Our Series 1 through Series 4 research established that agentic AI failures are predominantly protocol-level architectural problems — vulnerabilities embedded in the trust assumptions of the systems agents operate within, not configuration defects that hardening alone can resolve. This readout synthesizes five OWASP documents and the NIST CAISI AI Agent Standards Initiative published between late 2025 and April 2026: the OWASP Top 10 for Agentic Applications 2026, the Agentic AI Threats and Mitigations Guide, the AI Security Solutions Landscape Q2 2026, the MCP Security Cheat Sheet, and the AI Agent Security Cheat Sheet. The structural gap analysis and maturity framing in this piece represent Luminity’s analytical contribution, grounded in the Q1 2026 research corpus, and are not drawn from any single external framework.
OWASP compliance has become the table stakes of enterprise AI deployment. AWS, Microsoft, Salesforce, Google — every major platform now publishes an OWASP mapping for its AI products. Security teams run the assessment. Procurement teams ask for the attestation. Vendors cite the categories. The frameworks have achieved institutional recognition at a pace that few technical standards accomplish, and for good reason: the standards bodies have been doing serious, sustained work for over a year, and the frameworks they have produced address real problems with real analytical depth.
And then there is the compliance meeting where someone says, “We’ve mapped to OWASP — we’re covered,” and the room moves on. That moment is what this readout is about. Not to undermine the frameworks — they are necessary and practitioners who have not engaged with them should do so immediately. But because the gap between an OWASP-mapped deployment and an architecturally secure one is specific, documentable, and consequential. Understanding where the standards layer ends is not optional context. It is the practitioner’s working position.
Security experts, researchers, and practitioners contributed to the peer-reviewed OWASP Top 10 for Agentic Applications 2026 — a framework already adopted as a reference standard by Palo Alto Networks and Microsoft Copilot Studio. The Agentic Security Initiative (ASI) taxonomy it establishes gives enterprise teams the shared vocabulary for evaluating risk and assessing vendor claims that has been missing from agentic AI security discussions.
What the Standards Layer Has Built
The OWASP GenAI Security Project has produced a coherent ecosystem of frameworks over the past year, each addressing a different layer of the agentic AI security problem. Reading them as a system — rather than as separate documents — is how practitioners extract their full value.
The OWASP Top 10 for Agentic Applications 2026 is the vocabulary document. Its ten ASI risk categories give enterprise teams a shared language for evaluating risk, writing requirements, and holding vendors accountable. When a vendor claims their product addresses agent goal hijacking, ASI01 gives you the documented preconditions, attack paths, and mitigation requirements against which that claim can be evaluated. That coordination function matters: it closes an interpretive gap that has made agentic AI security conversations inside organizations persistently unproductive.
The ASI Risk Framework — Ten Categories Across the Full Attack Surface
ASI01 (Agent Goal Hijacking) and ASI09 (Advanced Prompt Injection) address instruction subversion — how agents are redirected from their authorized objectives. ASI03 (Identity and Privilege Abuse) and ASI07 (Insecure Inter-Agent Communication) address trust propagation — how authority bleeds across agent boundaries. ASI04 (Supply Chain Vulnerabilities) addresses the tool and skill ecosystem beneath the agent. ASI08 (Cascading Failures) addresses blast radius in multi-agent architectures. Each category includes mitigation guidance grounded in both research and deployed practice — and each maps to the attack vectors this corpus has documented empirically across six series.
The Agentic AI Threats and Mitigations Guide provides the threat-model depth the Top 10 summarizes. It maps attacker capabilities, preconditions, and exploitation paths to each risk category — the document to use when building a threat model for a specific deployment rather than evaluating overall posture.
The AI Security Solutions Landscape Q2 2026 addresses procurement. Updated quarterly, it maps the current market of open-source and commercial tools to agentic AI lifecycle stages from development-time scanning through runtime enforcement to incident response. For security teams evaluating vendors or building out an agentic security stack, it provides a structured view of what exists and where categories remain sparse.
The OWASP Cheat Sheet Series has also matured significantly in this space. The MCP Security Cheat Sheet — published within the past month — addresses tool poisoning, rug pull attacks, tool shadowing, the confused deputy problem, and data exfiltration via legitimate channels with concrete implementation guidance. The AI Agent Security Cheat Sheet covers prompt injection, tool abuse and privilege escalation, memory poisoning, cascading failures, and supply chain attacks with code-level patterns. These are practitioner resources, not policy documents — they are the implementation layer of the standards framework, and they belong in every agentic AI development workflow.
The standards bodies have done the field a genuine service. The question is not whether to use these frameworks — it is whether to mistake them for a destination.
— Luminity Digital synthesis, April 2026What NIST Has Added
NIST’s contribution operates at the policy and compliance layer. The CAISI AI Agent Standards Initiative, launched February 2026, is building the infrastructure that organizations operating under NIST-aligned compliance frameworks will need. Its three pillars are industry-led standards development, open-source protocol development building on MCP and A2A baselines, and fundamental research on agent authentication, identity, and security evaluations.
Attack attempts from 400+ participants against 13 frontier models — with at least one successful attack found against every target model — from NIST’s red-teaming competition conducted in partnership with Gray Swan, the UK AI Security Institute, and frontier model laboratories. Vulnerability rates did not correlate uniformly with model capability. No model was immune.
The most immediately relevant NIST deliverable for enterprise practitioners is the SP 800-53 control overlays for agentic systems, currently in development. These overlays will translate NIST’s established control framework into specific guidance for agentic deployments — giving organizations operating under existing NIST compliance requirements a defined path to agentic AI alignment. The NCCoE concept paper on AI agent identity and authorization, with a public comment period that closed April 2, 2026, directly addresses the authentication gap the research corpus has documented at scale.
The RFI findings are also worth attending to. Practitioners encountering real governance failures — authorization boundaries that do not hold, tool invocation chains executing without adequate verification — submitted comments that will shape the overlays as they develop. The standards process is incorporating production deployment data, not only theoretical attack models.
What the Standards Layer Covers Well
Three things the standards ecosystem now provides that practitioners have not previously had for agentic AI.
First, a shared risk vocabulary that closes the coordination problem. Before the ASI taxonomy, conversations about agentic AI security inside organizations consistently broke down at the vocabulary level — with different teams using different terms for the same vulnerabilities, and no authoritative reference to resolve disagreements. That problem has a solution now.
The current standards layer’s most significant contribution is interpretive infrastructure. It does not close the protocol-level vulnerabilities the research corpus has documented. It gives practitioners the vocabulary to identify them, categorize them, and hold vendors accountable for addressing them. That is not a small thing.
Second, procurement navigation. Knowing that supply chain attacks are real (ASI04) and that tool poisoning is well-documented does not tell a security team which available tools address that risk. The Solutions Landscape maps the market. The cheat sheets provide implementation baselines. Together they give a security team starting coordinates for vendor evaluation and internal build decisions.
Third, an institutional compliance roadmap. The NIST SP 800-53 overlays in development will give organizations operating under existing compliance frameworks a defined path to agentic AI alignment. The standards bodies are building the infrastructure that makes agentic AI security auditable — not just defensible in principle.
Where the Checklist Passes and the Agent Fails
The title of this readout is not a critique of the standards bodies. It is a description of the structural boundary every compliance framework has — and that the OWASP and NIST frameworks share with every well-designed standards document that has preceded them. A fully compliant deployment can execute the wrong action, in the right way, with complete audit trail, perfect authentication, and zero policy violations recorded.
Compliance answers: is the agent who it claims to be, and can it do what it is attempting? It does not answer: should the agent be doing what it is about to do, given the objective it was authorized to pursue? That second question is not what the standards frameworks are designed to address — and the research corpus is specific about why that gap exists and where it lives.
Application-Layer Controls
- ASI risk taxonomy — shared vocabulary for threat modeling and vendor evaluation
- Threat model depth — attacker capabilities, preconditions, exploitation paths
- Procurement navigation — market map of tools by lifecycle stage
- MCP implementation baseline — tool poisoning, rug pulls, confused deputy, OAuth scoping
- Agent architecture baseline — injection, memory isolation, tool privilege scoping
- NIST control framework mapping — SP 800-53 overlays in development
Protocol-Layer Gaps
- Agent identity verification: 100% of scanned MCP servers lack cryptographic authentication (AIP, arXiv:2603.24775)
- Protocol composition failures: 20 of 21 security invariants break when agent protocols combine (AgentRFC, arXiv:2603.23801)
- Memory control flow attacks: >90% of agents vulnerable through standard user interaction (arXiv:2603.15125)
- Supply chain implicit payloads: 11–33% bypass rates against application-layer defenses (arXiv:2604.03081)
- Tool schema binding: no MCP protocol standard for cryptographic schema verification exists
Each item in the right column traces to a structural property of the current protocol layer. AgentRFC found that 20 of 21 security composition invariants break when agent protocols are combined — a failure that no application-layer checklist can close because it is a protocol design property. The AIP research documented that 100% of scanned MCP servers lack cryptographic authentication — an absence the MCP Security Cheat Sheet correctly names as a requirement but cannot enforce because authentication standards for MCP servers do not yet exist at the protocol level. Memory Control Flow Attacks achieve greater than 90% success against frontier models through standard user interaction — the AI Agent Security Cheat Sheet’s memory isolation guidance is sound and necessary, and it does not prevent this attack class because the attack operates at a layer the application controls cannot fully reach.
These are not failures of the standards. They are the designed boundary of what standards can accomplish without corresponding protocol-layer changes. OWASP and NIST are building the application-layer controls correctly. The protocol-layer architecture is still being designed.
A Note on Vendor OWASP Mappings
Every major platform — AWS, Microsoft, Salesforce, Google, and dozens of others — now publishes OWASP mappings for its AI products. These mappings are legitimate documentation of application-layer controls. They address what the standards address. The structural gaps above the standards layer are not present in those mappings — not because vendors are being evasive, but because the standards framework the mappings reference does not cover that layer. The mapping passes. The protocol gap remains.
The Practitioner’s Working Position
These frameworks are required reading, not optional context. The ASI taxonomy belongs in every enterprise threat model. The MCP Security Cheat Sheet is the baseline review document for every MCP server deployment. The Solutions Landscape should inform every agentic security vendor evaluation. The NIST SP 800-53 overlays, when released, should be integrated into compliance programs immediately.
The organizations that treat OWASP compliance as a destination will have something valuable: a defensible minimum bar, a shared vocabulary, and a documented audit trail. What they will not have is a closed attack surface. The structural gaps above the standards layer require the same architectural discipline the standards layer brought to the application layer — applied one level down, at the protocol, and one level up, at the behavioral governance layer where agent intent meets organizational authorization.
Use OWASP to establish the minimum bar and evaluate vendor claims against it. Use NIST to plan compliance alignment. Use the research corpus to understand why the structural gaps the standards name have not yet been closed — because the protocol-layer architecture is still being designed. Understanding the gap is what allows you to build the right controls above it.
The standards bodies are building toward a more complete picture. The current frameworks are a starting point, not a ceiling. Reading them precisely — acknowledging what they accomplish and being honest about where they stop — is how practitioners make them useful rather than how they get misled by a false sense of coverage.
If you are working through how these frameworks apply to a specific agentic deployment — mapping the ASI categories to your architecture, evaluating vendor claims, or planning the control layer above the OWASP minimum bar — the Luminity team is available for a focused conversation.
Series 11 — The Standards Layer — will track the development of NIST’s SP 800-53 agentic overlays, the NCCoE agent identity and authorization framework, and the protocol-level standards work as it matures. Coming later in 2026.
