OWASP Releases Agentic AI Security Report With New Governance Guidance for Security Teams
OWASP has released State of Agentic AI Security and Governance 2.01, a new report aimed at helping security leaders manage the risks created by autonomous AI agents, coding agents, tool-using assistants, and multi-agent systems.
The report warns that agentic AI security is now an operational issue, not a future concern. OWASP says documented incidents, vendor advisories, CVEs, and fast-moving open-source projects have made agent security a live risk for organizations deploying AI into real workflows.
The new State of Agentic AI Security and Governance 2.01 report is part of the OWASP GenAI Security Project and its Agentic Security Initiative, which focuses on securing autonomous agents and multi-step AI workflows.
OWASP says agentic AI risk is no longer theoretical
OWASP says the threat model for AI agents has changed quickly since its first version of the report in 2025. Agentic systems now connect to APIs, repositories, browsers, cloud services, enterprise apps, file systems, and production data.
That access changes the risk. A chatbot that only answers questions has a limited blast radius. An AI agent that can call tools, write code, send messages, change tickets, or query customer data can cause real damage when it gets hijacked or misconfigured.
The report also argues that AI safety and AI security converge at the deployment layer. Once an AI agent can act inside production systems, the same guardrails, logs, permissions, and incident processes must address both harmful behavior and adversarial abuse.
| Key report theme | What it means for security teams |
|---|---|
| Threats are real now | Agentic AI risks now have real incidents, advisories, and CVEs attached to them. |
| Safety and security converge | Teams need shared controls for harmful outcomes and attacker-driven abuse. |
| Governance must keep pace | Agent monitoring, incident routing, and stop mechanisms need to work in near real time. |
| Identity becomes a control plane | Organizations need clear ownership, permissions, and lifecycle controls for non-human agent identities. |
The report introduces a practical taxonomy for AI agents
One of the report’s main additions is a revised taxonomy for agentic systems. OWASP groups agents by what they do, how they are built, how they interact with other agents, and how much autonomy they have.
The taxonomy covers enterprise agents, coding agents, client-facing agents, personal agents, and infrastructure or operations agents. It also looks at implementation patterns such as orchestration frameworks, low-code platforms, custom agents, and agent-based services.
The OWASP report says autonomy should cut across every category. A supervised agent, a semi-autonomous agent, and a fully autonomous agent can create very different risks even when they use similar tools.
- Enterprise agents can touch internal workflows and sensitive business data.
- Coding agents can affect repositories, CI/CD pipelines, and cloud environments.
- Client-facing agents can expose organizations to public abuse and regulatory issues.
- Personal agents can create shadow AI risks on work devices.
- Infrastructure agents can affect cloud resources, monitoring, incident response, and deployment systems.
OWASP ties the report to its Top 10 for Agentic Applications
OWASP also connects the new report to the OWASP Top 10 for Agentic Applications 2026, a framework for the most important risks facing autonomous and agentic AI systems.
The Top 10 covers risks such as agent goal hijacking, tool misuse, identity and privilege abuse, agentic supply-chain vulnerabilities, unexpected code execution, memory and context poisoning, insecure inter-agent communication, cascading failures, human-agent trust exploitation, and rogue agents.
For security teams, this gives agentic AI deployments a shared risk language. It also gives builders and executives a clearer way to discuss risk before an agent reaches production.
| Risk area | Practical concern |
|---|---|
| Agent goal hijack | An attacker changes what the agent is trying to do through prompt injection or tool manipulation. |
| Tool misuse | An agent uses a legitimate tool in a harmful or unauthorized way. |
| Identity and privilege abuse | An agent receives more access than its job requires. |
| Supply-chain vulnerabilities | Malicious tools, packages, plugins, or MCP servers influence agent behavior. |
| Cascading failures | A failure in one agent spreads across connected agents or workflows. |
Fast-moving AI projects create a governance gap
OWASP’s ecosystem survey uses GitHub telemetry from 53 agentic AI repositories, with a snapshot taken in April 2026. The report says coding agents dominate developer mindshare, with 28 of the 53 tracked projects classified as coding agents.
The report highlights projects such as AutoGPT by Significant Gravitas, n8n, Dify, Claude Code, Gemini CLI, browser-use, Skyvern, OpenHands, Cline, crewAI, and Aider. OWASP says the speed of development creates pressure for security teams because some projects ship releases daily or faster.
This is especially important for coding agents. A coding agent sits upstream of the software it produces, so a compromised or poorly governed agent can push bad code or unsafe changes into repositories, pipelines, and downstream applications with limited human review.
- OWASP says seven tracked projects ship releases daily or faster.
- The five fastest-growing projects in the dataset are coding agents.
- Security advisory volume appears tied to adoption and community activity, not only autonomy level.
- Traditional review pipelines may struggle when agent tooling changes faster than organizations can assess it.
Non-human identity is becoming a major AI security issue
The report gives special attention to agent identity and non-human identity. This matters because AI agents often act through service accounts, API tokens, delegated user permissions, cloud roles, and tool credentials.
If organizations do not know which agent owns which credential, what tools it can use, and who can shut it down, they lose control of the agent’s blast radius. OWASP says identity is becoming the new control plane for agentic AI.
OWASP’s AI Vulnerability Scoring System project also supports this shift by creating a structured method for scoring agentic AI security risks. The project says AIVSS v0.8 adds updated scoring methodology, refined risk categories, and expanded assessment guidance for agentic AI architectures.
| Control area | What organizations should define |
|---|---|
| Agent owner | Who approves, monitors, and retires the agent. |
| Agent identity | Which non-human identity the agent uses to access systems. |
| Tool permissions | Which APIs, files, repositories, or workflows the agent can touch. |
| Autonomy level | Whether the agent needs approval before taking action. |
| Kill switch | How teams can pause or stop the agent quickly during an incident. |
AI SBOMs and MCP security are now part of the same discussion
Agentic AI also expands the software supply-chain problem. Traditional SBOMs help organizations understand software components, but agentic systems can assemble tools, prompts, models, connectors, and delegated agents at runtime.

That is why OWASP points organizations toward the AI SBOM Initiative. The report argues that agentic systems need inventories that cover models, datasets, RAG systems, MCP servers, agent frameworks, connectors, tool ecosystems, and external registries.
The Model Context Protocol (MCP) also receives attention because it connects AI assistants to external tools, APIs, and data sources. OWASP’s secure MCP server development guide says MCP servers operate with delegated user permissions, dynamic tool-based architectures, and chained tool calls, so a single vulnerability in one server can have an outsized impact.
- Inventory every AI agent and every tool it can call.
- Track model versions, data sources, prompts, connectors, and MCP servers.
- Apply least privilege to tool access and delegated credentials.
- Require provenance for high-impact agent workflows.
- Log tool calls, agent decisions, and delegation paths for investigation.
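The control areas in the identity table above (owner, non-human identity, tool permissions, autonomy level, kill switch) and the least-privilege, delegation and logging items in the list above all meet at one point: the moment an agent asks to call a tool. The Python below is an added example, not code from the OWASP report or any OWASP project; the agent records, tool names, user permissions and the set of "high-impact" tools are constructed for illustration, and the registry is an in-memory stand-in for whatever inventory an organization actually keeps.

```python
# Added example (not code from the OWASP report): a policy gate that checks an
# agent's tool call against a registry entry covering the control areas OWASP
# lists (owner, non-human identity, tool allow-list, autonomy level, kill switch),
# enforces that delegated calls never exceed the delegating user's permissions,
# and writes an audit record for every decision. All names are constructed.
from dataclasses import dataclass, asdict
from enum import Enum
import json


class Autonomy(str, Enum):
    SUPERVISED = "supervised"            # every tool call needs human approval
    SEMI_AUTONOMOUS = "semi-autonomous"  # only high-impact tools need approval
    AUTONOMOUS = "autonomous"            # no approval gate; relies on monitoring


@dataclass
class AgentRecord:
    agent_id: str
    owner: str                # who approves, monitors, and retires the agent
    identity: str             # non-human identity it acts as (service account, role)
    allowed_tools: frozenset  # least-privilege tool allow-list
    autonomy: Autonomy
    enabled: bool = True      # kill switch: False pauses the agent immediately


@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_approval: bool = False


# Hypothetical set of tools whose misuse has a large blast radius.
HIGH_IMPACT_TOOLS = frozenset({"git.push", "ticket.close", "crm.export"})


class PolicyGate:
    def __init__(self, registry, user_permissions):
        self.registry = {a.agent_id: a for a in registry}
        self.user_permissions = user_permissions  # user -> set of tools they may use
        self.audit_log = []  # one record per decision, so an investigator can replay it

    def evaluate(self, agent_id, tool, on_behalf_of=None, approved=False):
        decision = self._decide(agent_id, tool, on_behalf_of, approved)
        agent = self.registry.get(agent_id)
        self.audit_log.append({
            "agent_id": agent_id,
            "identity": agent.identity if agent else None,
            "owner": agent.owner if agent else None,
            "tool": tool,
            "on_behalf_of": on_behalf_of,
            **asdict(decision),
        })
        return decision

    def _decide(self, agent_id, tool, on_behalf_of, approved):
        agent = self.registry.get(agent_id)
        if agent is None:
            return Decision(False, "unregistered agent (shadow AI)")
        if not agent.enabled:
            return Decision(False, "agent disabled by kill switch")
        if tool not in agent.allowed_tools:
            return Decision(False, "tool not in agent allow-list")
        # Delegated permissions: the agent may never exceed what the user itself holds.
        if on_behalf_of is not None and tool not in self.user_permissions.get(on_behalf_of, set()):
            return Decision(False, "delegating user lacks permission for tool")
        needs_approval = (
            agent.autonomy is Autonomy.SUPERVISED
            or (agent.autonomy is Autonomy.SEMI_AUTONOMOUS and tool in HIGH_IMPACT_TOOLS)
        )
        if needs_approval and not approved:
            return Decision(False, "human approval required", needs_approval=True)
        return Decision(True, "allowed")

    def kill(self, agent_id):
        """Kill switch: pause an agent without deleting its registry entry."""
        self.registry[agent_id].enabled = False

    def audit_jsonl(self):
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.audit_log)


def build_demo_gate():
    """Constructed registry and user permissions for the demonstration."""
    registry = [
        AgentRecord("ticket-bot", "it-ops@example.com", "svc-ticket-bot",
                    frozenset({"ticket.read", "ticket.close"}), Autonomy.SEMI_AUTONOMOUS),
        AgentRecord("code-agent", "platform@example.com", "role/ci-code-agent",
                    frozenset({"git.read", "git.push"}), Autonomy.SUPERVISED),
    ]
    user_permissions = {"alice": {"ticket.read", "ticket.close"}, "bob": {"ticket.read"}}
    return PolicyGate(registry, user_permissions)


if __name__ == "__main__":
    gate = build_demo_gate()
    gate.evaluate("ticket-bot", "ticket.read", on_behalf_of="bob")    # allowed
    gate.evaluate("ticket-bot", "ticket.close", on_behalf_of="bob")   # bob lacks permission
    gate.evaluate("ticket-bot", "ticket.close", on_behalf_of="alice") # approval required
    gate.evaluate("ticket-bot", "crm.export", on_behalf_of="alice")   # not in allow-list
    gate.evaluate("rogue-helper", "ticket.read")                      # unregistered agent
    gate.kill("code-agent")
    gate.evaluate("code-agent", "git.push", approved=True)            # stopped by kill switch
    print(gate.audit_jsonl())
```

Two design points carry over to real deployments. First, a delegated call is bounded by both the agent's own allow-list and the delegating user's permissions, which is the intersection an MCP-style server acting with delegated user permissions needs; neither side alone is enough. Second, every decision, including denials and approval requests, lands in the audit record with the agent's identity and owner, so a later investigation can reconstruct what the agent tried to do and who was accountable, not only what succeeded.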
The governance maturity model starts with shadow AI
OWASP’s new Enterprise Adoption Maturity Model asks organizations to evaluate two things: what kinds of agents they deploy and how mature their governance controls are.
The model starts with AT0, or shadow AI. OWASP says unmanaged AI usage exists in many organizations and must be discovered before leaders can govern it. That includes personal agents, browser-based assistants, coding tools, workflow automations, and local tools employees use without formal approval.
At higher maturity levels, OWASP recommends formal governance policies, human-in-the-loop workflows, agent registries, AI-SBOM or provenance systems, structured incident processes, real-time monitoring, anomaly detection, kill switches, and governance-as-code.
| Maturity level | Short description | Security focus |
|---|---|---|
| Level 0 | Unaware and ad hoc | Find undocumented agentic AI use. |
| Level 1 | Initial awareness | Create policies and basic approval paths. |
| Level 2 | Managed governance | Add ownership, audit processes, and human oversight. |
| Level 3 | Integrated continuous oversight | Use real-time monitoring, kill switches, and machine-readable policy. |
| Level 4 | Adaptive governance | Continuously adjust controls as agents, threats, and regulations change. |
What security leaders should do next
The practical message from OWASP is simple: organizations should treat agentic AI as a first-class security domain. That means agents need inventory, ownership, identity controls, tool governance, logging, incident response, and supply-chain review.

Security teams should also align agent deployments with the Top 10 for Agentic Applications and use AIVSS to build more consistent risk scoring for agentic AI findings.
For technical teams, the next step is to review how agents call tools. The OWASP MCP guidance is relevant because agent tool connections can become a high-impact attack path when they carry delegated permissions.
- Create an inventory of approved and shadow AI agents.
- Assign every production agent an owner and a documented business purpose.
- Map agent permissions against the principle of least privilege.
- Track third-party tools, plugins, MCP servers, and agent frameworks.
- Build logging that can reconstruct agent decisions and tool calls.
- Add circuit breakers and kill switches for high-autonomy agents.
- Use the AI SBOM Initiative approach to improve transparency across AI components.
The new report gives CISOs, developers, AI teams, and risk leaders a practical way to discuss agentic AI security before problems reach production. It also makes clear that occasional model reviews are no longer enough when agents can act continuously across systems.
The Agentic Security Initiative now gives organizations a growing set of resources for this work, from risk taxonomies and maturity models to incident tracking, MCP guidance, AI SBOM work, and hands-on training.
For enterprises already deploying AI agents, the takeaway is direct. Discover what agents exist, limit what they can do, log what they actually do, and make sure teams can stop them quickly when behavior drifts or attackers interfere.
FAQ
What did OWASP release?
OWASP released State of Agentic AI Security and Governance 2.01, a report that gives security leaders guidance for securing and governing autonomous AI agents, coding agents, tool-using assistants, and multi-agent workflows.
What is agentic AI security?
Agentic AI security focuses on protecting AI systems that can plan, take actions, call tools, use APIs, access data, interact with other agents, or operate with some level of autonomy across business systems.
Where do AI safety and AI security overlap?
OWASP says the overlap happens at the deployment layer. Once an AI agent can act inside production systems, the same controls, permissions, logs, monitoring, and incident response processes must address both unsafe behavior and attacker-driven abuse.
What are the main agentic AI risks?
The risks include agent goal hijacking, tool misuse, identity and privilege abuse, supply-chain vulnerabilities, unexpected code execution, memory and context poisoning, insecure inter-agent communication, cascading failures, trust exploitation, and rogue agents.
Where should organizations start?
Organizations should start by inventorying approved and shadow AI agents, then mapping each agent’s owner, tools, permissions, data access, autonomy level, logs, and shutdown process.
Why do AI SBOMs matter for agents?
AI SBOMs help organizations track the models, datasets, prompts, tools, connectors, MCP servers, frameworks, and runtime components that influence agent behavior. This improves supply-chain visibility and incident response.