TL;DR: Real enterprise incident data is shaping the OWASP Top 10 for Agentic Applications because theoretical models miss recurring threat patterns such as goal hijacking, rogue agents, cascading failures, and supply chain attacks, according to Zenity. The governance gap is that AI security frameworks built on static assumptions cannot keep pace with autonomous behaviour, where detection, accountability, and response must be designed around runtime action rather than policy intent.
NHIMG editorial — based on content published by Zenity: Seeing Thousands of Real Incidents Means I Have No Choice But to Share What I Know
Questions worth separating out
Q: How should security teams govern AI agents that can take actions on their own?
A: Treat the agent as an identity subject with runtime behaviour, not as a feature of the application.
Q: Why do agentic AI systems force security teams to rethink least privilege?
A: Because least privilege assumes the actor’s intent and access path are known at provisioning time.
Q: What do security teams get wrong about agentic AI detection?
A: They often look for single bad events instead of chained behaviour.
Practitioner guidance
- Define agent identity boundaries before deployment Document which AI agents can access which tools, datasets, and downstream services, then treat those boundaries as identity controls rather than application settings.
- Instrument agent sessions for multi-step behaviour Log prompts, tool calls, decision points, and downstream actions in one trace so analysts can reconstruct whether the agent stayed within intended scope.
- Map agent incidents to IAM and PAM controls Translate observed agent failures into access review, privilege assignment, and escalation controls so governance tracks real runtime behaviour instead of abstract model risk.
What's in the full article
Zenity's full article covers the operational detail this post intentionally leaves for the source:
- How Zenity translates real incident patterns into the OWASP Top 10 for Agentic Applications
- The researcher perspective on detection design, recall, and alert fatigue in enterprise AI security
- The role of community working groups, government conversations, and the Agentic Research Council
- Why the author believes incident sharing is necessary to make frameworks practical
👉 Read Zenity's commentary on real incident data shaping agentic AI security frameworks →
Agentic AI incident data is reshaping security frameworks?
Explore further
Incident-led agentic security is the only defensible way to build this category. Frameworks for agentic AI that are not grounded in repeated enterprise incidents will always lag the threat surface. Real operations reveal patterns such as goal hijacking, rogue actions, cascading failures, and supply chain abuse long before theory does. The practical conclusion is that AI security taxonomy must come from observed behaviour, not product architecture.
A few things that frame the scale:
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: Who is accountable when an AI agent causes unauthorized actions?
A: Accountability sits with the organisation that granted the agent access and defined its operating scope. If the governance model does not assign ownership for the agent’s data access, tool use, and escalation rights, the failure is organisational, not merely technical. That is why lifecycle ownership and review must be explicit from the start.
👉 Read our full editorial: Agentic AI security frameworks are being built from real incidents