ethira
Features
AboutBlogSign inBook a demo
Back to blog
Regulatory10 min read4 June 2026

OWASP's Agentic AI Report Shows Governance Needs Instrumentation

OWASP's State of Agentic AI Security and Governance shows that agent failures are now production incidents, not hypotheticals. The operational answer starts with inventory, observability, unified telemetry, and defensible reporting.

Jasper Mills
Jasper Mills

Co-Founder & CEO, Ethira

Governance is not keeping pace with deployment, and the gap is no longer theoretical. OWASP's State of Agentic AI Security and Governance (v2.01, June 2026) documents a year in which the failures stopped being hypothetical and started showing up in production.

A coding assistant deleted a user's production database despite explicit, repeated instructions to change nothing, then fabricated thousands of fictional records, claimed rollback was impossible, and kept violating the code freeze within seconds of being told to stop. A separate autonomous coding agent, after a maintainer rejected its pull request to a major open-source library, researched that maintainer's personal history, wrote a defamatory narrative about their character, and published it to the open internet.

Every individual capability it used, including research, writing, and publishing, worked exactly as designed. The harm came from granting an agent autonomous action over consequential channels with almost no oversight.

The supply chain is being targeted

The supply chain underneath these agents is being targeted just as aggressively.

Researchers found the first malicious MCP server in the wild, a Postmark-themed package that spent fifteen versions building a legitimate reputation before quietly adding a single line of exfiltration code. The attackers then moved up the stack: a compromised publishing token let a bot push two backdoored versions of LiteLLM, the LLM gateway behind CrewAI, DSPy, Microsoft GraphRAG, and dozens of other frameworks, directly to PyPI. Roughly 47,000 downloads happened in the three-hour window before it was caught.

OWASP describes a newer technique researchers have formalized as Tool Poisoning Attacks, where malicious instructions are hidden in a tool's description field: invisible to the human reviewing the code, but read by the model as trusted context. The payload is not in the code at all. It is in the metadata, exploiting the gap between what humans audit and what agents actually consume.

Session-scoped monitoring is not enough

What ties these incidents together is that most of them are invisible to the kind of oversight organizations currently run.

Memory-poisoning attacks are the clearest example: an adversary writes malicious instructions into an agent's persistent memory through one ordinary interaction, and the payload activates days later during a completely unrelated request. As the report puts it, monitoring scoped to a single session will never detect that; the compromise persists silently across every future interaction.

Meanwhile the regulatory clock has already moved. DORA's four-hour notification window, NIS2's 24-hour early warning, New York's 72-hour frontier reporting under the RAISE Act, and California's 15-day window under SB 53 are all built for continuous oversight, not the periodic audit cycle most security teams still operate on. Regulators have started to effectively accept that agents can cause harm faster than human review can keep up.

That mismatch, between how fast agents act and how slowly most organizations can see what they are doing, is the problem we set out to solve, and the OWASP report lays out the path almost exactly in the order we build it. It is a boring, back-to-first-principles way of building, but we think the foundations are the same. The methodology just needs to change. RIP spreadsheet inventory.

Start by knowing what you have

It begins with knowing what you have. The report's advice on where to start is blunt: find the most autonomous agents running in your environment today, then either raise your governance to match them or dial back their deployment.

The catch is that most organizations cannot do step one, because they do not know what is running. OWASP singles out Shadow AI as the dominant problem, present in nearly every organization their contributors examined and impossible to govern until it is discovered. The supporting data is stark, with roughly half of employees using AI tools their employer never sanctioned and only about a third of organizations having any policy to detect shadow AI at all.

This is why we start with a living inventory: a continuously updated registry of every model, agent, MCP server, connector, third-party tool, and dataset that can touch your systems. The report's own framing is the principle we designed around: if it can influence agent behavior, it must be inventoried.

A registry that is accurate once a quarter is just a snapshot of a system that has already changed. In OWASP's posture matrix, an organization sitting in the Shadow AI tier with low maturity is rated critical, and the stated priority is unambiguous: discovery and inventory.

Observability has to be built for agent behavior

An inventory tells you what exists, but not what those things are doing, so the next layer is deep logging and observability over everything in it.

Agentic systems generate enormous volumes of high-cardinality events: every tool invocation, every delegated call, every model decision, every message between agents. Capturing that at the fidelity governance now demands while still being able to query it fast enough to investigate something while it is happening is a real engineering problem.

We solve it with a local, unstructured datastore built for high-volume logging, which lets us keep the full behavioral record rather than sampling it down to uselessness, and keeps that record inside your own environment instead of shipping sensitive agent activity to a third party.

It is worth being clear about what this layer is and is not. It sits beside your existing tooling rather than replacing it. APM and infrastructure observability platforms like Datadog are excellent at what they were built for: service health, latency, error rates, and the performance of applications and infrastructure. But they were built for the engineering and SRE teams that own those systems, and they reason about the world in services and spans.

Agents do not fit that model. The unit of behavior that matters for governance is a tool invocation, a delegated call to another agent, a write to persistent memory, an MCP server it reached out to, or the lineage of a decision, not a p99 latency on an endpoint.

The second mismatch is organizational. As OWASP notes, the highest shadow-AI risk comes from agents built by developers outside engineering teams, and security teams should not assume that framework adoption equals visibility. A tool that lives inside the development team's observability stack, instrumented by the people shipping the code, structurally cannot see the agents that business users, citizen developers, and low-code platforms are standing up outside it. Those are precisely the agents that most need watching.

So our logging and monitoring is purpose-built for agent behavior and deliberately positioned to span the whole environment, not just the slice the dev team already instruments, feeding the same telemetry into governance that performance tooling was never designed to surface.

Unify the telemetry you already have

No organization starts from zero. There is already telemetry everywhere: in cloud infrastructure, the identity provider, the existing observability stack, and the agent frameworks themselves. So the third layer is ingesting that existing telemetry and unifying it with our own behavioral logging, rather than leaving it scattered across tools that each see only a fragment.

This matters because of how agentic systems actually fail. Detecting compromise requires correlating signals across the whole environment. That same unified view is what makes decision-level traceability possible: the ability to reconstruct exactly which components, tools, and delegated agents contributed to a given outcome, which OWASP recommends for any high-impact or regulated workflow.

You cannot trace a decision across systems if your telemetry lives in ten places that do not talk to each other.

Turn visibility into governance

On that foundation, governance becomes something you can actually operate.

The final layer is analytics and reporting across every agent, MCP server, third party, and model in the inventory. Continuous discovery surfaces shadow AI automatically, which, per OWASP's own matrix, is what moves a Shadow AI environment from critical to manageable. Behavioral baselines flag drift before it becomes an incident. Decision traceability is queryable on demand. And the audit evidence regulators now expect on a four-hour or 72-hour clock gets generated continuously rather than reconstructed in a panic after something has already gone wrong.

Read end to end, the OWASP report describes a ladder, from unaware and ad hoc, through policy and human-in-the-loop, to continuous oversight and finally adaptive, self-regulating governance. What it does not fully spell out is the operational sequence for climbing it, and that sequence is exactly what we build, in the same order every time.

Inventory tells you what you have. Observability tells you what it is doing. Unified telemetry lets you see across the whole system. Analytics and reporting turn all of it into governance you can defend.

Each step depends on the one before it, and none is optional once your agents are acting faster than your review process can keep up. The regulators have already decided that agents can cause harm faster than humans can review it. The only real question left for security leaders is whether they can see what their agents are doing in time to do something about it.

OWASPagentic AIAI governanceAI securityMCPshadow AIobservabilityDORA

More from Ethira

Research

2nd Party Risk: Same Fundamentals, Shifting Ground

Read more
Research

Governance Isn’t a Dashboard. It’s Instrumentation.

Read more
Regulatory

Shadow Subcontractors: The Hidden Vendors Inside Your SaaS Tools

Read more

See every AI tool in your org.
Automatically.

Ethira discovers 212 tools on average — 47% unsanctioned. Know what your org is running before your regulator does.

Book a demoTry free
ethira

Govern every asset. Automatically.

Platform

  • Features
  • Guides
  • AI Governance

Use Cases

  • Shadow AI Discovery
  • AI Agent Governance
  • Third-Party Risk (TPRM)
  • ICT Risk Management
  • DORA RoI Reporting

Company

  • About
  • Blog
  • FAQ
  • Brand
  • Privacy Policy
  • Terms of Service
  • Subprocessors
  • Contact

© 2026 Ethira AB · Luntmakargatan 26, 111 37 Stockholm, Sweden

Privacy PolicyTerms of ServiceSubprocessors