Definition
Repudiation and Untraceability is the failure mode where actions taken by agents cannot be reliably attributed, audited, or reconstructed after the fact. It is a threat in its own right, not just a missing control, because the absence of a trace enables other attacks (insider misuse, fraud, regulatory violation) to go undetected.
What it looks like in practice
Financial Transaction Obfuscation. A payments agent processes hundreds of fund transfers per day. An operator with access to the agent’s log-management interface deletes or truncates log entries for a subset of transactions, leaving no trace of the originating user’s instruction, the planning step that selected the recipient account, or the token used to authorise the transfer. When regulators request an audit trail for a suspicious transfer, the reconstructed log shows only a successful API call with no attributed principal. The absence of data is itself the fraud. Because the agent’s logging pipeline writes to the same infrastructure the operator administers, no independent witness of the action exists.
Security System Evasion. An attacker who has gained limited access to a cloud environment uses an agentic workflow to probe IAM policy boundaries. The agent issues a sequence of low-noise API calls (each individually within the allowed rate limit) across a period of 48 hours. The agent’s session logs are written to a bucket the attacker controls and are deleted after each session terminates. A post-incident forensic review finds only the IAM access logs from the cloud provider, which record the API calls without the agent’s planning context, retrieved memory, or session ID, making it impossible to attribute the probe sequence to a single actor or tool chain.
Compliance Violation Concealment. A healthcare data-processing agent is used to de-identify patient records before forwarding them to a third-party analytics vendor. In practice, the agent occasionally includes a patient identifier in the forwarded payload when its de-identification step is ambiguous. Because the agent’s output is logged at the summary level (“de-identification job completed, 1,200 records processed”) rather than at the record level, the data breach is not detectable from the agent’s own logs. The healthcare provider cannot demonstrate to the regulator which records were improperly disclosed or when, because the fidelity required to make that determination was never captured.
Why it’s dangerous
Agent decisions are non-deterministic and traverse internal state that is rarely captured at the fidelity needed to reconstruct why an action was taken: planning steps, retrieved memory, and tool-selection rationales are typically absent from logs. Multiple parallel reasoning paths and inter-agent delegation make attribution harder still. Logs that suffice for a conventional service do not necessarily explain an agent’s decision.
Where it manifests
Four gaps need closing. First, logs must capture the inputs and reasoning trace alongside each action, not just the action itself. Second, logs must be signed immutably so they cannot be altered after the fact. Third, enough context must be preserved to attribute an action to a specific user, agent identity, and tool invocation. Fourth, attribution must survive multi-agent delegation chains.
Detection signals
Monitor the logging pipeline itself as a security surface, not just the events it contains:
- Log volume per agent session that falls more than one standard deviation below the expected minimum for that task type. An unusually sparse log is a signal that writes are being dropped, filtered, or deleted.
- A gap in the sequential event counter for an agent session: if session events are numbered and numbers are non-contiguous, entries have been removed after the fact.
- An action event (tool call, external API call, data write) in the execution log that has no corresponding planning or reasoning trace event within the same session ID, indicating the log captured the consequence but not the cause.
- A log-write operation issued by an agent identity that modifies or deletes entries older than the current session. Agents should append to logs, never overwrite or delete; any other operation is anomalous.
- Cross-system attribution gap: an outbound API call or data transfer visible in the downstream system’s ingress log that has no matching originating event in the agent’s own session log, flagged by correlating session IDs across log sinks.
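The signals listed above can be checked mechanically once session events carry a sequence number and an operation type. The following is an added example, not code from the source catalogue; the field names (`session`, `seq`, `kind`, `op`, `call_id`), the sample records, and the reading of "expected minimum" as the smallest baseline count are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import stdev

# Constructed sample data; field names are assumptions for this example.
AGENT_LOG = [
    {"session": "s-41", "seq": 1, "kind": "plan", "op": "append"},
    {"session": "s-41", "seq": 2, "kind": "action", "call_id": "c-100", "op": "append"},
    {"session": "s-41", "seq": 5, "kind": "action", "call_id": "c-101", "op": "append"},
    {"session": "s-42", "seq": 1, "kind": "action", "call_id": "c-200", "op": "append"},
    {"session": "s-42", "seq": 2, "kind": "log_write", "op": "delete"},
]
INGRESS_LOG = [  # the downstream system's record of calls it received
    {"session": "s-41", "call_id": "c-100"},
    {"session": "s-41", "call_id": "c-102"},
]
BASELINE_COUNTS = [40, 44, 38, 42, 41]  # events per session for this task type


def detect(agent_log, ingress_log, baseline):
    findings = []
    by_session = defaultdict(list)
    for ev in agent_log:
        by_session[ev["session"]].append(ev)

    # More than one standard deviation below the expected minimum.
    floor = min(baseline) - stdev(baseline)
    for sid, events in sorted(by_session.items()):
        events.sort(key=lambda e: e["seq"])
        if len(events) < floor:
            findings.append((sid, "sparse_log", len(events)))
        # Non-contiguous sequence numbers mean entries were removed.
        expected = 1
        for ev in events:
            if ev["seq"] != expected:
                findings.append((sid, "seq_gap", (expected, ev["seq"] - 1)))
            expected = ev["seq"] + 1
        # Each action needs a plan/reasoning event since the previous action.
        planned = False
        for ev in events:
            if ev["kind"] == "plan":
                planned = True
            elif ev["kind"] == "action":
                if not planned:
                    findings.append((sid, "action_without_plan", ev["call_id"]))
                planned = False
            # Agents append only; any other log operation is anomalous.
            if ev["op"] != "append":
                findings.append((sid, "non_append_op", ev["op"]))

    # Calls the downstream system saw that the agent log never recorded.
    logged = {(e["session"], e["call_id"]) for e in agent_log if "call_id" in e}
    for rec in ingress_log:
        if (rec["session"], rec["call_id"]) not in logged:
            findings.append((rec["session"], "attribution_gap", rec["call_id"]))
    return findings
```

The check has to run against a copy of the log that the monitored agent and its operators cannot write to; otherwise the detector inherits the same gap it is looking for.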
OWASP Top 10 for Agentic Applications 2026
The Agentic Top 10 (ASI01 through ASI10) is a separate practitioner-facing publication that maps onto the master Threats & Mitigations threat numbering. T8 is covered by the following Top 10 entries:
- ASI08 Cascading Failures (primary): A single low-severity fault (a hallucinated value, a corrupted tool output, a poisoned memory entry) propagates across a network of agents that each build on the last agent's output, compounding into system-wide harm that is disproportionate to the original defect. ASI08 is about propagation and amplification, not the fault's origin; the initial trigger may itself be innocuous.
- ASI09 Human-Agent Trust Exploitation (primary): Adversaries exploit the tendency of humans to trust fluent, authoritative-sounding agents: an agent presents plausible justification for a harmful action, the human approves it, and the resulting audit trail reads as deliberate human authorisation. The attack surface is the review step itself: human-in-the-loop oversight becomes the vector when reviewers lack the context, time, or authority to challenge what the agent recommends.
Source: OWASP Top 10 for Agentic Applications 2026 (Dec 2025) · the Top 10 is a compass into the master Threats & Mitigations taxonomy, not a replacement for it.
Design principles at stake
When T8 is present, these security design principles are the ones being violated or tested. Each links to the full principle; the mitigations below are how you restore them.
- Defence-in-Depth: Repudiation succeeds not by defeating any one control but by exploiting the absence of independent layers: no tamper-evident record, no separate audit identity, no WORM storage. Depth here means the actor-recorder split (the agent never writes to its own audit trail), Sigstore-signed hash-chained logs the actor cannot alter, and legal-hold WORM storage that refuses modification even if the recorder identity is compromised. Three independent controls mean defeating any one still leaves the other two intact.
- Separation of Duties: The structural violation T8 exploits is an agent that both acts and records: it can manipulate or omit its own log entries, making the Financial Transaction Obfuscation and Compliance Violation Concealment scenarios possible. Separating the acting identity from a write-only audit identity, enforced by distinct credentials rather than just policy, means no single principal can both authorise an action and erase the evidence.
- Observability / Non-repudiation: Ordinary telemetry that captures only what the agent did is insufficient here; the MAESTRO L5 concern is that planning steps, retrieved memory, and tool-selection rationales are absent, so investigators cannot reconstruct why a fraudulent or evasive action was taken. Full observability for T8 means gateway-intercepted, agent-key-signed entries that include reasoning traces and context hashes, stored append-only so the Security System Evasion scenario (interactions with minimal logging) has no place to hide.
- Accountability: When an action traverses a multi-agent delegation chain and no delegation register exists, post-incident review cannot name a responsible human. This is the exact condition that enables Compliance Violation Concealment in regulated industries to go unpunished. Authority-lineage registers with signed, scope-attenuating delegation caveats at every hop make every action attributable to a named human officer, collapsing the anonymity that repudiation depends on.
- Transparency / Explainability: An investigator who can see that an agent sent a payment but cannot access the reasoning trace that preceded it cannot determine whether an injection caused the action. The injection stays invisible and the repudiation stands. Capturing decision-grade observability alongside each tool call (the reasoning trace, the context hash, the authority under which the call was made) is what converts a log of events into a non-repudiable forensic record.
- Contestability / Redress: Without rollback procedures and an attributable, tamper-evident audit trail, an operator challenged over an agent-produced compliance violation can neither reverse the effect nor demonstrate what happened. These are the two capacities contestability requires. Sigstore-signed WORM logs paired with override and rollback procedures directly satisfy the redress obligation: the trail proves what occurred, and the rollback path makes correction possible.
Recommended mitigations
Auto-generated from the mitigation catalog: every mitigation whose coverage map includes T8, sorted by maturity tier (Tier 1 production-canonical first, then Tier 2, then Tier 3 research-stage).
-
An agent is composed of artifacts produced at different times by different identities: model weights, prompt templates, tool descriptors, MCP server binaries, and audit-log batches. Any of those artifacts can be substituted or tampered with between the moment they are built and the moment they are loaded. Sigstore addresses this by signing each artifact at build time using a short-lived certificate tied to the workload identity that produced it, recording the signature in an append-only public transparency log, and requiring verification against that log before the artifact is loaded or executed.
Why it helps: Repudiation and Untraceability arises when agent actions cannot be reliably traced or attributed after the fact. A signed audit log makes each entry tamper-evident: Rekor's append-only inclusion-proof model means any deletion or alteration is detectable by any verifier, and the identity of the signer is bound to the certificate at signing time.
- Tier 2 Data classification (Data classification with tool-access allow-lists — a sensitivity label on every dataset, enforced at every access seam)
Every dataset, document, and external system an agent can reach carries a classification label. The agent's permitted-class set and the tool's permitted-class set are intersected at the moment of every read or write. When the requested data's class falls outside that intersection, access is denied at the seam. This is the data-side complement to least-privilege: it adds a data-sensitivity constraint that role scoping alone does not provide.
Why it helps: Sensitive data disclosure occurs when an agent reads or surfaces information it was never supposed to reach. Classification enforcement prevents the agent from reading above its permitted class in the first place; the access attempt is denied at the seam and written to the audit trail, rather than succeeded and logged after the fact.
- Tier 2 Egress DLP (Output egress DLP — inspection gate for PII, secrets, and IP at the agent boundary)
An agent produces output continuously across multiple channels: user-facing responses, tool-call parameter envelopes, log records, and outbound HTTP requests. Any of those channels can carry sensitive content the agent has retrieved, been fed, or been tricked into including. Output egress DLP places an inspection gate at the boundary so that PII, credentials, and proprietary content are classified and either redacted or quarantined before they leave the trust boundary, regardless of how they got into the output.
Why it helps: Repudiation and Untraceability are aggravated when sensitive content reaches an audit trail or an external system, creating a disclosure that is then difficult to retract. Stripping that content at the egress seam before it is committed prevents the disclosure from occurring and removes the repudiation surface.
- Tier 2 Insider program (Insider threat program — personnel security for operators of high-privilege agentic systems)
Privileged-access personnel are the human layer behind every agentic system. A person with legitimate administrative credentials can tamper with logs, manipulate approval gates, or extract training data through authorised channels, and no technical control prevents it when the access itself is valid. An insider threat program addresses that gap: it governs who holds operator access, what they agree to, how quickly credentials are revoked on departure, and whether anomalous behaviour is surfaced before damage accumulates.
Why it helps: Evidence Tampering relies on a privileged operator using valid administrative credentials to modify logs or memory without detection. Periodic access reviews surface entitlement drift before it is exercised, off-boarding revokes credentials on departure, and access agreements establish documented legal liability, each reducing the probability that a corrupt operator acts and goes undetected.
- Tier 2 Legal hold (Legal hold and WORM retention — immutable audit storage that survives a compromised recorder)
An audit trail is only useful if its records cannot be altered after the fact. Without a storage-layer enforcement mechanism, a sufficiently privileged attacker (or a compromised recorder identity) can overwrite or delete the records that document what happened. Legal hold and WORM retention solve this by placing audit records in storage that the provider itself enforces as immutable: no user, including account root, can modify or delete a locked object within the retention window. Legal hold extends that protection indefinitely for active incidents, lifted only through an out-of-band authority outside the normal operations team.
Why it helps: T8 Repudiation covers scenarios where an actor rewrites or suppresses the record of its own actions: financial transaction obfuscation, compliance violation concealment, and security system evasion all depend on modifying or deleting stored audit data after the fact. WORM retention removes that path at the storage layer, making post-hoc tampering structurally impossible within the retention window regardless of the attacker's IAM privileges.
- Tier 2 Provenance tracking (Output provenance tracking — record the source of every claim an agent makes)
When an agent produces a claim derived from retrieved data, that claim needs a record of where it came from: the source document, version, and retrieval time. Without that record, a downstream verifier cannot distinguish a well-grounded output from a fabricated one, a tampered one, or a poisoned one. Provenance tracking attaches source attribution to every claim, carries it through each transformation in the pipeline, and surfaces it in audit logs and user-facing interfaces.
Why it helps: Repudiation and Untraceability succeed when no durable record links an output to the agent and source that produced it. Tamper-evident per-claim provenance, signed at generation time, removes the ability to deny or alter the record of what was produced and why.
-
An agent that writes its own audit log can omit, alter, or suppress any record of its own actions. This is not a theoretical risk: an attacker who controls the acting identity controls the evidence. Actor/recorder separation is the structural fix. The identity that performs an action and the identity that records it are different principals, with non-overlapping permissions, so no single compromise can both execute and erase.
Why it helps: Repudiation relies on an agent or attacker being able to alter or omit audit records after the fact. Actor/recorder separation removes that capability structurally: the actor identity holds no write access to audit storage, so it cannot delete or modify the entries that document its own actions.
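The actor/recorder split and the hash-chained log described above can be sketched together. This is an added example, not the catalogue's or Sigstore's code: HMAC-SHA256 under a recorder-only key stands in for the Sigstore signatures the page names, and the class, field names, key, and sample events are assumptions. It also shows the case a chain alone misses: truncating the tail leaves a valid chain, so the latest checkpoint must be held outside the log store.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64
DEMO_KEY = b"recorder-only-demo-key"  # constructed; the acting agent never holds it
SAMPLE_EVENTS = [  # constructed entries: principal, agent, tool, context hash
    {"principal": "user:alice", "agent": "pay-agent", "tool": "plan", "ctx": "a1f0"},
    {"principal": "user:alice", "agent": "pay-agent", "tool": "transfer", "ctx": "b27c"},
    {"principal": "user:alice", "agent": "pay-agent", "tool": "notify", "ctx": "c93e"},
]


def entry_mac(key, entry):
    """MAC over sequence number, previous MAC and event, as canonical JSON."""
    body = {k: entry[k] for k in ("seq", "prev", "event")}
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()


class Recorder:
    """Write-only audit identity, separate from the agent that acts."""

    def __init__(self, key):
        self._key = key
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {"seq": len(self.entries) + 1, "prev": prev, "event": event}
        entry["mac"] = entry_mac(self._key, entry)
        self.entries.append(entry)
        # Checkpoint to keep outside the log store (assumed: WORM or a second sink).
        return {"seq": entry["seq"], "mac": entry["mac"]}


def verify(entries, key, checkpoint):
    """Return (seq, problem) tuples; an empty list means the log is intact."""
    problems, prev = [], GENESIS
    for position, e in enumerate(entries, start=1):
        if e["seq"] != position:
            problems.append((e["seq"], "seq_gap"))
        if e["prev"] != prev:
            problems.append((e["seq"], "broken_link"))
        if not hmac.compare_digest(e["mac"], entry_mac(key, e)):
            problems.append((e["seq"], "bad_mac"))
        prev = e["mac"]
    # Tail truncation keeps the chain valid; only the checkpoint reveals it.
    head = (entries[-1]["seq"], entries[-1]["mac"]) if entries else (0, GENESIS)
    if head != (checkpoint["seq"], checkpoint["mac"]):
        problems.append((head[0], "head_mismatch"))
    return problems


def build_log():
    recorder = Recorder(DEMO_KEY)
    checkpoint = None
    for event in SAMPLE_EVENTS:
        checkpoint = recorder.append(event)
    return recorder.entries, checkpoint
```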
Multi-agent variants: OWASP MAS Guide
The OWASP MAS Threat Modelling Guide v1.0 catalogues 7 named multi-agent variants of T8, anchored to specific MAESTRO layers. Each is a concrete attack pattern that emerges when this threat compounds across agents.
- L5 Distributed Performance Degradation Masking extends T8
Manipulating per-agent metrics to hide system-wide degradation; individual agents look fine in isolation.
- L6 Data Privacy Violations in Inter-Agent Interactions extends T3, T8
Sensitive data leaked during inter-agent exchanges; a concern specific to multi-agent data sharing.
- L6 Real-Time Security Violation extends T8, T7
Lack of continuous security monitoring lets non-deterministic agents drift past guardrails.
- CL Misconfigured Inter-Agent Monitoring extends T8, T10
Gaps in cross-agent monitoring let anomalous behaviour go undetected.
- CL RAG Manipulation / Semantic Drift / Repudiation Cascade extends T18, T49, T8
Adversary poisons a shared RAG store (T18); the injected context gradually shifts agent reasoning over time (T49); because logs are sparse or selectively pruned, the drift cannot be attributed after the fact (T8). Cross-layer: L2 data store, L3 agent reasoning, L5 observability.
- CL Blockchain Reorganisation and Audit Integrity Collapse extends T33, T26, T8
A chain reorganisation attack (T33) rewrites the on-chain audit trail; agents relying on the reorged state make irrecoverable decisions (T26: resource misallocation); the post-hoc audit (T8) is unreliable because the canonical record itself changed.
- CL Auditability Collapse via Log Manipulation + MCP Logging Gap extends T23, T44, T8
An attacker with write access to centralized logs selectively prunes evidence (T23); MCP tool-call logs are never captured because the MCP server has insufficient logging (T44); the combined gap makes repudiation impossible to disprove (T8).
Source: OWASP MAS Threat Modelling Guide v1.0, §2 Overview of MAESTRO Framework — Extended Threat Scenarios + Cross-Layer table.
Catalogue extensions: Helmwart T18 to T49
This normalized catalogue includes 5 multi-agent entries based on the OWASP MAS Threat Modelling Guide v1.0 that extend T8. The source guide reuses some numbers between worked systems; these Helmwart entries provide stable detail pages, MAESTRO layers, and mitigation coverage.
- T23 Selective Log Manipulation
Attacker with write access selectively deletes log entries covering fraudulent actions while leaving surrounding entries intact, defeating forensic reconstruction.
- T33 Blockchain Reorganisation Attack (Indirect)
A major blockchain reorganisation invalidates previously confirmed transactions, leaving downstream agent state incorrect if the agent does not handle reversions.
- T35 Manipulation of Proof of Sampling (PoSP)
Attacker manipulates the PoSP mechanism to fabricate evidence of legitimate actions or conceal malicious ones from verifiers.
- T44 Insufficient Logging in MCP Server / Client
MCP server or client implementations lack sufficient logging, blocking incident detection and post-breach investigation.
- T46 Data Residency / Compliance Violation via MCP Server
An MCP server transfers or processes data in ways that violate data-residency or regulatory compliance requirements.
Sources
- OWASP-Agentic-AI · 1.1 (Dec 2025) · Agentic Threats Taxonomy Navigator §Step 1; Threat Model T8
- MAESTRO · 1.0 (Apr 2025) · Layer 5 Evaluation & Observability; Cross-Layer Misconfigured Inter-Agent Monitoring