Cyberwire Daily

OWASP Introduces Agentic AI Security Maturity Framework

By Team-CWD, June 5, 2026


The Open Worldwide Application Security Project (OWASP) has rolled out a new agentic AI security maturity framework intended to help organizations close the gap between the agentic systems they deploy and the governance those systems require.

The framework appears in the OWASP GenAI Security Project’s latest paper, State of Agentic AI Security and Governance, published on June 3, and is presented as a practical decision tool rather than a catalog of ever‑growing rules.

Ariel Fogel, AI security researcher at Pillar Security’s Office of the CTO and one of the report’s co‑leads, introduced the new framework at the OWASP GenAI Security Summit, at Infosecurity Europe 2026, on June 4.

The new guidance has been dubbed the ‘Enterprise Adoption Maturity Model.’

“Most organizations are deploying agents faster than they can govern them. Governance is still operating at the maturity levels designed for AI copilots while teams are shipping and running custom and multi-agent systems,” Fogel commented.

How OWASP’s New Agentic AI Security Maturity Model Works

The framework maps the governance problem across two linked dimensions. One axis captures what is being deployed, ranging from shadow AI and single‑vendor tools through custom agents to multi‑agent and federated systems.

The authors have defined six levels of agentic AI adoption:

  • AT0 – Shadow AI: No organizational awareness or approval. Users self-adopting AI tools outside governance
  • AT1 – Vendor embedded assistant: Fully vendor-controlled. You consume it, not build it
  • AT2 – Platform integrated: AI-native platform with your data. Cannot execute arbitrary code
  • AT3 – Citizen developer agent: Low-code/no-code platform. User configures flows and prompts, not code. Actions on real organization data
  • AT4 – Code executing agent: Generates and executes code with local/cloud privileges
  • AT5 – Custom in-house agent: You built it. You control identity, tools and boundaries

The other axis measures governance maturity, from ad hoc processes up to continuous monitoring and adaptive automated enforcement.

The authors have defined four levels of maturity:

  • Level 0 – Unaware and ad hoc: No formal recognition of agentic AI’s distinct governance/security risks beyond traditional AI. Shadow IT experiments lack policies, AI-software bills of materials (SBOMs) or guardrails; oversight is informal with minimal logging and generic IT incident handling
  • Level 1 – Experimentation without guardrails: Pilot projects with single agents/small workflows lack defined autonomy limits, decision scopes or escalation criteria. Generic AI policies and occasional red-teaming provide governance without continuous monitoring or risk-tiering; accountability is diffuse
  • Level 2 – Policy-defined, human-in-the-loop: Formal policies map use cases to regulations (EU AI Act, GDPR) with mandatory human-in-the-loop for high-impact decisions. Cross-functional governance includes named owner (e.g. CAIO); logging/versioning/AI-SBOM established but monitoring is periodic
  • Level 3 – Integrated, continuous oversight: Agentic AI treated as critical infrastructure with risk-tiered workflows and autonomy ladders across regulated domains. Real-time dashboards track drift/anomalies; kill switches enable autonomy pauses. Governance-as-code enforces machine-readable policies across AI lifecycle

Assessing Agentic AI Adoption-Maturity Matches and Mismatches

By combining these two dimensions, organizations can assess, for each agentic AI workflow, whether their governance matches their deployment or whether governance cannot see what the agents are doing.

Fogel presented this with a table showing green areas (when governance matches the deployment), yellow areas (when security and governance teams may not have full oversight) and red areas (when deployment is applied without the right level of governance).

“Don’t operate in the red cells,” Fogel warned.

The framework’s operational logic is straightforward. Organizations place an agent on the deployment axis and then check whether their governance maturity lines up.

If governance is insufficient, the framework points to two practical responses: invest in controls specifically designed for agentic systems or reduce the agent’s permissions and autonomy until existing controls suffice.

The paper emphasizes that the needed controls are not merely stronger versions of traditional security measures.

As Fogel put it, agents operate at machine speed and scale, so teams need monitoring infrastructure that operates at the same speed as their agent workloads.

That means live behavioral baselines, real-time containment and stop mechanisms, joint incident response across safety and security teams, and better identity hygiene (e.g. ephemeral credentials and cryptographic attestation) so that each action can be traced and limited.

How to Make Agentic AI Guidance Directly Actionable

John Sotiropoulos, co-lead and board member of OWASP’s GenAI Security Project and Agentic Security Initiative, stressed that the new framework also aims to reduce human and organizational friction.

“There is a cognitive tax on us giving you stuff again and again,” he said, warning that large, frequently updated volumes of guidance become unusable for busy teams.

He pushed the framework’s simple decision posture as a way to focus action: discover the most advanced agents in use, prioritize the riskiest workloads and decide whether to invest in faster, different controls or to constrain deployments.

Sotiropoulos also linked governance upgrades to broader business goals, asking, “How do we actually accelerate innovation? I think people hiding and not doing AI is a vulnerability.”

He argued that prudent governance enables safe adoption rather than just blocking it.

Finally, Fogel emphasized the convergence of AI safety and security at the deployment layer: the same architectural choices that create safety exposure often create security exposure too, and the maturity framework encourages aligned telemetry and incident playbooks to avoid misdiagnosis during live incidents.


