
How FORGE Addresses the OWASP Top 10 for Agentic Applications

Bamwerks
Tags: security, owasp, forge, governance

The OWASP Top 10 for Agentic Applications (2026) identifies critical security risks facing autonomous AI systems. At Bamwerks, our FORGE framework (Framework for Orchestrated Reasoning, Governance & Execution) was designed from day one to address these challenges through governance-first architecture. Here's how FORGE maps to each risk.

ASI01: Agent Goal Hijack

Attackers can alter agent objectives through malicious content embedded in emails, documents, or web pages: indirect prompt injection that causes agents to pursue unintended goals. FORGE addresses this with structured dispatch (GOAL/CONSTRAINTS/CONTEXT/OUTPUT format), in which goals are defined by the orchestrator rather than inferred from content, and with Sentinel security review of every output for goal drift and exfiltration attempts.

ASI02: Tool Misuse and Exploitation

Agents may use legitimate tools in unsafe ways—destructive parameters, unexpected chaining, or data exfiltration through manipulated prompts. FORGE enforces task-specific tool permissions (builders get write access only to their scope, report agents are read-only), requires explicit approval for external actions like emails or tweets, and runs parallel Hawk (QA) and Sentinel (Security) reviews that both must pass before delivery.

ASI03: Identity and Privilege Abuse

Agents inherit user credentials or system tokens that can be unintentionally reused, escalated, or passed across sessions—creating confused deputy scenarios. FORGE implements agent-blind credential storage with orchestrator-mediated access, task-scoped permissions with no inheritance across sessions, and memory compartmentalization ensuring sub-agents receive only the context needed for their specific task.
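The task-scoped permission model described under ASI02 and ASI03 (builders write only inside their scope, report agents read-only, external actions gated on explicit approval, no inheritance across tasks) can be illustrated with a small policy check. This is an added example written for this post, not Bamwerks' FORGE code; the `ToolGrant` type, the tool names and the path layout are assumptions.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

# Tools that reach outside the workspace always need explicit approval (assumed names).
EXTERNAL_ACTIONS = {"send_email", "post_tweet"}


@dataclass(frozen=True)
class ToolGrant:
    """Permissions issued for one task; a new task gets a new grant, nothing is inherited."""
    role: str
    write_scope: tuple = ()              # directories a builder may write to
    read_only: bool = False              # report agents never write
    approved_external: frozenset = frozenset()  # external actions the orchestrator approved


def in_scope(path: str, scope) -> bool:
    """True if path equals or lies below one of the granted directories."""
    p = PurePosixPath(path)
    return any(p == PurePosixPath(s) or PurePosixPath(s) in p.parents for s in scope)


def authorize(grant: ToolGrant, tool: str, target: str) -> tuple:
    """Decide one tool call under a task-scoped grant; returns (allowed, reason)."""
    if tool in EXTERNAL_ACTIONS:
        if tool in grant.approved_external:
            return True, "explicitly approved external action"
        return False, "external action requires explicit approval"
    if tool == "write_file":
        if grant.read_only:
            return False, f"{grant.role} is read-only"
        # PurePosixPath does not normalise "..", so a traversal would still
        # appear to sit under the scope directory; reject it outright.
        if ".." in PurePosixPath(target).parts:
            return False, "path traversal rejected"
        if not in_scope(target, grant.write_scope):
            return False, f"{target} outside write scope {list(grant.write_scope)}"
        return True, "within scope"
    if tool == "read_file":
        return True, "read allowed"
    return False, f"unknown tool {tool}"


if __name__ == "__main__":
    # Constructed sample grants for a builder and a report agent.
    builder = ToolGrant(role="builder", write_scope=("src/feature-x",))
    reporter = ToolGrant(role="report", read_only=True)
    for grant, tool, target in [
        (builder, "write_file", "src/feature-x/app.py"),
        (builder, "write_file", "src/feature-x/../../etc/passwd"),
        (reporter, "write_file", "reports/out.md"),
        (builder, "send_email", "someone@example.com"),
    ]:
        print(grant.role, tool, target, "->", authorize(grant, tool, target))
```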

ASI04: Agentic Supply Chain Vulnerabilities

Dynamic loading of tools, plugins, prompt templates, or external agents at runtime introduces compromise risk. FORGE maintains a curated 33-agent registry with version-controlled prompts, gates all changes through GitHub issues (no issue = no edit), runs Sentinel dependency reviews for vulnerabilities, and enforces workspace isolation with strict file permissions.

ASI05: Unexpected Code Execution

Agents generating or running code unsafely—shell commands, scripts, or template evaluation triggered through output—pose significant risk. FORGE's core orchestration rule: Sir (COO) never implements, only delegates to specialized builders who work in isolated directories and feature branches, with parallel Hawk code review and Sentinel static analysis both required before any code merges.

ASI06: Memory and Context Poisoning

Agents relying on RAG databases or embeddings can be influenced by poisoned memory that shapes future decisions. FORGE uses file-based memory (human-readable markdown, version-controlled, auditable) with session isolation and fresh starts, avoiding RAG-related poisoning risks entirely. Memory is segmented (CHARTER.md Founder-only, MEMORY.md main-session-only), and retrospectives analyze anomalous changes.

ASI07: Insecure Inter-Agent Communication

Multi-agent systems exchanging messages without authentication or validation allow interception or instruction injection. FORGE uses structured dispatch through OpenClaw's platform with unique session IDs, push-based completion announcements to requesters only, and no external MCP or A2A protocols—all communication is logged and auditable.

ASI08: Cascading Failures

Small errors in one agent can propagate rapidly through interconnected systems. FORGE requires parallel review gates (both Hawk and Sentinel must pass), isolates tasks with scoped boundaries to contain failures, enforces mandatory retrospectives (root cause → accountability → prevention) documented in daily notes, and provides kill switches for Sir to terminate runaway sessions.

ASI09: Human-Agent Trust Exploitation

Users may over-trust agent recommendations, creating opportunities for manipulation or information extraction. FORGE addresses this with transparent output where Sir synthesizes and reviews all work before delivery, clear attribution of which agent produced what, Hawk trust review checking for persuasive or manipulative language, and bounded scope requiring approval for critical decisions.

ASI10: Rogue Agents

Compromised or misaligned agents may act harmfully while appearing legitimate—self-replicating, persisting, or impersonating others. FORGE enforces strict governance with defined agent roles and Founder-owned identity files that agents can only read, implements Sentinel anomaly detection flagging out-of-scope actions, provides kill switches for immediate session termination, and uses anti-sycophancy reviews when unanimous agreement raises suspicion.

Current Maturity: 7 of 10 Fully Implemented

FORGE fully addresses ASI02 (Tool Misuse), ASI04 (Supply Chain), ASI05 (Code Execution), ASI06 (Memory Poisoning), ASI07 (Insecure Comms), ASI08 (Cascading Failures), and ASI09 (Trust Exploitation) through implemented governance mechanisms.

Three risks remain partially addressed and are targeted for Q2 2026 implementation. Details will be published after mitigations are in place.

The difference between FORGE and ad-hoc agentic systems isn't just technical controls—it's recognizing that governance comes first. Security, quality, and trust aren't bolt-ons; they're the foundation on which autonomous AI must be built.

For technical details on FORGE's architecture and workflow, see our methodology documentation.