The Security Landscape Just Changed
In December 2025, OWASP released its Top 10 for Agentic Applications — the first framework specifically addressing the security risks of autonomous AI systems. It built on the LLM Top 10 (2025 edition) but went deeper into the threats that emerge when AI agents can take actions, not just generate text.
The release wasn't academic. Microsoft's agentic failure modes documentation now references OWASP's threat and mitigations guide. NVIDIA's Safety and Security Framework for Real-World Agentic Systems cites the Agentic Threat Modelling Guide extensively. AWS and GoDaddy have already begun implementing the recommendations.
For healthcare, where AI agents are being deployed to process patient records, manage billing pipelines, coordinate care workflows, and communicate with patients — this framework isn't optional reading. It's the security baseline.
Why Traditional Security Tools Fall Short
Healthcare organizations have invested heavily in security tooling: endpoint detection, SIEM platforms, vulnerability scanners, penetration testing programs. These tools are essential, but they're designed for a world where software follows deterministic logic paths.
AI agents don't work that way.
An agent processing a patient intake form might generate different outputs for the same input depending on context, temperature settings, and the current state of its conversation history. A multi-agent workflow might route data through different paths depending on which agents are available and how the orchestrator interprets the task. A retrieval-augmented agent might pull different source documents depending on embedding similarity scores that shift as the vector store is updated.
Traditional DAST scanners like Invicti can tell you if your API endpoints have injection vulnerabilities. They cannot tell you if your clinical intake agent is hallucinating ICD-10 codes that don't exist in the current code set. They cannot detect if a poisoned document in your RAG pipeline is causing your compliance agent to generate incorrect HIPAA guidance. They cannot flag that Agent A is passing PHI to Agent B through an unencrypted inter-agent channel.
This is why OWASP created separate frameworks for LLM applications and agentic systems — the threat model is fundamentally different from traditional application security.
The OWASP LLM Top 10: Healthcare Implications
The 2025 OWASP Top 10 for LLM Applications maps directly to healthcare deployment risks:
LLM01: Prompt Injection
Healthcare risk:
Patient-submitted data (intake forms, portal messages, uploaded documents) can contain adversarial inputs that hijack agent behavior. A patient's intake form could contain text that causes the processing agent to bypass PHI de-identification or output data it shouldn't disclose.
Mitigation:
Input sanitization layers that treat all patient-submitted data as untrusted. Output validation that verifies agent responses against expected schemas before they reach downstream systems.
LLM02: Sensitive Information Disclosure
Healthcare risk:
This is the big one. PHI in prompt logs, context windows, cached responses, error outputs, and model training data. A 2025 IBM report found that 97% of organizations with AI-related security incidents lacked proper AI access controls.
Mitigation:
PHI scrubbing before any data enters an LLM context window. Ephemeral contexts that don't persist beyond the immediate task. Contractual guarantees (BAAs) with LLM providers that data is not retained or used for training.
LLM04: Data and Model Poisoning
Healthcare risk:
Corrupted training data or adversarial inputs in RAG pipelines that cause agents to generate incorrect clinical outputs. The PoisonGPT attack demonstrated that models on Hugging Face could be directly tampered with to spread misinformation while bypassing safety features.
Mitigation:
Pin retrieval sources to authoritative clinical databases (NLM, CDC, peer-reviewed journals). Hash-verify all documents before vector store indexing. Version vector stores with rollback capability.
LLM05: Improper Output Handling
Healthcare risk:
Agent outputs that are passed directly to downstream systems without validation. A billing agent that generates an invalid CPT code, or a clinical agent that recommends a contraindicated medication — if the output isn't validated before it reaches the EHR or the patient, it becomes a patient safety issue.
Mitigation:
Deterministic validation gates between agent output and data persistence. Clinical code set verification. FHIR schema conformance checking. Business rule engines that catch impossible or contradictory outputs.
LLM10: Excessive Agency
Healthcare risk:
Agents with permissions to write to EHRs, send patient communications, trigger prescription workflows, or modify billing records — without human approval gates. OWASP breaks this into three root causes: excessive functionality, excessive permissions, and excessive autonomy.
Mitigation:
Least-privilege defaults on every agent. Human-in-the-loop requirements for irreversible clinical actions. Permission scoping that limits each agent to the minimum tools required for its specific task.
The Agentic Threat Layer
Beyond individual LLM vulnerabilities, OWASP's Agentic Top 10 addresses threats that only emerge when multiple agents work together in orchestrated workflows:
Agent Impersonation
An unauthorized agent masquerades as a vetted agent in the workflow, processing PHI through unvalidated pipelines. In a healthcare context, this could mean a compromised agent generating clinical recommendations that bypass quality checks.
Defense: Cryptographic agent identity verification. Signed agent manifests that verify provenance before an agent can join a workflow. Agent registry with revocation capability.
Multi-Agent Collusion
One compromised agent passes tainted context to downstream agents, cascading unsafe behavior across the pipeline. In a clinical workflow where an intake agent feeds an eligibility agent feeds a billing agent, a single poisoned handoff can corrupt the entire chain.
Defense: Inter-agent trust boundaries with schema validation at every handoff. Context provenance tracking that logs which agent produced each piece of data. Cascade kill-switches that halt a workflow if an upstream agent is flagged.
Tool Misuse and Lateral Movement
An agent that gains access to one tool (e.g., a scheduling API) uses that access to reach other tools (e.g., the EHR write API) that it shouldn't have access to. This mirrors traditional lateral movement attacks but in an agentic context where permissions may be dynamically assigned.
Defense: Static permission boundaries that cannot be expanded at runtime. Tool-level access control lists that are independent of the orchestrator. Monitoring for anomalous tool access patterns.
Building the Four-Layer Security Architecture
Based on the OWASP frameworks and the specific threat profile of healthcare AI deployments, we recommend a four-layer approach:
Layer 1 — Code and Infrastructure. Traditional security: DAST/SAST scanning, dependency CVE detection, OWASP Web Top 10 coverage, encryption validation. Tools like Invicti, Snyk, and GitHub Advanced Security handle this layer. This is necessary but insufficient for agentic systems.
Layer 2 — Agent Output Validation. Deterministic checks on every agent output before it enters a dataset or downstream system. ICD-10/CPT code existence validation, FHIR resource schema conformance, clinical recommendation contradiction detection. No ML required — just healthcare reference data and structured validation logic.
Layer 3 — Inter-Agent Trust. Schema validation, provenance verification, and scope checking on every agent-to-agent handoff. Row-level security principles applied to agent communication. Cascade kill-switches for compromised agents.
Layer 4 — Retrieval Integrity. Source pinning to known-good clinical databases. Document hash verification before indexing. Versioned vector stores with rollback. Strict separation between retrieval corpus and agent output — agents never write back to their own knowledge base without human review.
What This Means for Healthcare Engineering Teams
If you're deploying AI agents in healthcare today, the OWASP LLM Top 10 and Agentic Top 10 should be your security baseline — not an aspirational roadmap.
The teams that treat agent security as an afterthought — bolting HIPAA checkboxes onto generic tools — are building on a foundation that will crack under the first serious security review, the first compliance audit, or the first breach investigation.
The teams that build security into the agent layer from day one — with purpose-built healthcare agents, validated output gates, inter-agent trust boundaries, and retrieval integrity checks — are building the infrastructure that healthcare's AI future will run on.
OWASP has given us the framework. The healthcare industry has the urgency. The question is whether engineering teams will implement it before or after the first major AI-agent-driven healthcare breach.
Our bet is before.