Every quarter, the OWASP GenAI Security Project publishes a round-up of the period's most significant AI security incidents, mapping each to the OWASP Top 10 for LLM Applications and the new Top 10 for Agentic Applications. The Q1 2026 edition is worth every security leader's attention — not for any single breach, but for the pattern running through all of them.
OWASP's own summary names it plainly: the field has crossed from theoretical risk into real-world exploitation, and the action has moved off the model itself. Attackers and failures are now targeting agent identities, orchestration layers, and supply chains — not just model outputs. The credit for the underlying research belongs to OWASP and the reporters it cites; what follows is my reading of four incidents that matter most to regulated enterprises, and what each one demands of your controls.
"Securing AI now requires a shift from model-level safeguards to holistic system, identity, and operational security controls." — OWASP GenAI Security Project, Q1 2026 round-up
That sentence could be the mission statement for everything we build at OneCompliant. Below, each incident is followed by the OneCompliant lens — the control that would have caught or contained it.
1. GrafanaGhost — when your dashboard becomes the exfiltration path
Per the OWASP round-up (citing research from Noma Security), attackers could plant hidden instructions in external content that Grafana's AI assistant ingested. The poisoned context steered the assistant into rendering an external image — and that render call smuggled enterprise data out to an attacker-controlled server as a URL parameter. Grafana patched the Markdown image-rendering path and noted that exploitation required meaningful user interaction. But the shape of the attack is what matters: a trusted observability layer, holding telemetry, infrastructure, customer and financial data, turned into a leak.
Treat everything an AI assistant ingests — logs, links, dashboards, tickets — as untrusted input, and govern what it can send out. This is indirect prompt injection; threat-model it like XSS or SSRF. An assistant with broad telemetry access should never also have an unconstrained outbound path. Inspect the context flowing into the model; control what's allowed to leave.
2. Vertex AI "Double Agent" — identity is the new perimeter
Per the round-up (citing Palo Alto Unit 42), a deployed agent in Google Cloud's Vertex AI Agent Engine inherited far more permission than it needed through a Google-managed service account. Researchers used that over-scoped identity to extract credentials, act as the service agent, reach into customer-project resources, and even touch restricted internal images and source. Google subsequently revised its guidance. The lesson isn't "Vertex is unsafe" — it's that managed-platform defaults granted an agent more reach than anyone intended.
Agent identity deserves the same scrutiny as privileged admin access. Least-agency by default, per-deployment scoping, short-lived credentials, and a live inventory of every service identity tied to agent execution. Don't trust platform defaults — explicitly test whether an agent can pivot across projects, buckets, registries, or model infrastructure.
3. Meta's internal agent leak — the blast radius of one unsafe answer
Per the round-up (citing The Guardian), a Meta engineer asked for help on an internal forum, an AI agent proposed a fix, and the engineer implemented it — briefly exposing a large volume of sensitive user and company data to engineers for about two hours. There was no external attacker and Meta said no user data was mishandled, but it still triggered a major internal security response. It's a clean illustration of how a single unsafe agent recommendation can become an access-control incident at enterprise scale.
There must be a control layer between AI advice and execution. Any recommendation that can change permissions, data visibility, or policy should pass deterministic validation and human review before it lands — especially inside engineering and security workflows. Treat agent output as untrusted until it's verified.
4. Mercor / LiteLLM — your AI supply chain is bigger than your models
Per the round-up (citing WIRED), Meta paused work with AI data vendor Mercor after a breach tied to malicious versions of the open-source tool LiteLLM. Because Mercor supports proprietary training-data generation for major labs, the incident raised the prospect that sensitive training-data methods and contractor operations were exposed — and prompted reassessment across multiple labs. The compromise rode in through a software dependency in the AI-adjacent stack, not the model.
Your AI supply chain includes the orchestration libraries, the MCP integrations, and the vendors generating your data. Pin and verify dependencies, demand SBOM-style evidence and incident-response maturity from AI vendors, and treat data vendors as critical suppliers inside your governance programme — not procurement footnotes.
The thread tying them together
OWASP makes a second observation that should reshape how you think about AI risk: most of these incidents have no CVE. They aren't discrete code bugs — they're misconfiguration, excessive autonomy, weak trust boundaries, and data-flow manipulation. Only a classic embedded software flaw, like the actively-exploited Flowise remote-code-execution issue (CVE-2025-59528), slots neatly into traditional vulnerability management.
That is the gap. If your AI risk programme is built on scanning for CVEs, it is structurally blind to the majority of how AI actually fails. These are systemic and architectural risks, and they demand controls that operate at runtime — across identity, agency, and data flow — and that produce evidence.
"The action has moved from model outputs to identities, orchestration, and supply chains. Governance has to move with it — from documents to operational controls."
That's exactly the layer OneCompliant builds: OASF defines the control domains, OASAT measures where you stand against them, and Aegis enforces them at the point of use — inspecting prompts and context, governing what data can leave, scoping what agents are allowed to do, and recording every decision as evidence. Reports like OWASP's are the field telling us, incident by incident, why that layer is no longer optional.
Read the full round-up — it's a genuinely valuable quarterly resource, and OWASP welcomes contributions to it: OWASP GenAI Exploit Round-up, Q1 2026 →
These incidents map to controls. Do you have them?
OASAT scores your AI estate against exactly these failure modes — identity, agency, supply chain, and data flow — and Aegis enforces the controls at runtime. Find your gaps before they become your round-up entry.