THE LINUX FOUNDATION PROJECTS
BlogReport

Agentic AI Momentum Report

By July 9, 2026No Comments
  • Sam Boysel is a Data Scientist at the Linux Foundation. In this role, he contributes to a variety of empirical initiatives to uncover new insights into open source communities. His work often leverages microeconomic theory to analyze behaviors, incentives, and community dynamics across open source ecosystems. Before joining the Linux Foundation, he was a postdoctoral researcher with the Laboratory for Innovation Science at Harvard. He holds a B.A., M.S., and Ph.D. in Economics.

Summary

  • We track the top open source agentic AI projects gaining traction and becoming core ecosystem infrastructure.
  • The Momentum set spans 116 projects across 5 layers: Frameworks & Infrastructure, Agent Capabilities, Agent Applications, Foundations & Protocols, and Operations & Safety.
  • Agentic AI Frameworks & Infrastructure demonstrate strong popular adoption signals, while Agent Applications attract the most active contributors of any layer.
  • Health scores are generally strong, but deeper analysis still reveals development strain, security gaps, and contributor concentration in some layers.
  • The ecosystem has seen ~2.6x growth in unpatched CVEs over the past 6 months, with Frameworks & Infrastructure and Agent Capabilities carrying the heaviest burdens, underscoring a growing security debt.
  • Organizational concentration remains a concern for many popular projects. AAIF-hosted projects like MCP and AGENTS.md show healthier contributor distributions, while high-profile projects outside AAIF stewardship like LangChain and Milvus still face single-organization dominance.
  • Encouragingly, a large cluster of the most popular and active projects in the ecosystem are characterized by high-quality governance practices.
  • Dive even deeper into the data with the Agentic AI Momentum Dashboard.
  • Help us stay on top of important emerging projects by submitting your suggestions by opening a PR or issue in aaif/aaif-landscape.

Introduction

Open source agentic AI has moved quickly from a research-adjacent niche to a densely interconnected ecosystem. Adoption signals are growing faster than in prior ML infrastructure cycles. Projects that were experimental a year ago now underpin commercial products, and new layers of the stack — protocols, safety tooling, and governance frameworks — are forming around them.

This report tracks 116 open source projects across five layers of the Agentic AI stack: Frameworks & Infrastructure, Agent Capabilities, Agent Applications, Foundations & Protocols, and Operations & Safety. All data is drawn from LFX Insights, the Linux Foundation’s open source health and analytics platform. The projects range from widely deployed frameworks with millions of GitHub stars to emerging protocol specifications, and are evaluated against a consistent set of health and governance metrics.

The analysis looks at three dimensions. Popularity measures where adoption is concentrating, using GitHub stars, forks, and active contributors as proxies for ecosystem gravity. Health examines how well projects sustain development over time, drawing on LFX Health Scores alongside operational signals such as issue resolution latency, PR merge time, and unpatched vulnerability counts. Strategic risk looks at structural factors — contributor concentration, organizational dependency, and governance maturity — that shape long-term project viability.

The Agentic AI Infrastructure Foundation (AAIF) both tracks ecosystem developments and provides a neutral home for key infrastructure. A central question is which projects in the broader ecosystem match that level of structural maturity, and which do not.

Popularity

Which parts of the ecosystem are attracting the most attention? Figure 1 breaks the Momentum projects out by layer and compares key adoption signals.

Figure 1: Agentic AI Momentum by Layer. The columns contain the sum across all projects in each layer.

Agentic Frameworks & Infrastructure projects are the ecosystem’s center of gravity by almost every raw metric — 1.5M GitHub stars and roughly 226K forks. The wider community increasingly builds on the infrastructure formed by these 34 projects. Agent Applications show the strongest contribution surge: 15 projects attract 16.7K active contributors, the most of any layer and roughly twice what their project count alone would predict. Agent Capabilities show a similar pattern at the project level, matching Agent Applications in total stars despite a comparable project count, suggesting that a handful of breakout names drive the layer’s visibility. Foundations & Protocols still show healthy competition and experimentation across 30 projects, though activity is concentrated in a smaller subset. Operations & Safety remains the smallest layer.

Health

How healthy are the Momentum projects? LFX Insights Health Scores provide a high-level view across four dimensions: Popularity, Contributors, Development, and Security. A score above 80% is generally strong, while scores below 60% may indicate concern.

 

Figure 2: How Agentic AI Infrastructure Measures Up Across Health Dimensions. Average by project layer. Note that rankings of the scores in the plot are normalized by column.

Frameworks & Infrastructure lead on both Popularity (97%) and Development health (74%), a combination consistent with older, well-staffed projects with established release and review cadences. Security is where the standard-setting layers distinguish themselves: Operations & Safety and Foundations & Protocols score 91% and 90% respectively, likely reflecting their mandate to define best practices rather than ship fast. Agent Applications inverts this: it scores lowest on Development health (58%), yet as Figure 3 shows, it is the most operationally responsive layer in practice. The notable weak point for Foundations & Protocols is its Contributors health score (53% despite the most projects in any layer), signaling that a relatively small number of contributors carry a disproportionate share of the work.

Figure 3: The Pace of Maintainer Responsiveness in Agentic AI. Average by project layer, weighted by active contributors. Issue resolution time is defined as the time between issue creation and closure. Pull request merge time is defined as the time between pull request creation and merge.

Another important health dimension is maintainer responsiveness to issues and pull requests. Agent Applications is the only layer below the median on both measures — resolving issues in roughly two weeks and merging PRs in about two days — despite carrying the largest weighted contributor base. That scale-without-slowdown result challenges the intuition that larger communities are harder to coordinate. Foundations & Protocols sits at the opposite extreme: just under five weeks for issue resolution and about eight days for PR merges, likely reflecting its standards-body character, where deliberation is part of the process. Operations & Safety shows a different split — PR merges in about two days but issue resolution still stretches a bit beyond three weeks. Agent Capabilities and Frameworks & Infrastructure sit near the cross-layer medians.

Figure 4: Where Agentic AI Security Debt Is Accumulating. Monthly totals by project layer.

Consistent with broader OSS trends as automated vulnerability scanning expands, unpatched CVEs have grown roughly 2.6x within the Agentic AI Momentum projects since December 2025, reaching approximately 9,200 by June 2026. This rise appears across layers. Frameworks & Infrastructure, with their complex dependency graphs, now account for nearly half of all unpatched vulnerabilities in the Momentum set: the average project carries about 137. Agent Capabilities is not far behind; its libraries sit inside many higher-level agent systems, amplifying the blast radius of unresolved vulnerabilities. Operations & Safety presents a useful contrast: it scores highest on security health process metrics yet still carries a meaningful backlog, showing that compliance scores and remediation velocity capture different things. Foundations & Protocols is the relative bright spot, with both the lowest per-repo CVE average and the second-highest security health score. The larger pattern is clear: the ecosystem is accumulating security debt faster than it is resolving it.

Strategic

Popularity and health show that projects are relevant and viable, but long-term resilience depends more on structure than on technical strength alone. The next question is governance: how concentrated is development activity, and do projects have the contribution policies, public discussion channels, and maintainer roles needed to support durable growth?

Figure 5: Maintenance Burdens & Risk in Agentic AI Infrastructure. The number of top contributors in a project is defined as the smallest number of entities that collectively account for at least 50% of total project contribution. Risk in this plot is defined as the contribution share of these top contributors (organizations or individuals) divided by the number of top contributors. In other words, risk measures how concentrated development activity is across organizations or individual contributors.

Figure 5 shows a clear pattern: many Momentum projects depend on a small number of top contributing organizations. Projects whose maintenance burden sits with only a few entities (and require contributors to assert their legal right to commit via a Developer Certificate of Origin (DCO) or Contributor License Agreement (CLA)) should be treated as structurally riskier by downstream users. Individual contributor risk is often more diluted, but organizational concentration remains common across the Momentum set. Projects under foundation stewardship — such as AAIF-hosted MCP, AGENTS.md, and goose — are notable counter-examples, clustering near the lower-left corner of Figure 5 with healthier multi-contributor distributions and clear distance from the single-organization-dominance threshold. At the other extreme, projects like Agentless and Sweep combine near-maximum org concentration with high visibility. Projects like TaskWeaver and W3C Decentralized Identifier Specification carry dual exposure on both axes — the most structurally vulnerable combination in the dataset. The practical lesson from widely used projects like LangChain and Prefect is simple: adoption alone does not diversify governance.

Figure 6: Project Governance Maturity in Agentic AI Infrastructure. In this figure, we divide projects into quadrants based on their governance quality. Along the vertical axis we disaggregate between projects where a single organization accounts for >50% of contribution. Along the horizontal axis, we distinguish projects by their compliance with the Governance & Legal checks from the OpenSSF’s Open Source Project Security Baseline (OSPS Baseline). Each bubble is a project scaled by the number of active project contributors.

The most encouraging signal in Figure 6 is how many labeled projects achieve full OpenSSF Governance & Legal compliance. A meaningful cluster of large, active projects — including Cline, PydanticAI, and goose — occupy the upper-right quadrant, combining multi-organizational contributor bases with strong compliance. Governance quality and contributor diversity, however, remain distinct dimensions. Hugging Face Transformers and LangChain are effectively single-org controlled yet fully compliant, while OpenHands and Mastra have broad contributor participation but fall short on formal governance documentation. The highest-risk combination — single-org dominated and non-compliant — includes OpenAI Agents SDK and LiteLLM, both of which attract substantial community interest. Agent Applications and Foundations & Protocols are overrepresented in the compliant quadrants, a pattern consistent with the security health advantage those layers showed in Figure 2.

Conclusion

The Momentum watchlist is meant to give maintainers, adopters, and ecosystem stewards a consistent view of which open source agentic AI projects are becoming foundational and how resilient they are likely to be over time. Across the three lenses, the signal is clear: Frameworks & Infrastructure remains the ecosystem’s adoption center, Health is broadly strong but increasingly pressured by a rapidly growing vulnerability backlog, and Strategic indicators show that organizational concentration remains a meaningful obstacle to long-term stability.

The governance findings also point to the most practical next step. A meaningful set of large projects already shows that strong governance and broad contributor participation can coexist at scale. Projects that are still single-organization dominated or not yet governance-compliant should prioritize formal governance and legal baselines now, and high-impact maintainers should consider neutral foundation stewardship pathways such as AAIF before concentration becomes a structural bottleneck.

References