
OWASP Global AppSec EU 2026 Vienna: Key Takeaways on Secure Software Supply Chain, MCP Security, and the AI-BOM

Last week, the Xygeni team was at OWASP Global AppSec EU 2026 in Vienna, where 800+ cybersecurity experts gathered at the Austria Center for OWASP's 25th anniversary. Two days on the expo floor, dozens of conversations with CISOs, AppSec leaders, and DevSecOps engineers, and one clear signal: securing the software supply chain has entered a new phase, and most organizations are not ready for it.

Here is what we saw, what we showed, and what the industry is telling us.

What OWASP Launched in Vienna

The headline announcement at this year’s conference was OWASP AISVS 1.0, released on June 24, 2026, during the event itself. The standard contains 514 verifiable requirements across 14 chapters covering everything from prompt injection to MCP security. Unlike governance frameworks such as NIST AI RMF or ISO/IEC 42001, every AISVS requirement is written to be checked: pass or fail. It is the first community-driven, testable security verification standard purpose-built for AI systems, modeled after OWASP ASVS, the gold standard for web application security.

Beyond AISVS, the session track reflected where the community’s attention has shifted. Talks on agentic application security, MCP security, secure software supply chain practices, shadow AI detection, and testing LLM applications in production dominated the schedule. The OWASP LLM Top 10, Agentic Apps Top 10, and MCP Top 10 are no longer emerging frameworks; they are live standards that most organizations have not yet mapped their exposure against. Vienna made that gap visible.

What Xygeni Showed at Booth G-08

We used the two conference days to demonstrate something the industry is increasingly asking for but rarely seeing in practice: how to discover, score, and enforce security across the AI your teams use to develop, not just the code they produce.

The Vienna debut of Xygeni AI Inventory showed an organization’s entire AI attack surface mapped in real time: every model, agent, MCP server, and AI coding tool, with risk scores, relationship graphs, and an exportable AI-BOM ready for regulators and enterprise buyers. For most visitors to the booth, it was the first time they had seen their own AI attack surface rendered as a structured, auditable inventory.

The AI Dependency Firewall demonstrated Shield blocking a malicious npm package at the developer endpoint before install, before a signature existed. This is the secure software supply chain control that traditional SCA tools cannot provide: detection at the moment of fetch, not after the package has already run its postinstall script.

The conversations that followed the demos were consistent. Most teams could not answer the question on screen: where is the AI in your SDLC?

Three Things the Expo Floor Told Us

Across dozens of conversations at the booth and in the hallways, three themes came up repeatedly.

MCP security is the new blind spot

Every team running AI coding assistants or agentic workflows has MCP servers they have not fully inventoried. Most have no allowlist, no behavioral monitoring, and no enforcement layer at the developer endpoint. This is not a niche concern: 5.5% of public MCP servers carry tool-poisoning flaws, and 43% carry command-injection vulnerabilities. AISVS 1.0 dedicates an entire chapter to MCP security requirements, and the conversations at Vienna confirmed that this is where the next wave of supply chain attacks will land.

The AI-BOM question is becoming real

Security leaders are beginning to receive requests from auditors and enterprise buyers for a machine-readable inventory of every AI asset in the organization (models, datasets, agents, MCP servers, and AI coding tools) with their relationships, risk scores, and regulatory mapping. Most organizations cannot produce one today. The AI-BOM is rapidly becoming the AI-era successor to the SBOM, and the organizations that can generate one on demand will have a significant compliance and trust advantage as EU AI Act audit obligations arrive.
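The two gaps above (no MCP server allowlist, no machine-readable AI inventory) can be closed with the same starting step: read what MCP clients are actually configured to launch, compare it with what security review approved, and write the result into an inventory record. The script below is an added illustration, not Xygeni code or an AISVS-defined format; the `mcpServers` config shape follows common MCP clients, but the server entries, the allowlist, and the `ai-bom-example` output format are constructed for this example.

```python
"""Inventory MCP servers from a client config, enforce an allowlist, and emit
a minimal AI-BOM-style record. Constructed example, not a product's format."""
import hashlib
import json

# Constructed sample config. The "mcpServers" key mirrors the JSON layout used
# by common MCP clients; the three entries are made up for this example.
SAMPLE_MCP_CONFIG = json.dumps({
    "mcpServers": {
        "github": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"]},
        "filesystem": {"command": "npx",
                       "args": ["-y", "@modelcontextprotocol/server-filesystem", "/srv"]},
        "notes-helper": {"command": "node", "args": ["/tmp/notes-helper/index.js"]},
    }
})

# Allowlist (constructed): server name -> the exact launch command that review
# approved. Matching on the full command line catches silent argument drift.
ALLOWLIST = {
    "github": ["npx", "-y", "@modelcontextprotocol/server-github"],
    "filesystem": ["npx", "-y", "@modelcontextprotocol/server-filesystem", "/srv"],
}


def inventory_mcp_servers(config_text, allowlist):
    """Return one component record per configured MCP server with its status."""
    servers = json.loads(config_text).get("mcpServers", {})
    components = []
    for name, spec in servers.items():
        launch = [spec.get("command", "")] + list(spec.get("args", []))
        if name not in allowlist:
            status, reason = "unapproved", "not-in-allowlist"
        elif allowlist[name] != launch:
            status, reason = "unapproved", "launch-command-drift"
        else:
            status, reason = "approved", "matches-allowlist"
        components.append({
            "name": name,
            "type": "mcp-server",
            "launch": launch,
            "status": status,
            "reason": reason,
            # Stable fingerprint of the launch line, usable to detect changes
            # between two inventory runs without storing the full command.
            "fingerprint": hashlib.sha256(" ".join(launch).encode()).hexdigest()[:16],
        })
    return components


def build_ai_bom(components):
    """Wrap component records in a minimal machine-readable inventory."""
    unapproved = [c["name"] for c in components if c["status"] == "unapproved"]
    return {"bomFormat": "ai-bom-example", "components": components,
            "summary": {"total": len(components), "unapproved": unapproved}}
```

Running `build_ai_bom(inventory_mcp_servers(SAMPLE_MCP_CONFIG, ALLOWLIST))` flags `notes-helper` as the one server no review ever approved; an enforcement layer at the endpoint would refuse to launch anything whose status is not `approved`.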

Secure software supply chain now means securing the AI layer

Traditional supply chain controls (SCA, SBOM generation, build provenance, SLSA attestation) were built for a world where humans wrote the code and packages came from public registries. In 2026, AI agents commit code autonomously, MCP servers execute tool calls on behalf of users, and malicious packages are being engineered to target AI tooling directly. A secure software supply chain strategy that does not cover the AI attack surface is no longer complete. Vienna made that consensus visible across vendor booths, session talks, and hallway conversations alike.

What We Take Away From Vienna

OWASP Global AppSec EU 2026 was a useful calibration point. The three conversations happening most frequently on the expo floor (MCP security, AI-BOM readiness, and securing the full software supply chain in an AI-native SDLC) are the conversations Xygeni was built for.

Zero Trust reached the network, the cloud, and identity years ago. The software development lifecycle is the layer that hasn’t been fully covered. With AI-generated code now accounting for 40% of commits at leading organizations, and with agentic workflows expanding the attack surface faster than traditional AppSec tools can adapt, that gap is becoming the defining challenge for security teams in the second half of 2026.

If you missed Vienna and want to see what we demonstrated at Booth G-08, there are two ways to go deeper: take a product tour to see the platform in action, or book a demo, and we will walk you through exactly what we showed on the expo floor.

FAQs

What is OWASP AISVS?
OWASP AISVS (AI Security Verification Standard) is the first community-driven, testable security verification standard purpose-built for AI systems. Released in June 2026 at OWASP Global AppSec EU Vienna, it contains 514 verifiable requirements across 14 chapters, covering training data integrity, prompt injection, MCP security, agentic orchestration, supply chain, and more. Unlike governance frameworks, every requirement is written to be checked as pass or fail.

What is a secure software supply chain in 2026?
A secure software supply chain in 2026 means protecting not only open-source dependencies, CI/CD pipelines, and build artifacts, but also the AI models, agents, MCP servers, and AI coding tools that are now embedded in every stage of software development. As AI agents commit code autonomously and malicious packages increasingly target AI tooling, supply chain security has expanded to include the full agentic development lifecycle.
