OWASP Says the Quiet Part Out Loud: Prompt Injection May Never Be Fixed, So Govern What Your Agents Do, Not Just What They Read
The OWASP GenAI Security Project has published version 2.01 of its State of Agentic AI Security and Governance report, and the change from last year's edition is the story: the 2025 report cataloged plausible threats; the 2026 edition catalogs CVEs, vendor advisories, and breach reports that already happened. Prompt injection now maps to six of the ten OWASP Top 10 categories for agentic applications, and the report's underlying finding is uncomfortable: large language models have no reliable way to distinguish commands from data, which means the flaw may be permanent. A backdoored release of the popular LiteLLM library was downloaded roughly 47,000 times in about three hours. When the input layer cannot be trusted and the supply chain moves at machine speed, the only durable control is validating what agents do before it takes effect.
Organizations betting on a future patch for prompt injection are betting against the architecture of the models themselves. The OWASP report documents the cost of that bet: a backdoored AI library downloaded 47,000 times in hours, a mail-server connector that turned malicious after 15 clean releases (CVSS 9.6), coding agents shipping updates faster than any review cycle, and per IBM only 37 percent of organizations with any policy to detect shadow AI. Industry surveys report 88 percent of organizations running agents have already had a confirmed or suspected incident while only 14 percent say every agent went live with full security approval.