[ COMPLIANCE_DOSSIER / OWASP_AGENTIC_TOP_10 ]

OWASP Agentic Top 10 mapped to Centurian

[ TL;DR ]

The OWASP Agentic Top 10 catalogs the 10 most critical security risks for autonomous AI agents. Centurian’s five-product surface maps directly: Connect handles identity and attestation; Govern enforces deterministic Rego rules; Measure runs trajectory eval and anomaly detection; Cost gates runaway spend; Prove writes the bitemporal evidence. Centurian assumes the application is secure (a Noma-style scanner’s job) and governs the operational actions. They run together.

Risk-to-product mapping

OWASP Risk | Centurian Surface
A1 — Prompt Injection | Connect (input policies) + Noma partnership for runtime blocking
A2 — Insecure Tool Use | Govern (Rego rules + tool allowlists) + step-up MFA on high-privilege actions
A3 — Excessive Autonomy | Govern (registration tiers, Autonomous-Narrow Default-OFF, kill switch SLO 30s)
A4 — Untrusted Model Outputs | Measure (trajectory eval, deterministic checks) + Govern (output policies)
A5 — Identity Spoofing | Connect (registration, attestation, ephemeral 5s-TTL credentials, signed)
A6 — Sensitive Data Leakage | Govern (PII export rules) + Measure (trajectory anomaly detection)
A7 — Supply-Chain Risk | Connect (platform integration adapters, signed artifact catalog)
A8 — Denial-of-Service / Runaway Cost | Cost (multi-rail per-agent budgets, hard stops at rail layer, $5/mo free-tier cap)
A9 — Evaluation Gaps | Measure (4 eval acquisition paths + active prompts at 14d + periodic audit)
A10 — Audit-Trail Tampering | Prove (bitemporal evidence, Ed25519, append-only spine, sampled verification)

Where Centurian stops + a security scanner starts

Centurian assumes the underlying application is secure and governs the operational actions and spending. Runtime threat protection — prompt-injection blocking, jailbreak detection, shadow-MCP-server discovery — is the job of a security scanner like Noma Security. The two are complementary: Centurian logs actions in a court-defensible chain; Noma blocks attacks. Centurian ingests Noma alerts as a source so a single audit covers both.

FAQ

What is the OWASP Agentic Top 10?

The OWASP Agentic Top 10 is a community-driven catalog of the 10 most critical security risks specific to autonomous AI agents. It covers prompt injection, insecure tool use, excessive autonomy, untrusted model outputs, identity spoofing, sensitive data leakage, supply-chain risk, denial-of-service, evaluation gaps, and audit-trail tampering. The framework is the AI-agent counterpart to the OWASP Top 10 for web applications.

How does Centurian map to each OWASP Agentic Top 10 risk?

Each risk is mapped to one or more Centurian product surfaces: Connect (registration, attestation, cryptographic identity), Govern (Rego enforcement, exception queue, step-up MFA, ephemeral tokens), Measure (trajectory eval, anomaly detection, regression detection), Cost (multi-rail attribution, $5/mo free-tier hard cap, runaway-spend gate), Prove (bitemporal evidence chain, framework distribution, three audit tiers).

Does Centurian replace a security scanner like Noma Security?

No. Noma Security is a runtime threat protection product — prompt-injection blocking, jailbreak detection, deep discovery of shadow MCP servers. Centurian governs the agent's operational actions and spending, assuming the underlying application is secure. The two are highly complementary: Centurian logs actions, Noma blocks attacks. Centurian's bitemporal evidence chain ingests Noma alerts as a source.

How does Centurian handle excessive autonomy?

Centurian's Govern product gates five high-privilege actions behind step-up MFA: delete agent, modify global policy, run targeted-deep audit, grant external invitation, modify Master Admin. The Autonomous-Narrow operator mode is Default-OFF for the HIPAA, GDPR, EU AI Act, and PCI-DSS frameworks; opt-in is per framework, requires admin sign-off, and ships with a 30-second kill switch. Registration tiers (Observation / Restricted / Standard / Trusted / Autonomous) auto-promote and demote based on attested behavior.

What about audit-trail tampering?

Centurian's evidence chain is bitemporal and cryptographically hashed. Every action carries an Ed25519 signature plus a transaction-time / valid-time pair. The audit trail is append-only at the spine layer; deletion is a separate signed event. Targeted-deep audits sample randomly; if any sampled row fails verification, the audit aborts and the operator is alerted.