The OWASP Agentic AI Top 10 names what to defend against; it does not say how to test that the defences work. The 2026 enterprise red-team for agentic systems is a distinct discipline from generalised pen-testing, with its own methodology (four disciplines: prompt injection, tool misuse, context-window attacks, multi-turn objective drift), tooling stack (PyRIT v0.13.0, Garak, custom harnesses, and MITRE ATLAS as the structured threat-modelling vocabulary), evidence model (a six-section report covering ATLAS technique mapping, residual risk, EU AI Act Article 12 substrate alignment, and Article 16 post-market monitoring recommendations), and procurement decisions (in-house vs specialist vendor vs hybrid). Most enterprises run the wrong test (a generalised application pen-test) and pass it; that passing report then serves as the procurement evidence that produces false confidence.
Red-team companion to AM-043 (OWASP walkthrough). Verified primary sources: OWASP Top 10 for Agentic Applications 2026 (released 9 Dec 2025, 100+ contributor peer review); the eight published threats (ASI01 Agent Goal Hijack, ASI02 Tool Misuse, ASI03 Identity & Privilege Abuse, ASI06 Memory & Context Poisoning, ASI07 Insecure Inter-Agent Communication, ASI08 Cascading Failures, ASI09 Human-Agent Trust Exploitation, ASI10 Rogue Agents); MITRE ATLAS knowledge base (2025 expansion under the Secure AI program, with an agentic-systems investigation); PyRIT v0.13.0 release (17 Apr 2026, MIT-licensed, 3.8k stars on the active microsoft/PyRIT repository after Azure/PyRIT was archived 27 Mar 2026); Garak open-source LLM scanner. Linked to AM-043 (OWASP walkthrough), AM-027 (EchoLeak), AM-029 (NHI), AM-046 (Article 12), AM-123 (observability companion). 60-day review cadence; trigger conditions include OWASP ASI04/ASI05 publication, NIST AI 600-1 generative AI profile updates, named red-team failures or breaches in production agentic deployments, and MITRE ATLAS framework version updates.