The agent security gap: 54% of enterprises have already had an AI agent incident, and most still let agents share credentials
Methodology
VentureBeat fielded this survey as part of its ongoing Pulse Research series, this instrument focused on enterprise agent security - the tooling, identity, isolation, and enforcement controls organizations use to secure autonomous AI agents.
Responses are filtered to organizations with more than 100 employees (n=107; the survey's smallest size band, 1-100 employees, is excluded), drawn from a single June 2026 wave. Because this is one wave rather than a pooled multi-month sample, the report reads cross-sectionally and does not infer month-over-month trends. Several questions were multiple-select, so those shares can sum to more than 100%.
By role the sample is senior and buyer-credible: 45% are final decision-makers for AI purchases and another 30% recommenders or influencers. Managers (43%), individual contributors (24%), VPs and directors (15%), and the C-suite (11%) make up the seniority mix.
By organization size the sample is mid-market-weighted: 251-1,000 (42%) and 101-250 (25%) employees lead, with 1,001-5,000 (19%), 5,001-10,000 (8%), and 10,001+ (7%) above them. Technology/Software is the largest industry at 23%, followed by Manufacturing (15%), Retail/E-commerce (14%), and Healthcare/Life Sciences (13%).
At 107 respondents the sample is large enough to read directionally but should be treated as a directional signal rather than a precise measurement; it is self-selected and is not a probability sample. It skews toward the mid-market, so it is best read as the view from organizations actively standing up agent security rather than from the largest operators. Satisfaction ratings are computed on the respondents who answered each rating question; the overall satisfaction score reflects 82 of the 107 qualified respondents.
Finding 1: The incidents are already here
More than half have had an agent security incident or near-miss
We asked whether organizations had experienced an agent security incident - a confirmed breach, or a near-miss caught before harm. Most that run agents in production had. This is the report's defining number.
More than half of organizations (54%) have already had an agent security event - 18% a confirmed incident and 36% a near-miss caught before it caused harm. Only 42% report nothing, and a small remainder either run no agents in production or don't track such events.
That so many report near-misses rather than only confirmed incidents is telling: enterprises are catching problems, but they are catching them close to the edge. The controls examined in the rest of this report - identity, isolation, enforcement - are what determine whether the next near-miss stays a near-miss.
Exposure scales with company size, but containment does not. The incident-or-near-miss rate rises from 49% in the mid-market (companies with 101-1,000 employees) to 63% at larger enterprises (above 1,000 employees), while sandbox isolation of high-risk agents falls from 35% to 20%, and satisfaction with security tooling drops from 4.36 to 3.97. The organizations running the most agents across the most systems carry the most incidents and the least of the one control that bounds an incident's blast radius.
Finding 2: The identity gap
Only a third give every agent its own scoped identity
We asked how enterprises manage the identity of their AI agents - whether each agent has its own credentials, or agents share them. Full per-agent identity is the exception.
Rolled together, the overlapping answers show 69% of enterprises (74 of 107) with credential sharing somewhere in the agent fleet. Identity is the structural weakness beneath the incidents.
- Only about a third of enterprises (32%) give every agent its own scoped, managed identity - the precondition for least-privilege access and clean attribution.
- Nearly half (48%) say some agents have scoped identities but many still share credentials.
- Another 32% say agents mostly run on shared API keys or borrowed human and service-account credentials.
(Respondents could describe more than one pattern across their agent fleet, so these overlap.)
The consequence is direct: when agents share credentials, an over-permissioned or compromised agent can act with far more reach than intended, and forensics after an incident cannot cleanly tell which agent did what. The non-human identity problem - giving every agent its own governed identity - is the single largest unfinished piece of enterprise agent security.
Moreover, a company's agent credential posture is correlated with incidents. Organizations with credential sharing anywhere in the fleet were hit - with an incident or a near-miss in the past twelve months - at 63.5% (47 of 74). Organizations where every agent carries its own scoped identity were hit at 40.9% (9 of 22). The fully-scoped group is small, so for now the relationship is an association rather than proven causation, and the gap is concentrated in the mid-market - but within a single survey, a twenty-three point difference in incident rate suggests significance.
Finding 3: Observe and enforce, but rarely isolate
Only three in 10 sandbox their highest-risk agents
We asked what an organization's agent security posture looks like in practice - whether they observe, enforce, isolate, or some combination. The control that bounds damage is the least common.
Monitoring and enforcement are reasonably common; containment is not. Roughly half of enterprises observe agent activity (47%) or enforce scoped permissions at runtime (49%), but only 30% isolate their highest-risk agents in sandboxes that bound the blast radius when the other controls fail.
That ordering is backwards from a defense-in-depth standpoint: observation tells you what happened, enforcement tries to prevent it, but isolation is what limits the damage when prevention fails - and it is the control enterprises have adopted least. Combined with the identity gap in Finding 2, the picture is of agents that are watched and permissioned but rarely boxed in, which is precisely the configuration in which a single failure propagates.
Finding 4: Security runs on borrowed, provider-native controls
Guardrails from OpenAI, Google and Microsoft dominate; specialists barely register
We asked which agent security tooling enterprises use, and which is their primary layer. The answer favors the model providers and hyperscalers over the dedicated security vendors.
Enterprises are securing agents with tools that came bundled with their models and clouds. OpenAI's guardrails lead at 51%, followed by Google's and Microsoft's cloud-native controls and Anthropic's managed-agent controls - and when asked to name their single primary security layer, 82% name one of these provider-native offerings.
The purpose-built agent-security category - Palo Alto's Prisma AIRS, CrowdStrike, Cisco AI Defense, Zenity, HiddenLayer, Check Point's Lakera, Okta for AI Agents, non-human identity platforms - barely registers, each in the low single digits, and only 5% run no dedicated tooling at all.
As with retrieval and evaluation elsewhere in this series, the provider bundle is winning the default: enterprises reach first for the guardrails their platform ships, and the independent security layer that would address the identity and isolation gaps has not yet been adopted at scale.
The provider-default pattern is consistent across both Q2 survey waves. In April-May (n=110), usage was led by the same names - OpenAI's controls at 26%, Azure at 15%, AWS at 14%, Google at 12% - with every dedicated agent-security specialist at 3% or below and one in ten using no dedicated tooling at all. The common finding from the two surveys: Enterprises are defaulting to the solutions provided by the platform they're using, and the specialist category vendors have yet to become big players here.
A note on reading these shares. As described in the methodology section, the respondent sample is self-selected and skews mid-market, and the usage question counted every vendor or approach a respondent has in place - so the figures measure presence in the security stack rather than spending or exclusivity. Individual vendor percentages therefore carry all the usual sample caveats. The structural pattern, however, held across both Q2 waves on two differently worded questions: provider-native and hyperscaler controls lead, and dedicated agent-security specialists remain in low single digits. Read the individual shares loosely and the pattern with confidence.
Finding 5: And enterprises are comfortable with it
Satisfaction is high, even as incidents mount and identity lags
We asked how satisfied enterprises are with their current agent security tooling. The comfort is notably out of step with the exposure documented above.
Satisfaction with agent security tooling is high - 4.2 out of 5 overall, and 4.1 for value for money - among the most positive readings in this series. That is the striking part: enterprises are highly satisfied with a stack that is mostly borrowed provider guardrails, even though more than half have already had an incident or near-miss and only a third give their agents scoped identities.
The comfort appears to rest on the convenience and low friction of provider-native controls rather than on demonstrated containment. It is a false comfort in the making - the same enterprises expressing satisfaction are, as Finding 8 shows, a clear majority planning to change tooling within the year, which suggests the confidence is thinner than the score implies.
Finding 6: Budgets haven't caught up
Most spend under a tenth of the security budget on agents
We asked what share of the security budget enterprises allocate to securing AI agents. For a fast-emerging risk, the allocation is modest.
Spending on agent security is still a thin slice. The most common allocation is 6-10% of the security budget (46%), and a third of enterprises (34%) spend 5% or less; only a quarter (24%) devote more than a tenth.
Given the incident rate in Finding 1 and the identity and isolation gaps in Findings 2 and 3, the budget looks like a lagging indicator - the risk has arrived faster than the funding to address it. The enterprises spending more than a tenth of their security budget on agents are a distinct minority, and they are likely the ones building the scoped-identity and isolation controls the rest have not.
Finding 7: The arms race is even, at best
Only a third think their AI defenses are ahead of AI-enabled attackers
We asked how enterprises assess the balance between their AI-enabled defenses and AI-enabled attackers. Confidence is far from settled.
Enterprises are split on whether they are winning. Only about a third (35%) believe their AI-enabled defenses are ahead of AI-enabled attackers; the rest are less sure - 32% call it roughly even, 21% think attackers are ahead, and another 21% say it is too early to tell.
Taken together, a clear majority (53%) rate the balance as even or tilted toward the attacker. That uncertainty sits uneasily beside the high satisfaction of Finding 5: enterprises are content with their tooling yet unconvinced it is winning the contest it exists to win. In a domain where the offense is also compounding with AI, an even race is not a comfortable place to be.
Finding 8: A security reshuffle is coming
Nearly six in 10 plan to adopt or switch tooling within a year
We asked whether enterprises plan to adopt a new, additional agent security tool or switch providers within the next twelve months. The answer signals significant churn ahead.
Nearly six in 10 enterprises (58%) plan to adopt or switch agent security tooling within the year. Only 42% plan to stay with their current stack. That intention to change is the strongest signal in the survey that the current provider-default equilibrium is temporary.
The combination of high satisfaction (Finding 5) and high planned churn (Finding 8) is the survey's most revealing paradox: enterprises are comfortable with what they have, but they do not expect it to be what they keep. The reshuffle, if it materializes, will likely shift spending toward the identity and isolation controls that the survey identifies as the largest gaps.
Comments
No comments yet. Start the discussion.