State of Agentic AI Security and Governance

Source: OWASP GenAI Security Project — State of Agentic AI Security and Governance (v2.01, June 2026). Local copy: .raw/papers/owasp-state-of-agentic-ai-security-governance-v2.01.pdf (md5 9d91e1699749cb616b07f93062fd2efe).

Key Claim

Organizations are deploying agents faster than they can govern them, and more budget for existing programs will not close the gap.1 Three findings carry the report: the threats are real now (the v1.0 risk portfolio has documented production incidents behind nearly every category), safety and security converge at the deployment layer, and governance must move from periodic audit to continuous oversight.1 The operational answer is a two-dimensional maturity model that scores governance capability against agent adoption tier.2

Methodology

The report is a CISO-facing synthesis, not a control standard.3 It is the v2 edition of an ASI deliverable first published July 2025, re-grounded in a year of evidence.1 Inputs:

  • Documented 2025–2026 incidents and public CVE disclosures, curated in the ASI Exploits and Incidents Tracker (424+ total CVEs, 74 critical, 17 platforms studied; 290 agentic CVEs in Q1 2026 alone).4
  • GitHub telemetry from 53 tracked agentic repositories via the OWASP State of AI GitHub Surveyor, snapshot April 2026.5
  • Enterprise adoption data from a16z (29% of Fortune 500 and ~19% of Global 2000 are live paying customers of a leading AI startup).6
  • A regulatory survey of 42 instruments across 10 jurisdictions plus 12 watchlist items, assessed across nine governance dimensions, verified through April 4, 2026.7
  • Prior OWASP, CSA, NIST, and academic work; cross-referenced to the ASI Top 10 throughout.3

Licensed CC BY-SA 4.0.8

Agent Taxonomy (three independent dimensions)

A deployed agent is classified as Agent Type + Implementation Pattern + Composition Pattern, at some autonomy level.9 Any type can be built through any implementation and participate in any composition.9

DimensionValuesGoverns
Agent typeEnterprise, Coding, Client-Facing, Personal, Infrastructure/OpsWhat the agent does, where it operates
ImplementationOrchestration frameworks, Lightweight library, Platform-native / Low-codeAudit surface, monitoring, org visibility
CompositionSingle Agent + Tools, Multi-Agent Systems, Distributed Agent Chains, Agent-SpawningTrust-boundary structure, cascading-failure risk
Autonomy (cross-cutting)Supervised, Semi-autonomous, Fully autonomousWindow for unsupervised action; blast radius

Lightweight-library and low-code implementations carry the highest Shadow AI risk because security properties are builder-determined or platform-dependent, which complicates inventory.10 Composition determines where the lethal trifecta and permission-inheritance risks land.11

Threat Landscape (six areas)

Threat areaCore observation
Expanding autonomyPrivileged capabilities chain across systems never built to trust a probabilistic intermediary
Prompt injectionPrimary delivery mechanism; maps to 6 of 10 ASI categories; data/control plane collapse is unsolved12
Agentic supply chainMoved from theory to active exploitation across protocol, skill-registry, and core-package layers13
Governance gapVibe coding plus Shadow AI; ~50% of employees use unsanctioned AI, only 37% of orgs have policy14
Agent identity gapNon-human identities outnumber humans 100:1 or more; identity governance immature15
Layered attack surfaceIndependent efforts (MAESTRO, A2A, vendor frameworks) converged on a multi-layer model16

Pull-quote framing the report’s central thesis on convergence:

At the deployment layer, AI safety and AI security cannot be operationally separated. Security harm comes from what an agent is permitted to do; safety harm comes from what the agent is. The same design decisions (tool access, oversight reduction, multi-agent composition, supply-chain growth) create both exposures, and the same telemetry detects both.17 Model-level safety remains the provider’s domain; deployment-layer safety belongs with the security function.17

Real-World Incidents (selected)

DateIncidentASI mapping
Dec 2025Claude Skills ransomware deployment (Cato CTRL)ASI04, ASI0518
Sep 2025OpenAI Codex CLI sandbox bypass (CVE-2025-59532)ASI02, ASI0518
May 2025EchoLeak zero-click Copilot exfiltrationASI01, ASI02, ASI0618
Apr 2025A2A agent-in-the-middle / fake agent cardASI03, ASI06, ASI07, ASI08, ASI1018
Jan 2026Cursor allowlist bypass (CVE-2026-22708)ASI04, ASI0519

The recurring structure: controls calibrated for human operators (sandboxes, allowlists, human-in-the-loop approval) become exploitable when the executor can influence its own containment.19

Agent Identity vs Non-Human Identity

The report separates two layers the industry conflates: Non-Human Identity (NHI) is an authentication primitive (is this credential valid?); Agent Identity is a governance framework that attests provenance, intent, and authority continuously.20 NHI gates identity at session start; Agent Identity must govern behavior at the moment of each action.20 Scale evidence cited from Entro Security’s 2025 NHI report: 97% of NHIs carry excessive privileges, 0.01% of machine identities control 80% of cloud resources, 71% are not rotated within recommended timeframes.21 See AI Agent Identity Architecture and NHI Governance for AI Agents.

Enterprise Adoption Maturity Model

The model crosses two dimensions: Adoption Tier (AT0–AT8, what is deployed) against Governance Maturity (Levels 0–4, how mature the governing capability is).2 Required governance scales with tier, not with a flat checklist.2

TierNameDefining characteristic
AT0Shadow AINo org awareness; users self-adopt outside governance22
AT1Vendor Embedded AssistantFully vendor-controlled (e.g. M365 Copilot)22
AT2Platform IntegratedAI-native platform on your data; no arbitrary code22
AT3Citizen Developer AgentLow/no-code flows acting on org data22
AT4Code Executing AgentGenerates and executes code with local/cloud privileges22
AT5Custom In-House AgentYou built it; you control identity, tools, boundaries22
AT6Externally Extended AgentConnects to external tools/services across trust boundaries22
AT7Multi-Agent OrchestrationMultiple agents coordinate within the org22
AT8Federated / Cross-BoundaryAgents operate across organizational boundaries22
LevelNamePosture
0Unaware and Ad HocNo formal recognition of agentic risk; informal oversight23
1Experimentation without GuardrailsPilots without autonomy limits or escalation criteria23
2Policy-Defined, Human-in-the-LoopPolicies map to regulation; HITL for high-impact decisions23
3Integrated, Continuous OversightReal-time monitoring, kill switches, governance-as-code23
4Adaptive, Self-RegulatingGovernance at model speed; crypto identity, auto-tuned guardrails23

The Governance Posture Matrix marks insufficient combinations: AT0 is CRITICAL at every level below continuous monitoring (the only remedy is elimination into managed tiers); AT8 Federated is “DO NOT DEPLOY” below Level 3.24 CSA’s 2026 survey found only 27% of organizations planning agentic deployments felt confident in their ability to secure them.25

ASI Risk Classes by Adoption Tier

Tier bandDominant ASI risks
AT0 Shadow AIASI01 Goal Hijack, ASI06 Memory Poisoning, ASI09 Human-Agent Trust26
AT1–AT2 Vendor/PlatformASI01, ASI06 (constrained by vendor controls)26
AT3 Citizen-DeveloperAdds ASI02, ASI03, ASI05 (action without review)26
AT4–AT5 Code-Exec/CustomASI05 Unexpected Code Execution dominant; 6–8 ASI entries active26
AT6–AT7 External/Multi-AgentASI02 escalates; ASI04, ASI07, ASI08, ASI10 activate26
AT8 FederatedAll ASI01–ASI10 at maximum severity; systemic cross-org risk26

Regulatory Landscape (10 jurisdictions, 42 instruments)

InstrumentAgentic-relevant obligation
EU AI ActArt 14 human oversight, Art 72 post-market drift monitoring, Art 25 value-chain liability, Art 73 serious-incident reporting27 (article numbers verified in the 2026-Q2 EU AI Act review)
DORA4-hour initial incident notification; annual threat-led penetration testing (financial sector)28
NIS224-hour early warning; Art 21(2)(d) supply-chain security (critical infrastructure)29
GDPR Art 22Hard floor on agent autonomy in consequential automated decisions30
EU Revised Product Liability DirectiveStrict no-fault liability across the AI value chain (effective Dec 2026)31
NY RAISE Act / CA SB 5372-hour / 15-day safety incident reporting; $1M-per-violation penalties32

Compressed reporting clocks (DORA 4h, NIS2 24h, NY RAISE 72h, CA SB 53 15 days) assume continuous oversight, not quarterly review.33 U.S. federal preemption of 145+ state AI laws is unresolved, leaving conflicting obligations with no safe harbor.34

Notable Findings

  • Adoption velocity is the governance problem. Coding agents are 53% of tracked repos and the fastest-growing category; seven projects ship releases daily or faster, compressing the gap between first commit and enterprise use to below traditional security-review cycles.35
  • Cyber-insurance coverage is collapsing. Verisk’s ISO CGL AI exclusions took effect January 2026; WR Berkley filed an absolute AI exclusion. A dedicated AI-insurance market (Armilla, Testudo, HSB/Munich Re) requires demonstrated governance as an underwriting prerequisite, so security posture now determines insurability.36
  • Adversarial agent weaponization is documented. The GTG-1002 campaign used jailbroken Claude Code for largely autonomous espionage against ~30 organizations, with AI executing 80–90% of tactical operations; CrowdStrike reported an 89% increase in AI-enabled attacks with average breakout time falling to 29 minutes.37
  • Personal-agent coverage is partial. The OpenClaw threat model (37 threats, 8 tactics) maps 24 threats directly to ASI categories; the multi-agent categories ASI07/ASI08/ASI10 do not apply to single-agent architectures, and four patterns (config tampering, approval-prompt manipulation, staged payload delivery, pairing/token theft) fall outside the Top 10.38
  • What remains unsolved. Three structural problems lack solutions: the assurance model (pre-deployment docs describe a system that composes behavior at runtime), human oversight at machine speed (an agent at 10,000 actions/hour against a reviewer evaluating 50 covers 0.5% of decisions), and regulatory fragmentation across jurisdictions.39

Strengths and Weaknesses

Strengths:

  • The Adoption-Tier × Governance-Maturity matrix gives boards and risk leaders a falsifiable self-assessment instrument rather than a flat checklist, with explicit “do not deploy” cells.24
  • Evidence-grounded: nearly every threat carries a named 2025–2026 incident or CVE, and quantitative claims cite external sources (a16z, Entro, CSA, CrowdStrike).
  • The safety/security convergence argument is operationally specific (shared telemetry, shared root cause, shared incident-response), not rhetorical.17

Weaknesses:

  • An awareness-and-governance document, not a compliance standard: no shall-level requirements, no certification or audit-evidence mechanism, no graded maturity criteria that an assessor could score. The same enforceability limit applies as to the ASI Top 10.
  • Several headline figures are cited to secondary or vendor sources rather than primary data (the a16z adoption percentages, the Entro NHI statistics, the CSA 27% confidence figure), and some incident attributions name colloquial campaign labels (GTG-1002, ClawHavoc, hackerbot-claw) without primary links.
  • The maturity model assumes organizations can inventory and classify their agents at Level 1+; the report acknowledges this inventory step is hardest for the lightweight-library and low-code implementations that carry the most Shadow AI risk.10

Relations

Footnotes

  1. OWASP GenAI Security Project, State of Agentic AI Security and Governance, v2.01, June 2026 — Executive Summary (pp. 7–8): “Most organizations are deploying agents faster than they can govern them. More budget for the programs we already run will not close that gap”; three findings. .raw/papers/owasp-state-of-agentic-ai-security-governance-v2.01.pdf. 2 3

  2. Same source, Enterprise Adoption Maturity Model (pp. 53–60): two dimensions (Adoption Tier AT0–AT8, Governance Maturity Levels 0–4) and the Governance Posture Matrix. 2 3

  3. Same source, Scope and Audience / Fit with Agentic Initiative Resources (pp. 9–11) and Agents Taxonomy Scope (p. 12): CISO/C-level audience; detailed controls deferred to companion OWASP resources. 2

  4. Same source, Real-World Incidents and Exploits Tracker (pp. 35–36): “424+ Total CVEs, 74 Critical, 17 Platforms Studied”; “2026* OpenClaw 238, MCP 30+, CrewAI, PraisonAI (Q1 only): 290 CVEs.”

  5. Same source, Notable Agentic Projects Survey (p. 20) and Appendix 4 (pp. 118–123): GitHub telemetry across 53 tracked repositories, snapshot April 2026.

  6. Same source, Notable Agentic Projects (p. 20) and Enterprise Adoption Maturity Model (p. 53): a16z April 2026 analysis — 29% of Fortune 500 and ~19% of Global 2000 are live paying customers of a leading AI startup.

  7. Same source, Appendix 2: Global Regulatory and Compliance Landscape (p. 77): “42 regulatory instruments, standards, and frameworks across ten jurisdictions … plus 12 watchlist items … nine dimensions … verified through April 4, 2026.”

  8. Same source, License and Usage (p. 2): Creative Commons CC BY-SA 4.0.

  9. Same source, Agents Taxonomy (pp. 12–13): three independent dimensions; “Deployed agent = Agent Type + Implementation Pattern + Composition Pattern, at some autonomy level.” 2

  10. Same source, Implementation Patterns (pp. 15–16): governance properties are builder-determined (lightweight library) or platform-dependent (low-code); highest Shadow AI risk; ForcedLeak (Agentforce) cited at the low-code layer. 2

  11. Same source, Composition Patterns (pp. 17–18): single-agent lethal-trifecta risk, multi-agent shared-memory poisoning, distributed-chain trust transitivity, agent-spawning permission inheritance.

  12. Same source, Prompt Injection: The Primary Delivery Mechanism (pp. 24–25): LLM01:2025; data/control plane collapse; maps to six of ten ASI categories; cites Willison’s lethal trifecta and Meta’s “Agents Rule of Two.”

  13. Same source, The Agent Supply Chain Moved from Theory to Active Exploitation (pp. 25–26): postmark-mcp first malicious MCP server; CVE-2025-6514 (CVSS 9.6); Tool Poisoning Attacks; ClawHavoc / ToxicSkills; hackerbot-claw / LiteLLM token theft.

  14. Same source, Vibe Coding and Shadow AI (pp. 23–24): roughly half of employees use unsanctioned AI; only 37% of organizations have policies to manage AI or detect shadow AI (IBM Cost of a Data Breach Report).

  15. Same source, The Agent Identity and Governance Gap (p. 26) and Agent Identity vs NHI (p. 40): non-human identities outnumber human users 100:1, with some organizations reporting 500:1.

  16. Same source, The Attack Surface Model Found Its Shape (pp. 26–27): CSA MAESTRO, AWS scoping matrix, NVIDIA/Lakera, Google A2A converge on a layered model.

  17. Same source, AI Safety vs AI Security (pp. 28–34): definitions table (p. 28), convergence-trends table (p. 32), “Safety and security, governed together” five-dimensions figure (p. 34). 2 3

  18. Same source, Real-World Incidents and Exploits Tracker table (p. 36): Claude Skills ransomware (Cato CTRL), Codex CLI sandbox bypass (NVD), EchoLeak (Microsoft / Aim Security), A2A agent-in-the-middle (Trustwave). 2 3 4

  19. Same source, The Expanding Autonomy of Agents — Coding Agents (p. 23) and Appendix 1.2 (p. 72): CVE-2026-22708 (Cursor allowlist bypass) and CVE-2025-59532 (Codex CLI sandbox boundary); “controls calibrated for human operators become exploitable when the executor can influence its own containment.” 2

  20. Same source, Agent Identity vs Non-Human Identity (NHI) (pp. 40–45): NHI as authentication primitive vs Agent Identity as governance framework; Provenance, Attestation, Intent; “Agentic identity control plane” figure (p. 45). 2

  21. Same source, Agent Identity vs NHI (p. 40): Entro Security’s 2025 State of NHI report — 97% of NHIs carry excessive privileges; 0.01% of machine identities control 80% of cloud resources; 71% not rotated within recommended timeframes.

  22. Same source, Adoption Tier as a Maturity Dimension (pp. 53–55): Agentic Adoption Tiers AT0–AT8 table. 2 3 4 5 6 7 8 9

  23. Same source, Agentic AI Governance Maturity Model (pp. 55–57): Maturity Levels 0–4 with key enterprise actions. 2 3 4 5

  24. Same source, Maturity Level × Adoption Tier: Governance Posture Matrix (pp. 57–58): AT0 CRITICAL / elimination-only; AT8 “DO NOT DEPLOY” below Level 3; bold cells = governance insufficient for tier. 2

  25. Same source, Governance-Deployment Collision at Advanced Adoption Tiers (p. 67): “CSA’s 2026 survey found only 27% of organizations planning agentic deployments felt confident in their ability to secure them.”

  26. Same source, Appendix 3: Key ASI Risk Classes by Adoption Tier (pp. 116–117). 2 3 4 5 6

  27. Same source, Appendix 2.1 EU (pp. 77–80): EU AI Act Art 14 (human oversight), Art 72 (post-market monitoring / behavioral drift), Art 25 (value-chain liability), Art 6/Annex III high-risk classification.

  28. Same source, Appendix 2.1 (p. 78): DORA — 4-hour initial incident notification; annual threat-led penetration testing; enforceable Jan 17, 2025; fines up to 2% annual turnover.

  29. Same source, Appendix 2.1 (p. 79): NIS2 — 24-hour early warning, 72-hour notification, one-month final report; Article 21(2)(d) supply-chain security.

  30. Same source, Appendix 2.1 (p. 78): GDPR Article 22 — hard floor on agent autonomy in solely-automated consequential decisions; right to contest.

  31. Same source, Appendix 2.1 (p. 79): EU Revised Product Liability Directive (2024/2853) — strict no-fault liability across the AI value chain; no maximum liability cap.

  32. Same source, From Static Compliance to Runtime Governance (p. 64): NY RAISE Act ($1M first violation; 72-hour safety incident reporting), California SB 53 ($1M per violation; 15-day window), Colorado SB 24-205 (up to $20,000 per violation, delayed to June 30, 2026).

  33. Same source, Executive Summary (p. 8) and From Static Compliance to Runtime Governance (p. 64): DORA 4-hour, NIS2 24-hour, NY RAISE 72-hour, CA SB 53 15-day windows assume continuous oversight.

  34. Same source, What Remains Unsolved (p. 67): U.S. federal preemption unresolved; “over 145 state AI laws enacted in 2025 create overlapping obligations with conflicting definitions and penalty structures.”

  35. Same source, Notable Agentic Projects Survey and Key Trends (pp. 20–21): 28 of 53 repos classified as coding agents (53%); seven projects ship releases daily or faster; trycua/cua averaged a release every 8 hours.

  36. Same source, Cyber Insurance Coverage Collapse for Agentic AI Deployments (pp. 67–68): Verisk ISO CGL exclusions effective January 2026; WR Berkley absolute AI exclusion; Armilla, Testudo, HSB/Munich Re require demonstrated governance as underwriting prerequisite.

  37. Same source, Adversarial Agent Weaponisation (p. 68): GTG-1002 jailbroken Claude Code espionage against ~30 organizations (AI executing 80–90% of tactical operations); CrowdStrike 2026 report — 89% increase in AI-enabled adversary attacks, average breakout time 29 minutes.

  38. Same source, Appendix 6: The Top 10 Impacting Personal Agents (pp. 128–133): OpenClaw threat model — 37 threats across 8 tactics; 24 direct ASI matches; ASI07/ASI08/ASI10 do not apply to single-agent architecture; four product-type gaps.

  39. Same source, What Remains Unsolved (pp. 66–67): assurance model mismatch, human oversight at machine speed (10,000 actions/hour vs 50 reviewed = 0.5% coverage), regulatory fragmentation.