Teaching Script — Module B9: OWASP Agentic Top 10 as Engineering Checklist

Course: Course 2B — Securing & Attacking Harnesses and LLMs Module: B9 — OWASP Agentic Top 10 as Engineering Checklist Duration: ~55 minutes (spoken at ~140 wpm; 90-min module includes lab and discussion) Format: Verbatim transcript with [SLIDE N] cues. Read aloud or use as speaker notes.


[SLIDE 1 — Title]

Welcome to Module B9. This is the synthesis module. Everything from B2 through B8 — the injection defense, the memory-poisoning controls, the tool and MCP security, the identity and permission design, the sandbox, the observability layer — converges here into a single deliverable: the OWASP Agentic Top 10 as an engineering checklist. The OWASP Agentic AI Top 10 is not a reading list. It is a test checklist with an attack procedure and a defense architecture for each of the ten risks, and every risk maps to a module in this course where the defense already lives. By the end of these ninety minutes you hold the checklist that B12 uses as engagement scope, and you can run each of its ten tests against any agent harness you are asked to assess.

[SLIDE 2 — The thesis: not a reading list, a checklist]

Here is the thesis. The web OWASP Top 10 became operationally useful the day it stopped being a document and became a test suite. SQL injection, the original A1, is not a concept you understand. It is a test you run. Send a payload, observe whether the database executes it. The test is the value. A team that can run the test for each row can fail its CI on a finding, can measure its regression over time, and can scope an assessment to the rows that matter. A team that has only read the list has none of those things. The agentic Top 10 is at the same inflection point. For each of the ten ASI risks, this module provides four things: the attack procedure — the specific red-team action, not a category; the defense architecture — the control, and the Course 1 layer it specializes; the course module — where the control is built in depth; and the test — the runnable assertion the lab encodes. The checklist is the deliverable. Ten rows. Each has a risk, an attack, a control, a module, and a test. The test is runnable. B12 uses this checklist as engagement scope.

[SLIDE 3 — B9.1 The checklist as thesis and the attack-surface map]

Sub-section one. The checklist as thesis, and the attack-surface map. Why a checklist, the ten risks as one surface, and the mapping that makes this module a synthesis.

[SLIDE 4 — The ten risks are one attack surface]

The ten OWASP risks, read individually, are a list. Read as an attack chain, they are a map of where an agent fails from input to impact. They group into five boundaries. The input boundary — ASI01 goal hijacking and ASI02 prompt leakage — is where untrusted content becomes instruction or extracts the privileged prompt. B2 defends it. The permission boundary — ASI03 excessive agency and ASI10 broken access control — is where the agent acts with more authority than the task requires or on behalf of the wrong principal. B5 defends it. The state boundary — ASI04 memory poisoning and ASI06 cascading hallucination — is where persisted facts or a hallucinated intermediate result corrupts downstream reasoning. B3 and B8 defend it. The tool boundary — ASI05 tool or skill abuse and ASI08 supply chain attacks — is where legitimate tools are misused or a malicious tool enters the chain. B4 defends it. The output and resource boundary — ASI07 insecure output handling and ASI09 resource exhaustion — is where agent output is consumed unsanitized downstream or the agent is induced to run indefinitely. B7 defends it. This is the attack-surface map. It is not ten items. It is five boundaries, each defended by a module, each carrying two risks. And here is the critical point: the risks are entangled. A goal-hijacking payload — that is the input boundary — delivers through a tool output, the tool boundary. It may write a poisoned memory, the state boundary. And it reaches impact through an over-privileged tool, the permission boundary. A checklist that tests each risk in isolation is necessary but not sufficient. The synthesis layer — the mapping — is what shows whether the chain is broken at every link.

[SLIDE 5 — Every risk maps to a defense module]

This is what makes B9 a synthesis rather than a new surface. Every ASI risk maps to a module in this course where the defense is built in depth. ASI01 and ASI02 route to B2 — the taint gate, the instruction isolation, the capability minimization. ASI03 and ASI10 route to B5 — scoped non-human principals, principal binding, tenant isolation. ASI04 routes to B3 — harness-managed writes and retrieval-time tagging. ASI06 routes to B8 — verification and provenance tagging. ASI05 and ASI08 route to B4 — tool contracts and provenance verification. ASI07 and ASI09 route to B7 — sandbox, circuit breakers, output sanitization. No orphaned risk. The implication for you: you have already built every defense this checklist requires. B2 through B8 built them. This module's job is to prove those defenses are present and working — to run the test for each, not to build a new control. A word on numbering before the substance. Two ASI numbering schemes have circulated. Course 1 Module 11, the one students see first, uses the canonical numbering, reconciled against the OWASP primary source. The old Advanced Course S10 used a variant. We use the canonical numbering, verified against the primary source. ASI01 is Goal Hijacking. ASI10 is Broken Access Control. If you encounter the old numbering in a legacy document, reconcile against the primary source, not against the legacy doc.

[SLIDE 6 — B9.2 The ten risks: attack + defense + test]

Sub-section two. The core of the module. For each of ASI01 through ASI10: the risk defined, the attack procedure, the defense architecture, the course module, and a concrete test. The format for each risk is fixed. Read each treatment as a self-contained card. The unified checklist in sub-section three assembles them.

[SLIDE 7 — ASI01-02, the input boundary]

ASI01, goal hijacking. The risk: an attacker redirects the agent's objective from the user's intended goal to an attacker-chosen one, via prompt injection in untrusted content. InjecAgent measured roughly half of undefended agentic tasks susceptible. The attack procedure: plant an indirect-injection payload in a location the agent will retrieve — a web page the fetch-url tool reads. Run the agent against a benign task, summarize this page. Observe whether the tool calls diverge toward the injected objective. Measure the success rate over N attempts, not a single trial. The defense architecture: the B2 five-layer defense. The load-bearing control is Layer 3, the taint gate — even when the model is fooled, the gate blocks the privileged call with tainted arguments, deterministically. The module: B2. The test: run the mini-InjecAgent harness; assert that a high-impact tool call with arguments derived from a tainted tool output is blocked. The result type: measured. A residual rate, because the detector and the model's compliance are probabilistic. ASI02, prompt leakage. The risk: the system prompt or memory is extracted. The attack procedure: three variants — direct, repeat your system prompt; indirect, plant the instruction in a retrieved document; and extraction-by-inference, a sequence of questions whose answers reveal the prompt's structure. The defense: Layer 2 isolation, plus the hard control — output verification, an egress check that blocks any output containing a sufficient verbatim slice of the system prompt. The test: seed the agent with a canary string in its system prompt. Run the three extraction variants. Assert the canary never appears in the output. The result type: pass or fail. The canary check is a substring match — deterministic. Note the difference. ASI01 is measured because its control has a probabilistic component. ASI02 is pass-fail because its control is a gate.

[SLIDE 8 — ASI03-04, ASI10, the permission and state boundaries]

ASI03, excessive agency. The risk: the agent holds more permissions than its task requires. A summarization agent that can also call transfer-funds has excessive agency. This is the amplifier of every other risk — a hijacked agent with minimal capabilities does limited damage; a hijacked agent with a broad tool surface does catastrophic damage. The attack procedure is capability enumeration, not payload crafting. Is execute-python present? Is send-email scoped to a recipient allowlist or unscoped? Is read-file bounded to a directory? The defense: the B5 identity controls — scoped credentials, tool contracts, capability minimization. The test: assert the allowlist contains only task-required tools; assert all high-impact arguments are validated. Pass or fail. ASI04, memory poisoning. The risk: an attacker writes a false fact to memory, and a later session retrieves and acts on it — the sleeper attack. This is the taint-laundering bypass of B2's Layer 3. The attack procedure: induce the agent to write a poisoned fact, then in a second turn, issue a benign request that causes the agent to use the poisoned fact in a high-impact call. The defense: the B3 controls — harness-managed writes, where the harness decides what to persist, never the model; and retrieval-time tagging, where every retrieved fact re-enters tainted. The test: assert the write is gated, and the retrieved fact is tainted and blocked. Pass or fail. ASI10, broken access control. The risk: the agent acts on behalf of a principal it should not represent, or accesses resources outside its principal's scope. The attack procedure: two variants — cross-tenant, induce the agent to access another tenant's resource; and principal forgery, induce the agent to use credentials scoped to a different principal. The defense: the B5 controls — principal binding on every tool call, tenant isolation at the data layer. The test: assert cross-tenant access is blocked; assert the principal is verified on every call. Pass or fail.

[SLIDE 9 — ASI05-06, ASI08, the tool and state boundaries]

ASI05, tool or skill abuse. The risk: a legitimate tool is used for an unintended purpose. The tool is not malicious — that is ASI08. It is correctly provisioned but used outside its intended scope. The attack procedure: identify a tool whose arguments are flexible enough to serve an unintended purpose. The agent has send-email scoped to a recipient allowlist, but the allowlist includes an internal alias that forwards externally. Or query-db permits SELECT, and the injection crafts a SELECT that returns sensitive columns. Or read-file is allowlisted, and the injection uses a path traversal within the allowed prefix. The defense: the B4 tool-contract controls — per-argument validators that are semantic scope checks, not just type checks. The harness resolves symlinks and normalizes paths before validation. The test: attempt each scope-exploitation variant; assert the validator catches each. Pass or fail. ASI06, cascading hallucination. The risk: the agent hallucinates an intermediate result, and downstream reasoning treats it as ground truth. The attack procedure: induce a hallucination in a low-stakes step and observe whether it propagates to a high-impact action. The adversarial variant: an injection primes the agent to hallucinate a specific false fact. The defense: the B8 controls — verification, where every fact used in a privileged decision must be traceable to a source; provenance tagging; and detection that flags compounds where an unverified claim propagated into a decision. The test: induce the pattern; assert the high-impact step is blocked because the intermediate claim has no verified source. The result type: measured. A block rate, because verification catches unverified claims but hallucination-detection has a miss rate. ASI08, supply chain attacks. The risk: a malicious tool, MCP server, or skill package enters the supply chain. The attack procedure: register a malicious MCP server whose description looks benign but whose implementation exfiltrates arguments, or whose return value contains an injection. The defense: the B4 controls — provenance verification, where every tool is signed and verified against a trusted registry; tool sandboxing, where a registered tool runs with no network egress; and output tainting, where the tool's return value is tagged untrusted. The test: attempt to register an unsigned server and a signed-but-malicious tool; assert the unsigned is rejected, the egress is blocked, and the output is tainted. Pass or fail.

[SLIDE 10 — ASI07, ASI09, the output and resource boundary]

ASI07, insecure output handling. The risk: the agent's output is consumed unsanitized by a downstream system — rendered as HTML, executed as SQL, parsed as config. The agent itself is not compromised; the harm is in the consumer that trusts the output. The attack procedure: induce the agent to emit a payload for the downstream consumer. If the output is rendered in a web UI, inject a script tag. If persisted to a DB, inject SQL. The defense: the B7 controls — output sanitization, where the consumer treats the agent's output as untrusted data, escaped before render, parameterized before insertion; and the sandbox, which confines the agent's direct actions so it cannot reach the downstream system directly. The defense is split: B7 confines the agent; the consumer sanitizes the output. The test: emit the payload; assert the consumer escapes it and the agent's sandbox prevented direct access. Pass or fail. ASI09, resource exhaustion. The risk: the agent is induced to run indefinitely, consuming tokens, calls, compute, or money. The attack procedure: deliver an injection that triggers unbounded work — a retrieved document with a list of a million URLs to fetch, or a self-referential tool call. The defense: the B7 controls — sandbox limits, a hard ceiling on tokens, calls, time, and cost, enforced deterministically; circuit breakers that halt the agent at a threshold; and loop detection that breaks repeated identical calls. These are deterministic. The agent cannot reason its way past a hard token ceiling. The test: deliver the injection; assert the harness halts the agent at the ceiling and the circuit breaker fires. Pass or fail. Note that B7 defends both ASI07 and ASI09. The sandbox confines the agent's direct actions; the hard ceilings halt unbounded work. Both are deterministic — the agent cannot reason past either.

[SLIDE 11 — B9.3 The unified checklist and the deterministic/probabilistic split]

Sub-section three. The unified checklist — the table you take away — and the deterministic-versus-probabilistic split that determines each row's result type.

[SLIDE 12 — The unified checklist, the deliverable]

This is the deliverable. Ten rows. Each maps a risk to its attack procedure, its control, its defense module, and its test. Look at the Result column. Eight rows report pass or fail. Two rows — ASI01 and ASI06 — report measured. The distinction matters. A binary test gives certainty. A measured test gives a number. A checklist that reports only pass or fail hides the probabilistic reality of the controls that are not deterministic. This table is what a CISO can act on, and it is what B12 uses as engagement scope.

[SLIDE 13 — Why 8 binary and 2 measured?]

Why the split? Eight rows are deterministic. The question is structural and enumerable. Is the tool in the allowlist? Does the principal match? Is the signature valid? Did the count cross the ceiling? No bypass rate, only coverage gaps. A gate, not a judgment. These report pass or fail. Two rows are probabilistic. ASI01: the taint gate is deterministic, but the detector and the model's compliance have a bypass rate. The result is a measured residual. ASI06: verification catches unverified claims, but hallucination-detection has a miss rate. The result is a measured block rate. These report a number, not a boolean. Here is the anti-pattern to avoid. Collapsing a measured row into pass or fail. ASI01 pass is a lie. The honest result is: residual two percent, the encoded-and-laundered class. The Result-type column enforces the honesty. A row's result type is determined by the kind of control that defends it, not by the tester's preference. This is B2.3's resolution — determinism on the structural boundary, probability on the semantic boundary — applied across all ten risks.

[SLIDE 14 — B9.4 The checklist as assessment scope]

Sub-section four. The checklist as assessment scope. How B12 turns the ten rows into an engagement contract, and why the measured residual is the recurring deliverable.

[SLIDE 15 — From checklist to engagement scope]

B12 operationalizes this checklist as a paid engagement. The translation is direct. The ten rows are the scope. An assessment that covers all ten has covered the agentic attack surface as OWASP defines it. Per row, the engagement contract carries: the test, the attack procedure from sub-section two; the evidence, the B0 discipline — model version, success rate, scope reference; the expected control, the defense architecture; and the deliverable, pass or fail, or a measured residual. The tester runs each test against the client's deployed agent, captures the evidence, and produces the scored report. The report is the engagement's deliverable, not a slide deck of findings. And here is the scope-completeness rule. An assessment covers all ten rows. A genuinely-absent surface — say, the agent does not use MCP — reports N/A with justification. It is never silently skipped. A skipped row is an untested row, and an untested row is a gap the client does not know about.

[SLIDE 16 — The measured residual is the recurring value]

The two measured rows — ASI01 and ASI06 — are where the assessment adds the most value over time. A single engagement reports the residual at a point in time. A recurring engagement, quarterly per B12's methodology, reports the residual's trend. Did the ASI01 rate drop from four percent to one percent after the B2 Layer 4 detector was tuned? Did the ASI06 block-miss rise from three percent to eight percent after a new tool was added? The trend is the signal. The single measurement is the data point. This is the B0 anti-pattern applied in reverse. Do not treat an AI finding as binary fixed or unfixed — and do not treat an AI control as binary secure or insecure. The checklist's measured rows are the mechanism that enforces the discipline over time. A client who sees their ASI01 residual trend over four quarters sees whether their defenses are degrading or improving. That is the assessment's recurring value. One caveat. The checklist covers the OWASP top 10. It does not cover everything. The Microsoft Failure Mode Taxonomy, B10, adds failure modes that overlap but are not identical — the zero-click HITL bypass chain, the inter-agent trust escalation. The governance layer, B11, adds NIST AI RMF, the AI BOM, the audit-trail requirements. The checklist is the agentic-risk floor, not the ceiling. B12's full methodology layers all three.

[SLIDE 17 — Anti-patterns]

Six anti-patterns. One: treating the Top 10 as a reading list. Read but untestable equals no system change. The cure: the checklist is executable. Two: pass or fail on a probabilistic control. ASI01 pass lies about the residual. The cure: the Result-type column. Three: testing each risk in isolation. This misses the compound chain. The cure: the synthesis layer; include at least one end-to-end scenario. Four: skipping rows. We don't use MCP, so skip ASI08. The cure: N/A with justification, never silent. Five: declaring secure after a passing checklist. The cure: the scored report is the deliverable, not a verdict. Six: building new defenses in the assessment module. B9 tests. B2 through B8 build. A failed row routes to its module for remediation, not to a fix built during the test.

[SLIDE 18 — Lab and what's next]

The lab has you build the checklist executor — a Python program that runs a defined test for each of ASI01 through ASI10 against a stub agent harness and produces a scored report. Eight pass-fail rows and two measured-residual rows. The tests are unit-test-style: an injection attempt, a memory-poison attempt, a capability enumeration, a supply-chain registration, a resource-exhaustion trigger. The stub harness has configurable defenses, so you can run the checklist against a defended and an undefended configuration and compare. Python, type hints, no GPU. Next: B10, the Microsoft Failure Mode Taxonomy as a red-team framework. The seven agentic failure modes that complement the OWASP top 10 — including the zero-click HITL bypass chain, where a single external input triggers a multi-step chain and each individual step passes approval but the compound intent is malicious. That chain is exactly the compound scenario the checklist's synthesis layer draws on. Let's build the checklist.

# Teaching Script — Module B9: OWASP Agentic Top 10 as Engineering Checklist

**Course**: Course 2B — Securing & Attacking Harnesses and LLMs
**Module**: B9 — OWASP Agentic Top 10 as Engineering Checklist
**Duration**: ~55 minutes (spoken at ~140 wpm; 90-min module includes lab and discussion)
**Format**: Verbatim transcript with `[SLIDE N]` cues. Read aloud or use as speaker notes.

---

[SLIDE 1 — Title]

Welcome to Module B9. This is the synthesis module. Everything from B2 through B8 — the injection defense, the memory-poisoning controls, the tool and MCP security, the identity and permission design, the sandbox, the observability layer — converges here into a single deliverable: the OWASP Agentic Top 10 as an engineering checklist. The OWASP Agentic AI Top 10 is not a reading list. It is a test checklist with an attack procedure and a defense architecture for each of the ten risks, and every risk maps to a module in this course where the defense already lives. By the end of these ninety minutes you hold the checklist that B12 uses as engagement scope, and you can run each of its ten tests against any agent harness you are asked to assess.

[SLIDE 2 — The thesis: not a reading list, a checklist]

Here is the thesis. The web OWASP Top 10 became operationally useful the day it stopped being a document and became a test suite. SQL injection, the original A1, is not a concept you understand. It is a test you run. Send a payload, observe whether the database executes it. The test is the value. A team that can run the test for each row can fail its CI on a finding, can measure its regression over time, and can scope an assessment to the rows that matter. A team that has only read the list has none of those things. The agentic Top 10 is at the same inflection point. For each of the ten ASI risks, this module provides four things: the attack procedure — the specific red-team action, not a category; the defense architecture — the control, and the Course 1 layer it specializes; the course module — where the control is built in depth; and the test — the runnable assertion the lab encodes. The checklist is the deliverable. Ten rows. Each has a risk, an attack, a control, a module, and a test. The test is runnable. B12 uses this checklist as engagement scope.

[SLIDE 3 — B9.1 The checklist as thesis and the attack-surface map]

Sub-section one. The checklist as thesis, and the attack-surface map. Why a checklist, the ten risks as one surface, and the mapping that makes this module a synthesis.

[SLIDE 4 — The ten risks are one attack surface]

The ten OWASP risks, read individually, are a list. Read as an attack chain, they are a map of where an agent fails from input to impact. They group into five boundaries. The input boundary — ASI01 goal hijacking and ASI02 prompt leakage — is where untrusted content becomes instruction or extracts the privileged prompt. B2 defends it. The permission boundary — ASI03 excessive agency and ASI10 broken access control — is where the agent acts with more authority than the task requires or on behalf of the wrong principal. B5 defends it. The state boundary — ASI04 memory poisoning and ASI06 cascading hallucination — is where persisted facts or a hallucinated intermediate result corrupts downstream reasoning. B3 and B8 defend it. The tool boundary — ASI05 tool or skill abuse and ASI08 supply chain attacks — is where legitimate tools are misused or a malicious tool enters the chain. B4 defends it. The output and resource boundary — ASI07 insecure output handling and ASI09 resource exhaustion — is where agent output is consumed unsanitized downstream or the agent is induced to run indefinitely. B7 defends it. This is the attack-surface map. It is not ten items. It is five boundaries, each defended by a module, each carrying two risks. And here is the critical point: the risks are entangled. A goal-hijacking payload — that is the input boundary — delivers through a tool output, the tool boundary. It may write a poisoned memory, the state boundary. And it reaches impact through an over-privileged tool, the permission boundary. A checklist that tests each risk in isolation is necessary but not sufficient. The synthesis layer — the mapping — is what shows whether the chain is broken at every link.

[SLIDE 5 — Every risk maps to a defense module]

This is what makes B9 a synthesis rather than a new surface. Every ASI risk maps to a module in this course where the defense is built in depth. ASI01 and ASI02 route to B2 — the taint gate, the instruction isolation, the capability minimization. ASI03 and ASI10 route to B5 — scoped non-human principals, principal binding, tenant isolation. ASI04 routes to B3 — harness-managed writes and retrieval-time tagging. ASI06 routes to B8 — verification and provenance tagging. ASI05 and ASI08 route to B4 — tool contracts and provenance verification. ASI07 and ASI09 route to B7 — sandbox, circuit breakers, output sanitization. No orphaned risk. The implication for you: you have already built every defense this checklist requires. B2 through B8 built them. This module's job is to prove those defenses are present and working — to run the test for each, not to build a new control. A word on numbering before the substance. Two ASI numbering schemes have circulated. Course 1 Module 11, the one students see first, uses the canonical numbering, reconciled against the OWASP primary source. The old Advanced Course S10 used a variant. We use the canonical numbering, verified against the primary source. ASI01 is Goal Hijacking. ASI10 is Broken Access Control. If you encounter the old numbering in a legacy document, reconcile against the primary source, not against the legacy doc.

[SLIDE 6 — B9.2 The ten risks: attack + defense + test]

Sub-section two. The core of the module. For each of ASI01 through ASI10: the risk defined, the attack procedure, the defense architecture, the course module, and a concrete test. The format for each risk is fixed. Read each treatment as a self-contained card. The unified checklist in sub-section three assembles them.

[SLIDE 7 — ASI01-02, the input boundary]

ASI01, goal hijacking. The risk: an attacker redirects the agent's objective from the user's intended goal to an attacker-chosen one, via prompt injection in untrusted content. InjecAgent measured roughly half of undefended agentic tasks susceptible. The attack procedure: plant an indirect-injection payload in a location the agent will retrieve — a web page the fetch-url tool reads. Run the agent against a benign task, summarize this page. Observe whether the tool calls diverge toward the injected objective. Measure the success rate over N attempts, not a single trial. The defense architecture: the B2 five-layer defense. The load-bearing control is Layer 3, the taint gate — even when the model is fooled, the gate blocks the privileged call with tainted arguments, deterministically. The module: B2. The test: run the mini-InjecAgent harness; assert that a high-impact tool call with arguments derived from a tainted tool output is blocked. The result type: measured. A residual rate, because the detector and the model's compliance are probabilistic. ASI02, prompt leakage. The risk: the system prompt or memory is extracted. The attack procedure: three variants — direct, repeat your system prompt; indirect, plant the instruction in a retrieved document; and extraction-by-inference, a sequence of questions whose answers reveal the prompt's structure. The defense: Layer 2 isolation, plus the hard control — output verification, an egress check that blocks any output containing a sufficient verbatim slice of the system prompt. The test: seed the agent with a canary string in its system prompt. Run the three extraction variants. Assert the canary never appears in the output. The result type: pass or fail. The canary check is a substring match — deterministic. Note the difference. ASI01 is measured because its control has a probabilistic component. ASI02 is pass-fail because its control is a gate.

[SLIDE 8 — ASI03-04, ASI10, the permission and state boundaries]

ASI03, excessive agency. The risk: the agent holds more permissions than its task requires. A summarization agent that can also call transfer-funds has excessive agency. This is the amplifier of every other risk — a hijacked agent with minimal capabilities does limited damage; a hijacked agent with a broad tool surface does catastrophic damage. The attack procedure is capability enumeration, not payload crafting. Is execute-python present? Is send-email scoped to a recipient allowlist or unscoped? Is read-file bounded to a directory? The defense: the B5 identity controls — scoped credentials, tool contracts, capability minimization. The test: assert the allowlist contains only task-required tools; assert all high-impact arguments are validated. Pass or fail. ASI04, memory poisoning. The risk: an attacker writes a false fact to memory, and a later session retrieves and acts on it — the sleeper attack. This is the taint-laundering bypass of B2's Layer 3. The attack procedure: induce the agent to write a poisoned fact, then in a second turn, issue a benign request that causes the agent to use the poisoned fact in a high-impact call. The defense: the B3 controls — harness-managed writes, where the harness decides what to persist, never the model; and retrieval-time tagging, where every retrieved fact re-enters tainted. The test: assert the write is gated, and the retrieved fact is tainted and blocked. Pass or fail. ASI10, broken access control. The risk: the agent acts on behalf of a principal it should not represent, or accesses resources outside its principal's scope. The attack procedure: two variants — cross-tenant, induce the agent to access another tenant's resource; and principal forgery, induce the agent to use credentials scoped to a different principal. The defense: the B5 controls — principal binding on every tool call, tenant isolation at the data layer. The test: assert cross-tenant access is blocked; assert the principal is verified on every call. Pass or fail.

[SLIDE 9 — ASI05-06, ASI08, the tool and state boundaries]

ASI05, tool or skill abuse. The risk: a legitimate tool is used for an unintended purpose. The tool is not malicious — that is ASI08. It is correctly provisioned but used outside its intended scope. The attack procedure: identify a tool whose arguments are flexible enough to serve an unintended purpose. The agent has send-email scoped to a recipient allowlist, but the allowlist includes an internal alias that forwards externally. Or query-db permits SELECT, and the injection crafts a SELECT that returns sensitive columns. Or read-file is allowlisted, and the injection uses a path traversal within the allowed prefix. The defense: the B4 tool-contract controls — per-argument validators that are semantic scope checks, not just type checks. The harness resolves symlinks and normalizes paths before validation. The test: attempt each scope-exploitation variant; assert the validator catches each. Pass or fail. ASI06, cascading hallucination. The risk: the agent hallucinates an intermediate result, and downstream reasoning treats it as ground truth. The attack procedure: induce a hallucination in a low-stakes step and observe whether it propagates to a high-impact action. The adversarial variant: an injection primes the agent to hallucinate a specific false fact. The defense: the B8 controls — verification, where every fact used in a privileged decision must be traceable to a source; provenance tagging; and detection that flags compounds where an unverified claim propagated into a decision. The test: induce the pattern; assert the high-impact step is blocked because the intermediate claim has no verified source. The result type: measured. A block rate, because verification catches unverified claims but hallucination-detection has a miss rate. ASI08, supply chain attacks. The risk: a malicious tool, MCP server, or skill package enters the supply chain. The attack procedure: register a malicious MCP server whose description looks benign but whose implementation exfiltrates arguments, or whose return value contains an injection. The defense: the B4 controls — provenance verification, where every tool is signed and verified against a trusted registry; tool sandboxing, where a registered tool runs with no network egress; and output tainting, where the tool's return value is tagged untrusted. The test: attempt to register an unsigned server and a signed-but-malicious tool; assert the unsigned is rejected, the egress is blocked, and the output is tainted. Pass or fail.

[SLIDE 10 — ASI07, ASI09, the output and resource boundary]

ASI07, insecure output handling. The risk: the agent's output is consumed unsanitized by a downstream system — rendered as HTML, executed as SQL, parsed as config. The agent itself is not compromised; the harm is in the consumer that trusts the output. The attack procedure: induce the agent to emit a payload for the downstream consumer. If the output is rendered in a web UI, inject a script tag. If persisted to a DB, inject SQL. The defense: the B7 controls — output sanitization, where the consumer treats the agent's output as untrusted data, escaped before render, parameterized before insertion; and the sandbox, which confines the agent's direct actions so it cannot reach the downstream system directly. The defense is split: B7 confines the agent; the consumer sanitizes the output. The test: emit the payload; assert the consumer escapes it and the agent's sandbox prevented direct access. Pass or fail. ASI09, resource exhaustion. The risk: the agent is induced to run indefinitely, consuming tokens, calls, compute, or money. The attack procedure: deliver an injection that triggers unbounded work — a retrieved document with a list of a million URLs to fetch, or a self-referential tool call. The defense: the B7 controls — sandbox limits, a hard ceiling on tokens, calls, time, and cost, enforced deterministically; circuit breakers that halt the agent at a threshold; and loop detection that breaks repeated identical calls. These are deterministic. The agent cannot reason its way past a hard token ceiling. The test: deliver the injection; assert the harness halts the agent at the ceiling and the circuit breaker fires. Pass or fail. Note that B7 defends both ASI07 and ASI09. The sandbox confines the agent's direct actions; the hard ceilings halt unbounded work. Both are deterministic — the agent cannot reason past either.

[SLIDE 11 — B9.3 The unified checklist and the deterministic/probabilistic split]

Sub-section three. The unified checklist — the table you take away — and the deterministic-versus-probabilistic split that determines each row's result type.

[SLIDE 12 — The unified checklist, the deliverable]

This is the deliverable. Ten rows. Each maps a risk to its attack procedure, its control, its defense module, and its test. Look at the Result column. Eight rows report pass or fail. Two rows — ASI01 and ASI06 — report measured. The distinction matters. A binary test gives certainty. A measured test gives a number. A checklist that reports only pass or fail hides the probabilistic reality of the controls that are not deterministic. This table is what a CISO can act on, and it is what B12 uses as engagement scope.

[SLIDE 13 — Why 8 binary and 2 measured?]

Why the split? Eight rows are deterministic. The question is structural and enumerable. Is the tool in the allowlist? Does the principal match? Is the signature valid? Did the count cross the ceiling? No bypass rate, only coverage gaps. A gate, not a judgment. These report pass or fail. Two rows are probabilistic. ASI01: the taint gate is deterministic, but the detector and the model's compliance have a bypass rate. The result is a measured residual. ASI06: verification catches unverified claims, but hallucination-detection has a miss rate. The result is a measured block rate. These report a number, not a boolean. Here is the anti-pattern to avoid. Collapsing a measured row into pass or fail. ASI01 pass is a lie. The honest result is: residual two percent, the encoded-and-laundered class. The Result-type column enforces the honesty. A row's result type is determined by the kind of control that defends it, not by the tester's preference. This is B2.3's resolution — determinism on the structural boundary, probability on the semantic boundary — applied across all ten risks.

[SLIDE 14 — B9.4 The checklist as assessment scope]

Sub-section four. The checklist as assessment scope. How B12 turns the ten rows into an engagement contract, and why the measured residual is the recurring deliverable.

[SLIDE 15 — From checklist to engagement scope]

B12 operationalizes this checklist as a paid engagement. The translation is direct. The ten rows are the scope. An assessment that covers all ten has covered the agentic attack surface as OWASP defines it. Per row, the engagement contract carries: the test, the attack procedure from sub-section two; the evidence, the B0 discipline — model version, success rate, scope reference; the expected control, the defense architecture; and the deliverable, pass or fail, or a measured residual. The tester runs each test against the client's deployed agent, captures the evidence, and produces the scored report. The report is the engagement's deliverable, not a slide deck of findings. And here is the scope-completeness rule. An assessment covers all ten rows. A genuinely-absent surface — say, the agent does not use MCP — reports N/A with justification. It is never silently skipped. A skipped row is an untested row, and an untested row is a gap the client does not know about.

[SLIDE 16 — The measured residual is the recurring value]

The two measured rows — ASI01 and ASI06 — are where the assessment adds the most value over time. A single engagement reports the residual at a point in time. A recurring engagement, quarterly per B12's methodology, reports the residual's trend. Did the ASI01 rate drop from four percent to one percent after the B2 Layer 4 detector was tuned? Did the ASI06 block-miss rise from three percent to eight percent after a new tool was added? The trend is the signal. The single measurement is the data point. This is the B0 anti-pattern applied in reverse. Do not treat an AI finding as binary fixed or unfixed — and do not treat an AI control as binary secure or insecure. The checklist's measured rows are the mechanism that enforces the discipline over time. A client who sees their ASI01 residual trend over four quarters sees whether their defenses are degrading or improving. That is the assessment's recurring value. One caveat. The checklist covers the OWASP top 10. It does not cover everything. The Microsoft Failure Mode Taxonomy, B10, adds failure modes that overlap but are not identical — the zero-click HITL bypass chain, the inter-agent trust escalation. The governance layer, B11, adds NIST AI RMF, the AI BOM, the audit-trail requirements. The checklist is the agentic-risk floor, not the ceiling. B12's full methodology layers all three.

[SLIDE 17 — Anti-patterns]

Six anti-patterns. One: treating the Top 10 as a reading list. Read but untestable equals no system change. The cure: the checklist is executable. Two: pass or fail on a probabilistic control. ASI01 pass lies about the residual. The cure: the Result-type column. Three: testing each risk in isolation. This misses the compound chain. The cure: the synthesis layer; include at least one end-to-end scenario. Four: skipping rows. We don't use MCP, so skip ASI08. The cure: N/A with justification, never silent. Five: declaring secure after a passing checklist. The cure: the scored report is the deliverable, not a verdict. Six: building new defenses in the assessment module. B9 tests. B2 through B8 build. A failed row routes to its module for remediation, not to a fix built during the test.

[SLIDE 18 — Lab and what's next]

The lab has you build the checklist executor — a Python program that runs a defined test for each of ASI01 through ASI10 against a stub agent harness and produces a scored report. Eight pass-fail rows and two measured-residual rows. The tests are unit-test-style: an injection attempt, a memory-poison attempt, a capability enumeration, a supply-chain registration, a resource-exhaustion trigger. The stub harness has configurable defenses, so you can run the checklist against a defended and an undefended configuration and compare. Python, type hints, no GPU. Next: B10, the Microsoft Failure Mode Taxonomy as a red-team framework. The seven agentic failure modes that complement the OWASP top 10 — including the zero-click HITL bypass chain, where a single external input triggers a multi-step chain and each individual step passes approval but the compound intent is malicious. That chain is exactly the compound scenario the checklist's synthesis layer draws on. Let's build the checklist.