OWASP State of Agentic AI Security and Governance 2026: What Changed, and What It Means

Bar Kaduri
June 3, 2026

When OWASP first published this report in July 2025, agentic AI security was framed as a portfolio of plausible threats. The report surveyed an early ecosystem, mapped likely failure modes, and called for governance to keep up.

A year later, the framing has shifted. The 2026 version is now live, and almost every threat the first paper described as plausible now has a CVE, vendor advisory, or production incident attached to it.

I joined the 2026 project and contributed to the Threat Landscape chapter. This post covers what changed in the threat picture, and what changed in the report itself.

Three things the 2026 paper says that the 2025 paper did not

1. The threats are operational. The first version reads like a risk assessment of an emerging surface; the 2026 paper reads like a postmortem catalogue. The Threat Analysis chapter places each pattern in the context of where agentic capability was expanding when the break happened: prompt injection scaling through indirect channels, supply chain compromise of MCP servers and skill registries, identity gaps in non-human identity, and sandboxes designed for human operators failing under agent execution. Every section is grounded in documented incidents, and the companion Real-World Incidents and Exploits Tracker curates the public record and maps each event to the OWASP Top 10 for Agentic Applications.

2. Safety and security converge at the deployment layer. This is the most consequential framing change in the 2026 paper. Model-level safety remains the provider’s responsibility, but once an agent is acting on production systems, the same controls govern both kinds of harm and the same investigation surfaces both kinds of cause. The Replit production database deletion and the Cursor allowlist bypass have different cause stories (one had no adversary, the other required one), but the permission architecture that produced both is identical. The 2026 paper argues that organizations cannot continue to run AI Safety and AI Security as parallel functions.
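The convergence argument above has a concrete engineering shape: a single policy gate in front of the agent's tool calls that does not care whether the request originated with an operator, the model's own plan, or content the agent retrieved. The example below is added here to illustrate that point; it is not code from the OWASP report, from Capsule, or from either incident named above. The tool names, environment labels, destructive-command list, origin values and the approval token are assumptions for illustration, and the shell check is a heuristic that shows why a first-word allowlist is insufficient, not a substitute for sandbox enforcement.

```python
"""One policy gate for every agent tool call, regardless of who or what asked.

Added example, not code from the OWASP report or from Capsule. Tool names
("sql", "shell"), environment labels, origin values, the destructive-command
set and the approval token are assumptions made for this illustration.
"""
import re
import shlex
from dataclasses import dataclass

# Constructed deny patterns for the example; a real deployment would derive
# these from the tool's own schema and the environment's change policy.
DESTRUCTIVE_SQL = re.compile(r"^\s*(drop|truncate|delete\s+from)\b", re.I)
DESTRUCTIVE_SHELL = {"rm", "mkfs", "dd", "shred"}

# Assumed approval token; in practice this would be a signed, single-use grant.
APPROVAL_TOKEN = "approved-by-operator"


@dataclass
class ToolCall:
    tool: str         # assumed tool names: "sql" or "shell"
    args: str         # the statement or command the agent wants to run
    origin: str       # "operator" | "model" | "retrieved_content" (assumed)
    environment: str  # "production" | "staging" (assumed)


@dataclass
class Decision:
    allowed: bool
    reason: str
    requires_approval: bool = False


def shell_commands(command_line):
    """Return every command word in a shell line, not just the first one.

    With punctuation_chars=True, shlex emits ';', '&&', '||' and '|' as
    separate tokens, so 'git status; rm -rf ./data' yields both 'git' and
    'rm'. A first-word allowlist would have seen only 'git'.
    """
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, expect_command = [], True
    for token in lexer:
        if token in {";", "&&", "||", "|"}:
            expect_command = True
            continue
        if expect_command:
            commands.append(token.rsplit("/", 1)[-1])  # strip any path prefix
            expect_command = False
    return commands


def is_destructive(call):
    """Classify a tool call by what it would do, not by who requested it."""
    if call.tool == "sql":
        return bool(DESTRUCTIVE_SQL.match(call.args))
    if call.tool == "shell":
        try:
            return any(cmd in DESTRUCTIVE_SHELL for cmd in shell_commands(call.args))
        except ValueError:
            return True  # unbalanced quotes: treat unparseable input as unsafe
    return False


def gate(call, approval_token=None):
    """Apply the same rule to every origin.

    The origin is recorded in the decision so an investigation can tell an
    accident from an attack, but it never changes whether the action is
    allowed: an operator-typed DROP TABLE and an injected one hit the same
    wall in production.
    """
    if not is_destructive(call):
        return Decision(True, f"non-destructive {call.tool} call (origin={call.origin})")
    if call.environment != "production":
        return Decision(True, f"destructive {call.tool} call outside production (origin={call.origin})")
    if approval_token == APPROVAL_TOKEN:
        return Decision(True, f"destructive {call.tool} call in production, approved (origin={call.origin})")
    return Decision(False,
                    f"destructive {call.tool} call in production needs human approval (origin={call.origin})",
                    requires_approval=True)


if __name__ == "__main__":
    # Constructed sample calls: same statement, different origins, same outcome.
    for call in (
        ToolCall("sql", "DROP TABLE users", "operator", "production"),
        ToolCall("sql", "DROP TABLE users", "retrieved_content", "production"),
        ToolCall("shell", "git status; rm -rf ./data", "model", "production"),
        ToolCall("sql", "SELECT count(*) FROM users", "model", "production"),
    ):
        print(gate(call))
```

Running the block shows the two DROP TABLE calls blocked with identical reasons apart from the recorded origin, the chained shell command caught because the check walks every command in the line, and the read-only query allowed. That is the operational form of "same controls, same investigation": the policy decides on the action, and the origin field is what the postmortem reads.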

3. Governance is being measured in hours. DORA’s four-hour notification, NIS2’s 24-hour early warning, NY RAISE’s 72-hour frontier reporting, and CA SB 53’s 15-day window all assume continuous oversight rather than periodic audit. The 2026 paper covers 42 regulatory instruments across 10 jurisdictions and traces what live monitoring, drift detection, automated incident routing, and agent-speed kill mechanisms actually require to operate.

What’s new in the 2026 paper

  • Threat Analysis grounded in documented incidents, with each pattern mapped to the OWASP Top 10 for Agentic Applications
  • AI Safety vs AI Security as a standalone chapter on why these categories can no longer be separated operationally
  • Real-World Incidents and Exploits Tracker linked to ASI categories
  • Enterprise Adoption Maturity Model that assesses governance capability against deployment complexity (AT0 Shadow AI through AT8 Federated)
  • Agent Identity / Non-Human Identity elevated to a full chapter treating identity as the new control plane
  • AI SBOM and Supply Chain Provenance as a new chapter on what static inventories miss in runtime-composed systems
  • Revised Agents Taxonomy across three independent dimensions (type, implementation, composition)
  • Ecosystem analysis drawing on telemetry from 53 tracked agentic projects

Where to start

The practical starting point in the 2026 paper is to identify the most advanced agents you are running today, then either raise governance maturity to match or reduce the deployment tier. Shadow AI deserves particular attention: it is present in nearly every organization contributors examined and must be discovered before it can be governed.

Read the full report: OWASP State of Agentic AI Security and Governance 2026
