
The State of AI Agent Security 2026: What 160 CISOs Reveal About a Dangerous Gap

Roger Howroyd June 25, 2026

We surveyed over 160 CISOs and security leaders across the globe and what we found should concern every executive responsible for AI strategy: the organizations moving fastest on AI agents are, almost by definition, the least prepared to secure them.


There is a version of the AI agent story that sounds like pure progress. Enterprises experimenting with large language models just two years ago have rapidly matured those pilots into autonomous agents, systems that don't just generate text but take actions, retrieve live data, execute decisions, and interact with customers and internal tools at scale. The numbers back this up: 72% of the organizations we surveyed have already implemented AI agents or are actively scaling them.

Then there is the other version of the story. Only 29% of those same organizations report having comprehensive security controls in place to govern those agents. One in five has already experienced a security breach directly attributable to an AI agent. And 73% of CISOs describe themselves as very or critically concerned about AI agent risks, even as most of them acknowledge their safeguards are not ready for what those risks actually look like in production.

That is the story this report tells. Not a story about AI being dangerous in some abstract, speculative sense. A story about a specific, measurable, and already-widening gap between how fast enterprises are deploying autonomous AI systems and how slowly they are building the controls, governance, and institutional readiness to manage what those systems can do wrong.

From co-pilot to autonomous agent: understanding what changed

To understand why this gap is so consequential, it helps to understand what makes an AI agent fundamentally different from the LLM-based tools most enterprises deployed first. When a company rolls out an AI writing assistant or a summarization tool, the system is reactive and sandboxed. It generates output in response to a prompt; a human reviews it; the human decides what happens next. The blast radius of a malfunction is limited. If the model hallucinates a fact in a draft, a person catches it before it reaches a customer.

AI agents operate differently. They are designed to act: to retrieve information from live databases, call external APIs, submit forms, trigger workflows, update records, and interact with customers without a human reviewing each step. That autonomy is precisely what makes them valuable: they can handle complex, multi-step tasks at a speed no human team can match. But it is also what makes a security failure so much more dangerous. When an agent acts on a manipulated input, the damage doesn't wait for a human to review a draft. It happens.

"Enterprises must now secure, monitor, and govern systems that act, not just advise."

The survey data reflects how far this transition has already come. 70% of organizations use LLMs for internal productivity, essentially the co-pilot stage, where AI assists human workers with research, drafting, and code generation. 35% have extended LLMs into customer-facing roles. But 19% have now crossed into genuine agentic territory, deploying systems that don't just assist but execute defined tasks and decisions in internal workflows. And 4% have gone further still: autonomous agents that interact directly with customers, handling queries, transactions, and support without any human in the loop.

That last figure, 4% running fully autonomous customer-facing agents today, will grow sharply. 37% of respondents plan to have AI agents in production by end of 2026. By 2027, another 29% expect to follow. The adoption curve is not gradual; it is a wave, and most security teams are watching it approach without the infrastructure to meet it.

Scale is the multiplier that makes everything harder

Adoption numbers alone don't capture the full scope of what security teams are about to face. The more revealing question is not whether enterprises are deploying AI agents, but how many they expect to manage, because scale changes the nature of the governance problem entirely.

Today, 20% of enterprises operate fewer than 10 agents. That is a manageable footprint. A security team can, in principle, track each agent's permissions, monitor its behavior, and review its integrations with some degree of manual oversight. The largest cohort, 35% of organizations, currently operates between 10 and 50 agents, still within the range where centralized oversight is feasible if not always practiced.

"45% of enterprises expect to manage more than 50 AI agents within three years. 5% already anticipate operating over 1,000 agents, treating AI as infrastructure, not tooling."

What happens at 50, 100, or 500 agents is qualitatively different. Each new agent introduces a new identity with its own permissions, its own integrations, and its own potential exposure points. A network of 200 agents interacting with each other and with external systems isn't 200 separate risks; it is a distributed system with emergent behaviors that no single team can monitor manually. Governance frameworks designed for static enterprise software, where human administrators control each change, cannot contain adaptive systems operating at machine speed.

By 2028, one in three enterprises (33%) expects to operate more than 500 AI agents. By 2030, over half (56%) will treat AI agents as core operational infrastructure on par with their data platforms or cloud environments. The implication for security leaders is stark: the window to build the governance architecture before scale makes it exponentially harder is not years away. For many organizations, it has already closed.

What CISOs are actually afraid of, and why they're right

The survey asked security leaders which AI agent risks concern them most. The answers reveal a clear-eyed understanding of what makes autonomous systems dangerous in ways that traditional software is not.

Data leakage tops the list at 62%. This is not an abstract concern. When an AI agent has access to a company's customer database, its internal communications, or its regulated financial records, and that agent processes thousands of queries per day, the surface area for unintended data exposure is enormous. The risk isn't primarily that an attacker will break in and steal data. It's that an agent configured with overly broad permissions will surface sensitive information in response to a seemingly innocent query, or pass it through to a third-party integration that was never intended to receive it.

Prompt injection at 58% is perhaps the most technically distinctive risk on the list, and the one that has no real analogue in traditional application security. In a prompt injection attack, a malicious actor embeds instructions inside content the agent will process: a document it reads, a web page it visits, an email it summarizes. If the agent follows those embedded instructions rather than rejecting them, an attacker can hijack its behavior without ever touching the underlying model or infrastructure. Early incidents already confirm this is not theoretical: 68% of the AI agent security events reported in the survey involved prompt injection.

The concern over unauthorized actions (47%) speaks to something deeper than any individual attack vector. It reflects a fundamental anxiety about deploying systems whose decision-making processes are not fully interpretable into environments where the consequences of unexpected actions are real and sometimes irreversible. An agent that books the wrong travel, updates the wrong customer record, or triggers the wrong financial transaction isn't just a technical failure; it is a governance failure with business consequences that may cascade before anyone notices something went wrong.

The security controls in place: a landscape of adapted tools and dangerous gaps

Given how seriously CISOs take these risks, one might expect robust protective infrastructure. The reality is significantly more fragile. The survey reveals a security posture defined largely by existing IT tools repurposed for a new context — not by purpose-built agent governance architecture.

Activity monitoring (42%) and role-based access control (38%) lead adoption. These are necessary foundations, but they were designed for environments where humans trigger actions and administrators assign permissions deliberately. Applying them to autonomous agents operating at scale introduces coverage gaps that neither capability was designed to close. An agent might technically be operating within its assigned role permissions while still taking actions that no human authorized, because the permission model wasn't designed with agent behavior in mind.

"25% of enterprises have no AI-specific security controls at all — leaving agents unmonitored, untested, and ungoverned in production environments."

Data loss prevention (31%) and prompt injection filtering (27%) show early adoption, but the gap between recognition and implementation is striking. Red teaming, the practice of actively simulating adversarial attacks to find vulnerabilities before attackers do, is only practiced by 19% of organizations, despite being one of the most effective ways to understand how agents behave under adversarial conditions. Supply chain integrity protection (16%) is even rarer, leaving most enterprises unable to verify the security properties of the third-party models, plugins, and APIs their agents depend on.

What this adds up to is a security landscape we describe as defined by intent, not maturity. Organizations know what threats they face. They have not yet built the infrastructure to reliably detect, contain, or prevent those threats in the context of autonomous AI systems.

Incidents have started. The costs are ransomware-scale.

For some organizations, the readiness gap has already produced consequences. 19.5% of CISOs report at least one AI agent-related security incident within their organization. These are not near-misses or theoretical vulnerabilities: they are events that happened, with real operational and financial impact.

The incident profile is consistent with the risks CISOs identified. 68% of reported incidents involved prompt injection or adversarial manipulation. 61% resulted in leakage of sensitive or regulated data. 52% involved unauthorized agent actions or privilege escalation, agents doing things they were not supposed to do, in systems they were not supposed to touch. 46% produced harmful or false interactions with customers.

"40% of CISOs estimate a major AI agent incident would cost between $1M and $10M, and 13% expect losses exceeding $10M, comparable to large-scale ransomware."

Those figures demand context. The $1–10M range is not an exotic outlier; it is the modal expectation among the security leaders who know these systems best. And 13% anticipating losses above $10M places AI agent failures in the same financial severity category as the ransomware attacks that have dominated enterprise security planning for the past decade. The difference is that ransomware has driven a decade of investment, insurance products, incident response playbooks, and regulatory frameworks. AI agent security has received a fraction of that attention, while the attack surface has grown comparably.

There is also a compounding dynamic that financial estimates alone don't capture. AI agent incidents tend to be discovered late, because the systems operate at speeds and scales that make anomalous behavior harder to detect than a ransomware encryption event. A prompt injection that causes an agent to leak customer data across thousands of transactions may be invisible until a compliance audit, a customer complaint, or a regulatory inquiry surfaces it, at which point the remediation window has long passed.

Maturity is unevenly distributed, and the gap is widening

NeuralTrust's AI Security Maturity Model maps the landscape across four tiers, and the distribution tells a troubling story about where most enterprises actually stand.

The State of AI Agent Security 2026 - AI Security Maturity Model

The practical implication of this distribution is that 71% of enterprises are operating AI agents with either no controls at all or controls that were never designed for autonomous systems. That majority will shrink as incidents accumulate and regulation tightens. But the organizations that wait for external pressure to drive investment will have already absorbed preventable damage, paid preventable fines, and spent their board's trust on an incident they could have anticipated.

Europe and North America: two different bets on the same future

The geographic split in the data is one of its most instructive dimensions. North American enterprises lead in deployment velocity: 74% are piloting or scaling AI agents, versus 68% in Europe. But European enterprises lead significantly in control maturity: 34% report comprehensive security controls, compared to just 23% in North America.

The explanation is not that European technology leaders are more cautious by temperament. It is that they are operating under regulatory pressure that North American enterprises are not yet facing at the same intensity. The EU AI Act, DORA, and NIS2 have collectively created a compliance environment that forces enterprises to assess AI risk systematically, document their governance, and demonstrate accountability or face regulatory consequences. That pressure, whatever its costs, produces a maturity uplift that voluntary standards alone do not.

The implication for North American CISOs is worth sitting with. The regulatory gap between Europe and North America will not last indefinitely. By 2030, 80% of global enterprises are expected to operate under AI-specific regulation. The organizations that have used the pre-regulatory window to build genuine security maturity will absorb compliance requirements with relative ease. Those that have used it to sprint on deployment without building governance will face the double burden of incident recovery and regulatory remediation at the same time.

What to actually do about it: five concrete steps

The report is not pessimistic about enterprises' ability to close the readiness gap, but it is direct about what closing it requires. These are not aspirational recommendations; they are the specific capabilities that separate the 29% of organizations with comprehensive controls from the 71% without.

1. Select safe models, protocols (MCPs, A2A), and tools.

Every agent in your environment is only as secure as the components it depends on. Scan for supply chain vulnerabilities before deployment and maintain a registry of every model, tool, and API your agents can access. Third-party integrations that haven't been vetted are open doors.

2. Enforce identity and tool access control at the agent level.

Each agent should have a defined identity with the minimum permissions required for its specific function, not broad access inherited from a service account or administrator role. An MCP gateway gives you the control plane to enforce this at scale, restricting what each agent can do rather than trusting it to stay within intended boundaries.

3. Deploy an Agent Firewall for real-time protection.

Traditional perimeter security doesn't operate at the speed or granularity that agent interactions require. An Agent Firewall inspects agent-to-agent (A2A) and human-to-agent (H2A) interactions in real time, filtering unsafe outputs, blocking adversarial inputs, and reducing hallucinations before they produce downstream harm. This is the capability that stops prompt injection attacks, the leading cause of AI agent incidents in transit.

4. Build compliance and oversight infrastructure from day one.

Route agent logs, alerts, and traces to your SIEM and cloud monitoring platforms. Establish audit trails that make it possible to reconstruct what an agent did, when, and why, because regulators and incident investigators will require this, and because it's operationally necessary to diagnose failures. The organizations that implement this from deployment rather than retrofitting it after an incident are the ones that control their narrative when something goes wrong.

5. Test your agents adversarially and continuously.

Red teaming AI agents is not the same as penetration testing traditional software, and the 81% of enterprises that don't practice it are leaving a critical visibility gap open. Regular adversarial simulation reveals how agents behave under manipulation, what actions they will take when prompted unexpectedly, and where the boundaries of their autonomy actually sit versus where you assumed they sat. These are not questions you want answered in production by an attacker.
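As an added illustration of steps 2 and 4 above (example code written for this page, not NeuralTrust's product or the report's own material), the following is a minimal deny-by-default policy enforcement point for agent tool calls: each agent identity carries an explicit allowlist of tools and per-argument constraints, and every decision, allowed or denied, is written as a structured audit record of the kind a SIEM would ingest. The agent id, tool names, and argument constraints are constructed for the example.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class ToolPolicy:
    """One tool an agent may call, plus optional per-argument allowlists."""
    tool: str
    # argument name -> set of permitted values; arguments not listed are unconstrained
    arg_allow: dict = field(default_factory=dict)


@dataclass
class AgentIdentity:
    """A per-agent identity: least privilege means only the tools listed here."""
    agent_id: str
    tools: dict  # tool name -> ToolPolicy


AUDIT_LOG: list = []  # stand-in for the SIEM / trace sink (step 4)


def _audit(agent_id, tool, args, decision, reason):
    # One JSON record per decision so an investigator can reconstruct
    # what the agent tried to do, when, and why it was allowed or blocked.
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "agent_id": agent_id,
        "tool": tool,
        "args": args,
        "decision": decision,
        "reason": reason,
    }
    AUDIT_LOG.append(json.dumps(record, sort_keys=True))
    return record


def authorize_tool_call(agent, tool, args):
    """Default deny: a tool call passes only if the tool and its arguments are in policy."""
    policy = agent.tools.get(tool)
    if policy is None:
        return _audit(agent.agent_id, tool, args, "deny", "tool not in agent allowlist")
    for name, allowed in policy.arg_allow.items():
        if args.get(name) not in allowed:
            return _audit(agent.agent_id, tool, args, "deny",
                          f"argument {name!r}={args.get(name)!r} outside policy")
    return _audit(agent.agent_id, tool, args, "allow", "within policy")


def build_support_agent():
    # Constructed identity: a support agent may read tickets and query only the
    # tickets table. It is never granted a refund tool, so no manipulated input
    # can make it issue one through this gateway.
    return AgentIdentity(
        agent_id="support-agent-07",
        tools={
            "crm.read_ticket": ToolPolicy("crm.read_ticket"),
            "crm.query": ToolPolicy("crm.query", {"table": {"tickets"}}),
        },
    )


def demo():
    agent = build_support_agent()
    return [
        authorize_tool_call(agent, "crm.read_ticket", {"ticket_id": "T-1001"})["decision"],
        # a request steered toward a PII table is blocked by the argument constraint
        authorize_tool_call(agent, "crm.query", {"table": "customers_pii"})["decision"],
        # a request for a tool this identity never received is blocked outright
        authorize_tool_call(agent, "payments.refund", {"amount": 500})["decision"],
    ]


if __name__ == "__main__":
    print(demo())
    print("\n".join(AUDIT_LOG))
```

The point of the exercise is the combination: the permission model is defined per agent rather than inherited from a service account, and denials are logged with the same fidelity as successes, which is what makes a post-incident reconstruction possible.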

The window is narrowing

The honest conclusion from this data is that the AI agent security problem is not coming, it is already here. Incidents are being reported. Costs are being absorbed. The enterprises that have already experienced a breach are discovering, often painfully, that the controls they had were not designed for autonomous systems that act rather than systems that advise.

What the data does not show is the full cost of the gap. Most organizations have not had a major incident. But 80% of those that haven't still expect one within 18 months. The absence of a serious breach so far reflects limited deployment scale more than robust security. As that scale grows and organizations move from 10 agents to 100, from 100 to 500, the probability of a consequential failure grows with it, and the cost of closing the gap after an incident is exponentially higher than closing it before one.

The next phase of enterprise AI will not be defined by which organizations deploy the most agents. It will be defined by which ones can demonstrate that their agents are trustworthy, that they behave as intended, that their access is governed, that their failures are detected and contained, and that there is accountability for what they do. That is what security maturity means in the age of autonomous AI. And the organizations building it now will have an advantage that compounds over time.

FAQs about the state of AI agent security for 2026

1. What percentage of enterprises have AI agents in production in 2026?

10% of enterprises already have AI agents in full production today. 37% plan to deploy by end of 2026, and 29% expect to follow by 2027. Taken together with earlier stages of adoption, 72% of organizations have already implemented or are actively scaling AI agents across their operations.

2. What are the biggest AI agent security risks in 2026?

According to our survey of 160+ CISOs, the top risks by concern level are: data leakage of sensitive or regulated information (62%), prompt injection and adversarial manipulation (58%), harmful or false outputs (53%), unauthorized agent actions and excessive autonomy (47%), and user misuse or abuse of agents (44%). Compliance and liability exposure rounds out the list at 39%.

3. How much can an AI agent security breach cost?

40% of CISOs estimate that a major AI agent-related incident would cost between $1 million and $10 million. 13% anticipate losses exceeding $10 million, placing AI agent failures in the same financial severity category as large-scale ransomware attacks. Only 3% believe an incident would have no material financial impact.

4. What percentage of companies have already experienced an AI agent breach?

19.5% report having experienced at least one AI agent-related security incident. The most common causes are prompt injection attacks (68% of incidents) and data leakage of sensitive or regulated information (61%). Unauthorized agent actions or privilege escalation account for 52% of reported events.

5. What AI-specific security controls do enterprises currently have?

The most widely adopted controls are activity monitoring and alerting (42%), role-based access control (38%), and data loss prevention (31%). More advanced capabilities like prompt injection filtering (27%), AI posture monitoring (24%), red teaming (19%), and supply chain integrity protection (16%) remain far less common. Critically, 25% of enterprises have no AI-specific security controls of any kind.

6. How does the EU AI Act affect AI agent security readiness?

Significantly. European enterprises operating under the EU AI Act, DORA, and NIS2 report 34% comprehensive security control adoption, compared to 23% in North America. Regulatory pressure is acting as a maturity accelerator. By 2030, 80% of global enterprises are expected to operate under AI-specific regulation, making the compliance investments made today a competitive advantage rather than a sunk cost.
