AI Governance Institute


Standards · 2026-06-17

OWASP Agentic AI Report Flags Tool Poisoning and Multi-Agent Failures as Top Enterprise Governance Gaps

What happened

OWASP released the State of Agentic AI Security and Governance 2.0 on December 1, 2025, providing a global-scope practitioner reference on securing and governing autonomous AI systems. The report maps the current landscape of agentic AI frameworks, governance models, and applicable regulatory standards across jurisdictions. It specifically calls out tool poisoning, in which malicious or compromised tools manipulate agent behavior, and multi-agent coordination failures, where trust breakdowns between agents produce unintended or harmful outcomes, as the highest-priority emerging risks for enterprise deployments. OWASP advises compliance and security teams to abandon reliance on model-centric benchmarks in favor of system-behavior evaluation that assesses what the full deployed agent stack actually does at runtime. The report is positioned as a deployment safety and compliance architecture guide for organizations already running or planning to run agentic AI in production environments.

Why it matters

  • Regulatory exposure: Existing AI risk frameworks, including the EU AI Act and emerging U.S. state laws, impose requirements on high-risk system behavior and auditability that agentic deployments may not satisfy under current model-only evaluation approaches, creating direct compliance gaps if system-level assessment is absent.
  • Operational impact: Tool poisoning and multi-agent coordination failures are runtime attack surfaces that existing pre-deployment testing programs are unlikely to catch, meaning organizations relying solely on pre-production validation may be operating agents with undetected behavioral vulnerabilities.
  • Organizational risk: The shift OWASP recommends from model benchmarks to system-behavior evaluation requires cross-functional coordination across security, compliance, and AI engineering teams, exposing governance programs that lack clear ownership of agentic AI risk as structurally unprepared for production-scale deployments.

Governance controls affected

What to do now

  • Audit current agentic AI deployments to determine whether evaluation coverage extends to full system behavior at runtime, not only to underlying model performance benchmarks.
  • Review tool and plugin inventories connected to deployed agents against the OWASP tool poisoning risk criteria to identify third-party integrations that lack integrity verification or provenance controls.
  • Map multi-agent architectures in production to confirm that trust hierarchies and delegation chains are formally documented and that agent-to-agent communication cannot be exploited to escalate permissions or bypass human oversight gates.
  • Update the AI incident response playbook to include agentic-specific scenarios, including tool compromise events and coordination failures between agents operating in the same workflow.
  • Assess whether the governance program assigns explicit ownership for agentic AI risk, including a named function responsible for ongoing behavioral monitoring post-deployment.

What to watch next

Compliance teams should monitor whether OWASP follows this report with updated entries to its Top 10 for LLM Applications that incorporate agentic-specific threat categories, as those lists are frequently cited by auditors and regulators as de facto testing baselines. Regulatory bodies including the EU AI Office and Singapore IMDA have both signaled active work on agentic AI governance guidance, and the frameworks they produce are likely to reference or align with OWASP's system-behavior evaluation posture. Organizations in sectors with existing algorithmic accountability requirements, including financial services and healthcare, should also watch for enforcement actions that cite inadequate runtime evaluation of agentic systems as a compliance deficiency, as this report sharpens the technical basis regulators have available to make such findings.