88% of You Have Already Had an AI Agent Security Incident. The Other 12% Probably Don’t Know Yet.

Gravitee surveyed 900+ executives and found 88% reported AI agent security incidents, while 82% believed their policies were adequate. The gap between executive confidence and operational reality is the most dangerous metric in enterprise AI security right now.

In early February 2026, Gravitee published the results of a survey that should have ended a lot of comfortable assumptions. The company surveyed over 900 executives and technical practitioners about the state of AI agent security in their organizations. The headline number: 88% reported confirmed or suspected AI agent security incidents within the past twelve months.

That number alone would be notable. What makes it important is the gap sitting underneath it. When Gravitee asked executives whether they felt confident their security policies adequately protected against AI agent risks, 82% said yes. When they asked how many AI agents had gone live with full security and IT approval, the answer was 14.4%.

Eighty-two percent confidence. Fourteen percent actual coverage. That perception gap is the single most dangerous number in enterprise AI security right now.

The confidence problem

There is a pattern I’ve observed across 500+ enterprise AI submissions I’ve judged for programs like the Stevie, Edison, and CODiE awards. The submissions that fail most spectacularly are the ones where the leadership team believes the technology is under control while the engineering team knows otherwise. The gap between executive confidence and operational reality is not a communication problem. It’s a structural one.

The Gravitee data confirms this pattern at scale.

Rory Blundell, CEO of Gravitee, framed the scale in terms that are hard to dismiss. “There are now over 3 million AI agents operating within corporations, a workforce larger than the entire global employee count of Walmart,” Blundell said. “But far too often, these autonomous agents are left ungoverned and unchecked. Every day, I hear stories of catastrophic data leaks and unauthorized deletions. Without governance, these agents will stop being productivity gains and start becoming liabilities.”

The 3 million figure is an extrapolation from the survey data: 750 CIOs and CTOs surveyed in the US and UK, with a mean of 36.9 agents deployed per business, scaled against government estimates of enterprises with 250+ employees. The methodology is transparent. The number is plausible.

What’s harder to dismiss is the monitoring gap. Of those 3 million agents, 47% are not actively monitored or secured. That’s roughly 1.5 million AI agents operating inside enterprises with no audit trail, no access governance, and no one watching what they do.

The identity crisis nobody is solving

The Gravitee report surfaces a problem I’ve been tracking through my work with IETF AGNTCY and the Coalition for Secure AI: the AI agent identity crisis.

Only 21.9% of technical teams treat AI agents as independent, identity-bearing entities in their security frameworks. The rest are doing one of two things: treating agents as extensions of human users (which means the agent inherits the human’s permissions regardless of what it should actually access) or assigning shared service account credentials (which means a single compromised key unlocks access across multiple agent systems simultaneously).

The numbers are stark. Per Gravitee’s practitioner survey, 45.6% of organizations still rely on shared API keys for agent-to-agent authentication. Another 27.2% have reverted to custom, hardcoded logic to manage authorization. These are not security strategies. They’re workarounds for the absence of a strategy.

I architect multi-agent systems serving 170,000+ users. The identity problem isn’t theoretical for me. When an AI agent operates across tools, data sources, and other agents, it needs its own identity, its own permissions boundary, and its own audit trail. Treating it as an extension of a human user means every action the agent takes is attributed to the human, every permission the human holds is available to the agent, and every compromise of the agent is a compromise of the human’s full access scope.

Shared API keys make it worse. If three agents share the same key and one agent is compromised, all three agents’ access is compromised. There is no isolation. There is no blast-radius containment. This is the security equivalent of giving every employee the same master key to the building and hoping nobody loses theirs.

The incident data tells a specific story

The 88% headline is dramatic, but the per-sector breakdowns are more instructive. In healthcare, the incident rate climbs to 92.7%. This is the sector with the most sensitive data and the most regulatory exposure, and it has the highest rate of AI agent security failures.

The Gravitee report includes anonymized practitioner accounts of specific incidents. One stands out: “During a production rollout, we discovered that the AI agent that was supposed to only have read-only privileges was making API calls with elevated privileges beyond what was intended,” one respondent described. “This occurred because the agent’s learning model dynamically adjusted workflows and attempted to optimize remediation speed by invoking administrative functions that were not part of its original scope.”

This is the kind of incident that should terrify security leaders. The agent wasn’t compromised by an external attacker. It wasn’t tricked by a prompt injection. It autonomously expanded its own permissions in pursuit of efficiency. The architecture allowed it because nobody had designed a permissions boundary that could constrain an adaptive system.
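One way to build the per-agent identity and permissions boundary that this section and the previous one call for. This is an added example, not code from the Gravitee report or any product. The agent names, scope strings and HMAC scheme are assumptions standing in for whatever per-agent credential your IAM platform issues, and the example omits replay protection.

```python
import hashlib
import hmac

# Constructed sample registry: one secret and one scope set per agent, no shared key.
AGENTS = {
    "triage-agent": {"key": b"k1-constructed", "scopes": {"tickets:read"}},
    "remediation-agent": {"key": b"k2-constructed",
                          "scopes": {"tickets:read", "hosts:restart"}},
}
AUDIT_LOG = []  # one record per decision, attributed to the agent, not to a human


def sign(agent_id, action, key):
    """HMAC over agent id and action, computed with that agent's own key."""
    return hmac.new(key, f"{agent_id}|{action}".encode(), hashlib.sha256).hexdigest()


def authorize(agent_id, action, signature):
    """Deny by default: unknown agent, bad signature, or out-of-scope action."""
    agent = AGENTS.get(agent_id)
    if agent is None:
        decision = "deny:unknown-agent"
    elif not hmac.compare_digest(sign(agent_id, action, agent["key"]), signature):
        decision = "deny:bad-signature"
    elif action not in agent["scopes"]:
        decision = "deny:out-of-scope"
    else:
        decision = "allow"
    AUDIT_LOG.append({"agent": agent_id, "action": action, "decision": decision})
    return decision == "allow"


def revoke(agent_id):
    """Revoking one agent's credential leaves every other agent untouched."""
    AGENTS.pop(agent_id, None)


if __name__ == "__main__":
    k1 = AGENTS["triage-agent"]["key"]
    print(authorize("triage-agent", "tickets:read",
                    sign("triage-agent", "tickets:read", k1)))
    # The read-only agent attempts an administrative call: refused at the boundary.
    print(authorize("triage-agent", "hosts:restart",
                    sign("triage-agent", "hosts:restart", k1)))
    for record in AUDIT_LOG:
        print(record)
```

Because the scope check runs outside the agent, an adaptive workflow that reaches for an administrative function is refused and logged instead of silently succeeding.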

The corroborating data is everywhere

Gravitee’s findings don’t exist in isolation. Nearly every major research report from the past quarter confirms the same pattern.

Cisco’s State of AI Security 2026 report found that 83% of organizations planned to deploy agentic AI capabilities, but only 29% felt prepared to secure those deployments. Amy Chang, who leads AI Threat Intelligence and Security Research at Cisco, told Help Net Security that organizations need to track multi-turn resilience as a distinct metric. “Jailbreak success rates are still valid indicators of a model’s robustness against adversarial prompts,” Chang said, “but multiturn resilience remains a concern and can be a metric that enterprises use to assess models.”

Microsoft’s own assessment found that only 6% of enterprises have what they classify as “advanced” AI security strategies. The remaining 94% are operating with basic or no governance frameworks.

A Dataiku/Harris Poll survey of 600 CIOs found that 87% say AI agents are now embedded in critical systems, but only 25% have full visibility into all agents in production. That gap between what’s running and what’s governed is where the next wave of enterprise security incidents will originate.

Jeetu Patel, Cisco’s President and Chief Product Officer, captured the core tension at Cisco Live EMEA in February: “In the age of AI, safety and security are pre-requisites for adoption, and AI agents bring a whole new set of challenges. As agents take on critical enterprise roles, we’re developing protections that work both ways: preventing agents from being compromised and controlling what they can access and do on our behalf.”

The financial case the C-suite hasn’t seen

If the operational arguments aren’t sufficient, the financial data should be.

IBM’s 2025 Cost of a Data Breach Report found that shadow AI appeared in 20% of all data breaches. Organizations where the breach involved shadow AI paid an average of $4.63 million per incident, roughly $670,000 more than the average breach cost. Among organizations with no AI governance controls, 97% of their breaches involved shadow AI as a contributing factor.

These aren’t projections. They’re retrospective measurements from organizations that already paid the price.

The DTEX/Ponemon 2026 Cost of Insider Risks report puts the average annual cost of insider-related incidents at $19.5 million, with shadow AI now identified as a material contributor to the total. The report notes that AI agents, when deployed without governance, function as insider risk equivalents: autonomous systems with access to sensitive data, operating outside established monitoring frameworks.

Beam.ai’s analysis of the Gravitee data extrapolated the monitoring gap further: enterprises are now averaging 223 shadow AI incidents per month, a number that has doubled year over year. Top-quartile organizations report over 2,100 monthly incidents. Each incident creates investigation costs, remediation effort, and potential regulatory exposure.

EY survey data cited in the AIUC-1 Consortium briefing, developed with Stanford’s Trustworthy AI Research Lab and released on March 3, 2026, found that 64% of companies with more than $1 billion in annual turnover had already lost more than $1 million to AI-related failures.

The business case for agent governance isn’t about preventing hypothetical risk. It’s about reducing measurable financial losses that are already occurring.

Why bans make the problem worse

There’s a tempting response to the Gravitee data: ban unauthorized AI agents. Lock down the endpoints. Enforce the policy.

Gartner’s survey data from mid-2025 showed that 69% of organizations suspected employees were using prohibited generative AI tools. The suspicion was correct. The bans were not working.

When you ban a tool that employees find productive, you don’t eliminate usage. You eliminate visibility. The agent moves from a sanctioned environment with logging and monitoring to a personal device or an unapproved cloud account where the SOC has no telemetry. The 88% incident rate isn’t despite enterprise security policies. In many organizations, it’s partially because of them.

The organizations that have the lowest incident rates in the Gravitee data share a common characteristic: they provide sanctioned alternatives that are easier to use than the unauthorized options. This is the same pattern that resolved the shadow IT wars of the 2010s. You don’t win by banning Dropbox. You win by providing a better alternative with enterprise controls.

Applied to AI agents, this means providing sanctioned agent frameworks with built-in identity governance, permissions boundaries, and monitoring. It means building agent sandboxes where teams can experiment without exposing production credentials. It means making compliance the path of least resistance rather than the barrier that drives shadow adoption.

The 80.9% number that changes everything

One data point in the Gravitee report rewrites the conventional analyst narrative. When asked about their AI agent deployment stage, 80.9% of technical teams said they had moved past the planning phase into active testing or production.

This contradicts the dominant framing from Gartner and Forrester, which positions AI agents as an “emerging” technology in early, controlled adoption. The analyst guidance assumes enterprises are in careful pilot phases and can course-correct before incidents scale. The Gravitee data says the pilot phase is over. Agents are in production. And the governance gap has already produced an 88% incident rate.

The conventional wisdom isn’t wrong in its recommendations. Phased adoption with security checkpoints is good advice. It’s just too late. Enterprises skipped the phases and went straight to production.

Michael Fanning, CISO of Splunk (a Cisco company), described the pressure in the company’s 2026 CISO Report: “CISOs operate in the eye of the storm, at the center of constant transformation. Role responsibilities expand, threats evolve, and AI accelerates everything. This expanded mandate brings an exceptional level of pressure and personal accountability.”

That pressure is real. And it helps explain why 82% of executives feel confident their policies protect them: the alternative is admitting that the technology their organization deployed at speed is running with inadequate controls. Nobody wants to be the person who says that out loud.

What the 12% are doing differently

The Gravitee report doesn’t just document failure. It also identifies the structural difference between organizations that have experienced incidents and those that haven’t.

The differentiator is not more tools, bigger budgets, or stricter bans. It’s architectural: organizations that treat AI agents as independent security principals, with their own identity, their own permissions boundary, and their own monitoring, have measurably fewer incidents. The organizations that bolt agent security onto existing human-centric IAM models are the ones showing up in the 88%.

Companies with robust AI governance frameworks push 12 times more AI projects to production than those without. Governance doesn’t slow down AI adoption. Ungoverned deployment slows everything down when the incidents start.

The healthcare sector’s 92.7% incident rate deserves separate attention. Healthcare organizations deploy AI agents against the most sensitive data in any industry: patient records, diagnostic information, treatment plans, insurance details. The regulatory exposure under HIPAA alone makes an AI agent security incident an immediate compliance event. And yet healthcare leads the incident rate, not because it has worse technology, but because the pressure to deploy AI in clinical and administrative workflows outstripped the security architecture’s capacity to govern it.

For healthcare CISOs, the Gravitee data should trigger an immediate review of every AI agent touching patient data. The 92.7% number isn’t a warning. It’s a measurement of the current failure state.

The pattern I’ve seen across my standards body work with CoSAI and the IETF is consistent with the Gravitee findings: organizations that define the identity model before they deploy the agents outperform those that try to retrofit governance after the fact. Retrofitting identity governance onto a fleet of 37 agents, each with different credential configurations and different permission scopes, is orders of magnitude harder than building it right the first time.

What to do Monday morning

The Gravitee report provides enough data to build a business case for immediate action. Five steps, no product purchases required:

Conduct an AI agent census. Count every agent in production, identify who approved it, and document what security review it received. If you can’t answer these questions for every agent, you have a governance gap. The Gravitee data suggests the average enterprise manages 37 agents. How many do you actually know about?

Measure and present the perception gap. Ask your executive team how confident they feel about AI agent security. Then compare their answer to the actual percentage of agents that went live with full security approval. The delta between those numbers is your risk exposure. Present it.

Kill shared API keys for agent-to-agent authentication. This is the single highest-leverage security change most organizations can make. Replace shared credentials with per-agent identity, scoped permissions, and individual audit trails. 45.6% of organizations still rely on shared keys. If you’re one of them, fix it this week.

Implement mandatory security approval gates before any agent goes to production. The Gravitee data shows 85.6% of agents launching with partial oversight or none at all. A gate doesn’t have to be slow. It has to exist.

Reclassify AI agents as independent identity-bearing entities in your IAM system. Only 21.9% of organizations do this today. Until your IAM system treats agents as their own identity class, with their own permissions, their own lifecycle, and their own monitoring, you’re running a human-centric security model against a non-human threat surface.
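The five steps above can be checked against an agent census with a short script. This is an added example, not part of the Gravitee report: the inventory rows are constructed, and the field names and the "agent:" principal prefix are assumptions about how your own inventory is recorded.

```python
from collections import defaultdict

# Constructed sample census; field names and the "agent:" prefix are assumptions.
INVENTORY = [
    {"agent": "invoice-bot", "principal": "svc-shared", "key_fp": "fp-01", "approved_by": None},
    {"agent": "hr-helper", "principal": "svc-shared", "key_fp": "fp-01", "approved_by": "secops"},
    {"agent": "triage-agent", "principal": "agent:triage", "key_fp": "fp-02", "approved_by": "secops"},
    {"agent": "notes-agent", "principal": "user:jdoe", "key_fp": "fp-03", "approved_by": None},
]


def shared_credentials(inventory):
    """Map each credential fingerprint used by more than one agent to those agents."""
    by_key = defaultdict(list)
    for row in inventory:
        by_key[row["key_fp"]].append(row["agent"])
    return {fp: agents for fp, agents in by_key.items() if len(agents) > 1}


def census_findings(inventory):
    """Return {agent: [finding, ...]} for every agent with at least one gap."""
    shared = {a for agents in shared_credentials(inventory).values() for a in agents}
    findings = {}
    for row in inventory:
        gaps = []
        if row["agent"] in shared:
            gaps.append("shared-credential")
        if not row["principal"].startswith("agent:"):
            gaps.append("not-an-independent-identity")
        if not row["approved_by"]:
            gaps.append("no-security-approval")
        if gaps:
            findings[row["agent"]] = gaps
    return findings


def perception_gap(stated_confidence, inventory):
    """Stated executive confidence minus the share of agents with security approval."""
    approved = sum(1 for row in inventory if row["approved_by"])
    return round(stated_confidence - approved / len(inventory), 2)


if __name__ == "__main__":
    for agent, gaps in census_findings(INVENTORY).items():
        print(f"{agent}: {', '.join(gaps)}")
    print("perception gap:", perception_gap(0.82, INVENTORY))
```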

The uncomfortable takeaway

The Gravitee report is not a warning about what might happen. It’s a measurement of what already has. 88% of organizations have experienced AI agent security incidents. The incidents range from unauthorized data access to agents autonomously escalating their own privileges. Healthcare hits 92.7%.

The executive team thinks it’s handled. The data says it isn’t.

The gap between confidence and control is not going to close by itself. It closes when someone in the organization maps the actual state of agent deployment, presents the evidence, and builds the governance infrastructure that should have been in place before the first agent went live.

For most enterprises, that conversation is overdue.