OWASP State of Agentic AI Security and Governance 2026: The Receipts
Read OWASP's State of Agentic AI Security and Governance v2: real incidents, a maturity matrix, and the governance clocks every CISO must run now.
Disclosure: I co-led the OWASP State of Agentic AI Security and Governance 2026 with Ariel Fogel and Evgeniy Kokuykin. I’ll also show you the places I’d push back on it even with my name on the cover, so you can weigh the case on its merits instead of on mine. The report lives here: https://genai.owasp.org/resource/state-of-agentic-ai-security-and-governance/
A year ago, agentic AI security was a stack of position papers and vendor pitches. Today, almost every category in the OWASP Top 10 for Agentic Applications has a production incident, a vendor advisory, or a CVE attached to it. The OWASP State of Agentic AI Security and Governance 2026, published June 1, 2026, collects that evidence into one place and hands you a map. If you run security or AI risk anywhere agents are deployed (and they are deployed in your environment, whether you’ve gone looking or not), this is the report you read ASAP.
How The OWASP State of Agentic AI Security and Governance 2026 Audits The Present
When v1 shipped in July 2025, I expected the threat catalog to fill in over a couple of years. It filled faster. ASI04, the supply chain category, and ASI05, code execution, are now tied for the highest volume of disclosed incidents. I expected regulation to lag the technology by years. It didn’t. This year’s report maps 42 instruments across 10 jurisdictions. The gap I watch in client environments, between how mature their governance is and how aggressive their agent deployments are, turned out wider than I would have guessed. Shadow AI sits in nearly every organization our contributors examined.
2025 called out the future. 2026 audits the present, and it’s organized around three findings:
The threats are real now.
Safety and security converge at the deployment layer.
Governance runs on a clock measured in hours.
Here’s what each one means for your program, and where I’d still argue with the document.
Finding One: The Threats Have Receipts Now, And Here’s What To Demand
2025 listed architectural concerns. 2026 attaches names, dates, and CVE numbers to them. The Real-World Incidents and Exploits Tracker is the chapter I point people to first, because it ends the “show me a real attack” conversation in about thirty seconds.
EchoLeak was a zero-click prompt injection that turned a single email into a Microsoft Copilot data exfiltration path, as documented by Aim Security. Cato CTRL showed Claude’s Skills feature deploying MedusaLocker ransomware by re-uploading a Skill carrying malicious code that ran on its own. OpenAI’s Codex CLI shipped a sandbox bypass, CVE-2025-59532, in which the model’s own output could redraw the writable boundary it was supposed to stay within. Cursor carried a sibling flaw, CVE-2026-22708, where an attacker who influenced the agent’s instructions could ride an already-approved command like git branch straight into arbitrary code execution. Trustwave’s SpiderLabs team published an agent-in-the-middle attack against the A2A protocol, in which a fake agent card claiming high trust was selected by an LLM judge and used to intercept data. Pillar Security demonstrated manipulated code suggestions seeding backdoors and leaked keys into production through GitHub Copilot and Cursor.
Notice the structural lesson under the Cursor and Codex flaws. The controls were calibrated for human operators, and they broke the moment the executor could influence its own containment. An allowlist that auto-approves a git branch is a convenience for a developer and a loaded gun for an agent that can rewrite what runs behind that command. That’s the shift 2026 keeps returning to. The model stopped being a component inside your application and became an actor with hands on your tools.
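To make the allowlist point concrete, here is an added example of my own, not code from the report or from any of the vendors named above. It contrasts the convenience pattern (approve anything that starts with an allowed string) with a deny-by-default policy that requires an exact argv match, refuses shell metacharacters, and refuses to auto-approve at all while the files that shape the command's behaviour (for git, repo-local config and hooks) sit inside the agent's writable scope. The paths, the sandbox layout, and the `ApprovalPolicy` design are hypothetical.

```python
import shlex
from dataclasses import dataclass
from pathlib import PurePosixPath

# Characters that hand part of the string to a shell. If any appear, the text
# is no longer "the command we approved", whatever it starts with.
SHELL_META = set(";|&`$<>\n")


def prefix_allowlist_approves(command: str, prefixes: list[str]) -> bool:
    """The convenience pattern: auto-approve anything that starts with an allowed string."""
    return any(command.startswith(p) for p in prefixes)


@dataclass
class ApprovalPolicy:
    """Deny-by-default auto-approval for an agent's tool runner (hypothetical design)."""
    allowed_argv: set[tuple[str, ...]]  # exact argv tuples, e.g. ("git", "branch")
    agent_writable: list[str]           # roots the agent may write to (assumed sandbox layout)
    executor_config: list[str]          # files that change what an allowed binary does; for git,
                                        # repo-local config and hooks (assumed repo layout)

    def executor_config_is_writable(self) -> bool:
        """True when any file that shapes the allowed command's behaviour sits inside the
        agent's writable scope. Then "git branch" names a string, not a fixed behaviour."""
        return any(
            PurePosixPath(cfg).is_relative_to(PurePosixPath(root))
            for cfg in self.executor_config
            for root in self.agent_writable
        )

    def approve(self, command: str) -> tuple[bool, str]:
        """Return (auto_approved, reason). Anything not approved goes to a human."""
        if any(ch in SHELL_META for ch in command):
            return False, "shell metacharacter present: human review"
        try:
            argv = tuple(shlex.split(command))
        except ValueError as exc:
            return False, f"unparseable command ({exc}): human review"
        if argv not in self.allowed_argv:
            return False, "argv is not an exact allowlist entry: human review"
        if self.executor_config_is_writable():
            return False, "executor config is inside agent-writable scope: human review"
        return True, "exact allowlisted argv and executor config is read-only to the agent"


if __name__ == "__main__":
    # Constructed sample paths; nothing here reflects a real repository.
    cfg = ["/work/repo/.git/config", "/work/repo/.git/hooks/pre-commit"]
    narrow = ApprovalPolicy({("git", "branch")}, ["/work/agent-scratch"], cfg)
    broad = ApprovalPolicy({("git", "branch")}, ["/work"], cfg)
    for cmd in ("git branch", "git branch --list", "git branch; echo injected"):
        print(f"{cmd!r:32} prefix={prefix_allowlist_approves(cmd, ['git branch'])!s:5} "
              f"narrow={narrow.approve(cmd)[0]!s:5} broad={broad.approve(cmd)[0]}")
```

Run it and the table shows the shift in one glance: the prefix check approves all three strings, the narrow policy approves only the literal `git branch`, and the broad policy, where the agent can write the repository that configures git, approves nothing without a human. An exact argv check is necessary but not sufficient; the writable-scope check is what turns "this string is allowed" into "this behaviour is fixed".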
Two patterns matter more than any single incident. First, ASI04 and ASI05 are tied for the most disclosed incidents, and a security audit nicknamed IDEsaster found vulnerabilities in 100% of the major AI coding IDEs it tested. Code sits upstream of everything else you ship, so an exploit in a coding agent is a supply chain event, not a developer inconvenience. Second, ASI03, identity and privilege abuse, carries the widest gap between how severe the risk is and how ready anyone is for it. Non-human identities already outnumber humans across most enterprises, and almost nobody has a strategy for governing them.
Here’s what the evidence tells you to demand. Treat agent identity as its own control plane, not a service account with a fancier name. The report tracks NIST’s AI Agent Standards Initiative, the OpenID Foundation’s work on recursive delegation, and MCP’s move to OAuth 2.1 with resource-indicator-scoped tokens, all converging over the next 18 to 24 months. Ask vendors how an agent’s permissions get derived, when they expire, and how revocation propagates through a delegation chain. If they can’t answer, you have your answer. Treat security advisory density as a buying signal rather than a red flag in isolation.
n8n carries 57 advisories, and Claude Code carries 22, not because they’re careless but because they’re everywhere. The projects with the most advisories tend to be the ones with the most adoption. Ask for the AI-SBOM and the disclosure history. Silence is the warning sign, not volume.
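The three questions above (how permissions are derived, when they expire, how revocation propagates through a delegation chain) can be turned into a concrete check. What follows is an added example of mine, not code from the report, NIST, the OpenID Foundation or the MCP project: a minimal delegation authority where every child token is an attenuation of its parent (audiences and scopes can only shrink, expiry can only come sooner), tokens are bound to resource indicators, and validation walks the whole ancestry so that revoking any ancestor kills everything derived from it. The resource URLs, scope names and the `DelegationAuthority` API are hypothetical.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class DelegationToken:
    token_id: str
    subject: str                # the agent acting under this token
    audiences: frozenset[str]   # resource indicators the token is valid for
    scopes: frozenset[str]      # permissions actually carried
    expires_at: int             # unix seconds
    parent_id: str | None       # None marks the root grant from the human principal


class DelegationAuthority:
    """Issues, attenuates and revokes tokens along a delegation chain (hypothetical design)."""

    def __init__(self) -> None:
        self._tokens: dict[str, DelegationToken] = {}
        self._revoked: set[str] = set()

    def _mint(self, subject, audiences, scopes, expires_at, parent_id) -> DelegationToken:
        tok = DelegationToken(secrets.token_hex(8), subject, frozenset(audiences),
                              frozenset(scopes), expires_at, parent_id)
        self._tokens[tok.token_id] = tok
        return tok

    def root_grant(self, subject: str, audiences, scopes, expires_at: int) -> DelegationToken:
        """The principal's original consent; every later token derives from it."""
        return self._mint(subject, audiences, scopes, expires_at, None)

    def delegate(self, parent: DelegationToken, subject: str, audiences, scopes,
                 expires_at: int) -> DelegationToken:
        """Derive a child token. Permissions can only narrow, never widen."""
        audiences, scopes = frozenset(audiences), frozenset(scopes)
        if not audiences <= parent.audiences:
            raise PermissionError("child audience is not a subset of the parent's")
        if not scopes <= parent.scopes:
            raise PermissionError("child scope is not a subset of the parent's")
        if expires_at > parent.expires_at:
            raise PermissionError("child cannot outlive its parent")
        return self._mint(subject, audiences, scopes, expires_at, parent.token_id)

    def revoke(self, token_id: str) -> None:
        """Revoking any token implicitly revokes everything delegated from it."""
        self._revoked.add(token_id)

    def validate(self, token_id: str, resource: str, scope: str, now: int) -> tuple[bool, str]:
        """Resource-side check: audience, scope, expiry, then the whole ancestry."""
        tok = self._tokens.get(token_id)
        if tok is None:
            return False, "unknown token"
        if resource not in tok.audiences:
            return False, f"token not issued for resource {resource}"
        if scope not in tok.scopes:
            return False, f"scope {scope} not granted"
        if now >= tok.expires_at:
            return False, "token expired"
        cur: DelegationToken | None = tok
        while cur is not None:
            if cur.token_id in self._revoked:
                return False, f"revoked at {cur.subject} in the delegation chain"
            cur = self._tokens[cur.parent_id] if cur.parent_id else None
        return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: a human grants an orchestrator mail and CRM access,
    # the orchestrator hands a mail-only, read-only, shorter-lived token to a sub-agent.
    auth = DelegationAuthority()
    root = auth.root_grant("orchestrator", {"https://mail.example", "https://crm.example"},
                           {"mail:read", "mail:send", "crm:read"}, expires_at=1000)
    child = auth.delegate(root, "mail-agent", {"https://mail.example"}, {"mail:read"}, 900)
    print(auth.validate(child.token_id, "https://mail.example", "mail:read", now=500))
    print(auth.validate(child.token_id, "https://crm.example", "mail:read", now=500))
    auth.revoke(root.token_id)   # the human pulls consent at the top of the chain
    print(auth.validate(child.token_id, "https://mail.example", "mail:read", now=500))
```

The design choice worth copying is that the resource never trusts a token on its own face: it checks the audience it was minted for, the scope it actually carries, and then every ancestor's revocation status. That is what "revocation propagates through a delegation chain" has to mean in practice, and it is the property to ask a vendor to demonstrate rather than describe.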
Finding Two: Safety And Security Collapse At The Deployment Layer
For most of software’s history, safety was an engineering problem, and security was an adversarial one, owned by different teams running different playbooks. Agentic systems break that split at the deployment layer, meaning the architectural decisions, permissions, configurations, and operational controls your organization owns once an agent acts on production systems.
The report argues that once an agent can send the email, move the money, or commit the code, the same controls govern a benign malfunction and a deliberate attack, and the same investigation surfaces both root causes. Model-level safety stays with the provider. Everything downstream of the prompt lands on one function, no matter how you choose to draw the org chart.
Picture an agent whose memory got poisoned weeks ago. It starts exfiltrating data and taking actions nobody approved. To the team watching the dashboards in real time, that looks like a reliability bug. They restart it, check for drift, and review the inputs. A team treating it as a safety issue misses the persistence mechanism and gets compromised again. A team treating it as a security issue hunts the initial access vector, and that hunt stands a chance of finding the poisoned memory state and containing the compromise. The symptom is the same, the right response is the opposite, and the org chart decides which one you run.
The categories still separate cleanly when an agent has limited autonomy or a human in the loop. They stop separating when the agent runs with broad permissions and thin oversight, which describes most of the deployments racing into production right now. If your AI safety people and your AI security people sit in separate meetings with separate budgets, that division is now a liability. Read this chapter with your CTO and your head of AI in the room.
Finding Three: The Governance Clock Runs In Hours, And The Matrix Tells You Where You Stand
Regulators stopped pretending periodic audits are enough. DORA gives you a four-hour notification window. NIS2 wants a 24-hour early warning. New York’s RAISE Act sets 72 hours for frontier reporting. California’s SB 53 allows 15 days. The EU AI Act’s Article 72 requires post-market monitoring that explicitly covers behavioral drift, though the Digital Omnibus proposal from November 2025 may push the high-risk deadlines to December 2027 if it clears trilogue.
2026 maps 42 instruments across 10 jurisdictions, so you can see which clock applies where without assembling it yourself from primary texts. The count isn’t the point. The point is that runtime governance moved from a nice-to-have to the unit regulators measure. Pre-deployment certification stopped being enough the moment the thing you certified could rewrite its own behavior after launch.
Then the report hands you the artifact I wish boards had a year ago. The Enterprise Adoption Maturity Model maps your governance maturity (Levels 0 through 4) against your adoption tier (AT0 through AT8). AT0 is Shadow AI, the unmanaged usage already running in your org. The tiers climb through vendor-embedded assistants, platform-integrated agents, citizen-developer flows, code-executing agents, custom in-house builds, and externally extended agents, up to AT8, where agents operate across organizational boundaries in federated networks.
A bold cell means your governance is too thin for what you’re running, and you get two honest moves: raise maturity or lower the tier, with no third option where you cross your fingers and hope it holds. The model survives the way a Bayesian wants a model to survive. It’s calibrated, it’s falsifiable, and it updates in response to evidence instead of flattering the program you already built. The urgency shows in the adoption data. a16z found that 29% of the Fortune 500 and roughly 19% of the Global 2000 are paying customers of a leading AI startup, counting only signed, contracted deployments. The unmanaged AT0 volume sitting on top of that is, by definition, unmeasured.
Where I’d Push Back, Even As A Co-Lead
A review where the author agrees with himself for 2,000 words isn’t worth your time, so here’s where I’d lean on the document.
The report is honest about what it hasn’t solved, and the “What Remains Unsolved” section names three problems I’d watch closely. Cyber insurance for agentic deployments is heading toward a coverage gap nobody has priced yet, and the first big agent-driven loss will test it in public. The governance-deployment collision at AT6 and above, where agents reach across trust boundaries, has no clean answer, and the matrix tells you to slow down rather than how to move fast safely. Agentic AI in OT and ICS has no documented enterprise-agent safety incident yet. Read that as early, not as safe.
I encourage you to pay close attention to the weaponization curve, as the offense is scaling faster than the controls. Anthropic disclosed GTG-1002, a campaign that ran largely autonomous espionage across roughly 30 organizations using jailbroken Claude Code, with the AI executing 80 to 90% of the tactical operations at request rates no human could match. Credit Anthropic for disclosing it in that detail, because that kind of transparency is how the rest of us learn what’s coming. CrowdStrike documented an 89% increase in AI-enabled adversary attacks, with breakout time falling to 29 minutes. IAPS HACCA found frontier models jumping from near-zero to 60% success on expert-level offensive security challenges inside a few months. The report maps the threat well. It doesn’t pretend anyone has solved the defense that scales at machine speed. Neither do I. That’s the honest state of it.
Key Takeaway: 2026 won’t secure your agents for you, but it’s the first document that tells you, with evidence, exactly where your governance is too thin for what you’ve already deployed.
What To Do Next
Start with AT0, this week. Assume Shadow AI exists until you’ve proven it doesn’t. Here’s a hint: it does… if you think you’ve proven it doesn’t, try again.
Pull network and DLP telemetry for AI-service traffic, run a short employee survey on the tools people are already using, and you’ll surface more than you expect. Then map your three highest-tier agent deployments against the maturity matrix. Where you land in a bold cell, pick one of the two moves: raise governance maturity or lower the deployment tier. Print the matrix and walk it with your CTO, your head of AI, and your board chair, because this is a conversation about deployment decisions, not policy language.
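Here is what the telemetry pull looks like as an added example of mine (not the report's, and not any vendor's product): a small detector that reads proxy-style log lines, maps destination hosts to AI vendors, and reports the users and outbound byte volumes going to vendors nobody approved. The log format, the users and the byte counts are constructed; the hostnames are public service hostnames used as illustrations, and a real deployment would take its category list from the proxy vendor's feed or its own research.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not real telemetry): "ts user src_ip dest_host bytes_out"
SAMPLE_LOG = """\
2026-06-02T09:01:12Z alice 10.0.4.21 api.openai.com 18422
2026-06-02T09:02:40Z bob 10.0.4.37 claude.ai 5120
2026-06-02T09:03:05Z alice 10.0.4.21 api.openai.com 90311
2026-06-02T09:04:18Z carol 10.0.7.12 generativelanguage.googleapis.com 2210
2026-06-02T09:05:00Z dave 10.0.7.30 huggingface.co 1048576
2026-06-02T09:05:44Z bob 10.0.4.37 www.example.com 310
2026-06-02T09:06:10Z erin 10.0.9.8 api.anthropic.com 7320
"""

# Public AI service hostnames grouped by vendor (illustrative list, not exhaustive).
AI_SERVICE_HOSTS = {
    "openai": {"api.openai.com", "chatgpt.com"},
    "anthropic": {"api.anthropic.com", "claude.ai"},
    "google": {"generativelanguage.googleapis.com"},
    "huggingface": {"huggingface.co"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<host>\S+) (?P<bytes>\d+)$")


def vendor_for(host: str):
    """Map a destination host (or any subdomain of a listed host) to a vendor, else None."""
    for vendor, hosts in AI_SERVICE_HOSTS.items():
        if host in hosts or any(host.endswith("." + h) for h in hosts):
            return vendor
    return None


def find_shadow_ai(log_text: str, approved_vendors: set[str]) -> dict[str, dict[str, int]]:
    """Return {user: {vendor: bytes_out}} for AI traffic to vendors not on the approved list.
    Malformed lines are skipped rather than crashing the sweep."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        vendor = vendor_for(m["host"])
        if vendor is None or vendor in approved_vendors:
            continue
        findings[m["user"]][vendor] += int(m["bytes"])
    return {user: dict(per_vendor) for user, per_vendor in findings.items()}


def rank_by_egress(findings: dict[str, dict[str, int]]) -> list[tuple[str, int]]:
    """Largest outbound volume first: data leaving to an unmanaged AI service is the AT0 risk."""
    totals = {user: sum(per_vendor.values()) for user, per_vendor in findings.items()}
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    # Constructed policy: only one vendor has a contract and a governance owner.
    shadow = find_shadow_ai(SAMPLE_LOG, approved_vendors={"openai"})
    for user, total in rank_by_egress(shadow):
        print(f"{user:6} {total:>10} bytes to unapproved AI services: {shadow[user]}")
```

The output is the start of your AT0 inventory: who is talking to which unmanaged service, weighted by how much leaves the building. Pair it with the survey, because the survey catches the browser-based use that never hits an API hostname, and use the byte volume rather than the connection count to decide which conversations to have first.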
If you want the deeper background on why authorization scope and least agency are the metrics that survive contact with production, and why governance is a deployment-review problem before it’s a policy problem, I’ve written both up at rockcybermusings.com, and the consulting side of how I run these assessments lives at rockcyber.com.
Then download the report, read the threat tracker and the maturity model first, and send the link to the two people who own the deployments you inventoried: https://genai.owasp.org/resource/state-of-agentic-ai-security-and-governance/
👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.
👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.
👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com
👉 As a bonus, check our AMA on the 2026 OWASP GenAI Security Project State of Agentic AI Security and Governance report with me and the other co-leads (it was live, so start at time marker 09:45)
The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.