Holding · last review 3 May 2026

The OWASP Agentic AI Top 10 names what to defend against; it does not say how to test that the defences work. The 2026 enterprise red-team engagement for agentic systems is a distinct discipline from generalised pen-testing, with its own methodology (four disciplines: prompt injection, tool misuse, context-window attacks, multi-turn objective drift), tooling stack (PyRIT v0.13.0, Garak, custom harnesses, MITRE ATLAS for structured threat-modelling vocabulary), evidence model (a six-section report covering ATLAS technique mapping, residual risk, EU AI Act Article 12 substrate alignment, and Article 16 post-market monitoring recommendations), and procurement decisions (in-house vs specialist vendor vs hybrid). Most enterprises run the wrong test (a generalised application pen-test) and pass it; that passing report becomes the procurement evidence that produces false confidence.

Red-team companion to AM-043 (OWASP walkthrough). Verified primary sources: OWASP Top 10 for Agentic Applications 2026 (released 9 Dec 2025, 100+ contributor peer review); the eight published threats (ASI01 Agent Goal Hijack, ASI02 Tool Misuse, ASI03 Identity & Privilege Abuse, ASI06 Memory & Context Poisoning, ASI07 Insecure Inter-Agent Comm, ASI08 Cascading Failures, ASI09 Human-Agent Trust Exploitation, ASI10 Rogue Agents); MITRE ATLAS knowledge base (2025 expansion under Secure AI program with agentic-systems investigation); PyRIT v0.13.0 release (17 Apr 2026, MIT-licensed, 3.8k stars on the active microsoft/PyRIT repository after Azure/PyRIT was archived 27 Mar 2026); Garak open-source LLM scanner. Linked to AM-043 (OWASP walkthrough), AM-027 (EchoLeak), AM-029 (NHI), AM-046 (Article 12), AM-123 (observability companion). 60-day review cadence; trigger conditions include OWASP ASI04/ASI05 publication, NIST AI 600-1 generative AI profile updates, named red-team failures or breaches in production agentic deployments, MITRE ATLAS framework version updates.

Published: 3 May 2026
Last reviewed: 3 May 2026
Next review: 2 Jul 2026 (+16d)

Watch this claim (AM-126): one email per change to its status, next review date, or correction log; no newsletter subscription, no other mail.

About this register

The Reporting register tracks claims published from articles addressed to senior enterprise IT leaders — CIOs, IT directors, heads of platform. Claims are reviewed on a 30–90 day cadence; each review either reaffirms the claim, marks one substantive part as Partial, or marks it Not holding once the underlying evidence has been overtaken.

Recent corrections in Reporting

  • AM-132 · Partial · 10 Jun 2026

    One of four legs unanchored on re-review. The claim text attributes '12% of deployments clearing 300%+ ROI with 88% at or below break-even at 12-18 months' to the Stanford DEL 2026 Enterprise AI Playbook. Full-text verification on 10 Jun 2026 found no such figure in that source: the playbook (Pereira, Graylin, Brynjolfsson, Apr 2026) studies 51 successful deployments by design and contains no ROI distribution, no 300%-plus cohort, and no break-even measurement point (full finding at AM-029, correction of 10 Jun 2026). The only verified figure carrying the same 12/88 numerals is IDC research with Lenovo (via CIO.com, Mar 2025): roughly 88% of AI proof-of-concepts never reach production and roughly 12% graduate — a pilot-to-production graduation metric, not an ROI distribution. The Gartner 28%, McKinsey 23%/17%, and MIT NANDA 95% legs verify; they support a small high-performing tail and a large struggling body, but none documents the two-peak bimodal shape the claim asserts. Status Up -> Partial.

  • AM-129 · Partial · 10 Jun 2026

    One of three read-against anchors unanchored on re-review. The claim text cites 'Stanford Digital Economy Lab Enterprise AI Playbook (12/88 bimodal ROI distribution at 12-18 months)' and frames the realistic ROI band around 'the highest-discipline 12% cohort'. Full-text verification on 10 Jun 2026 found the playbook contains no 12/88 distribution, no bimodal ROI shape, and no 12-18-month ROI measurement point (full finding at AM-029, correction of 10 Jun 2026). The claim's core negative finding — no mid-market enterprise has produced a documented +240% ROI in 90 days under audited conditions — is unaffected; the McKinsey State of AI 2025 and MIT NANDA legs verify and continue to support it. The '12% cohort' framing has no verifiable referent. The only verified figure carrying the 12/88 numerals is IDC's pilot-graduation finding (roughly 88% of AI proof-of-concepts never reach production; via CIO.com, Mar 2025), a different metric. Status Up -> Partial.

  • AM-201 · Partial · 10 Jun 2026

    One of four named datasets unanchored on review. The claim text names 'Stanford DEL's 12% clearing 300%+ ROI vs 88% at or below break-even' as one of four independent datasets. Full-text verification on 10 Jun 2026 found the Stanford DEL Enterprise AI Playbook contains no such distribution — it studies 51 successful deployments by design and carries no ROI-realisation failure data (full finding at AM-029, correction of 10 Jun 2026). The McKinsey (23% scaling, 17% EBIT-attribution), Gartner (28% fully paying off), and MIT NANDA (95% no measurable P&L impact) datasets verify; the claim's spine stands on three datasets rather than four. The only verified figure carrying the 12/88 numerals is IDC's pilot-graduation finding (roughly 88% of AI proof-of-concepts never reach production; via CIO.com, Mar 2025), a different metric from an ROI distribution. Status Up -> Partial.

Reviews coming up in Reporting

  • AM-063 · Holding · next +11d (27 Jun 2026)

    AI agents executing financial transactions need a four-control bundle (action-approval gates by blast radius, kill-swit…

  • AM-061 · Holding · next +11d (27 Jun 2026)

    Production agentic-AI costs at scale routinely run multiples of POC projections, and a layered optimisation programme c…

  • AM-003 · Partial · next +11d (27 Jun 2026)

    GPT-5 Pro's tiered-subscription model forces enterprises to classify problems by computational difficulty — $200/month…