GOVERNANCE MEDIUM NEW

OWASP's agentic maturity model: don't run in the red cells

OWASP's June 2026 State of Agentic AI report adds an Enterprise Adoption Maturity Model — a two-axis grid where agent autonomy outruns governance, leaving 'red cells' no one can see into.

2026-06-11 // 6 min affects: coding-agents, multi-agent-systems, citizen-developer-agents, shadow-ai

What is this?

On June 1, 2026, the OWASP GenAI Security Project published version 2.01 of its State of Agentic AI Security and Governance report. The headline change is not a new threat. It is a decision tool: an Enterprise Adoption Maturity Model that co-lead Ariel Fogel (Pillar Security) presented at the OWASP GenAI Security Summit during Infosecurity Europe on June 4. The framing matters because the 2025 edition catalogued plausible threats; the 2026 edition attaches a CVE, vendor advisory, or production incident to nearly every category. The risk is now empirical, and the report’s argument is that most organizations are deploying agents faster than they can govern them.

How it works

The model maps governance onto two linked axes.

The first axis is what you deploy, in six levels of increasing autonomy: AT0 shadow AI (self-adopted, outside any governance), AT1 vendor-embedded assistant (you consume it), AT2 platform-integrated (AI-native platform on your data, no arbitrary code), AT3 citizen-developer agent (low-code flows acting on real data), AT4 code-executing agent (generates and runs code with local or cloud privileges), and AT5 custom in-house agent (you built it; you own identity, tools, and boundaries).

The second axis is governance maturity, in four levels: Level 0 unaware/ad hoc (no AI-specific policy, minimal logging), Level 1 experimentation without guardrails (pilots with no defined autonomy limits or escalation criteria), Level 2 policy-defined with human-in-the-loop (use cases mapped to EU AI Act/GDPR, a named owner such as a CAIO, AI-SBOM established), and Level 3 integrated continuous oversight (risk-tiered workflows, real-time drift dashboards, kill switches, governance-as-code).

Plot an agent on the deployment axis, then check whether governance lines up. Fogel presented the result as a colored grid: green where governance matches the deployment, yellow where security and governance teams may lack full oversight, and red where autonomy is shipped without the matching controls. His one-line summary: “Don’t operate in the red cells.” A Level 1 governance posture running an AT4 code-executing agent is a textbook red cell: the agent can run arbitrary code at machine speed while no one is watching.

Why it matters

The report’s data explains why the red cells are crowded. Of 53 agentic projects OWASP tracks, 28 are coding agents, and the repositories with the most security advisories are workflow and agent platforms (n8n at 57, Claude Code at 22, AutoGPT at 15). Seven projects ship updates daily or faster, outpacing traditional software-composition-analysis pipelines. Prompt injection maps to six of the ten categories in OWASP’s Top 10 for Agentic Applications, because a model treats the system prompt, the user request, and retrieved text as one undifferentiated token stream — Simon Willison’s “lethal trifecta” and Meta’s “Agents Rule of Two” both describe the same exposure. Yet according to IBM data cited in the report, only 37% of organizations have a policy to detect shadow AI at all — meaning many AT0 deployments sit at Level 0 governance without anyone knowing.

Defenses

The model is prescriptive about the fix. When governance is insufficient for the deployment level, OWASP points to exactly two responses: invest in controls designed for agentic systems, or reduce the agent’s permissions and autonomy until existing controls suffice. There is no third option of hoping.

Crucially, the report stresses that the needed controls are not stronger versions of traditional security. Because agents act at machine speed and scale, teams need: live behavioral baselines rather than periodic review; real-time containment and stop mechanisms (kill switches); joined incident response across the safety and security teams, since the same architectural choice often creates both exposures; and better identity hygiene — ephemeral credentials and cryptographic attestation so each action can be traced and bounded. Co-lead John Sotiropoulos framed the goal as reducing the “cognitive tax” of ever-growing guidance: discover your most advanced agents, prioritize the riskiest workloads, and decide to invest in faster controls or constrain deployment. Practically: inventory every agent, place it on both axes, and treat any red cell as an action item, not a backlog note.
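The inventory step above can be kept as code. The sketch below is an added example, not code from the OWASP report: it places each agent on both axes, flags non-green cells, and computes the two responses the model allows. The `REQUIRED_GOV` thresholds, the gap-based color rule, and the agent names are assumptions; the only cell taken from the article is AT4 at Level 1, which is red.

```python
from dataclasses import dataclass

AT_LEVELS = ["AT0", "AT1", "AT2", "AT3", "AT4", "AT5"]  # deployment axis, increasing autonomy

# ASSUMPTION: minimum governance level (0-3) treated as matching each deployment
# type. The article does not list the grid's cell colors; substitute the values
# from the report's own figure before relying on the output.
REQUIRED_GOV = {"AT0": 1, "AT1": 1, "AT2": 2, "AT3": 2, "AT4": 3, "AT5": 3}

@dataclass(frozen=True)
class Agent:
    name: str
    at: str   # deployment level, AT0..AT5
    gov: int  # governance maturity actually in place, 0..3

def cell_color(at: str, gov: int) -> str:
    """Assumed rule: no gap is green, one level short is yellow, more is red."""
    if at not in REQUIRED_GOV or gov not in range(4):
        raise ValueError(f"unknown cell: {at!r} / level {gov!r}")
    gap = REQUIRED_GOV[at] - gov
    return "green" if gap <= 0 else "yellow" if gap == 1 else "red"

def remediation(at: str, gov: int) -> dict:
    """The two permitted responses: invest in controls, or reduce autonomy."""
    green_at = [a for a in AT_LEVELS if REQUIRED_GOV[a] <= gov]
    return {
        "raise_governance_to": REQUIRED_GOV[at],
        # None means no deployment level is green at this governance level,
        # so investing in controls is the only way out of the cell.
        "reduce_autonomy_to": green_at[-1] if green_at else None,
    }

def action_items(inventory):
    """Return (color, name, remediation) for every non-green agent, red first."""
    items = [(cell_color(a.at, a.gov), a.name, remediation(a.at, a.gov))
             for a in inventory if cell_color(a.at, a.gov) != "green"]
    return sorted(items, key=lambda item: (item[0] != "red", item[1]))

# Constructed sample inventory; agent names are hypothetical.
INVENTORY = [
    Agent("ci-coding-agent", "AT4", 1),
    Agent("crm-copilot", "AT1", 2),
    Agent("hr-lowcode-flow", "AT3", 1),
    Agent("unsanctioned-chatbot", "AT0", 0),
]

if __name__ == "__main__":
    for color, name, fix in action_items(INVENTORY):
        print(f"{color.upper():6} {name}: {fix}")
```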

Status

| Item | Detail |
| --- | --- |
| Report | State of Agentic AI Security and Governance v2.01 |
| Publisher | OWASP GenAI Security Project |
| Published | June 1, 2026; framework presented June 4 (Infosecurity Europe) |
| Deployment axis | AT0–AT5 (shadow AI → custom in-house agent) |
| Governance axis | Level 0–3 (ad hoc → continuous oversight) |
| Action rule | “Don’t operate in the red cells” |

Sources