Most enterprise security teams already know OWASP. For two decades, the OWASP Top 10 has been the practitioner-level reference for web application risk — not because a regulator mandated it, but because security engineers, application teams, and auditors all reach for the same list when they need a shared vocabulary. That common vocabulary is the project's most undervalued contribution. It is also exactly what the generative AI security conversation has been missing.
Containment.ai is joining the OWASP GenAI Security Project as a contributor. This post explains why, and what we plan to bring.
What OWASP gets right
OWASP is open and community-driven. The artifacts that practitioners actually use — the LLM Top 10, the AI Security and Privacy Guide, the threat catalogs — are produced by working security engineers, reviewed in public, and revised against real-world incidents rather than vendor narratives. There is no paywall, no certification body gating access, and no single vendor steering the roadmap.
For a category as new as generative AI, that posture matters. The risk surface is moving faster than any standards body can ratify, and the people closest to the problem are the ones running red-team exercises against production systems this quarter. OWASP's working-group model lets that field experience compound into shared knowledge in weeks, not years. We have seen the LLM Top 10 referenced in customer security reviews, in CISO board materials, and in regulator follow-up questions. It has become the lingua franca of GenAI risk because it was built the way real practitioner references get built — collaboratively, in the open, and with low ceremony.
How the LLM Top 10 is expanding into agentic risks
The original LLM Top 10 catalogued the failure modes of a model sitting behind a chat interface: prompt injection, insecure output handling, training data poisoning, model denial of service, sensitive information disclosure. Those categories still apply. What has changed is that the model is no longer alone on the page.
Agents now invoke tools, hold tokens, write to production systems, and chain themselves into multi-step workflows that no single prompt fully describes. A prompt-injection payload that would have produced an embarrassing chat output a year ago now produces a CRM update, a sent email, or a pushed commit. The blast radius is structurally different, and the controls have to follow.
The GenAI Security Project's expansion into agentic risk reflects this. Tool abuse, excessive agency, identity and authorization gaps for non-human actors, runaway autonomous loops, and supply chain risk from third-party agent components are not theoretical research topics — they are the issues showing up in enterprise governance reviews right now. OWASP is in a position to make the agentic risk taxonomy the same kind of practitioner default that the original Top 10 became for web applications. That is the work we want to support.
What we are contributing, and what we are not
Containment.ai's product is in AI governance for the enterprise — policy enforcement, visibility, and guardrails across third-party AI tools used inside customer organizations. That means we sit on a particular slice of the problem: how administrators define acceptable use, how those policies are enforced across browser, desktop, and agent surfaces, and what telemetry security teams need in order to investigate incidents after the fact. We are happy to contribute what we see from that vantage point, and we expect to learn at least as much from the practitioners working on the other slices.
Concretely, we are committing engineering time to the working groups, publishing the redacted incident patterns we observe across customer deployments, and offering review on draft taxonomies where our deployment data is relevant. We are not joining to brand-stamp our logo onto OWASP's work, and we are not positioning ourselves as the project's spokesperson. The reference value of the OWASP catalogs depends on the catalogs staying vendor-neutral, and we want that posture preserved.
We also want to be clear about what this is not. Joining a community working group is not a compliance attestation. Containment.ai does not currently claim SOC 2, FedRAMP, or ISO 27001 certification, and contributing to OWASP does not change that. Those are separate undertakings on a separate timeline, and we will speak to them when they are real.
The invitation
If you are working on agentic security, GenAI threat modeling, or the practitioner side of AI governance, the GenAI Security Project is genuinely worth your time. The project page is at https://owasp.org/www-project-genai-security-project/, and the working groups are open. The shared vocabulary the industry needs is being written right now, and the door is unlocked.
We will see you there.