← Noma Blog

Noma: The Standard for Autonomous Agent Security and the OWASP Agentic Top 10

Gal Moyal
CTO Office
Published: Dec 22, 2025 · 5 min. read

Moving Your Security Focus from Content to Action

The simple “Chatbot” is obsolete. We are now in the age of the Autonomous Agent, with systems that plan, use tools, access sensitive data, and make decisions on their own. As businesses rapidly deploy these agents, the security threat has fundamentally changed. A security breach is no longer just a bad chat response; it is a dangerous API call that could delete a database or leak your whole payroll. Organizations must stop simply watching the content and start controlling the conduct of their agents. The question for every CISO and AI Security Professional is how.

The OWASP Top 10 for Agentic Applications, released on December 9, 2025, is the new standard. This specialized list addresses the serious, unique risks of autonomous systems, including threats like ForcedLeak and GeminiJack. Discovered and disclosed by Noma researchers, these vulnerabilities affected major platforms like Salesforce and Google Gemini. Since your agents are now powerful users, protecting them requires a complete change in your existing security plan.

AI Security Posture Management (AI-SPM) and AI Runtime Protection

As the market leader in AI Security Posture Management (AI-SPM) and AI Runtime Protection, Noma secures the entire lifecycle of the AI agent. We help you both “Move Fast” and “Stay Secure”. Our platform does more than just filter prompts and responses; it gives you deep, agent-specific visibility and control. We build this protection around three main parts of defense, and covers the entire OWASP Top 10 Agentic risks.

Pillar 1: Controlling Agent Actions (Conduct & Tool Validation)

The ability of autonomous agents to plan and use tools is both their greatest strength and their most significant vulnerability. Noma ensures that agent actions are safe and do not result in unauthorized or harmful outcomes.

Goal Hijack (ASI01) & Tool Misuse (ASI02)

  • The Issue: Attackers attempt to manipulate an agent’s internal reasoning (Goal Hijack) or trick it into using authorized tools to cause harm (Tool Misuse).
  • Broad Impacts: Beyond system destruction, tool misuse can lead to sensitive data leakage, unauthorized lateral movement, or significant financial impact such as “denial of wallet” through resource exhaustion.
  • Primary Risk Vector: Indirect Prompt Injection is the leading threat. Malicious instructions can be hidden within loaded context, such as data sources or third-party tool outputs.

Noma’s Defense

  • Behavioral Validation: Noma monitors agent behavior in real-time, stopping hijack attempts before they influence the planning stage.
  • Action Firewall: Our runtime protection validates every tool invocation. We analyze the tool metadata (tool description, input parameters, schema), user identity and intent, and the potential impact of the action in order to block malicious or attacker-driven behaviors instantly.
  • Orchestration Depth: Unlike standard protection layers, Noma inspects the internal orchestration of the agent. This allows us to block malicious inputs from the prompt and the loaded context, including poisoned data sources and manipulated tool responses.

Pillar 2: Securing the Agent System (Privilege, Code, & Communication)

Agents operate within a complex ecosystem of permissions, external integrations, and inter-agent dialogues. Each of these segments represents a critical point of failure that requires robust governance.

Identity and Privilege Abuse (ASI03)

  • The Issue: Agents often inherit expansive permissions, which increases the potential impact if an agent is compromised or exhibits unintended behavior.
  • Noma’s Defense: Noma provides deep visibility into the capabilities assigned to each agent. We help teams implement and monitor Least Privilege models by identifying accessible resources and detecting the use of maker, static, or shared identities to prevent unauthorized access.

Securing the Supply Chain (ASI04)

  • The Issue: Agentic workflows are vulnerable to insecure external components. This includes risks such as malicious MCPs, tool poisoning, tool shadowing, and “rug pulls” where a trusted tool is replaced with a malicious version.
  • Noma’s Defense: We provide integrity checks at pre-runtime and runtime stages for external components as well as a comprehensive Agentic Risk Map. Noma is uniquely positioned to detect malicious and suspicious MCPs and other emerging supply chain threats before an agent can exploit them.

Hardening Code Execution (ASI05)

  • The Issue: Attackers can manipulate agents into generating and running malicious scripts. This leads to remote code execution (RCE), unauthorized system changes or a catastrophic data loss.
  • Noma’s Defense: Noma provides defense-in-depth through both AI-SPM and Runtime Protection. We flag high-risk agents operating without human oversight. Our Execution-Safety Guardrails apply granular inspection to block unsafe commands and file-system actions, preventing high-impact tool calls such as the unauthorized removal of databases or drives.

Validating Inter-Agent Communication (ASI07)

  • The Issue: In multi-agent systems, attackers can use A2A (Agent-to-Agent) spoofing to inject fake messages or manipulate coordination. This can disrupt critical business workflows.
  • Noma’s Defense: Noma validates the integrity and provenance of messages sent between agents. By enforcing authenticated communication, we prevent A2A spoofing and ensure that agent interactions remain secure and trusted.

Pillar 3: Real-Time Protection and Emergency Response

Noma inspects every step of the agent’s decision-making process. This includes the prompt, response, context loaded from data sources, and the outputs from tool calls.

Preventing Memory & Context Poisoning (ASI06)

  • The Issue: This is a lasting corruption of an agent’s long-term memory by injecting malicious instructions which will be used upon any future response. Malicious data can cause the agent to make consistently bad decisions over time.
  • Noma’s Defense: Noma checks every data loaded into the agentic context for malicious data, as well as any memory write actions. We stop self-ingestion loops and block corrupted updates to keep the agent’s knowledge reliable.

Mitigating Cascading Failures (ASI08) & Human Trust Exploitation (ASI09)

  • The Issue: Small problems can quickly spread and get worse across the agent system in a Cascading Failure. Agents can also be tricked into misleading human users for malicious reasons, known as Human Trust Exploitation.
  • Noma’s Defense: Noma shows a map of your whole agent system called the Agentic Risk Map. This finds unusual agent chains and blocks problems before they can spread. We also limit how much control agents have over sensitive actions and block misleading advice.

Quarantining Destructive Agents (ASI10)

  • The Issue: A critical emergency occurs when an agent’s purpose changes. It may then start doing destructive, self-directed actions.
  • Noma’s Defense: Noma provides Behavioral Integrity Monitoring to detect when an agent’s purpose changes. We offer a central Kill Switch to instantly isolate any agent attempting destructive actions.

The Cost of Incomplete Security: Why Content Filtering is Not Enough

Your agents are no longer just chatbots; they are powerful users with direct access to your most sensitive assets. Trying to fight the OWASP Agentic Top 10 with traditional content filtering or siloed point solutions is a strategy built on failure.

The Risks of a Non-Holistic Approach

  • Financial and Data Catastrophe: A single, unchecked action from a compromised agent leads to a dangerous API call. This can delete a database, leak your entire payroll, or interrupt critical workflows.
  • Systemic Instability: Without controls over long-term memory, an agent is vulnerable to Memory & Context Poisoning (ASI06). This leads to a lasting corruption of its knowledge base and causes it to make consistently bad, high-risk decisions.
  • Operational Shutdown: Unmonitored agent-to-agent communication and the lack of a system-wide view can result in Cascading Failures (ASI08). This can turn a minor issue into a full-scale emergency, including the development of Rogue Agents (ASI10) that perform harmful, self-directed actions.

Don’t Settle for Filtering. Demand Control.

To fully secure the age of the autonomous agent, you must control the conduct, not just the content. You need deep, real-time visibility into the agent’s intent, actions, and system environment.

Noma Security provides this complete, holistic defense with our market-leading AI Security Posture Management (AI-SPM) and Runtime Protection solution. We move beyond simple prompt filters to provide the Intent Firewall, Least Privilege enforcement, and the central Kill Switch required to meet and defend the challenges of the OWASP Agentic Top 10.

Noma Security makes sure your AI workforce is as safe as it is capable.

Are you ready to secure your agentic future? Reach out to us for a demo to learn more