What happened
At the OWASP GenAI Security Summit during Infosecurity Europe (June 4, 2026), the OWASP GenAI Security Project introduced the Enterprise Adoption Maturity Model for agentic AI, drawn from its June 3 paper 'State of Agentic AI Security and Governance v2.01'. The model maps six agent deployment levels (AT0 shadow AI through AT5 custom in-house agents) against four governance maturity levels (ad hoc through continuous governance-as-code), producing a red/yellow/green matrix that flags where governance fails to match deployment. OWASP also announced the formation of an Agentic Research Council to coordinate ongoing security research for agentic systems.
Why it matters
Most organisations deploying agents are operating in the 'red cells' — shipping AT3–AT5 autonomous agents while still running AT1-grade governance designed for AI copilots. The maturity model provides shared language for threat modelling, procurement requirements, and audit criteria that consulting teams and CISOs can apply immediately to justify specific control investments or autonomy reductions.
Action needed
Plot your organisation's deployed agents on the OWASP deployment-governance matrix. Any agent in a red cell must either gain named-owner accountability, an AI-SBOM, real-time logging, and autonomy limits (to reach Level 2), or have its tool scope and permissions reduced until existing controls suffice.