OWASP Launches Agentic Research Council to Secure AI Agents

OWASP (the Open Worldwide Application Security Project — the globally recognized nonprofit that produces security standards including the OWASP Top 10 Web Application Security Risks used by developers and security teams in every industry) formally launched its Agentic Research Council at Infosecurity Europe 2026 on June 1. The council is a coordinated research initiative under OWASP's GenAI Security Project — now more than 25,000 members globally — targeting the growing gap between the speed at which agentic AI systems are being deployed in production and the pace at which security research can characterize and mitigate their risks. The launch was led by John Sotiropoulos, co-lead of OWASP's GenAI Security Project, who described the initiative as "expert backed, but community driven."

// 01 What Is Agentic AI and Why Security Research Is Falling Behind

Agentic AI refers to AI systems that operate with autonomy — not just answering questions, but executing sequences of actions: browsing the web, writing and running code, calling external APIs, reading and writing files, and coordinating with other agents (sub-agents) to complete complex tasks. Large language models (LLMs — AI systems trained on massive text datasets capable of generating and reasoning over natural language) like GPT-4, Claude, and Gemini are increasingly deployed not as static question-answering tools but as autonomous agents embedded in business workflows.

The security implications of this shift are fundamentally different from classical application security. A web application can be analyzed statically — its code paths, data inputs, and outputs are enumerable. An AI agent's behavior is emergent: it depends on the content of the data it processes, the tools it has been granted access to, and the instructions embedded in inputs it receives from external sources. An agent exposed to adversarially crafted data can be redirected to take actions its operators never intended — and this redirection can happen at machine speed, with no human checkpoint in the loop.

The research cycle problem is real. A security researcher who discovers that a specific multi-agent orchestration architecture is vulnerable to orchestration hijacking will typically publish a paper 12 to 18 months after discovery, after peer review and conference acceptance. By that point, the architectural pattern may be deployed in thousands of production systems. The Agentic Research Council is OWASP's structural answer to this latency problem.

// 02 What the Council Will Do

The council operates through four primary mechanisms:

1. Maintain a public research pipeline. A continuously updated, openly accessible list of open security questions in agentic AI systems, prioritized by operational urgency based on what practitioners are actually encountering. Academic researchers can use this list as a map of where their work has the highest real-world impact.

2. Translate academic findings into deployable mitigations. The gap between a peer-reviewed paper proving vulnerability and a production-ready detection rule or architectural guidance document is enormous — typically years. The council will specifically fund and coordinate the translation layer, accelerating research findings into practitioner-usable tools.

3. Sponsor aligned PhD-level research. Standard academic funding mechanisms do not prioritize "runtime detection of prompt injection (T1059 equivalent — a class of attacks where malicious instructions embedded in external data redirect an AI agent's behavior, analogous to code injection in traditional software) in tool-use chains." The council will direct resources toward research questions that practitioners need answered.

4. Convene regular cross-sector working groups. Academic security researchers, enterprise security teams, government cybersecurity agencies, and policymakers will collaborate in structured quarterly sessions, rather than meeting once or twice a year at conferences.

// 03 What Was Released Today

Timed with the council launch, OWASP released "The State of Agentic AI and Governance" — a framework paper mapping current enterprise AI adoption patterns to governance models and providing a practical risk-tiering scheme for agentic AI deployments.

The tiering scheme answers a question security architects are actively grappling with: does a read-only customer service chatbot belong in the same risk category as an AI agent that can execute code, modify production database records, and spawn additional sub-agents? The governance paper says no — and provides a structured framework for assigning security review requirements, access control boundaries, and monitoring intensity based on an agent's capability scope and data access.

This follows the OWASP Multi-Agent Security Paper published April 29, which examined composability risks — the attack surfaces that emerge specifically when multiple agents interact. Individual agents may each be hardened against known attack patterns; the composition of three agents running in sequence can produce vulnerabilities that exist in none of them individually. The attack surface created by agent-to-agent trust relationships and data hand-offs is a class of risk with no direct analogue in traditional application security.

// 04 The OWASP Top 10 for Agentic Applications 2026

The council launches alongside the existing OWASP Top 10 for Agentic Applications 2026 — a globally peer-reviewed framework identifying the most critical security risks in autonomous AI systems. The top 10 provides the council's initial research scope and maps directly to what OWASP's Q1 2026 GenAI Exploit Round-Up documented as actively exploited in production deployments.

Key entries from the Top 10 Agentic Applications include:

• Prompt injection — The OWASP Q1 2026 exploit report identifies prompt injection as the most widely exploited agentic vulnerability in production: malicious instructions embedded in web pages, documents, or API responses can redirect an agent to exfiltrate data, execute unauthorized tool calls, or propagate to downstream agents.

• Excessive agent permissions — Agents granted capabilities beyond their task requirements (the principle of least privilege applied to AI). An agent that can read documents, send emails, and execute code in a single context presents a dramatically larger blast radius than one scoped to read-only access.

• Unsafe tool execution — Insufficient validation of what external tools an agent is permitted to invoke and with what parameters, enabling tool-misuse attacks where an agent is manipulated into calling legitimate tools with malicious inputs.

• Agent identity attacks — Forging or hijacking the identity credentials that multi-agent systems use to authenticate interactions between agents — an attack surface unique to agentic architectures.

• Supply chain compromise — Malicious packages in AI orchestration frameworks (LangChain, AutoGen, CrewAI, and similar libraries) and tampered model weights or fine-tuning datasets injected into the AI development pipeline.

// 05 What This Means for Security Teams Now

Sotiropoulos identified the core operational shift that agentic AI requires in his Infosecurity Europe remarks: traditional security governance is development-centered — code review, static analysis, SAST (Static Application Security Testing — automated scanning of source code for known vulnerability patterns) and DAST (Dynamic Application Security Testing — automated testing of running applications) occur before or at deployment. Agentic systems produce behavior that cannot be fully characterized from source code. An agent behaving correctly on yesterday's inputs may behave maliciously on today's adversarially crafted inputs. The required shift is toward runtime monitoring — continuous observation of agent behavior, not just pre-deployment review.

For security teams evaluating or currently deploying agentic AI systems, the governance paper released today provides an immediately actionable starting point:

• Classify deployed agents using the risk-tiering framework. Agents with read-only access and no external tool calls sit in a fundamentally different risk tier than agents that can execute code, modify data stores, or communicate with external services.

• Apply the OWASP Top 10 for Agentic Applications to your architecture. Identify which of the top 10 risks your current deployments are exposed to, and prioritize mitigations for excessive permissions, prompt injection surfaces, and agent identity management.

• Instrument for runtime behavior monitoring before expanding agent capabilities. Before granting agents additional tool access or deploying them to broader user populations, ensure you have baseline behavior telemetry that allows anomaly detection when agent behavior deviates from intent.

• Audit AI orchestration framework dependencies. Supply chain attacks targeting LangChain, AutoGen, and similar frameworks were among the most impactful AI security incidents in Q1 2026 per OWASP's report. Treat AI orchestration packages with the same scrutiny as any other production dependency.

// 06 Background: The Shift From Theoretical to Actively Exploited

OWASP's Q1 2026 GenAI Exploit Round-Up Report describes a transition that the council was specifically formed to address: the AI security threat landscape has shifted "from theoretical risks to real-world exploitation" in the period from January through April 2026. Prompt injection, tool misuse, and agent identity attacks are no longer academic attack categories — they are documented production incidents.

This matches the broader pattern in vulnerability research. When a new technology class matures to the point of widespread production deployment, the window between theoretical vulnerability identification and active exploitation compresses rapidly. For web application security, that compression took roughly a decade (1995–2005). For mobile application security, roughly five years (2008–2013). For AI/ML security, the evidence from 2025–2026 suggests the window is far shorter — likely because the attack surface (public LLM APIs, open-source orchestration frameworks, and highly capable base models) was available to attackers at the same time it became available to defenders.

// 07 Conclusion

The OWASP Agentic Research Council is a structural response to a structural problem: agentic AI systems are being deployed in production faster than the security research community can systematically characterize and mitigate their risks. The governance paper released today provides security teams with a practical risk-tiering framework to apply now. The longer-term output — a practitioner-aligned research pipeline with faster translation from academic discovery to deployable defense — is infrastructure the industry has been missing since AI agents began moving from research prototypes to production deployments.