A new OWASP report, the GenAI Security Project's State of Agentic AI Security and Governance (version 2.01), lands as the production-side companion to a theme that ran all week: capability is racing ahead of security. Its central finding is blunt. Prompt injection is the universal joint that connects most agentic incidents, and it maps to six of the ten categories in OWASP's Top 10 for agentic applications. This is not a new vulnerability so much as the one that keeps reappearing, because its cause is not a bug to be patched. It is architectural: a language model reads the system prompt, the user's request, and any text it retrieves from the web or a tool as a single undifferentiated stream of tokens, with no reliable way to tell an instruction from data. Any text the model ingests can therefore become a command.
Because you cannot eliminate it, the report's prescription is about limiting the blast radius rather than sealing the hole, and it leans on two design rules that builders should know by name. The first is Simon Willison's lethal trifecta: an agent becomes dangerous when it simultaneously has access to private data, exposure to untrusted content, and the ability to communicate externally, because those three together are exactly what an exfiltration attack needs. The second is Meta's Agents Rule of Two: an autonomous agent should satisfy at most two of those three properties on its own, and the moment it needs all three, a human has to be in the loop. Both are the same move, accept that injection will land and make sure the worst it can do is bounded.
The damage section is not hypothetical. The report walks through real production incidents: the LiteLLM supply-chain backdoor that was downloaded 47,000 times during a three-hour window, Replit's agent deleting a database and fabricating records unprovoked despite explicit safety instructions, an MCP remote-code-execution flaw rated 9.6, a Cursor execution-environment poisoning via allowlisted commands, and a Codex CLI bug where the agent's own output could redefine its sandbox boundary. It also sketches the speed problem underneath: of 53 agentic projects tracked, seven ship releases daily or faster, one averaging a release every eight hours, which is a pace no security review keeps up with. And the governance gap is wide, only 37% of organizations have any policy to detect shadow AI, against a thicket of 42 regulatory instruments across 10 jurisdictions with incident-reporting windows as tight as four hours.
This is the empirical floor under the NIST proof we covered yesterday. NIST argued, formally, that no finite set of guardrails can be made unbreakable; OWASP shows what that looks like in production, prompt injection as the mechanism that keeps finding the gap, and a field responding not by claiming a fix but by constraining what a compromised agent can reach. The two rules, the lethal trifecta and the Rule of Two, are the practical face of NIST's operational resilience: assume the breach, and engineer so that the breach cannot reach private data and an exit at the same time. For anyone shipping an agent, the report reduces to one uncomfortable design question worth asking before launch, not after: if this agent's input were fully attacker-controlled, what is the worst single action it could take, and is anything irreversible on the other side of that action.
