For two years the conversation about securing generative AI has been a sidebar at every major security conference: a track here, a panel there, a vendor booth promising to "secure your LLM." At Infosecurity Europe 2026, OWASP decided the sidebar deserved its own room. On Thursday, June 4, at ExCeL London, the OWASP Gen AI Security Project ran a dedicated half-day GenAI Security Summit, pulling project leaders, practitioners, and regulatory voices into a single program built entirely around one question: how do you secure systems that no longer just answer prompts but take actions on their own?
That framing matters. The stakes have shifted. A chatbot that hallucinates is an embarrassment. An autonomous agent with tool access that gets goal-hijacked is an incident. The summit was OWASP's clearest signal yet that the community's center of gravity has moved from model-level risks to agentic ones, and the announcements made there are worth a sober read rather than a press-release skim.
From LLM Top 10 to Agentic Top 10
The summit didn't appear out of nowhere. It sits on top of a year of fast-moving OWASP output. The OWASP Top 10 for LLM Applications 2025 codified the model-layer risks most teams now recognize: prompt injection, insecure output handling, training data poisoning, sensitive information disclosure, and excessive agency among them. That list did real work in giving security teams a shared vocabulary.
But the LLM Top 10 was always scoped to the model. In December 2025, OWASP published the Top 10 for Agentic Applications for 2026, developed with input from a large body of contributors across the research and vendor community. The distinction it draws is the one the summit kept returning to: agentic systems inherit every model-level risk and then add entirely new classes that come from autonomy, tool integration, multi-agent coordination, and persistent state. The agentic list names risks like agent goal hijacking, tool misuse and exploitation, and memory and context poisoning. None of those are "the model said something wrong." They are "the system did something wrong, repeatedly, with credentials."
If you read only one thing out of the summit's source material, read both lists side by side. The LLM Top 10 tells you what can go wrong inside the box. The Agentic Top 10 tells you what goes wrong when you give the box a hand, a wallet, and a to-do list.
The Agentic Research Council
The headline announcement was the formation of the Agentic Research Council. According to Infosecurity Magazine's reporting from the event, OWASP positioned the council as a coordinated research effort meant to close the widening gap between how fast agentic capabilities are shipping and how slowly conventional security research and standards move.
That gap is real, and naming it honestly is the most useful thing the council can do. Frameworks like the LLM Top 10 worked because they crystallized consensus that already existed in scattered form. Agentic systems do not have that luxury. The attack surface is changing month to month: new orchestration patterns, new tool-calling conventions, new memory architectures, each shipping before anyone has finished writing down how the last one breaks. A standing research body that can publish faster than an annual list is the right structural answer, assuming it actually publishes and does not become another mailing list.
I will reserve judgment on impact. Councils are easy to announce and hard to sustain. The thing to watch over the next two quarters is throughput: concrete threat models, reference architectures, and test methodologies, not position statements. OWASP's track record on the LLM side suggests they can deliver. The agentic problem is harder.
A Maturity Framework for Agentic AI Security
The summit also introduced an Agentic AI Security Maturity Framework. Maturity models get an eye-roll in some circles, and often deserve it, but this one lands at a useful moment. Most organizations deploying agents today cannot answer a basic question: are we doing this well, or are we just doing it? A maturity model gives a CISO a defensible way to say "we are at this stage, here is what the next stage requires," which is exactly the language that gets budget approved.
The honest caveat is that maturity frameworks are only as good as the controls they map to, and agentic controls are still being invented. A maturity ladder for something with no settled bottom rung risks measuring conformance to practices that are themselves unproven. The framework is best read as a structured set of questions to ask, not a certification to chase. Used that way, it is genuinely helpful for prioritizing where to spend limited security attention.
Why a Dedicated Summit, and Why Now
It is fair to ask whether GenAI security needed its own forum or whether this is conference economics dressed up as a movement. Having watched the agenda focus, I think the dedicated format earned itself. The summit's stated scope covered real-world risks, emerging agentic threats, and European regulatory developments shaping AI security strategy, with an audience pitched at CISOs, security architects, AI product leaders, and compliance professionals. That regulatory thread is the part a US-centric reading tends to miss. The EU AI Act and adjacent rules are turning "secure your agents" from a best practice into a documentation-and-evidence obligation, and a European venue is the right place to work that out.
The deeper reason now is the right time is that agents have crossed from demo to deployment. Shadow AI is no longer someone pasting code into a chat window; it is an autonomous workflow someone wired up over a weekend with a tool that can write to production. Prompt injection stops being a parlor trick the moment the injected instruction can call an API with real permissions. The summit treated these as operational problems with owners and budgets, which is the correct altitude.
What Practitioners Should Actually Do
Strip away the announcements and the practical takeaway is unglamorous. Inventory your agents and the tools they can call, because you almost certainly have more of both than you think. Map your agentic deployments against the 2026 Agentic Top 10 the way you already map applications against the API and web lists. Treat agent tool access like privileged access, because that is what it is. And build verification around agent behavior rather than trusting the model's output by default, since the model is now the least predictable component in a chain that touches your real systems.
The summit's framing, that agentic systems inherit model risks and add their own, is the mental model to keep. You do not get to stop worrying about prompt injection because you moved up the stack. You inherit it, and then you add goal hijacking, tool misuse, and memory poisoning on top.
How Safeguard Helps
Safeguard was built for exactly the layer the summit kept circling: the orchestration and verification layer that sits above the model, where reliability actually lives. Our Multi-Agent TAOR Deep Think AI Engine runs findings through multiple verifying agents rather than trusting any single model pass, which is the same defense-in-depth logic OWASP's agentic work argues for, and it materially cuts false positives. The platform is model-agnostic by design, so OpenAI Daybreak, Anthropic Mythos, or your own model plug in as interchangeable components while policy gates, AIBOM/ML-BOM inventory, and provenance attestation give you the agent-and-tool visibility the Agentic Top 10 demands. If you are trying to turn the summit's frameworks into something you can operate, reach out and we'll walk through it.