# OWASP Agentic AI Top 10 Evidence Cross-walk

Non-normative. This document is informative only. Nothing here changes TRACE v0.1 schema fields, wire formats, required claims, or conformance requirements. References to "TRACE" mean the TRACE v0.1 Trust Record as defined in spec/trace-v0.1.md.
## Purpose
OWASP's Agentic AI Top 10 (ASI01–ASI10) names the principal risk categories for autonomous AI agents. TRACE is an evidence and attestation layer: it does not prevent these risks, but it produces verifiable, hardware-rooted records that support audit, incident review, and governance verification after or during execution.
This page answers a concrete question for each OWASP risk: which TRACE Trust Record claims carry relevant evidence, what that evidence actually proves, and where TRACE v0.1 leaves a gap that a future profile would need to close.
Field names are exact TRACE v0.1 claim names as specified in §3.1 of the spec. Sub-field references such as policy.bundle_hash, runtime.platform, and appraisal.status refer to the nested fields shown in the §3.2 wire-format example.
## Mapping table
| OWASP risk | Relevant TRACE claims | Evidence TRACE can provide | Limitations / out of scope | Future TRACE profile need |
|---|---|---|---|---|
| ASI01: Agent Goal Hijack | policy, tool_transcript, data_class, runtime, transparency | policy.bundle_hash shows which policy was bound at execution time; policy.enforcement_mode shows whether it ran in enforce or silent; tool_transcript.hash and tool_transcript.call_count show the scope of tool activity; data_class shows the sensitivity of data processed; transparency anchors the record to an append-only log for independent audit. | Does not capture the agent's internal goal representation or reasoning chain. Does not itself detect or block prompt injection. A hijacked goal that stays within recorded tool boundaries leaves no additional fingerprint in v0.1 claims. | MCP/A2A profile fields for intent binding, goal hash, prompt-to-plan linkage, and per-decision policy outcome records. |
| ASI02: Tool Misuse and Exploitation | tool_transcript, policy, data_class, runtime, transparency | tool_transcript.hash binds the transcript of tool invocations crossing a protocol boundary (MCP, A2A) into the signed record; tool_transcript.call_count bounds the observed call volume; policy.bundle_hash and policy.enforcement_mode show what rules were in force; data_class shows the sensitivity classification applied at the call layer; runtime.platform and runtime.measurement bind the execution environment. | tool_transcript covers calls crossing an instrumented protocol boundary. Functions embedded inside the deployed binary are bound only by build_provenance and model, not by per-invocation transcript records. Does not prove each call was semantically appropriate without per-call policy decision records. | MCP profile for per-call tool identity, parameters, egress data class, and allow/deny decision outcome per invocation. |
| ASI03: Identity and Privilege Abuse | subject, cnf, signature, runtime, policy, appraisal | subject carries the SPIFFE SVID binding workload identity to a TEE-held key; cnf binds the signing key to the TEE via the hardware measurement in runtime; appraisal.status records the verifier's judgment of the evidence against policy; policy.bundle_hash shows what authorization rules were bound. Together these allow a verifier to confirm that the claimed identity corresponded to a genuine, measured workload at record issuance time. | Does not replace IAM or RBAC systems. Does not prove that external permissions granted to the workload were correctly scoped. Does not cover lateral movement or privilege escalation that occurred at infrastructure layers outside the TEE boundary. | Delegation profile fields for scoped credentials, audience restriction, purpose binding, and per-action authorization evidence. |
| ASI04: Agentic Supply Chain Vulnerabilities | build_provenance, model, runtime, transparency, appraisal | build_provenance.slsa_level, build_provenance.builder, and build_provenance.digest bind build-time provenance to the running workload; model.weights_digest and model.model_id bind the model artifact; runtime.measurement and runtime.rim_uri bind the runtime image to vendor-published Reference Integrity Manifests; transparency provides an append-only anchor for the full record. | Does not enumerate every transitive dependency. Does not detect malicious code that was present at build time but is not reflected in measurement divergence. Does not prove model behavior is safe -- only that the identified artifact was the one that executed. | Richer AIBOM/SBOM linkage in the model sub-claim; vendor platform annexes specifying per-silicon supply-chain appraisal criteria. |
| ASI05: Unexpected Code Execution | runtime, build_provenance, tool_transcript, policy, appraisal | runtime.measurement shows what workload and container digest were loaded; build_provenance.digest and build_provenance.slsa_level bind the build artifact; tool_transcript.hash captures tool invocations at protocol boundaries; appraisal.status records whether the verifier accepted the runtime evidence against current RIMs. | Does not prevent code execution. Does not prove no code ran outside the recorded tool_transcript scope: inline code execution embedded in the workload binary is not captured at invocation granularity by v0.1 claims. | Tool and code-execution profile: sandbox identity, command execution transcript hash, filesystem and network boundary evidence per invocation. |
| ASI06: Memory and Context Poisoning | model, data_class, tool_transcript, build_provenance, transparency | model.model_id and model.weights_digest identify the model artifact; data_class records the sensitivity classification applied to inputs and outputs; tool_transcript.hash captures context-retrieval calls that crossed an instrumented boundary; build_provenance.digest binds the build artifact that includes any vector-store or RAG client code. | TRACE v0.1 does not bind memory snapshots, RAG corpus roots, embedding-store contents, or poisoning scan results. Context provenance -- where retrieved chunks originated and whether they were validated -- is not a v0.1 claim. | Memory and RAG profile: context source hashes, corpus Merkle roots, poisoning scan status, namespace and tenant boundary evidence. |
| ASI07: Insecure Inter-Agent Communication | subject, cnf, signature, runtime, tool_transcript, transparency | subject and cnf establish and bind workload identity for each participating agent; signature (or the enveloping-signature equivalent) proves record integrity; runtime.measurement binds the TEE that produced the record; tool_transcript.hash anchors the inter-agent call transcript; transparency anchors the record in an append-only log accessible to any verifier. | TRACE v0.1 does not define a normative A2A profile. Message-level semantic validation, nonce binding per message, and delegation chain records across multiple hops are not v0.1 claims. | A2A profile: peer agent identity, per-message hash, audience restriction, nonce, delegation chain, and protocol version binding. |
| ASI08: Cascading Failures | tool_transcript, transparency, subject, appraisal, policy | tool_transcript.hash and tool_transcript.call_count provide a bounded activity record for post-incident traceability; subject identifies the workload at each hop where a Trust Record was issued; appraisal.status and appraisal.verifier record the verification outcome; policy.bundle_hash shows what controls were bound; transparency provides an auditable anchor for reconstructing the sequence of records. | Does not itself detect cascade conditions, stop propagation, or reconstruct full multi-agent lineage unless every participating agent issued Trust Records and those records are correlated at analysis time. Lineage reconstruction requires out-of-band tooling. | Workflow provenance profile: parent/child record references, propagation lineage identifiers, blast-radius counters, and circuit-breaker event records. |
| ASI09: Human-Agent Trust Exploitation | tool_transcript, policy, data_class, transparency, appraisal | tool_transcript.hash records the set of actions the agent took at protocol boundaries; policy.bundle_hash and policy.enforcement_mode show what rules were in force; data_class records the sensitivity class of data involved; appraisal.status provides the verifier's assessment; transparency anchors the record for independent audit. Collectively these support a post-incident review of what the agent was authorized to do and what it did. | Does not prove what a human was shown in the UI, whether the explanation was accurate, or whether informed consent was obtained. Does not detect social engineering at the human layer. | HITL (human-in-the-loop) evidence profile: approval record, reviewer identity, hash of displayed risk summary, and human decision evidence bound into the Trust Record. |
| ASI10: Rogue Agents | subject, runtime, cnf, signature, policy, tool_transcript, appraisal, transparency | The full v0.1 claim set combines hardware-bound identity (subject, cnf), measured execution environment (runtime), policy binding (policy.bundle_hash, policy.enforcement_mode), tool activity (tool_transcript), verifier judgment (appraisal.status), and transparency anchoring (transparency) into one signed, independently verifiable record. A verifier can confirm that the agent presenting this record ran as a measured, policy-bound workload with a TEE-rooted identity at the stated time. | Does not determine behavioral intent. Does not detect rogue behavior that remained within the boundary of recorded claims. A workload can issue a valid Trust Record and still behave in ways the record does not constrain at inference time. | Behavioral integrity profile: declared capability manifest hash, expected tool set, execution baseline hash, and anomaly or quarantine event records. |
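As an added example (not part of the TRACE specification or project code), the following Python walks one Trust Record and reports, per ASI risk, which of the claims the table names are absent and which caveats from the table apply to evidence that is present. The nested-dict record layout and every sample value are constructed for illustration; the normative §3.2 wire format is not reproduced on this page.

```python
# Added example, not TRACE project code: check one Trust Record against the
# OWASP ASI claim mapping above. The record shape (nested dicts keyed by
# claim name) is a constructed stand-in for the normative §3.2 wire format.

# Claims and sub-fields the mapping table names per risk.
ASI_CLAIMS = {
    "ASI01": ["policy.bundle_hash", "policy.enforcement_mode", "tool_transcript.hash", "tool_transcript.call_count", "data_class", "transparency"],
    "ASI02": ["tool_transcript.hash", "tool_transcript.call_count", "policy.bundle_hash", "policy.enforcement_mode", "data_class", "runtime.platform", "runtime.measurement"],
    "ASI03": ["subject", "cnf", "signature", "runtime.measurement", "policy.bundle_hash", "appraisal.status"],
    "ASI04": ["build_provenance.slsa_level", "build_provenance.builder", "build_provenance.digest", "model.weights_digest", "model.model_id", "runtime.measurement", "runtime.rim_uri", "transparency"],
    "ASI05": ["runtime.measurement", "build_provenance.digest", "build_provenance.slsa_level", "tool_transcript.hash", "appraisal.status"],
    "ASI06": ["model.model_id", "model.weights_digest", "data_class", "tool_transcript.hash", "build_provenance.digest"],
    "ASI07": ["subject", "cnf", "signature", "runtime.measurement", "tool_transcript.hash", "transparency"],
    "ASI08": ["tool_transcript.hash", "tool_transcript.call_count", "subject", "appraisal.status", "appraisal.verifier", "policy.bundle_hash", "transparency"],
    "ASI09": ["tool_transcript.hash", "policy.bundle_hash", "policy.enforcement_mode", "data_class", "appraisal.status", "transparency"],
    "ASI10": ["subject", "cnf", "signature", "runtime.measurement", "policy.bundle_hash", "policy.enforcement_mode", "tool_transcript.hash", "appraisal.status", "transparency"],
}

def lookup(record, path):
    """Resolve a dotted claim path such as policy.bundle_hash; None if absent."""
    node = record
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def coverage(record):
    """Per risk: the table's claims the record lacks, plus caveats the table
    raises about evidence that is present but proves less than it may seem."""
    report = {}
    for risk, paths in ASI_CLAIMS.items():
        notes = []
        if "policy.enforcement_mode" in paths and lookup(record, "policy.enforcement_mode") == "silent":
            notes.append("policy bound but ran in silent mode, not enforce")
        if "tool_transcript.call_count" in paths and lookup(record, "tool_transcript.call_count") == 0:
            notes.append("no calls crossed an instrumented boundary; intra-binary activity is unrecorded")
        report[risk] = {"missing": [p for p in paths if lookup(record, p) is None], "notes": notes}
    return report

# Constructed sample: identity, runtime, policy and transcript present; no build provenance or model.
SAMPLE_RECORD = {
    "subject": "spiffe://example.org/agent/planner", "cnf": {"kid": "tee-key-1"}, "signature": "<sig>",
    "runtime": {"platform": "example-tee", "measurement": "0" * 64, "rim_uri": "https://example.org/rim"},
    "policy": {"bundle_hash": "a" * 64, "enforcement_mode": "silent"},
    "tool_transcript": {"hash": "b" * 64, "call_count": 0},
    "data_class": "internal",
    "appraisal": {"status": "accepted", "verifier": "verifier.example.org"},
    "transparency": {"log_id": "https://log.example.org"},
}
```

Calling `coverage(SAMPLE_RECORD)` shows ASI04 and ASI05 short of build_provenance and model evidence, while ASI01, ASI02, ASI08 and ASI09 are flagged because the policy ran silently and no boundary-crossing tool calls were observed.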
## What TRACE does not do
The table above surfaces per-risk scope boundaries. These apply across all ten risks:
TRACE does not prevent OWASP Agentic AI risks. TRACE is an evidence and attestation layer. It records what happened -- what executed, under what policy, in what environment, on what data class, invoking what tools -- and binds that record cryptographically to a hardware root of trust. Controls that act before, during, or around execution (firewalls, guardrails, RBAC, prompt filters, sandboxing) are out of scope.
TRACE does not adjudicate model behavior. As stated in §2.4 of the spec, prompt injection, jailbreaks, hallucination, and alignment drift are permanent scope boundaries. TRACE proves what model artifact executed and what countermeasures were bound; it does not evaluate whether the model's output was correct or intended.
TRACE v0.1 does not cover intra-binary execution. tool_transcript captures invocations crossing an instrumented protocol boundary (MCP, A2A, or equivalent). Code paths executed inside the deployed binary -- including embedded tool dispatch, in-process memory reads, or direct API calls -- are bound only by build_provenance and model, not at invocation granularity.
TRACE does not replace IAM, RBAC, or network controls. subject and cnf establish and bind workload identity, but the permissions granted to that identity by external systems are outside the Trust Record. A correctly identified workload can still hold excessive privileges.
TRACE does not capture UI or human-layer interactions. What a human sees, approves, or consents to is not a v0.1 claim. This affects ASI09 directly and is a gap for any risk that involves human oversight.
TRACE does not reconstruct multi-agent lineage automatically. Records from multiple agents can be correlated by a verifier using subject, transparency, and tool_transcript identifiers, but the v0.1 schema has no normative parent/child record pointer. Lineage reconstruction requires out-of-band analysis tooling and is addressed in the v0.2 workflow provenance profile item.
## Relationship to the TRACE roadmap
This cross-walk is a v0.2 roadmap item listed in ROADMAP.md. The "Future TRACE profile need" column in the table above describes the additional claim structures that would close each gap; those profiles are separate roadmap items and will be specified in later releases.
The MITRE ATLAS cross-walk (a separate v0.2 item) will address tactics and techniques at a finer granularity than the OWASP risk categories here.
## References

- OWASP Agentic AI Top 10: https://genai.owasp.org/
- TRACE v0.1 specification: spec/trace-v0.1.md
- TRACE roadmap: ROADMAP.md
- MITRE ATLAS: https://atlas.mitre.org/