AgentGateX Console
Demo workspace

Audit Report

Compliance mapping and export-ready evidence summary.

Period: Q2 2026
Agents: 142
Critical findings: 7
Policy coverage: 86%

Control mapping

Control                    Framework      Status
CC6.1 — Logical access     SOC 2          partial
CC6.3 — Least privilege    SOC 2          gap
CC7.2 — Monitoring         SOC 2          met
A.9.2 — User access        ISO 27001      partial
A.12.4 — Logging           ISO 27001      met
AC-6 — Least privilege     NIST 800-53    gap

OWASP agentic compliance

OWASP coverage: 18% of 11 assessed categories
Open gaps: 9 categories with open high/critical findings
Partial: 1 category needing review

OWASP Top 10 for Agentic Applications (2026)

Risks unique to autonomous agents that plan, use tools, and persist memory.

ASI01 Agent Goal Hijack (status: gap)

Hidden or injected instructions redirect the agent from its intended objective.

  • P2: Hidden instructions in skill description
  • support-tools-mcp/summarize_thread: Hidden comment in tool 'summarize_thread' may carry instructions
  • support-tools-mcp/summarize_thread: Instruction-override phrase in tool 'summarize_thread'

ASI02 Tool Misuse & Exploitation (status: met)

Legitimate tools are chained or used in unintended, high-impact ways.

ASI03 Identity & Privilege Abuse (status: gap)

Over-permissive credentials or privilege escalation paths in agent identities.

  • PE3: Agent can attach IAM policies in production
  • E2: Environment variable harvesting in MCP tool
  • MCP1: MCP tool requests excessive privileges

ASI04 Agentic Supply Chain (status: gap)

Risk from third-party tools, dependencies, and unpinned remote artifacts.

  • SC2: Deploy agent executes unpinned remote scripts
  • SC4: Known vulnerable dependency (CVE via OSV.dev)
  • SC1: Unpinned dependencies

ASI05 Unexpected Code Execution (status: gap)

The agent fetches and executes code, opening a remote code execution path.

  • SC2: Deploy agent executes unpinned remote scripts

ASI06 Memory & Context Poisoning (status: partial)

Untrusted content poisons the agent's context or persistent memory.

  • P2: Hidden instructions in skill description

ASI10 Rogue Agents (status: gap)

Agents able to act far beyond their scope with no human-in-the-loop gate.

  • agt_deploy_bot: ungated lethal trifecta
  • agt_invoice_agent: ungated lethal trifecta

OWASP MCP Top 10 (2026)

Risks introduced by the Model Context Protocol tool interface layer.

MCP01 Secret Exposure (status: gap)

Credentials or environment secrets harvested and exposed by MCP tools.

  • E2: Environment variable harvesting in MCP tool

MCP02 Privilege Scope Creep / Rug Pull (status: gap)

Excessive tool scopes, or a previously approved tool silently changing.

  • MCP1: MCP tool requests excessive privileges
  • devtools-mcp/run_build: Tool 'run_build' changed since approval (possible rug pull)

MCP03 Tool Poisoning (status: gap)

Malicious instructions hidden in MCP tool descriptions or schemas.

  • P2: Hidden instructions in skill description
  • support-tools-mcp/summarize_thread: Hidden comment in tool 'summarize_thread' may carry instructions
  • support-tools-mcp/summarize_thread: Instruction-override phrase in tool 'summarize_thread'

MCP07 Unauthenticated Tool Access (status: gap)

MCP servers exposing sensitive tools without any authentication.

  • support-tools-mcp: no authentication