# OWASP ASI Top 10 to CLAWLINE Crosswalk

**Methodology version:** `CLAWLINE_METHOD_V0.7_ASI_ALIGNMENT_2026-07-02`  
**Status:** Candidate gap-closure mapping / evidence-traceability contract  
**Owner:** CLAWLINE / LeftOutSecurity  
**Source basis:** OWASP Gen AI Security Project, Agentic Security Initiative, `OWASP Top 10 for Agentic Applications 2026`.  
**Automated assessment scope:** `STATIC_SUBMISSION`; `runtime_behavior_verified: false`.

---

## 1. Bottom line

The CLAWLINE v0.7 candidate extension documents gap-closure mappings by adding an explicit audit control layer for all ten OWASP Agentic Security Initiative risks.

The previous v0.6 state was:

- risk coverage broadly present,
- control traceability incomplete,
- assessment report readiness incomplete.

The v0.7 candidate-profile state is:

- **risk coverage:** explicit for all ten ASI items,
- **control traceability:** added through the [public ASI control catalog](https://theclawline.com/artifacts/agentic-ai/v0.7/clawline-asi-control-catalog.md),
- **assessment report readiness:** added through the [public ASI assessment template](https://theclawline.com/artifacts/agentic-ai/v0.7/clawline-asi-assessment-template.md),
- **machine-readable contract:** separated into the untrusted, submitter-supplied [ABOM v0.4 JSON Schema](https://theclawline.com/schemas/abom-v0.4.schema.json) and verifier-owned [ASI assessment v0.7 JSON Schema](https://theclawline.com/schemas/asi-assessment-v0.7.schema.json),
- **finding namespace:** reserved as `CRABS-ASI01` through `CRABS-ASI10`,
- **DAD routing:** added as ASI-specific static-assessment freeze/warn decisions with corresponding CLAWS publication actions.

This does **not** claim OWASP certification or endorsement. It claims CLAWLINE evidence-traceability against the OWASP ASI Top 10 taxonomy.

The v0.7 candidate profile is additive to the v0.5 base submission contract. Its optional ABOM is nested at `clawline_submission.disclosure.clawline_disclosure.abom`; it does not change the accepted v0.5 fields. Automated output always states `assessment_scope: "STATIC_SUBMISSION"` and `runtime_behavior_verified: false`. Accordingly, the DAD and CLAWS values below do not claim that the scanner observed or controlled a live agent runtime.

License, adaptation, trademark, and non-endorsement details are published in the [third-party notices](https://theclawline.com/NOTICE.md).

---

## 2. ID collision fix

The earlier proposed `CRABS-A01` through `CRABS-A10` finding IDs collided with the existing CRABS `A` namespace. `CRABS-A01` already exists in the codebase as a tier-mismatch finding.

The corrected ASI namespace is:

| ASI | CLAWLINE finding |
|---|---|
| `ASI01` | `CRABS-ASI01` |
| `ASI02` | `CRABS-ASI02` |
| `ASI03` | `CRABS-ASI03` |
| `ASI04` | `CRABS-ASI04` |
| `ASI05` | `CRABS-ASI05` |
| `ASI06` | `CRABS-ASI06` |
| `ASI07` | `CRABS-ASI07` |
| `ASI08` | `CRABS-ASI08` |
| `ASI09` | `CRABS-ASI09` |
| `ASI10` | `CRABS-ASI10` |

---

## 3. OWASP ASI coverage matrix

| OWASP ASI item | CLAWLINE v0.7 controls | Candidate mapping status | Evidence artifact |
|---|---|---|---|
| `ASI01` Agent Goal Hijack | Intent capsule, goal-state ID, goal-drift detection, prompt/context hierarchy tests. | Covered with explicit evidence requirements. | `CLAWLINE_ASI_CONTROL_CATALOG_V0_7.md` §5 |
| `ASI02` Tool Misuse & Exploitation | Semantic tool firewall, fully qualified tool names, version pins, sequence policy, cost/rate/fan-out caps. | Covered with explicit evidence requirements. | §6 |
| `ASI03` Identity & Privilege Abuse | Discrete agent identity, per-action auth receipt, delegation-chain map, short-lived credentials, TOCTOU recheck. | Covered with explicit evidence requirements. | §7 |
| `ASI04` Agentic Supply Chain Vulnerabilities | ABOM v0.4, signed/pinned manifests, registry trust tiers, runtime attestation, activation allowlist, kill switch. | Covered with explicit evidence requirements. | §8 |
| `ASI05` Unexpected Code Execution / RCE | Code/exec separation, no unsandboxed `eval`, pre-execution scan, sandbox controls, dedicated workdir, prod execution gate. | Covered with explicit evidence requirements. | §9 |
| `ASI06` Memory & Context Poisoning | Memory write gates, provenance, namespace isolation, TTL/decay, rollback/quarantine, self-reingestion block. | Covered with explicit evidence requirements. | §10 |
| `ASI07` Insecure Inter-Agent Communication | Mutual auth, message signing, anti-replay, descriptor validation, registry trust, semantic intent diffing. | Covered with explicit evidence requirements. | §11 |
| `ASI08` Cascading Failures | Dependency map, fan-out/retry/queue caps, circuit breakers, progress caps, replay tests, rollback drills. | Covered with explicit evidence requirements. | §12 |
| `ASI09` Human-Agent Trust Exploitation | Risk summary, rationale/proof separation, provenance cues, approval impact disclosure, reporting path, anti-dark-pattern review. | Covered with explicit evidence requirements. | §13 |
| `ASI10` Rogue Agents | Behavioral manifest, runtime attestation, watchdog/peer validation, self-replication/provisioning block, kill switch, quarantine playbook. | Covered with explicit evidence requirements. | §14 |

---

## 4. Negative-space closure tests

| ASI | Negative-space evidence test | Default routing |
|---|---|---|
| `ASI01` | No signed task goal, goal-state identifier, or drift alert. | `CRABS-ASI01`; WARN, FREEZE for BR-4+. |
| `ASI02` | No tool sequence policy, semantic firewall, fail-closed resolution, or cost/rate guardrail. | `CRABS-ASI02`; WARN, FREEZE for write/delete/external transfer tools. |
| `ASI03` | No per-action auth receipt, delegated-chain map, short-lived credential proof, or revocation proof. | `CRABS-ASI03`; FREEZE for sensitive, admin, financial, production, or BR-4+. |
| `ASI04` | No signed/pinned manifests, trusted registry, runtime attestation, activation allowlist, or kill switch. | `CRABS-ASI04`; WARN, FREEZE for third-party high-risk tools. |
| `ASI05` | No sandbox proof, no pre-exec scan, unsandboxed `eval`, or direct prod execution allowed. | `CRABS-ASI05`; FREEZE for code/file/shell agents. |
| `ASI06` | No memory provenance, namespace isolation, TTL, rollback, quarantine, or self-reingestion control. | `CRABS-ASI06`; WARN, FREEZE for shared memory or regulated data. |
| `ASI07` | No mTLS/equivalent mutual auth, signed messages, anti-replay, descriptor validation, or registry trust. | `CRABS-ASI07`; WARN, FREEZE for privileged multi-agent workflows. |
| `ASI08` | No fan-out caps, circuit breakers, cascade telemetry, replay tests, or rollback drill. | `CRABS-ASI08`; WARN, FREEZE for autonomous cross-system workflows. |
| `ASI09` | No trust UX review, provenance cues, risk summary, approval impact disclosure, or user-reporting path. | `CRABS-ASI09`; WARN, FREEZE if hidden irreversible action impact. |
| `ASI10` | No behavioral manifest, attestation, watchdog, self-replication/provisioning block, kill switch, or rogue quarantine playbook. | `CRABS-ASI10`; WARN, FREEZE for high-autonomy or BR-4+. |

---

## 5. DAD routing closure

Every ASI item uses the same severity correlation: `WARN` → `DAD-ASIxx-WRN` → `PUBLISH_WITH_WARN`; `CRITICAL` → `DAD-ASIxx-CRT` → `FREEZE`/`QUARANTINE`. An `INFO` item emits no finding and carries `-WRN` only as the canonical placeholder for the route that would apply to a WARN finding.

| Rule | Trigger | DAD decision | CLAWS action |
|---|---|---|---|
| `DAD-ASI01-WRN` / `DAD-ASI01-CRT` | ASI01 gap; critical example: BR-4+ autonomous run lacks intent capsule or goal binding. | WARN / FREEZE | PUBLISH_WITH_WARN / QUARANTINE |
| `DAD-ASI02-WRN` / `DAD-ASI02-CRT` | ASI02 gap; critical example: privileged tool workflow lacks semantic firewall, sequence policy, or fail-closed resolution. | WARN / FREEZE | PUBLISH_WITH_WARN / QUARANTINE |
| `DAD-ASI03-WRN` / `DAD-ASI03-CRT` | ASI03 gap; critical example: sensitive/admin/financial/production action lacks per-action auth or delegation-chain proof. | WARN / FREEZE | PUBLISH_WITH_WARN / QUARANTINE |
| `DAD-ASI04-WRN` / `DAD-ASI04-CRT` | ASI04 gap; critical example: high-risk dependency is unpinned, unapproved, or unattested. | WARN / FREEZE | PUBLISH_WITH_WARN / QUARANTINE |
| `DAD-ASI05-WRN` / `DAD-ASI05-CRT` | ASI05 gap; critical example: code/file/shell agent lacks sandbox and pre-execution gate. | WARN / FREEZE | PUBLISH_WITH_WARN / QUARANTINE |
| `DAD-ASI06-WRN` / `DAD-ASI06-CRT` | ASI06 gap; critical example: shared/regulated memory lacks provenance, namespace isolation, and rollback. | WARN / FREEZE | PUBLISH_WITH_WARN / QUARANTINE |
| `DAD-ASI07-WRN` / `DAD-ASI07-CRT` | ASI07 gap; critical example: privileged multi-agent workflow lacks authenticated, signed, anti-replay messaging. | WARN / FREEZE | PUBLISH_WITH_WARN / QUARANTINE |
| `DAD-ASI08-WRN` / `DAD-ASI08-CRT` | ASI08 gap; critical example: autonomous cross-system workflow lacks circuit breaker, fan-out cap, or rollback. | WARN / FREEZE | PUBLISH_WITH_WARN / QUARANTINE |
| `DAD-ASI09-WRN` / `DAD-ASI09-CRT` | ASI09 gap; critical example: approval UI hides irreversible action consequences. | WARN / FREEZE | PUBLISH_WITH_WARN / QUARANTINE |
| `DAD-ASI10-WRN` / `DAD-ASI10-CRT` | ASI10 gap; critical example: high-autonomy agent lacks behavioral attestation and rogue-agent quarantine. | WARN / FREEZE | PUBLISH_WITH_WARN / QUARANTINE |

---

## 6. ABOM v0.4 closure

ABOM v0.4 now includes machine-readable submitter-claim fields for:

- `owasp_asi.version`, `claimed_traceability`, and all ten items' `claimed_status` and `claimed_evidence_state`,
- `intent_capsule`,
- `tool_policy`,
- `memory_policy`,
- `inter_agent_security`,
- `behavioral_integrity`,
- `human_trust_controls`,
- `runtime.pre_execution_scan`,
- `runtime.dedicated_working_directory`,
- `runtime.production_execution_gate`,
- `response.circuit_breaker`,
- `response.fanout_caps`,
- `response.rogue_quarantine_playbook`.

Canonical schema artifacts:

- Intake ABOM: [https://theclawline.com/schemas/abom-v0.4.schema.json](https://theclawline.com/schemas/abom-v0.4.schema.json)
- Verifier-owned assessment output: [https://theclawline.com/schemas/asi-assessment-v0.7.schema.json](https://theclawline.com/schemas/asi-assessment-v0.7.schema.json)

The intake schema does not accept CLAWLINE finding IDs, `computed_status`, or unprefixed verifier evidence fields. Even a submitter-supplied literal such as `claimed_evidence_state: "TESTED"` remains an untrusted claim. CLAWLINE writes derived results only to the separate assessment output.

---

## 7. Assessment output closure

The checkup API returns a sanitized, derived `owasp_asi` projection containing `projection_version: "clawline-api-owasp-asi/v1"`, `archival_assessment_schema: "https://theclawline.com/schemas/asi-assessment-v0.7.schema.json"`, `assessment_scope`, `runtime_behavior_verified`, `version`, `traceability`, optional `claimed_traceability`, `claim_conflict`, `risk_tier`, and computed summaries for `items.ASI01` through `items.ASI10`. Those summaries contain stable computed status/evidence, finding-emission, severity, DAD-route, reason-code, and control-ID information. The version and archival-schema pointer make the projection unmistakably distinct from the signed archival object.

A separately signed archival report claiming use of this v0.7 candidate profile must be a top-level verifier-owned object conforming to the ASI assessment v0.7 schema. It is neither the API projection nor an object embedded under the intake `owasp_asi` key.

| Contract area | Required output |
|---|---|
| Identity and integrity | Assessment/submission identifiers, policy and method versions, assessment time, CLAWLINE assessor marker, canonical SHA-256, and assessment signature. |
| Scope disclosure | `assessment_scope: "STATIC_SUBMISSION"` and `runtime_behavior_verified: false`. |
| Agent projection | Opaque identity subject, environment, autonomy tier, and blast-radius tier. |
| Overall result | Verifier-computed `traceability`, `dad_decision`, and `claws_action`. |
| Per-ASI result | Archival `items.ASI01` through `items.ASI10`, each with `computed_status`, derived `evidence_state`, conditional `finding_ids`, `finding_emitted`, severity, bound DAD route, negative-space entries, evidence references, exceptions, and remediation. |

Finding IDs are emitted only for an actual computed gap; a covered or not-assessed item has `finding_emitted: false` and an empty `finding_ids` array. Submitter `claimed_*` values may be carried only as claims and cannot determine the verifier fields by themselves.

Template artifact:

[https://theclawline.com/artifacts/agentic-ai/v0.7/clawline-asi-assessment-template.md](https://theclawline.com/artifacts/agentic-ai/v0.7/clawline-asi-assessment-template.md)

---

## 8. Updated claim language

Use this language for v0.7:

> The CLAWLINE v0.7 candidate extension defines evidence-traceability mappings to the OWASP ASI Top 10 for Agentic Applications 2026. Reports using this candidate profile may claim ASI traceability only when each ASI item includes a coverage state, evidence state, negative-space result, and mapped remediation. This is not a production standard, OWASP certification, or endorsement.

Automated reports must additionally disclose that the assessment covered a static submission and did not verify runtime behavior.

Do **not** claim official OWASP certification, endorsement, or compliance.

---

## 9. Source links

- OWASP Top 10 for Agentic Applications 2026: https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/
- OWASP Agentic Security Initiative: https://genai.owasp.org/initiatives/agentic-security-initiative/
- OWASP Agentic AI - Threats and Mitigations: https://genai.owasp.org/resource/agentic-ai-threats-and-mitigations/
- OWASP AIUC-1 Crosswalks for Agentic Applications: https://genai.owasp.org/resource/aiuc-1-crosswalks-owasp-top-10-for-agentic-applications/

Attribution: OWASP Gen AI Security Project / Agentic Security Initiative materials are used as external risk taxonomy references. OWASP content is licensed under Creative Commons Attribution-ShareAlike 4.0 unless otherwise specified by OWASP.
