From Hypothetical Lists to Measured Data

OWASP's 'State of Agentic AI Security and Governance' v2.01, published on June 1, 2026, attaches real CVEs, vendor security advisories, and breach reports to most of the threats the first edition could only hypothesize. The evidence base for agent threat modeling has shifted from "scenarios that could happen" to "incidents that already did." As Help Net Security notes, prompt injection remains the single technique behind most production failures, but the categories with the most public incidents are supply chain (ASI04) and code execution (ASI05).

Start by Counting Advisories in Your Own Stack

Of the 53 projects the report tracks, 28 are coding agents, and the advisory leaderboard reads n8n with 57, Claude Code with 22, and AutoGPT with 15. A team running n8n for workflow automation and Claude Code in its dev pipeline is sitting downstream of 79 advisories from just those two tools — and plenty of organizations do not even subscribe to the feeds. The first input to a threat model is not an abstract attack scenario; it is the advisory history of the tools you actually depend on.

Regulators Already Set Your Reporting Clock

The same report catalogs 42 regulations across 10 jurisdictions, with incident-reporting deadlines that vary wildly: 4 hours under DORA, 24 hours under NIS2, 72 hours under New York's RAISE Act, 15 days under California's SB53. If your response process was designed without these clocks in mind, you can recover technically and still end up in violation.

The Quarterly Refresh Routine: Inputs Through Rehearsal

Pin the targets to numbers first. Refresh the threat model once per quarter; hold advisory remediation lead time — from publication to patch or mitigation deployed — under 7 days; pass a reporting-SLA rehearsal for every applicable regulation twice a year. Writing the lead-time measurement window into the doc keeps the metric stable when the owner changes.

The routine draws on three input sources. First, the security advisory feeds for your dependencies (n8n and Claude Code, if that is your stack). Second, public incident aggregations such as OWASP's incident tracker. Third, the CVE databases. At each quarterly review, diff the new entries from all three sources against your threat model categories, and add controls where measured incidents cluster — ASI04 and ASI05 above all.

Failure recurs in three shapes: the abandoned model, frozen at launch and never touched; the untracked stack, where nobody counts advisories against the tools in use; and the disconnected process, where incident response ignores regulatory reporting deadlines. All three appear in v2.01 as observed failure patterns.

Recovery differs by type. For an abandoned model, diff the full v2.01 category list against your existing document and rewrite the gaps first. For an untracked stack, the opening move is subscribing to advisory feeds — the ones producing counts like n8n's 57 and Claude Code's 22 — and instrumenting lead time. For a disconnected process, start by copying the deadlines (DORA's 4 hours, NIS2's 24) into your incident runbook as literal timer entries.

Make the AI SBOM section of the checklist concrete. The minimum set: model version and provider, system prompt hash, the list of connected tools and MCP servers, external API dependencies, and the provenance of any third-party workflow templates. The agent identity section should require dedicated credentials per agent, no privilege sharing with human accounts, session-scoped token expiry, and a per-agent action audit log.

An SLA that has never been rehearsed is just a document. Against a DORA-grade deadline, run a mock incident and measure whether detection, triage, and a report draft all fit inside 4 hours, recording pass/fail and where the bottleneck sat. Close each quarterly review by logging advisory-count and lead-time trends to a dashboard, and register the next OWASP report release as the trigger for the following refresh so the routine never lapses.

Takeaways at a Glance

Refresh the threat model quarterly from measured data — CVEs, advisories, breach reports, as v2.01 does — and concentrate controls on ASI04 and ASI05, the categories with the most public incidents. Track three metrics: advisory remediation lead time under 7 days, a quarterly refresh cadence, and twice-yearly reporting-SLA rehearsals passed for every jurisdiction, with AI SBOM and agent identity as permanent checklist sections.

References

OWASP GenAI Security Project: State of Agentic AI Security and Governance 2.01
Help Net Security: Prompt injection still drives most agentic AI security failures in production