Algorithms got out of control before companies noticed.

Corporate AI agents are no longer limited to responses in a chat window. An agent receives a goal, selects a tool, calls an API, reads data, changes records and starts chains of operations. In the new version of State of Agentic AI Security and Governance, OWASP describes a shift that security teams can no longer ignore: the risks of agentic systems have moved from forecasts to incidents, vendor warnings and CVEs.
OWASP released the first version of the report in July 2025. At that time the authors described agent risks as a set of possible threats, analysed the young market and urged companies to build governance in advance. Over the year, adoption accelerated. A separate OWASP Top 10 for Agentic Applications appeared, and regulators in different countries began to prescribe rules for harm that may arise from the actions of autonomous AI systems.
The new version of the report rests on three main conclusions. The first concerns practice: the threats have been confirmed. The architectural weaknesses discussed as possible problems in 2025 are now linked to production incidents, vendor advisories and CVEs in almost every category of the OWASP Top 10 for Agentic Applications. The document adds a tracker of real cases and exploits, and the threat-analysis chapter shows at which extension of an agent's capabilities a failure, excess access or other dangerous action occurred.
The main difference between an agent and an ordinary chatbot is not the wording of its answers but access to actions. A chatbot writes text. An agent can carry out a task through a connected tool: call a service, open a file, send a request, change a record, create a message or pass the result on to another system. An error, weak command validation or a faulty integration in the agent environment quickly spreads beyond the model and affects corporate architecture, accounts, logs and workflows.
The second conclusion of OWASP concerns the boundary between AI Safety and AI Security. In Russian it is convenient to separate the two areas as follows: AI behavioral safety covers predictability, harm from errors and undesirable actions, while AI information security deals with attacks, access, vulnerabilities and investigations. Agentic systems mix both areas because they gain autonomy and tools to act outside a single model. Once an agent is running in a company, behavioral risk and cyber risk can hardly be separated.
OWASP shifts the focus to the deployment layer: the architectural decisions, settings, permissions, rights, logs, restrictions, incident-handling routes and operating procedures that the organization controls. The security of the model itself on the provider's side remains the model developer's responsibility. But once the agent is connected to operational systems, the same controls limit both the harm from misbehavior and the damage from an attack. The same logs help explain why the agent performed a dangerous action, gained excess access or executed a command in the wrong context.
The organizational conclusion of the report is simple: AI Safety and AI Security teams should not operate as two parallel tracks. When deploying AI agents, specialists have to manage shared settings, shared risks and shared emergency-stop mechanisms. An agent acts faster than a person, so a quarterly check or a formal audit after launch does not close the risk.
The third conclusion concerns regulation. Regulators already assume that an agent can cause harm faster than a person can manually check each action. New requirements are therefore increasingly built on continuous supervision rather than on occasional inspections. The report lists different response times: DORA requires notification of some incidents within four hours, NIS2 provides for an early warning within 24 hours, NY RAISE sets 72 hours for reporting on advanced AI systems, and California SB 53 sets a window of 15 days.
The spread in deadlines reflects a change in the logic of control. Companies need more than policies, registers and approvals. They need continuous monitoring of agent behavior, baseline profiles of normal operation, deviation signals, automatic routing of incidents to the right teams, and stop mechanisms that act within seconds. For agentic systems, delay itself becomes a risk: the broader the permissions and autonomy, the faster an error propagates through APIs, accounts and business processes.
The second version of State of Agentic AI Security and Governance has a more practical structure. The threat analysis is now based on documented cases, not only on hypotheses. The new section on the relationship between AI Safety and AI Security explains why the usual division of teams works poorly when autonomous systems are launched. The tracker of real incidents is tied to the categories of the OWASP Top 10 for Agentic Applications, so managers and engineers can map specific cases to risk types.
For companies, the report adds the Enterprise Adoption Maturity Model, a maturity model for adopting agentic AI. The model helps assess whether governance matches the complexity of the deployed agents. The greater the system's independence and the wider its access to tools, the higher the requirements for rights, logging, monitoring and emergency shutdown. Each section of the report is related to the Top 10 categories for agentic applications, so the document can be used as a map for internal assessment.
A separate chapter is devoted to agent identity and non-human identities. OWASP treats identity as a new layer of access management. In conventional software, the company controls users, service accounts, keys and roles. In an agentic environment there is an added difficulty: an autonomous system can act on behalf of a person, a service or its own technical identifier, call different tools and pass the result further on. Without a precise answer to who performed an action, on whose behalf and with what rights, an investigation quickly runs into gaps in the logs.
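As an added illustration of the deployment-layer controls and the identity questions described above (this is not code from the OWASP report): a minimal Python gate that checks each agent tool call against an allowlist and the scope the tool requires, records who acted on whose behalf with what right, compares the call rate with a baseline profile and trips an emergency stop when the rate deviates. All agent, user and tool names are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ToolCall:
    agent_id: str       # the agent's own technical identity
    on_behalf_of: str   # the person or service the agent acts for
    tool: str           # e.g. "crm.update_record"
    scope: str          # the right the call exercises, e.g. "crm:write"


@dataclass
class AgentGate:
    allowed_tools: dict[str, set[str]]    # policy: agent -> tools it may call
    tool_scope: dict[str, str]            # policy: tool -> scope it requires
    baseline_per_min: dict[str, int]      # baseline profile: normal calls / 60 s
    deviation_factor: float = 3.0         # deviation signal threshold
    audit: list[dict] = field(default_factory=list)
    stopped: set[str] = field(default_factory=set)
    _calls: dict[str, deque] = field(default_factory=lambda: defaultdict(deque))

    def _log(self, call: ToolCall, decision: str, reason: str, now: float) -> bool:
        # Every decision records who acted, on whose behalf and with what right.
        self.audit.append({"t": now, "agent": call.agent_id, "on_behalf_of": call.on_behalf_of,
                           "tool": call.tool, "scope": call.scope,
                           "decision": decision, "reason": reason})
        return decision == "allow"

    def check(self, call: ToolCall, now: float) -> bool:
        """Gate one tool call; returns True if it may proceed."""
        if call.agent_id in self.stopped:
            return self._log(call, "deny", "emergency stop active", now)
        if call.tool not in self.allowed_tools.get(call.agent_id, set()):
            return self._log(call, "deny", "tool not in agent's allowlist", now)
        if self.tool_scope.get(call.tool) != call.scope:
            return self._log(call, "deny", "scope does not match tool", now)
        window = self._calls[call.agent_id]
        window.append(now)
        while now - window[0] >= 60:          # keep a sliding 60-second window
            window.popleft()
        if len(window) > self.baseline_per_min.get(call.agent_id, 0) * self.deviation_factor:
            self.stopped.add(call.agent_id)   # kill switch acts without waiting for a human
            return self._log(call, "deny", "rate deviation from baseline; agent stopped", now)
        return self._log(call, "allow", "policy and baseline satisfied", now)

    def who_did_what(self, tool: str) -> list[tuple[str, str, str]]:
        """Investigator's view: (agent, on_behalf_of, decision) for one tool."""
        return [(e["agent"], e["on_behalf_of"], e["decision"]) for e in self.audit if e["tool"] == tool]


def demo() -> AgentGate:
    # Constructed policy and traffic; the agent, user and tool names are hypothetical.
    gate = AgentGate(allowed_tools={"crm-assistant": {"crm.read_record", "crm.update_record"}},
                     tool_scope={"crm.read_record": "crm:read", "crm.update_record": "crm:write"},
                     baseline_per_min={"crm-assistant": 2})
    gate.check(ToolCall("crm-assistant", "alice@example", "crm.update_record", "crm:write"), now=0.0)
    gate.check(ToolCall("crm-assistant", "alice@example", "mail.send", "mail:send"), now=1.0)
    for i in range(8):   # a burst far above the baseline trips the stop
        gate.check(ToolCall("crm-assistant", "alice@example", "crm.read_record", "crm:read"), now=2.0 + i)
    return gate


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry["decision"], entry["agent"], "for", entry["on_behalf_of"], entry["tool"], "-", entry["reason"])
```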
Another new section analyses the AI SBOM and the provenance of supply-chain components. An AI SBOM can be described as a bill of materials for an AI system, by analogy with the SBOM for software. For agentic solutions, libraries and dependencies are not the only concern. The system includes models, tools, connected services, data sets, plugins, access policies and external components through which the agent carries out tasks. The provenance of these elements bears directly on security: the company must understand which parts are in use, who supplied the components, how updates arrive and where an untrusted element might appear.
The taxonomy of agents has also been reassembled. Classification now follows three independent dimensions: the type of agent, the implementation method and the composition of the system. Autonomy runs through the whole scheme as a separate characteristic. This approach helps avoid lumping a simple assistant for one limited step together with a group of agents connected to the company's working tools and able to make decisions along a chain of operations. What matters for risk assessment is not the mere fact of using AI but the entire design around the agent.
The report also updates the picture of the market. The ecosystem is described on the basis of telemetry from 53 tracked agent projects. The regulation section covers 42 instruments in 10 jurisdictions. The scale shows that the discussion of agentic AI has moved beyond laboratories and pilot launches. Practices, standards, supervisory requirements and distinct corporate roles are already emerging around autonomous systems.
OWASP's practical starting point is inventory. First, the company needs to find the most advanced agents already operating inside the organization. Then management has to choose one of two paths: raise governance maturity to the level of deployment complexity, or reduce the level of deployment if control cannot keep pace with autonomy. Particular attention goes to shadow AI. According to the authors' observations, unofficial or poorly accounted-for AI tools are already present in almost every organization studied. Such systems cannot be governed until the company discovers the tools themselves, their access and the real work tasks they perform.
The document is addressed primarily to CISOs, C-level executives and senior managers responsible for the security, governance and strategy of agentic AI adoption. The report is also intended for security architects, AI engineers and specialists who need to understand the shift in the threat landscape. Detailed technical measures, checklists and practical schemes OWASP leaves to related materials; the report itself sets the working framework for managers, risk teams, lawyers and compliance units.
The report was released as part of the OWASP Agentic Security Initiative, a track within the OWASP GenAI Security Project. The GenAI Security Project brings together more than 600 participants from over 18 countries and works on recommendations for the security of large language models and generative AI. The Agentic Security Initiative focuses on a narrower task: the risks that appear once a system gains autonomy and access to actions across trust boundaries. Since the first version of the report, the initiative has released several major materials, including OWASP Top 10 for Agentic Security, an industry guide to protecting autonomous AI agents.
The second version of the report moves the conversation onto a practical footing. Companies must find the agents that are running, describe their rights, check their level of autonomy, tie controls to real actions and appoint in advance a team that will stop a system showing dangerous behavior. For AI agents, the question is no longer the likelihood of future incidents. The main task for security teams is to understand which agents are operating in the infrastructure right now and whether internal mechanisms are sufficient to stop an error before it passes through APIs, accounts and business processes.