The OWASP Top 10 for Agentic Applications 2026 is the new baseline for enterprise AI security. Here is how to map it to BNM RMiT and PDPA, and the six controls Symprio puts into every Malaysian agent we ship.
Agentic AI — AI systems that reason, plan, invoke tools and act — introduces a class of security risks that traditional application security did not have to handle. A classical web vulnerability is confined to the application that contains it. An agent that can be tricked by a single carefully-crafted document can cascade into data exfiltration, unauthorised tool invocation, or financial loss.
In December 2025 OWASP released the Top 10 for Agentic Applications 2026 — the first widely peer-reviewed framework specifically for agent security. For Malaysian enterprises in regulated sectors, this dovetails directly with BNM RMiT's requirements around third-party AI, PDPA's data-handling rules, and the emerging guidance on AI governance from MOHR and MOSTI.
This is the checklist Symprio runs every production agent through before it touches real customer data.
Why agentic AI security is different
A classical LLM chatbot takes a prompt and returns text. An agent takes a goal, chooses tools, calls APIs, reads documents, writes data, and loops. Every tool the agent can invoke is an attack surface. Every document the agent reads is a potential injection vector. And — crucially — the agent can chain its own actions faster than any human reviewer can watch.
This means a single prompt injection buried in a customer email, a scraped web page, or a retrieved PDF can trigger the agent to behave in ways no human ever authorised. The OWASP framework identifies direct and indirect prompt injection as the top threat category for a reason.
The two defence principles that underpin everything else
OWASP's guidance leads with two non-negotiable principles. Every control below flows from these:
Principle 1: Least-Agency
An agent should be granted the minimum autonomy required to complete its task — and nothing more. If the use case is "read this claim and recommend approve / partial / reject", the agent does not need permission to transfer funds, change policy records, or email customers. Every tool in the registry is an attack vector; fewer tools, smaller blast radius.
Principle 2: Strong Observability
You cannot defend what you cannot see. Every tool call, every prompt, every LLM input and output must be logged — with enough context that an auditor can reconstruct the agent's reasoning months later. This is not optional for BNM-regulated workloads in Malaysia; it is table stakes for any production agent anywhere.
The six controls Symprio ships on every Malaysian agent
1. Input sanitisation and prompt hardening
Every external input the agent ingests — customer messages, uploaded documents, retrieved web content, API responses — is treated as untrusted. We wrap user-generated content in unambiguous delimiters inside the prompt, strip known injection patterns, and use structured output formats where possible so the model's output itself is machine-parseable rather than free text.
2. Tool-registry allowlisting with scoped credentials
The agent's tool registry is an explicit, audited allowlist. Each tool has its own credential with the narrowest possible scope — a claims-review agent has a read-only policy-lookup tool and a write-only case-note tool, not a general-purpose database connection. Tool credentials rotate on a schedule and never appear in prompts.
3. Human-in-the-loop gates for anything irreversible
Actions with regulatory weight, customer impact or financial consequence (fund movement, policy issuance, contract signing, regulatory submission) always require human approval before execution. The agent prepares and recommends — humans approve and commit. For BNM-regulated workloads this is not optional; for everyone else it is still the right default.
4. The evaluation harness
Every production agent ships with a ground-truth test set that runs on every prompt change, model swap and tool-registry update. Accuracy, safety, latency and cost are measured on the same inputs so regressions are caught before they reach production. Without this harness, you cannot safely touch a production prompt.
5. Full audit logging with tamper-evidence
Every tool call, every LLM input and output, every decision is persisted with a cryptographic chain so auditors can verify nothing has been retroactively edited. Logs are retained per the PDPA schedule for your customer data class, and indexed so an investigator can reconstruct any agent decision within minutes, not hours.
6. Rate limits, timeouts and circuit breakers
A compromised or malfunctioning agent should not be able to drain your API budget or hit external systems repeatedly. We place rate limits at the agent level, per-tool timeouts, and circuit breakers that automatically pause the agent if error rates spike. A runaway agent is stopped in seconds, not hours.
Mapping OWASP to BNM RMiT and PDPA
For Malaysian financial services in particular, the OWASP controls map cleanly onto existing regulation:
- BNM RMiT third-party technology risk — the tool-registry allowlist and scoped credentials are your evidence that the agent operates under controlled third-party API access.
- BNM RMiT data handling and audit — tamper-evident logging satisfies the audit-trail expectation for AI-driven decisions.
- PDPA 2010 data protection principles — input sanitisation and structured data flows support data-minimisation and purpose limitation.
- Human-in-the-loop — aligns with the "human oversight" expectation emerging across MAS, BNM and OJK guidance for AI in regulated services.
What to do if you have agents already in production
Run the OWASP Top 10 as a gap assessment against each agent. In our experience the most common gaps in Malaysian enterprise deployments are:
- No evaluation harness — prompts get tweaked directly in production
- Tool credentials with broader scope than the agent needs
- Logs that are written but not indexed / searchable for audit
- Indirect prompt injection untested against realistic adversarial inputs
Each of these is a multi-day fix, not a multi-month rewrite. Prioritise in that order.
Symprio runs security reviews of production agentic AI deployments for Malaysian banks, insurers and fintechs — aligned to OWASP, BNM RMiT and PDPA. Book a review or explore our Agentic AI practice.
Imagery via Pexels, used under the Pexels Free License.