Standards

OWASP Agentic Top 10, covered.

The OWASP Top 10 for Agentic Applications (ASI01–ASI10) treats agents as principals with goals, tools, memory, and inter-agent protocols. Alyria maps the whole list to concrete controls — recorded in one signed audit chain. OWASP ASI for what attackers do; NIST AI RMF and ISO/IEC 42001 for how you govern it.

10 / 10: risks mapped to named controls
8 covered: concrete controls shipping today
2 maturing: the hard two, stated honestly
Covered: concrete controls, shipping today

A named control exists across Beacon, Lyra, Umbra, Constellation, or Observatory and enforces against the risk in v1. Coverage is strongest when the modules run as a suite; several risks lean on more than one plane.

Maturing: real approach, still hardening

The approach is designed and staged monitor-first, but some primitives are still hardening. These are the two hardest risks in the standard — we describe them confidently and we do not claim they are done.

Pillars: APG = Agent Policy Governance (prevention) · ADR = Agent Detection & Response (detection) · Mesh = Constellation, the shared-memory plane.

Coverage map

Every risk, mapped to a named control.

One row per OWASP ASI risk: the threat in plain language, the Alyria modules and planes that address it, and an honest coverage rating. No opaque engine — every control is authored from auditable source.

ASI01 · Covered · ADR · Mesh

Agent Goal Hijack

Injected instructions hidden in a web page, tool output, or retrieved document quietly redirect an agent away from the task its operator actually gave it.

How Alyria addresses it

Beacon Plane C runs a content-safety scan over every tool/MCP response and model input/output — reusing Constellation's prompt-injection layer — while a Tier-3 intent classifier asks “does this action match the stated task?” and Tier-2 flags trajectory anomalies before they complete.

Controls: Beacon Plane C · Constellation content-safety · Tier-2 / Tier-3 detection
ASI02 · Covered · APG

Tool Misuse & Exploitation

A legitimate tool is invoked in a harmful way — or tools are chained — to reach data or actions the agent was never meant to touch.

How Alyria addresses it

The core wedge: Beacon Plane A mediates every tool call and gates it against Lyra capabilities and Tier-1 policy. Anything ambiguous is escalated to an Observatory JIT approval instead of silently running.

Controls: Beacon Plane A · Lyra capabilities · Observatory JIT approvals
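What "mediate every tool call, gate it against capabilities, escalate the ambiguous ones" looks like in code, as an added example that is not Alyria's code and not a description of how Beacon Plane A or Lyra are implemented. The tool names, the capability grants, the policy table and the read-then-send taint rule are all constructed for the example; the point is that the gate is the only path to the tool, that it decides before anything runs, and that a refusal or an escalation is logged exactly like an allow.

```python
"""Tool-call mediation gate: an added illustration, not Alyria's code.

Every tool call goes through Gate.mediate(), which checks the calling agent's
granted capabilities and a small policy table, keeps enough per-agent state to
catch a read-sensitive-data-then-send chain, and escalates anything ambiguous
to a human just-in-time approver instead of running it silently. All names,
tools and policy entries below are constructed for the example.
"""
from dataclasses import dataclass
from enum import Enum
from fnmatch import fnmatchcase


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ESCALATE = "escalate"   # held for human JIT approval before it may run


@dataclass(frozen=True)
class Capability:
    tool: str       # tool the agent may call, e.g. "fs.read"
    resource: str   # glob the call's resource argument must match


@dataclass(frozen=True)
class ToolCall:
    agent: str
    tool: str
    resource: str


# Constructed policy table for the example.
DENY_TOOLS = {"shell.exec"}                          # never runs via the agent path
ESCALATE_TOOLS = {"payments.transfer", "fs.delete"}  # always needs a human decision
SENSITIVE_PATHS = ("/srv/app/secrets/*",)            # reads here taint the session
EGRESS_TOOLS = {"http.post", "email.send"}           # egress after a tainted read is suspect


class Gate:
    def __init__(self, grants):
        self.grants = grants   # agent -> [Capability] issued by the policy layer
        self.tainted = set()   # agents that read sensitive data in this session
        self.log = []          # (agent, tool, resource, Decision, reason)

    def evaluate(self, call):
        """Policy decision only; no side effects."""
        if call.tool in DENY_TOOLS:
            return Decision.DENY, f"{call.tool} is blocked for all agents"
        caps = self.grants.get(call.agent, [])
        if not any(c.tool == call.tool and fnmatchcase(call.resource, c.resource)
                   for c in caps):
            return Decision.DENY, f"no capability for {call.tool} on {call.resource}"
        if call.tool in ESCALATE_TOOLS:
            return Decision.ESCALATE, f"{call.tool} always requires approval"
        if call.tool in EGRESS_TOOLS and call.agent in self.tainted:
            return Decision.ESCALATE, "egress after reading sensitive data"
        return Decision.ALLOW, "capability matched"

    def mediate(self, call, execute, approve):
        """Run execute(call) only if policy allows or a human approves; log either way."""
        decision, reason = self.evaluate(call)
        if decision is Decision.ESCALATE:
            if approve(call, reason):
                decision, reason = Decision.ALLOW, "human approved: " + reason
            else:
                decision, reason = Decision.DENY, "human refused: " + reason
        self.log.append((call.agent, call.tool, call.resource, decision, reason))
        if decision is not Decision.ALLOW:
            return None
        if call.tool == "fs.read" and any(fnmatchcase(call.resource, p) for p in SENSITIVE_PATHS):
            self.tainted.add(call.agent)
        return execute(call)


def demo(approve=lambda call, reason: False):
    """Walk a constructed call sequence through the gate; returns (decisions, executed tools)."""
    grants = {"report-bot": [Capability("fs.read", "/srv/app/*"),
                             Capability("http.post", "https://api.internal.example/*"),
                             Capability("payments.transfer", "acct:*")]}
    gate = Gate(grants)
    executed = []

    def execute(call):
        executed.append(call.tool)
        return "ok"

    calls = [
        ToolCall("report-bot", "fs.read", "/srv/app/reports/q3.csv"),      # within grant
        ToolCall("report-bot", "shell.exec", "rm -rf /srv/app"),           # blocked outright
        ToolCall("report-bot", "fs.read", "/etc/shadow"),                  # outside grant
        ToolCall("report-bot", "fs.read", "/srv/app/secrets/db.env"),      # allowed, taints session
        ToolCall("report-bot", "http.post", "https://api.internal.example/v1/ingest"),  # escalated
        ToolCall("report-bot", "payments.transfer", "acct:42"),            # always escalated
    ]
    for call in calls:
        gate.mediate(call, execute, approve)
    return [entry[3].value for entry in gate.log], executed


if __name__ == "__main__":
    decisions, executed = demo()
    print("decisions:", decisions)
    print("executed:", executed)
```

With an approver that refuses everything, the six calls come back allow, deny, deny, allow, deny, deny and only the two in-grant reads execute; the HTTP post is held even though the agent holds a capability for it, because the gate saw the secrets read that preceded it. Swap in an approver that says yes to the payment and the log records the human decision and the reason it was asked, which is the evidence a later audit needs.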
ASI03 · Covered · APG

Identity & Privilege Abuse

An agent runs with more privilege than its task requires, or reuses a standing credential to reach systems well beyond its remit.

How Alyria addresses it

Identity is resolved from your IdP through Constellation and enforced with relationship-based access control; Lyra's capability-brokering makes least-privilege the default; and Umbra issues short-lived secret leases, so there are no standing credentials for an agent to abuse.

Controls: Constellation identity · Lyra capabilities · Umbra leases
ASI04 · Covered · APG · ADR

Agentic Supply-Chain

A poisoned, down-level, or malicious MCP server, tool, or package the agent pulls in becomes the way into your environment.

How Alyria addresses it

Beacon inventories installed AI tooling and MCP servers and refuses down-level or malicious ones at launch; all MCP traffic flows through the Beacon gateway; Lyra ships signed, versioned policy bundles; code-integrity allow-listing constrains what may run; and Umbra's A2A key exchange authenticates every agent-to-agent link.

Controls: Beacon inventory + gateway · Lyra signed bundles · Umbra A2A
ASI05 · Covered · ADR · APG

Unexpected Code Execution

The agent sidesteps the mediated tool path by spawning a shell, a detached job, or an out-of-band process to run code directly.

How Alyria addresses it

Beacon observes process launches and agent activity from user space (no kernel driver) and flags out-of-band processes; Lyra capability limits bound what any launched process may do. User-space observation is simpler to deploy than a kernel driver but sees only what that vantage point exposes, which is why the capability limits, not the observer, are the hard bound on a process that slips past it.

Controls: Beacon runtime observation (user-space) · Lyra capability limits
ASI06 · Covered · Mesh · ADR

Memory & Context Poisoning

Malicious content is planted in an agent's long-term memory or a shared RAG corpus so it resurfaces later and quietly steers behavior.

How Alyria addresses it

Constellation scopes memory and documents behind one ACL and runs content-safety on every ingest, so poisoned context is caught at the write boundary rather than after it has been recalled; Beacon Plane C scans retrieved content again at recall time as a second check for anything the ingest scan missed.

Controls: Constellation scoped memory · Content-safety on ingest · Beacon Plane C
ASI07 · Covered · APG

Insecure Inter-Agent Comms

Agents coordinate over channels an attacker can spoof, intercept, or read — turning agent-to-agent protocols into an exfiltration path.

How Alyria addresses it

Umbra performs A2A key exchange with signed agent identities over mTLS, sealing shared files and secrets for the recipient under client-held keys (roadmap: externally audited protocol); Beacon Plane C inspects the flow at the endpoint.

Controls: Umbra A2A · Signed identities / mTLS · Beacon Plane C
ASI08 · Maturing · APG · ADR

Cascading Failures

A single compromised or malfunctioning agent triggers a runaway chain — retries, fan-out, or a rate spike — that cascades across the mesh.

How Alyria addresses it

Lyra enforces capability budgets with rate and circuit limits, Beacon's Tier-2 trajectory analysis catches the escalation early, and a disposition kill-switch can halt an agent outright — all staged monitor-first before anything enforces.

Controls: Lyra capability budgets · Tier-2 trajectory · Disposition kill-switch

Honest status: the rate-limit and circuit-breaker primitives are an active design item, not yet fully shipped in v1.
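The two primitives the status note says are still in design, a rate limit and a circuit breaker on a capability budget, and the "monitor-first" staging, as an added example that is not Alyria's code and makes no claim about how Lyra will implement them. The agent name, the tool name, the limits and the fake clock are constructed for the example.

```python
"""Capability budget with a rate limit and a circuit breaker, staged monitor-first.
An added illustration, not Alyria's code; the numbers and agent names are constructed.

In "monitor" mode every would-be violation is recorded but the call proceeds, so
the limits can be tuned against real traffic; in "enforce" mode the same checks
block. The breaker opens after `max_failures` consecutive tool errors and holds
the (agent, tool) pair off for `cooldown` seconds, which is what stops a retry
storm from fanning out across the mesh.
"""
from collections import deque


class Budget:
    def __init__(self, mode, rate, per_seconds, max_failures, cooldown, clock):
        if mode not in ("monitor", "enforce"):
            raise ValueError("mode must be 'monitor' or 'enforce'")
        self.mode, self.rate, self.window = mode, rate, per_seconds
        self.max_failures, self.cooldown, self.clock = max_failures, cooldown, clock
        self.calls = {}        # (agent, tool) -> deque of admitted call timestamps
        self.failures = {}     # (agent, tool) -> consecutive failures
        self.open_until = {}   # (agent, tool) -> time the breaker closes again
        self.violations = []   # (time, agent, tool, kind, blocked)

    def _violation(self, key, kind):
        blocked = self.mode == "enforce"
        self.violations.append((self.clock(), key[0], key[1], kind, blocked))
        return not blocked     # monitor mode lets the call through

    def admit(self, agent, tool):
        """Return True if the call may run now."""
        key, now = (agent, tool), self.clock()
        if self.open_until.get(key, 0) > now:
            return self._violation(key, "breaker-open")
        window = self.calls.setdefault(key, deque())
        while window and window[0] <= now - self.window:   # drop calls outside the window
            window.popleft()
        allowed = True
        if len(window) >= self.rate:
            allowed = self._violation(key, "rate-exceeded")
        if allowed:
            window.append(now)
        return allowed

    def report(self, agent, tool, ok):
        """Feed the tool result back; max_failures straight errors trip the breaker."""
        key = (agent, tool)
        self.failures[key] = 0 if ok else self.failures.get(key, 0) + 1
        if self.failures[key] >= self.max_failures:
            self.open_until[key] = self.clock() + self.cooldown
            self.failures[key] = 0


def demo(mode):
    """Replay a constructed retry storm; returns (admit results, (kind, blocked) per violation)."""
    t = [0]                  # fake clock so the run is deterministic
    clock = lambda: t[0]
    budget = Budget(mode, rate=3, per_seconds=10, max_failures=3, cooldown=30, clock=clock)
    admitted = []
    for _ in range(5):       # five calls in five seconds against a budget of 3 per 10 s
        admitted.append(budget.admit("sync-bot", "crm.update"))
        t[0] += 1
    for _ in range(3):       # three consecutive tool errors at t=5 open the breaker until t=35
        budget.report("sync-bot", "crm.update", ok=False)
    t[0] = 20                # rate window has drained, breaker still open
    admitted.append(budget.admit("sync-bot", "crm.update"))
    t[0] = 40                # breaker has cooled down
    admitted.append(budget.admit("sync-bot", "crm.update"))
    return admitted, [(v[3], v[4]) for v in budget.violations]


if __name__ == "__main__":
    for mode in ("monitor", "enforce"):
        print(mode, demo(mode))
```

Run in monitor mode, all seven calls go through and the violation list shows two rate hits and one call made while the breaker was open, which is the data you use to decide whether 3 per 10 s is the right budget before flipping the same object to enforce. In enforce mode the same run admits four calls and blocks three, and the violation records are identical apart from the blocked flag, so the log shape does not change when enforcement is switched on.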

ASI09 · Covered · APG

Human-Agent Trust Exploitation

An agent produces a polished, confident justification for a risky action, and a human approves on the strength of the wording rather than the evidence.

How Alyria addresses it

Observatory's policy-driven JIT approvals put independent risk evidence, a rationale, and a score in front of the human approver — not the agent's own self-justification — and every decision is written to the signed audit chain.

Controls: Observatory JIT approvals · Human-approver workflow · Lyra policy

The strength here depends on the approval UX surfacing independent evidence — the principle the whole approver workflow is built around.

ASI10 · Maturing · ADR

Rogue Agents

An agent goes off-mission — self-directing, concealing what it's doing, or pursuing goals no one assigned — and works to avoid detection.

How Alyria addresses it

Beacon layers Tier-3 behavioral anomaly detection and Tier-2 trajectory analysis with Plane B user-space runtime correlation and a kill-switch; posture refuses unknown agents at launch; and Umbra's zero standing privilege bounds the blast radius when something does slip through.

Controls: Tier-2 / Tier-3 detection · Beacon Plane B · Posture · Umbra zero standing privilege

Honest status: the hardest of the ten. Mature behavioral ML is an ongoing investment; zero standing privilege bounds the damage in the meantime.

Standards anchor

OWASP ASI for what attackers do. NIST and ISO for how you govern it.

The same signed audit chain that proves an ASI05 code-execution block to a red team is the evidence that satisfies a 42001 audit — one source of truth, so the adversarial story and the compliance story can never drift.
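The property that lets one log serve both the red team and the auditor is that no entry can be altered, dropped or reordered after the fact without the verifier noticing. The block below is an added example of a hash-chained, signed audit log; it is not Alyria's code and does not describe the product's actual record format or signature scheme. It uses an HMAC as a stand-in for the signature (a real deployment would sign with a client-held asymmetric key, as the page says, so the log server itself cannot mint records), and the key and events are constructed. It also shows the one attack a bare chain cannot see, truncation of the tail, and the check that catches it.

```python
"""Tamper-evident, signed audit chain: an added illustration, not Alyria's code.

Every record carries the SHA-256 of the record before it, so editing, deleting
or reordering any entry breaks each later link. An HMAC over the record hash
stands in for the signature the page describes; a real deployment would sign
with a client-held asymmetric key so the log server itself cannot forge records.
The key and events below are constructed for the example.
"""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64   # prev-hash of the first record


def _canonical(body):
    # Stable byte encoding so the same content always hashes the same way.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _body(record):
    return {"seq": record["seq"], "prev": record["prev"], "event": record["event"]}


class AuditChain:
    def __init__(self, key):
        self.key = key
        self.records = []

    def head(self):
        """Hash of the latest record; publish or anchor it so truncation is detectable."""
        return self.records[-1]["hash"] if self.records else GENESIS

    def append(self, event):
        body = {"seq": len(self.records), "prev": self.head(), "event": event}
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        sig = hmac.new(self.key, digest.encode(), hashlib.sha256).hexdigest()
        record = {**body, "hash": digest, "sig": sig}
        self.records.append(record)
        return record


def verify(records, key):
    """Walk the chain; returns (ok, reason) and names the first broken record."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i:
            return False, f"record {i}: sequence gap (found seq {rec['seq']})"
        if rec["prev"] != prev:
            return False, f"record {i}: prev pointer mismatch"
        if hashlib.sha256(_canonical(_body(rec))).hexdigest() != rec["hash"]:
            return False, f"record {i}: content hash mismatch"
        expected = hmac.new(key, rec["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["sig"]):
            return False, f"record {i}: bad signature"
        prev = rec["hash"]
    return True, "chain intact"


def demo():
    """Build a three-record chain and try four tampering moves; returns {case: verified?}."""
    key = b"constructed-demo-key"
    chain = AuditChain(key)
    for event in ({"agent": "report-bot", "tool": "fs.read", "decision": "allow"},
                  {"agent": "report-bot", "tool": "shell.exec", "decision": "deny"},
                  {"agent": "report-bot", "tool": "payments.transfer", "decision": "escalate"}):
        chain.append(event)
    anchored_head = chain.head()
    results = {"intact": verify(chain.records, key)[0]}

    edited = copy.deepcopy(chain.records)          # flip a deny to an allow
    edited[1]["event"]["decision"] = "allow"
    results["edited"] = verify(edited, key)[0]

    rehashed = copy.deepcopy(edited)               # attacker also recomputes the hash
    rehashed[1]["hash"] = hashlib.sha256(_canonical(_body(rehashed[1]))).hexdigest()
    results["rehashed"] = verify(rehashed, key)[0]  # still fails: no key, so no valid signature

    dropped = copy.deepcopy(chain.records)         # delete the deny record
    del dropped[1]
    results["dropped"] = verify(dropped, key)[0]

    truncated = chain.records[:-1]                 # drop the tail: the chain alone cannot tell
    results["truncated_chain"] = verify(truncated, key)[0]
    results["truncated_head"] = truncated[-1]["hash"] == anchored_head
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16} verified={ok}")
```

Editing, re-hashing and deleting all fail verification, each with a reason naming the first bad record. Truncation passes, because a shorter valid chain is still a valid chain; the only defence is to anchor the head hash somewhere the log writer cannot change (a counter-signed receipt, a transparency log, a value stored with the client's keys) and compare against it, which is the `truncated_head` check.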

NIST AI RMF

Map / Measure / Manage / Govern — the risk-management spine US enterprises align to.

ISO/IEC 42001

The AI management-system standard your auditors and procurement teams ask for by number.

EU AI Act

Risk-tiered obligations for AI systems — the regulatory anchor for governance buyers.

One chain, both audiences. Alyria maps to the standards without a second system to reconcile — see how the crypto, audit chain, and enforcement fit together on the security model.

See the coverage map against your estate.

Walk ASI01 through ASI10 with our team on your own agents and tooling, or read how the keys you hold and one tamper-evident audit chain hold it all together.