietary content are classified and either redacted or quarantined before they leave the trust boundary, regardless of how they got into the output.

  why it helps Human Manipulation via agent output includes substituted banking details or fabricated invoice content delivered to the user. The egress gate classifies outbound user-facing responses and flags or redacts phishing-payload content before it reaches the user.

• Tier 2 Insider program (Insider threat program — personnel security for operators of high-privilege agentic systems)

  Privileged-access personnel are the human layer behind every agentic system. A person with legitimate administrative credentials can tamper with logs, manipulate approval gates, or extract training data through authorised channels, and no technical control prevents it when the access itself is valid. An insider threat program addresses that gap: it governs who holds operator access, what they agree to, how quickly credentials are revoked on departure, and whether anomalous behaviour is surfaced before damage accumulates.

  why it helps Social engineering of operators into approving fraudulent agent actions is reduced by documented training requirements, attestation obligations, and the published sanctions the program defines. An operator who has signed an access agreement and completed training has less deniability and a clearer decision framework when faced with a suspicious request.

• Tier 2 OOB verify (Out-of-band verification — independent-channel confirmation for irreversible agent actions)

  An agent that can propose payments, update banking details, or modify production configuration is, by construction, a manipulation surface. If the only thing standing between a proposed change and its execution is the agent's own UI, a successful prompt injection or RAG poisoning attack requires no additional steps. Out-of-band verification breaks that dependency by routing a one-use confirmation code through a channel that is structurally separate from the agent's primary interaction channel, so an attacker who controls the agent's context cannot complete the approval without also compromising the user's registered secondary device.

  why it helps Human Manipulation via AI-powered invoice fraud works by substituting attacker-controlled payment details into an outgoing transaction that the user then approves in the agent's UI. OOB verification requires the user to confirm the same details through a channel the attacker has not compromised, so approval of the substituted details in the primary channel is no longer sufficient to commit the transaction.

• Tier 2 Output moderation (Output moderation gates — independent moderation pass before emission)

  An AI agent can produce output that is harmful, deceptive, or factually wrong while still sounding fluent and confident. Output moderation places an independent classifier or moderation model between the agent and its destination, checking every output before it reaches a user or a downstream system. The generating model does not evaluate its own answer; a separate gate does.

  why it helps Human Manipulation exploits user trust in AI output by producing fluent, contextually plausible text that directs users toward fraudulent actions, phishing links, fake payment details, false urgency. Content classifiers trained on manipulation patterns catch this class of output at the emission boundary, before it reaches the user and before the social-engineering effect has any chance to take hold.

• Tier 2 Render restriction (Link and HTML rendering restriction — an allow-list control on what agent output may render)

  An agent can include links and rich HTML in its output. When that output is attacker-influenced, a clickable link, embedded image, or rich preview card becomes the delivery mechanism for phishing or data exfiltration via markdown image injection. Rendering restriction removes that delivery vector by allowing clickable content only from an explicit allow-list of trusted domains and reducing everything else to plain text before the output reaches the user.

  why it helps AI-assisted phishing requires the agent to present a manipulated link or preview in a form the user is likely to trust and click. Restricting rendering to an explicit allow-list of trusted domains means an attacker-supplied link appears only as raw text, removing the affordance a phishing attack requires to succeed.

Red-team pivot: MITRE ATLAS techniques

MITRE ATLAS catalogues adversary techniques against AI systems. Where this OWASP threat has an attacker-perspective counterpart, the ATLAS technique is shown below. That is what a red team would actually be doing on the wire. Use this for detection-signal anchoring, threat-hunting hypotheses, and IR runbooks. Source: mitre-atlas/atlas-data v5.6.0.

Related threats

• T1: Memory Poisoning
• T6: Intent Breaking and Goal Manipulation
• T10: Overwhelming Human-in-the-Loop (HITL)

Sources

• OWASP-Agentic-AI ↗ · 1.1 (Dec 2025) · Agentic Threats Taxonomy Navigator §Step 5 — Human Related Threats
• MAESTRO ↗ · 1.0 (Apr 2025) · Layer 7 Agent Ecosystem