Hundreds of Copilot agents discovered during a single enterprise security assessment, none of which the security team knew existed. No inventory. No owner assignments. No visibility into what data those agents had accessed. The OWASP agentic AI threat model existed. The governance program did not.
OWASP's emerging agentic AI guidance is the most useful framework for security engineering teams because it names specific attack mechanics, not just risk categories. Here are the five vulnerabilities that matter most operationally, with the mechanism behind each.
1. Excessive Agency This is the foundational risk. An agent is granted more permissions, capabilities, or autonomy than its task requires. The mechanism: when an agent holds broad OAuth scopes or elevated service account credentials, any downstream action it takes, including unintended ones, executes at that full privilege level. Most agents in enterprise SaaS environments are over-permissioned. The blast radius of a single misconfigured agent scales with every permission it holds. You can read more about how this plays out across platforms in our AI agent security risks breakdown.
2. Permission Compromise An agent's credentials or tokens are stolen, leaked, or misused. The mechanism: agents authenticate using bearer tokens, OAuth grants, or hardcoded secrets. These credentials do not expire on their own. A disabled agent owner account does not revoke the agent's tokens. An orphaned agent continues operating with inherited credentials indefinitely. The Salesloft-Drift compromise affecting 700+ organizations exploited exactly this pattern: stolen bearer tokens from a third-party integration looked identical to legitimate traffic.
3. Tool Misuse An agent calls tools or executes actions outside its intended scope, either through manipulation or misconfiguration. The mechanism: agents connected to MCP servers or external APIs can invoke any tool those connections expose. If an agent has a connection to a file system tool and a database tool, nothing in the agent's configuration prevents it from chaining those calls in unintended sequences. Action chaining compounds the blast radius with every step.
4. Identity Spoofing and Impersonation An agent acts on behalf of a user or another system without proper authorization verification. The mechanism: in maker mode configurations, an agent uses its creator's credentials for every invocation, regardless of who the invoker is. A user without Salesforce access can invoke a Copilot agent built by a Salesforce administrator. The agent executes at admin privilege. The user extracts data they were never authorized to see. Your IAM controls were not bypassed. They were simply never consulted. Our Microsoft Copilot security coverage details how this plays out in production environments.
5. Goal and Instruction Manipulation An agent is manipulated into pursuing goals outside its intended design, often through crafted inputs. The mechanism: agents process instructions from multiple sources, including user input, connected tool outputs, and retrieved documents. A malicious instruction embedded in a retrieved document can redirect agent behavior. This is the confused deputy scenario at the instruction layer: the agent has elevated permissions and is being directed to use them for unauthorized purposes.
The remaining categories in OWASP's agentic AI guidance cover data integrity violations, resource and service abuse, cascading trust failures in multi-agent systems, inadequate logging and auditability, and supply chain compromise via third-party agent integrations. Each maps to a detection use case. None of them are automatically addressed by deploying an agent platform with default settings.
OWASP's guidance is the most operationally useful standard because it gives security teams a named vocabulary for what they are detecting. Every alert, every risk score, every escalation path benefits from a shared definition of the vulnerability being flagged.
The NIST AI RMF GenAI Profile provides an organizational operating model. Applied to agentic AI, each function maps to a specific operational requirement.
Govern covers the policies, accountability structures, and lifecycle management processes for AI agents. In practice: who owns each agent, what approval process exists before an agent is deployed, and what happens when an agent's creator leaves the organization. Orphaned agents, where the creator account is disabled but the agent continues running with inherited credentials, are a direct failure of the Govern function. AI agent governance requires assigning ownership before deployment, not after an incident.
Map covers identifying and cataloging AI assets, their connections, and their potential impacts. In practice: building a complete inventory of every agent in your environment, every MCP server those agents connect to, and every SaaS application those connections reach. Enterprise inventories routinely surface thousands of agents created before any inventory existed and hundreds of Copilot agents that no one had catalogued. The Map function cannot be satisfied by a spreadsheet or a manual UI review across each platform.
Measure covers assessing and quantifying AI risk. In practice: risk scoring individual agents based on their configuration, permissions, and usage patterns. The most operationally useful measurement approach identifies toxic combinations, where multiple risk factors on a single agent create compounding, critical-priority risk that individual factor scoring would miss. An agent that is org-wide accessible is medium severity. An agent that is org-wide accessible, running in maker mode with admin credentials, and connecting to an unsanctioned domain is critical. See how toxic risk combinations change the severity calculus.
Manage covers responding to identified risks. In practice: deterministic guardrails that enforce least privilege at runtime, incident response playbooks for agent-related events, and integration with existing ticketing and escalation workflows. The Manage function is where the gap between advisory frameworks and operational controls is widest.
Security teams following every published framework can still have zero visibility into what their agents are actually doing. Standards describe what to govern. They do not tell you how to detect a violation in real time.
The runtime gap is the most significant. Every framework discussed above operates at the level of configuration, policy, and documentation. None of them operationalizes runtime enforcement. An agent configured correctly according to your ISO 42001 documentation can still execute a privilege escalation at runtime if the effective authority it holds inside a connected SaaS application exceeds what its theoretical configuration suggests. Configuration is not reality. Runtime truth is what the agent actually did, what data it touched, and whether any of that was policy-aligned.
The detection gap follows directly. Standards describe what controls should exist. They do not specify what a violation looks like in a log, what telemetry to collect, or how to distinguish legitimate agent behavior from a compromised agent executing an action chain. Security teams ghost chasing theoretical configuration risks without runtime evidence are not producing governance. They are producing documentation.
The toxic combination gap is specific to how most frameworks score risk. They assess individual factors in isolation. A single over-permissioned agent is a medium finding. An orphaned agent with public access and a maker mode connection to a sensitive data store is a critical incident waiting to happen. No current standard provides a methodology for identifying these compounding risk states across an agent population.
Bridging standards to operational controls requires four capabilities. Security teams that build these four capabilities simultaneously satisfy the core requirements of OWASP, NIST AI RMF, ISO 42001, and EU AI Act without treating each framework as a separate compliance project.
Capability 1: Agent Inventory You cannot govern what you cannot see. Build a complete, continuously updated inventory of every agent in your environment, including who created it, what platforms it runs on, what connections it holds, and whether the creator account is still active. This satisfies the NIST Map function and the ISO 42001 asset management requirement. It also surfaces orphaned agents and shadow agents that no existing tool is tracking. SaaS AI agent security starts with knowing what you have.
Capability 2: Runtime Visibility Move from theoretical configuration to effective authority. Map what each agent can actually do inside each connected SaaS application after all entitlements resolve. This is the capability that closes the runtime gap no standard currently addresses. Runtime visibility shows you what actually happened, not what the configuration says should have happened.
Capability 3: Deterministic Guardrails for Probabilistic Agents AI agents are probabilistic by design. Your access controls cannot be. Deterministic guardrails enforce fixed, predictable rules on dynamic agents: blocking unauthorized tool calls, flagging maker mode privilege escalation, and preventing action chaining sequences that exceed authorized scope. Probabilistic agents require deterministic guardrails. This is not a philosophical position. It is the only architecture that produces consistent enforcement outcomes. Runtime guardrail enforcement is generally available on Microsoft Copilot today, with expanded platform coverage on the roadmap.
Capability 4: Machine Identity Governance AI agents are non-human identities. They hold tokens, credentials, and OAuth grants like human insiders, but no existing insider risk program covers them. Machine identity management for agents means tracking credential provenance, enforcing token lifecycle policies, and detecting when an agent's effective authority exceeds its intended scope. This closes the machine insider risk gap that every framework acknowledges but none operationalizes. Our AI agent risk assessment provides a structured starting point.
Concrete starting steps for security teams in 2026:
OWASP's agentic AI guidance gives you the vocabulary. The NIST AI RMF gives you the operating model. The four capabilities above give you the controls. None of them work without runtime visibility into what agents are actually doing.
The standards landscape for agentic AI governance is real, active, and increasingly consequential. OWASP's agentic AI guidance is the most operationally useful framework available to security teams right now. NIST AI RMF provides the organizational structure. ISO 42001 provides the management system. The EU AI Act provides the regulatory floor.
None of them close the runtime gap on their own.
Security teams that treat standards compliance as the goal will produce documentation. Security teams that use standards as the vocabulary for building operational controls will produce governance. Start with inventory. Move to runtime visibility. Enforce deterministic guardrails. Govern machine identities. That sequence satisfies multiple frameworks simultaneously and produces a program that can actually answer the question your board will ask: what are your agents doing right now, and how do you know?
Explore how Obsidian approaches AI agent monitoring tools and AI agent protection to see these capabilities applied across production environments.
OWASP's agentic AI guidance catalogs the highest-risk vulnerability categories specific to autonomous AI agents. It covers risks including excessive agency, permission compromise, tool misuse, identity spoofing, and goal manipulation. It is the most operationally specific standard available to security teams in 2026 because it names attack mechanics, not just risk categories.
The OWASP LLM Top 10 focuses on vulnerabilities in large language model applications. OWASP's agentic AI guidance addresses risks specific to autonomous agents that take multi-step actions using tools and credentials. Excessive agency is foundational to both, but the agentic guidance extends significantly into identity, permission, and action chaining risks that the LLM Top 10 does not cover.
ISO 42001 and NIST AI RMF address overlapping concerns but are not interchangeable. ISO 42001 is a certifiable management system standard. NIST AI RMF is an advisory framework with a Govern/Map/Measure/Manage structure. Achieving ISO 42001 certification demonstrates an AI management system is in place. It does not automatically satisfy NIST AI RMF requirements, which require specific risk identification and measurement processes that may go beyond ISO 42001 scope.
The EU AI Act applies to AI systems classified as high-risk under its Annex III categories, which include systems used in critical infrastructure, employment decisions, and law enforcement contexts. High-risk AI systems must meet transparency, documentation, human oversight, and accuracy requirements. AI agents operating in these contexts must have documented risk management processes, technical documentation, and human oversight mechanisms. Enforcement timelines are phased through 2026 and 2027.
Start with manual inventory: document every agent in your environment, its creator, its connections, and its permission scope. Map each agent against the top five vulnerability categories. Flag any agent running in maker mode, any orphaned agent, and any agent with public or org-wide access. This produces a risk-prioritized remediation list without requiring a dedicated platform. The limitation is scale: manual inventory fails at hundreds of agents, which is where most enterprises already are.