AI agents form the new enterprise risk nobody fully controls
AI agents are rapidly moving from experiments to core business systems, but governance is struggling to keep pace. 65% of organizations experienced at least one AI agent-related security incident in the past year, making incidents a mainstream operational reality.
The biggest impact was exposure or mishandling of sensitive data (61%), followed by operational disruption (43%) and unintended business actions (41%). Although 68% believe they have good visibility into their AI agents, 82% discovered previously unknown “shadow agents” operating without governance oversight.
Most organizations rely on exception-based governance: low-risk actions run autonomously, while high-risk actions require human approval. Continuous monitoring remains rare (16%); most organizations review AI agent behavior only periodically.
Lifecycle management is improving, but only 21% have formal decommissioning processes, creating “retirement debt” from forgotten agents with lingering access rights. Governance is shifting from static permissions toward dynamic controls based on risk level, context, and human authorization.
The combination of broad access and high autonomy is emerging as the key driver of AI agent risk. The report concludes that AI agent governance must become an integrated discipline spanning visibility, lifecycle management, monitoring, permissions, and enterprise risk management.
AI agents are already creating real security incidents in enterprises. The challenge is no longer discovering AI; it is controlling, monitoring, and retiring autonomous systems before they become the next major source of cyber and operational risk.

