Agentic AI is in production. The same transition that retrieval-augmented generation made in late 2023, from controlled demonstration to live incident, is now underway for autonomous agents. Agents that plan, execute multi-step tasks, write and run code, browse the web, manage files, and call external APIs are carrying legitimate access to sensitive systems. Traditional application security architectures were never designed to govern them. The Aigos Blueprint on Securing Agentic AI provides the most current framework available for security leaders who need to address this with architectural rigour rather than reactive patch management.
📄 Download the Full Blueprint: Securing Agentic AI
The Agentic Framework Landscape in 2026
Five agentic frameworks anchor the enterprise conversation. Each occupies a distinct position between developer tool and enterprise platform, between local execution and cloud orchestration. Their architectural differences are the security constraints defenders inherit.
Goose, backed by Block and governed by the Linux Foundation through AAIF, is the developer-focused framework positioned as the open-source counterpart to Claude Code. It runs as a local CLI agent with shell access and MCP-based tool extensions. Its security model relies heavily on user discretion. That is appropriate for trusted development workflows and a significant risk in enterprise environments where that assumption does not hold uniformly across operators.
OpenClaw is a local-first, open-source personal AI assistant, not an enterprise platform targeting regulated industries. It runs on the user’s own devices as a local Gateway daemon, responding through messaging apps such as WhatsApp, Telegram, Slack, and Discord. Docker is available as an optional sandbox backend for non-main agent sessions. There is no Kubernetes integration, no RBAC system, and no dedicated audit logging. Its security model uses a DM pairing and allowlist mechanism, appropriate for a single-user assistant but not an enterprise access control framework. By default, the main agent session has full host access. Any multi-user or remote exposure requires explicit sandbox and network configuration.
Hermes Agent is a self-improving agent that rewrites its own skill documents based on past failures. This persistent memory capability introduces governance challenges around memory poisoning and unauthorised capability expansion that no other framework in the current landscape has fully resolved, making it one of the most consequential frameworks for enterprise deployment.
Claude Cowork, Anthropic’s collaborative desktop assistant, occupies the human-in-the-loop position with an isolated VM workspace, a Sentry permission module with seven independent safety layers, and a Bring Your Own Cloud architecture that enables enterprise data residency compliance. Claude Code is the dominant CLI agent in software engineering workflows, distinguished by PreToolUse and PostToolUse hooks that attach security controls at critical boundaries in the agent execution loop.
The OWASP Top 10 for Agentic Applications 2026
Released in December 2025 after peer review by more than 100 industry experts, the OWASP Top 10 for Agentic Applications is the first industry-standard taxonomy dedicated to autonomous AI agent risks.
The three highest-impact risks sit at the boundary between model reasoning and system action. ASI01 (Agent Goal Hijack) describes how attackers manipulate an agent’s objectives through poisoned inputs: emails, PDFs, calendar invites, web content, RAG documents. The attack exploits the agent’s inability to reliably separate instructions from data. The EchoLeak incident involving Microsoft 365 Copilot in 2025, where a hidden email payload caused silent exfiltration of confidential content, is a documented production example.
ASI02 (Tool Misuse) covers scenarios where agents leverage legitimate capabilities, including file access, API calls, and code execution, for unintended purposes through adversarial manipulation or emergent behaviour. ASI05 (Code Execution and Sandbox Bypass) addresses agents that generate and execute code capable of escaping execution environment constraints. Both manifest at the pre-execution boundary where output filtering controls must operate.
The Principle of Least Agency and the Three Control Attachment Points
The OWASP framework’s foundational position is the principle of least agency: agents receive the minimum autonomy required for their intended task. This is the agentic equivalent of least privilege, paired explicitly with strong observability as the foundational defensive posture. Least agency without observability is blind constraint. Observability without least agency is surveillance of harm already in progress.
Every agentic framework runs the same fundamental loop: the agent reasons, selects an action, the system executes, the result returns to context, the agent reasons again. The Blueprint maps controls to three critical attachment points. Pre-execution output filtering examines what the agent is about to do before it does it, the natural point for blocking dangerous commands, tool calls, and file operations. Post-execution input redaction inspects tool outputs before they enter the next model request, preventing sensitive data from reaching the model provider’s infrastructure. Inter-agent boundary controls validate trust and content when agents communicate with each other, an increasingly important control surface as multi-agent architectures become standard.
A Layered Defence Architecture for Production
Tier 1 is a purpose-built classifier running locally in the millisecond range, calibrated for high recall on catastrophic outcomes and high precision on benign-looking commands. Tier 2 is a stateful correlation component maintaining a session-local view of agent actions. It catches multi-step attack patterns, reading credentials in one step and exfiltrating in the next, that single-command classifiers miss. Tier 3 is a deobfuscation preprocessor that handles encoding techniques before classification, closing the gap that allows attackers to evade pattern-based controls.
A fourth tier using LLM-based escalation for intent reasoning is available to organisations whose threat model justifies the added latency and cost. It is not load-bearing in the baseline architecture. The architectural commitment underlying all tiers is local execution. A safety system dependent on external network connectivity cannot satisfy strict data residency requirements and cannot be considered reliable under network constraint. The vendors and frameworks building toward this architecture are the ones that will be defensible at enterprise scale.