CyberSecurityNews

OWASP Releases AI Security Report to Empower Security Professionals with New Tools


OWASP has released the “State of Agentic AI Security and Governance v2.01” report, a technical blueprint aimed at security teams racing to secure rapidly proliferating autonomous AI agents in production.

The report, part of the OWASP GenAI Security Project’s Agentic Security Initiative, reframes AI security as an operational reality rather than a theoretical concern, backed by live incidents, CVEs, and an aggressive open‑source ecosystem around agent frameworks and coding agents.

At the strategic level, OWASP argues that AI safety and AI security cannot be treated as separate disciplines once systems gain autonomy and access to tools.

In traditional environments, safety failures (systems behaving harmfully on their own) and security failures (adversarial exploitation) could be owned by different teams; agentic AI collapses that boundary at the deployment layer.

When an agent can autonomously invoke APIs, modify code, and touch production data, the same over‑permissive design choice becomes both a safety flaw and a security gap.

Governance, monitoring, and incident response should therefore span both failure modes, rather than routing them through disconnected risk taxonomies and escalation paths.

The report introduces a detailed taxonomy for agentic systems, classifying them by operational role such as enterprise, coding, client-facing, personal, and infrastructure/ops.

It also categorizes them by implementation pattern and composition pattern, including orchestration frameworks, low-code platforms, single-agent systems, multi-agent systems, distributed chains, and agent-spawning architectures.

Poisoned vendor data can spread through shared AI agent contexts, creating cross-tenant supply chain risks (Source: OWASP)

Autonomy is treated as a cross‑cutting dimension: supervised agents, semi‑autonomous agents, and fully autonomous agents carry sharply different blast radii, especially when combined with persistent memory and broad tool permissions.

OWASP urges organizations to explicitly map agent autonomy levels and implement circuit breakers, kill switches, and deterministic enforcement hooks for high‑autonomy deployments.
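To make the "deterministic enforcement hooks" idea concrete, here is an added example (not code from the OWASP report or from this article) of a gate that sits between an agent's planner and its tools. It maps an explicit autonomy level to which tools may run without a human approval, wires in a kill switch, and trips a circuit breaker after a run of tool failures. The tool names, the `TOOL_POLICY` table, and the `ToolGate` class are hypothetical and constructed for this example.

```python
"""Added example: deterministic enforcement hook for an agent's tool calls.
Names, tools and policy values are hypothetical, constructed for illustration."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Any, Callable, Dict, List, Optional, Tuple


class AutonomyLevel(IntEnum):
    SUPERVISED = 1         # every tool call needs a human approval
    SEMI_AUTONOMOUS = 2    # read-only / low-risk tools run on their own
    FULLY_AUTONOMOUS = 3   # allow-listed side-effecting tools run on their own


# Constructed policy: lowest autonomy level at which a tool may run WITHOUT a
# human approval. None means the tool always requires an explicit approval.
TOOL_POLICY: Dict[str, Optional[AutonomyLevel]] = {
    "search_docs": AutonomyLevel.SEMI_AUTONOMOUS,
    "read_ticket": AutonomyLevel.SEMI_AUTONOMOUS,
    "open_pr": AutonomyLevel.FULLY_AUTONOMOUS,
    "deploy_prod": None,
}


class ToolDenied(Exception):
    """Raised when the gate refuses a tool call."""


@dataclass
class ToolGate:
    level: AutonomyLevel
    max_failures: int = 3              # consecutive failures before the breaker opens
    failures: int = 0
    tripped: bool = False              # circuit-breaker state
    killed: bool = False               # kill-switch state
    audit: List[Tuple[str, str]] = field(default_factory=list)

    def kill(self) -> None:
        """Kill switch: stop every tool call until an operator intervenes."""
        self.killed = True

    def reset_breaker(self) -> None:
        """Operator action after investigation; the kill switch is never auto-reset."""
        self.failures = 0
        self.tripped = False

    def decide(self, tool: str, approved: bool = False) -> str:
        """Pure, deterministic decision: 'allow', 'needs_approval' or 'deny:<reason>'.
        Global stops (kill switch, open breaker) are checked before any policy,
        and unlisted tools are denied even when a human approved them."""
        if self.killed:
            return "deny:kill_switch"
        if self.tripped:
            return "deny:circuit_open"
        if tool not in TOOL_POLICY:
            return "deny:unknown_tool"
        if approved:
            return "allow"
        min_level = TOOL_POLICY[tool]
        if min_level is None or self.level < min_level:
            return "needs_approval"
        return "allow"

    def invoke(self, tool: str, fn: Callable[[], Any], approved: bool = False) -> Any:
        """The hook itself: record the decision, run the tool only on 'allow',
        and count consecutive failures toward the breaker."""
        decision = self.decide(tool, approved)
        self.audit.append((tool, decision))
        if decision != "allow":
            raise ToolDenied(f"{tool}: {decision}")
        try:
            result = fn()
        except Exception:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.tripped = True
                self.audit.append((tool, "breaker_tripped"))
            raise
        self.failures = 0
        return result


def demo() -> List[Tuple[str, str]]:
    """Walk a fully autonomous agent through the gate and return its audit trail."""
    gate = ToolGate(level=AutonomyLevel.FULLY_AUTONOMOUS, max_failures=2)
    gate.invoke("search_docs", lambda: "ok")                 # allowed
    try:
        gate.invoke("deploy_prod", lambda: "deployed")       # always needs approval
    except ToolDenied:
        pass
    for _ in range(2):                                       # two failures open the breaker
        try:
            gate.invoke("open_pr", lambda: 1 / 0)
        except ZeroDivisionError:
            pass
    try:
        gate.invoke("search_docs", lambda: "ok")             # denied: circuit open
    except ToolDenied:
        pass
    return gate.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The point of keeping `decide` free of side effects is that the same policy can be evaluated offline against a planned action list, logged, and replayed during incident response; the audit trail is the evidence that the autonomy level actually in force matched the one that was approved for the deployment.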

The report also grounds its guidance in an ecosystem survey of high‑velocity agentic projects, highlighting where security teams should focus monitoring and advisory tracking.

Gravitas, with roughly 183,000 stars, is cited as a fully autonomous framework/platform that pioneered autonomous-agent loops and now has over 430 contributors.

Repos gaining the most GitHub stars in the past 90 days (Source: OWASP)

n8n, also at about 183,000 stars, is a semi‑autonomous enterprise-orchestration platform with 6 years of production‑grade evolution and more than 570 releases, recently adapted for agentic workflows.

Dify, with approximately 137,000 stars and 462 contributors, stands out for one of the highest pull request volumes, signaling rapid iteration and potential attack-surface churn.

On the coding‑agent front, Claude Code (Anthropic) is described as a semi‑autonomous coding agent with around 110,000 stars, shipping roughly one release per day and already associated with 22 published CVEs, making it the fastest‑growing CLI in the dataset.

Gemini CLI from Google, with about 100,000 stars, 445 contributors, and 676 new issues opened in a 90‑day window, shows similar acceleration in developer adoption and vulnerability discovery pressure.

Infrastructure and ops agents like browser‑use (around 80,000 stars, fully autonomous browser automation with extremely high commit density) and Skyvern (roughly 18,000 stars, fully autonomous with a 77% PR merge rate) exemplify high‑risk categories in which agents bridge directly into browsers, the cloud, and CI/CD environments.

The ecosystem also includes coding and editor tools and agent frameworks such as Zed (~79,000 stars, Rust‑native with over 1,000 tracked releases and multiple security advisories), OpenHands (~71,000 stars, a fully autonomous coding agent with one of the most active pull‑request pipelines), Cline (~62,000 stars, semi‑autonomous with 11 published CVEs and over 1,000 PRs opened per 90 days), crewAI (~48,000 stars, a semi‑autonomous framework with 126% commit growth), and Aider (~38,000 stars, semi‑autonomous with a 21% rising commit trend and a growing contributor base).

Mapping ASI categories to personal agent architecture for visual reference (Source: OWASP)

Personal agents such as AgentSeek by Fosowl (~15,000 stars, supervised with 67% commit growth over 90 days) illustrate how “shadow AI” can leak into enterprises via user devices, bypassing traditional governance.

For defenders, OWASP’s message is to treat agentic AI as a first‑class security domain: inventory agents across this ecosystem, track advisories and CVEs on high‑velocity projects, and align deployments to OWASP’s Top 10 for Agentic Security and its new governance maturity model.

With autonomous agents now touching production infrastructure, security programs must move from one‑off model assessments to continuous runtime oversight and supply‑chain provenance for AI components, and establish strong non‑human identity controls before attackers and misbehaving agents define the risk surface for them.
