Inkog covers 7 of 10 OWASP Agentic risks today. 10 of 10 by Q3 2026.

User input or environmental data overrides the agent's intended goal.

Notes: Detection across all 15 framework adapters via the universal IR.

Agents misuse tools — recursive call loops, code execution, privilege escalation.

Notes: Inkog's strongest category. Catches the AutoGen CodeExecutor + LangChain ReAct loop patterns.

Agents act with inherited or escalated privileges they shouldn't hold.

Notes: Missing: agent-identity-chain modeling. Coming Q3 2026.

Compromised models, skills, MCP servers, or training data poisoning the agent.

Notes: Inkog's MCP server audit is unique — covers ClawHavoc + Smithery patterns.

Agent generates and executes code (or eval-style content) without sandboxing.

Notes: AST-level taint analysis catches LLM-output → subprocess.run flow.

Persistent memory or RAG context is poisoned by adversarial input.

Notes: Missing: persistent memory-store probing. Coming Q3 2026.

Multi-agent messages lack signing, encryption, or replay protection.

Notes: Detects unsigned messages today; no encryption/replay checks yet.

One agent's failure propagates through a delegation chain.

Notes: Static-analysis-hard. Shipping in 30 days: delegation depth >3 without bounded recursion, agents writing shared memory without scoping.

Operators over-rely on agent decisions, automate bias, or skip review.

Notes: Maps directly to EU AI Act Article 14(4)(b) automation bias.

Agents act outside their declared scope (drift, misalignment, or compromise).

Notes: Static approximations shipping in 30 days: kill-switch absence, rate-limit + audit-log combined.