How Shield maps to the OWASP Top 10 for Agentic Applications
Shield was built to solve the problems OWASP formalised. Here is how each risk maps to a shipping feature.
Coverage at a glance
Shield is not OWASP-certified. This table shows how each risk in the OWASP Top 10 for Agentic Applications maps to features Shield ships today.
| ID | Risk | Status |
|---|---|---|
| ASI-01 | Agent goal hijack | Partially mitigated |
| ASI-02 | Tool misuse | Mitigated |
| ASI-03 | Excessive permissions | Mitigated |
| ASI-04 | Inadequate sandboxing | Not applicable |
| ASI-05 | Unexpected code execution | Partially mitigated |
| ASI-06 | Context manipulation | Partially mitigated |
| ASI-07 | Insecure inter-agent communication | Not applicable |
| ASI-08 | Cascading failures | Partially mitigated |
| ASI-09 | Human-agent trust exploitation | Mitigated |
| ASI-10 | Rogue agents | Mitigated |
ASI-01: Agent goal hijack
Partially mitigated
An attacker manipulates the agent into pursuing a different objective than the one the user intended.
How Shield addresses this
Consent screens require explicit user approval before the agent acts. Scope-based permissions restrict what the agent can target. Action logging creates an audit trail of what the agent actually did versus what it was asked to do.
ASI-02: Tool misuse
Mitigated
The agent calls tools in ways that were not intended, causing unintended side effects or data loss.
How Shield addresses this
The MCP proxy intercepts every tool call before execution. Permission scopes restrict which tools each agent can access. Spending controls cap financial exposure per transaction, per day, and per month. Approval workflows gate high-risk tool calls on human review.
ASI-03: Excessive permissions
Mitigated
An agent holds broader access than it needs, increasing the blast radius when something goes wrong.
How Shield addresses this
This is Shield's core value proposition. Scoped permissions enforce least privilege per agent per service. The consent screen makes permission grants visible and revocable. The dashboard shows exactly what each agent can access.
ASI-04: Inadequate sandboxing
Not applicable
The agent runs without OS-level isolation, so a compromised agent can reach host resources directly.
How Shield addresses this
Shield operates at the MCP protocol layer, not the OS/runtime layer. Sandboxing is handled by tools like Agent Safehouse (macOS) or agentsh (Linux). Shield complements these by governing what the agent is allowed to do within its sandbox.
ASI-05: Unexpected code execution
Partially mitigated
The agent generates and runs code that the user did not review, opening the door to arbitrary execution.
How Shield addresses this
Shield's permission scopes can restrict execute-level access. The MCP proxy blocks tool calls outside the granted scope set. However, Shield does not inspect generated code for safety.
ASI-06: Context manipulation
Partially mitigated
An attacker tampers with the data the agent reads, poisoning its decisions without changing the model itself.
How Shield addresses this
The audit trail with SHA-256 hash chaining provides tamper-evident logging. Reconnaissance detection flags agents probing metadata or context they should not have access to. However, Shield does not inspect or validate RAG context directly.
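The hash-chained audit trail described above, as an added illustration that is not Shield's own code: each record's SHA-256 covers its own fields plus the previous record's hash, so editing any stored record breaks verification from that point on. The record fields and the all-zero genesis value are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed sentinel used as prev_hash of the first record


def _entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same record always hashes identically.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_entry(log: list, agent: str, tool: str, decision: str) -> dict:
    """Append an audit record whose hash commits to its fields and to the previous hash."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "agent": agent, "tool": tool,
            "decision": decision, "prev_hash": prev}
    body["hash"] = _entry_hash(body)
    log.append(body)
    return body


def verify_chain(log: list) -> tuple[bool, int]:
    """Return (ok, index): index is the first record that fails, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("prev_hash") != prev or _entry_hash(fields) != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    return True, -1


def demo() -> tuple[bool, bool, int]:
    """Constructed sample: three tool-call decisions, then one record silently altered."""
    log: list = []
    append_entry(log, "agent-a", "fs.read", "allow")
    append_entry(log, "agent-a", "billing.charge", "deny")
    append_entry(log, "agent-a", "fs.read", "allow")
    intact, _ = verify_chain(log)
    log[1]["decision"] = "allow"  # tamper with a stored record after the fact
    still_ok, broken_at = verify_chain(log)
    return intact, still_ok, broken_at


if __name__ == "__main__":
    print(demo())
```

Deleting or reordering records is caught the same way, because the next record's prev_hash no longer matches.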
ASI-07: Insecure inter-agent communication
Not applicable
Agents pass messages to each other without authentication or integrity checks, allowing spoofing or injection.
How Shield addresses this
Shield governs individual agent-to-tool interactions, not agent-to-agent protocols. Multi-agent delegation and trust chains are on the future roadmap.
ASI-08: Cascading failures
Partially mitigated
One agent error triggers a chain reaction across connected systems, amplifying a small problem into a large outage.
How Shield addresses this
Spending controls and burst detection act as circuit breakers. When an agent triggers a spending alert or burst activity threshold, it can be auto-frozen, stopping the cascade. Retaliation detection catches escalation patterns where a blocked agent targets the entity that blocked it.
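The circuit-breaker behaviour described here and the per-transaction, per-day and per-month caps from ASI-02, as an added example that is not Shield's implementation. The limit values, the rule that a single over-cap call is denied while exceeding a cumulative cap or a burst threshold freezes the agent, and the sticky freeze are all assumptions.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Limits:
    per_txn: float = 50.0       # assumed caps, in the same currency unit as call amounts
    per_day: float = 200.0
    per_month: float = 1000.0
    burst_calls: int = 5        # more than this many calls inside burst_window trips the breaker
    burst_window: float = 10.0  # seconds


@dataclass
class AgentState:
    day_spent: float = 0.0
    month_spent: float = 0.0
    recent_calls: deque = field(default_factory=deque)  # timestamps inside the burst window
    frozen: bool = False


class CircuitBreaker:
    def __init__(self, limits: Limits):
        self.limits = limits
        self.agents: dict[str, AgentState] = {}

    def check(self, agent: str, amount: float, now: float) -> str:
        """Decide one tool call: 'allow', 'deny', or 'frozen' (sticky until unfreeze)."""
        st = self.agents.setdefault(agent, AgentState())
        if st.frozen:
            return "frozen"
        # Burst detection: drop timestamps that fell out of the sliding window, then count.
        while st.recent_calls and now - st.recent_calls[0] > self.limits.burst_window:
            st.recent_calls.popleft()
        st.recent_calls.append(now)
        if len(st.recent_calls) > self.limits.burst_calls:
            st.frozen = True
            return "frozen"
        # A single oversized transaction is refused but does not stop the agent.
        if amount > self.limits.per_txn:
            return "deny"
        # Blowing through a cumulative cap is treated as a runaway: freeze, do not just deny.
        if (st.day_spent + amount > self.limits.per_day
                or st.month_spent + amount > self.limits.per_month):
            st.frozen = True
            return "frozen"
        st.day_spent += amount
        st.month_spent += amount
        return "allow"

    def unfreeze(self, agent: str) -> None:
        """Human-initiated reset after review; counters are intentionally kept."""
        self.agents[agent].frozen = False
```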
ASI-09: Human-agent trust exploitation
Mitigated
The agent presents misleading information to trick a human into approving something they should not.
How Shield addresses this
Consent screens present permission requests in a clear, user-facing UI that cannot be manipulated by the agent. The consent screen uses Shadow DOM to prevent CSS injection. Approval workflows require explicit human decisions for high-risk actions.
ASI-10: Rogue agents
Mitigated
An agent operates outside its intended boundaries, taking actions that were never authorised.
How Shield addresses this
Agent freeze capability provides a kill switch. Anomaly detection identifies rogue behaviour patterns automatically. The audit trail provides forensic evidence of what a rogue agent did. Scope revocation is immediate and takes effect on the next tool call.
Need more from your compliance tooling?
Need compliance audit exports or custom data retention? These are available on the Enterprise plan.
Get started with Shield
Shield gives your team consent screens, spending controls, and activity logging for every AI agent. Set up in minutes, free to start.