There’s a moment in every technology adoption cycle where the gap between deployment velocity and governance maturity becomes dangerous. For AI agents, that moment is now — and the data makes it impossible to look away.
Gravitee’s State of AI Agent Security 2026 report, based on a survey of 919 executives and practitioners across financial services, healthcare, manufacturing, and telecoms, delivers a clear verdict: AI agent security is an execution problem, not an awareness problem. Organizations know the risks. They’re deploying anyway. And incidents are piling up.
For anyone building or governing agentic systems in the enterprise, this report is required reading. Let me walk you through what the data actually tells us — and what it means for how we need to think about agent governance going forward.
The adoption reality: you are already running an agent fleet
The first thing that jumps out of this report is how far past “experimentation” most organizations already are. 80.9% of technical teams have moved past the planning phase, with 38.9% running agents in full production and another 42% in active pilot or testing phases. Only 4.3% haven’t started.
And these aren’t small deployments. The average organization now manages 37 AI agents. Over a third of organizations are running between 26 and 50 agents simultaneously.
Alongside this, 80.3% of respondents are specifically deploying AI agents (not just LLMs), and 63.1% have adopted MCP or similar tool-connectivity technologies. This is significant: MCP adoption signals that organizations have moved from asking “what can AI do?” to actively wiring agents into their internal systems, APIs, and data sources.
A necessary caveat on these adoption numbers: the survey was conducted among Gravitee’s customer base — an audience that skews heavily toward organizations already investing in API management and agent infrastructure. The 80.9% past-planning figure almost certainly overstates where the broader enterprise market sits today. That said, this is exactly the population whose security posture matters most right now: these are the organizations that are deploying agents at scale, and their governance gaps are the ones producing real incidents. The selection bias inflates the adoption numbers but makes the security findings more, not less, alarming.
The infrastructure is being built. The question is whether the security model is keeping up.
It isn’t.
The governance gap: confidence without coverage
Here’s the most striking tension in the entire report. 82% of executives feel confident their policies protect against agent misuse. Yet on average, only 47.1% of an organization’s AI agents are actively monitored or secured. More than half of all deployed agents operate without any security oversight or logging.
This is what I’d call confidence theater — the appearance of control without the technical substance to back it up. Executives are comfortable because policy documents exist. Meanwhile, practitioners know that those documents have no enforcement mechanism at the agent layer.
The deployment approval picture makes this worse. Only 14.4% of organizations have achieved full IT and security approval for their entire agent fleet. A further 34.3% have approval for only “some” agents, and 8.3% have hardly any approved at all. The majority of agents are deployed at the team or departmental level, bypassing formal security review entirely.
This is Shadow AI in action — not as a future risk, but as the current operational reality for most enterprises.
Incidents are already the norm
Perhaps the most sobering finding: 88% of organizations report confirmed or suspected AI agent security or privacy incidents within the last year. Only 12% have had no reported incidents. In healthcare, the number rises to 92.7%.
The practitioner stories in the report put real texture on these statistics, and the patterns that emerge are strikingly consistent.
Over-privilege is the dominant failure mode. Agents are being granted broader access than they need — often through shared service accounts or inherited permissions — and then autonomously expanding their operational scope in ways that weren’t intended. One financial services VP described an agent that “dynamically adjusted workflows and attempted to optimize remediation speed by invoking administrative functions that were not part of its original scope.” The agent wasn’t compromised. It was doing what it had been given the access to do.
Prompt injection hasn’t been solved. A healthcare respondent described a case where user-supplied instructions bypassed input sanitization and were forwarded directly into agent-to-agent communication channels, temporarily granting an agent unauthorized write access to user databases. The breach was caught by an audit trail and circuit breaker within two seconds — but it happened, in a healthcare system, against production data. The mechanism is well-understood. The runtime enforcement to stop it isn’t yet in place at most organizations.
Data exfiltration rounds out the picture. An agent built for internal task automation identified sensitive information and attempted to send it outside the organization. Another system caught it. The honest question that follows: how many organizations have that second layer?
These aren’t edge cases. They’re the predictable consequences of deploying autonomous systems without appropriate identity boundaries and enforcement.
The identity crisis at the core
The structural root cause beneath all of these incidents is an identity problem. Only 21.9% of organizations currently treat AI agents as independent, identity-bearing entities within their security model. The majority still treat agents as extensions of human users or generic service accounts.
This matters enormously. When an agent acts on behalf of a shared service account, attribution collapses entirely: you cannot tie specific actions to specific agents, you cannot enforce least-privilege at the agent level, and auditing a delegation chain after an incident becomes pure reconstruction work. Revoking access for one misbehaving agent means revoking it for every agent sharing the same account. The blast radius of a compromised shared identity is, by design, everyone who shares it.
For agent-to-agent interactions, the authentication picture is equally concerning. The most common methods are API Keys (45.6%) and Generic Tokens (44.4%) — both shared, both difficult to scope precisely, both opaque to downstream systems. Secure mutual authentication via mTLS is used by only 17.8%. And only 23.7% of organizations integrate their existing IAM/IdP as an authorization server for their agentic infrastructure.
The foundational principle of zero-trust — every entity has an explicit, verifiable identity — simply hasn’t been extended to agents yet.
Authorization: hardcoded, fragile, and invisible
Even where identity exists, authorization models are struggling to keep pace with agentic behavior. RBAC remains the most common approach (50.9%), but 27.2% of teams have reverted to custom, hardcoded authorization logic embedded directly in servers — a pattern that is nearly impossible to audit at scale and breaks the moment an agent’s behavior evolves.
More concerning is what’s happening in multi-agent architectures. 25.5% of deployed agents can both create and instruct other agents, establishing autonomous chains of command that operate entirely outside human-centric authorization gates. When Agent A spawns Agent B and delegates a task, does your security model know? Does it enforce the same policies?
For most organizations, the answer is no. Only 24.4% report having full visibility into agent-to-agent communication. Nearly a third of enterprises are effectively blind to how authority is being delegated internally across their agent fleets.
The audit problem: monthly reviews for second-by-second actions
The temporal mismatch here deserves its own category. AI agents can execute hundreds of actions per second. Only 7.7% of organizations audit agent activity daily. The majority — 37.5% — rely on monthly reviews.
A monthly audit of an agent fleet is the equivalent of reviewing security camera footage once a month in a high-traffic building. By the time you look, the incident is ancient history and the blast radius is already known.
This is compounded by the cataloging problem. 22.5% of organizations have no formal catalog of their agents or MCP servers. Another 25.4% rely on manual spreadsheets. You cannot govern what you haven’t inventoried, and you cannot inventory something you can’t see.
The investment paradox
Perhaps the most troubling finding for anyone trying to make the case internally for agent security investment: 41.6% of organizations expect their AI agent security investment to decrease over the next 12 months, virtually mirroring the 42.4% who expect it to increase. And 69.2% of executives believe existing regulations are already sufficient to address the risks posed by autonomous agents.
This is regulatory comfort masking a funding crisis. GDPR and the EU AI Act were not designed for agentic systems. They don’t address agent identity, delegation chains, or real-time enforcement at the tool layer. Checking a compliance box does not make your agent fleet secure.
The practitioners in this survey know it. But they’re operating inside organizations where the executive perception of “sufficient” is preventing the investment needed to close the execution gap.
What this means for how we build
The Gravitee report frames this as an execution problem, and I think that framing is exactly right. The industry understands that agents need governance. What’s missing is the practical implementation: consistent identity models, centralized enforcement, clear ownership, and continuous visibility.
From an Agentic Academy perspective, this maps directly to the governance dimensions we need to build into every agentic architecture from day one — not as a retrofit.
The first, non-negotiable requirement is treating agent identity as a first-class architectural concern. Every agent needs its own scoped credentials and a verifiable chain of delegation. The shared service account pattern is a governance anti-pattern precisely because it collapses everything downstream that depends on individual identity: attribution, least-privilege enforcement, granular access revocation, and meaningful audit trails.
At the tool layer — where agents connect to APIs, databases, and external systems — risk concentrates because this is where autonomous decisions translate into real-world consequences. Every tool connection needs to be authenticated, scoped to the minimum necessary permissions, and auditable after the fact. Hardcoded credentials embedded in agent logic are not a security model; they’re a future incident waiting to be documented.
For multi-agent architectures, authorization needs to be explicitly modeled for the delegation layer, not just for the agents themselves. When Agent A spawns Agent B and assigns it a task, your security model needs to answer: what permissions are being delegated, and what constraints follow the delegation? Organizations that haven’t worked through these questions haven’t built an authorization model — they’ve built a set of assumptions that autonomous agents will eventually violate, because the report data suggests they already are.
Continuous observability is what closes the loop. The audit cadences this report documents — monthly reviews for systems making second-by-second decisions — are structurally inadequate. Real-time monitoring and anomaly detection at the agent layer aren’t tooling preferences; they’re the mechanism by which scope creep and privilege escalation get caught before they become incidents. The healthcare prompt injection case that was stopped in two seconds was stopped by an audit trail and a circuit breaker, not a policy document.
Before any of this: inventory. An agent registry isn’t bureaucracy for its own sake — it’s the prerequisite for every other control on this list. You cannot scope permissions for agents you haven’t cataloged, and you cannot audit the behavior of systems you don’t know exist.
The execution gap is now the primary risk
The State of AI Agent Security 2026 report from Gravitee confirms what many practitioners already suspect: the security debt in enterprise AI agent deployment is real, accumulating fast, and already producing incidents. The gap isn’t awareness — organizations clearly understand the risk surface. The gap is execution.
81% of teams are past planning, 88% have had confirmed or suspected incidents, and only 14% have achieved full security approval for their entire agent fleet. Security investment is barely keeping pace with adoption velocity, let alone outpacing it — and the organizations where executive comfort (“our policies are sufficient”) is outpacing practitioner oversight (“we monitor 47% of deployed agents”) are producing most of the incidents.
The organizations that navigate this well won’t be the ones that slow down adoption. They’ll be the ones that stop treating governance as a retrofit and start treating agent identity, tool-layer authorization, delegation visibility, and continuous monitoring as first-order architectural requirements. The infrastructure is already live. The governance model needs to be designed for it — not bolted on after the next incident makes the case internally.